!5 fix CVE-2020-17521

From: @wang_yue111 Reviewed-by: @small_leek,@wangchong1995924 Signed-off-by: @small_leek,@wangchong1995924
2021-02-20 10:26:37 +08:00 · 2021-02-20 10:26:37 +08:00 · 0fb6441969
commit 0fb6441969
parent 157fcc34af b40edce7f0
2 changed files with 87 additions and 2 deletions
--- a/CVE-2020-17521.patch
+++ b/CVE-2020-17521.patch
@ -0,0 +1,81 @@
+From 24a2441ad715cda26c9cae9febb36cdb51983092 Mon Sep 17 00:00:00 2001
+From: Paul King <paulk@asert.com.au>
+Date: Fri, 5 Feb 2021 10:15:52 +0800
+Subject: [PATCH] use newer api for creating temp dir
+
+---
+ .../runtime/DefaultGroovyStaticMethods.java   | 48 ++++++-------------
+ 1 file changed, 14 insertions(+), 34 deletions(-)
+
+diff --git a/src/main/org/codehaus/groovy/runtime/DefaultGroovyStaticMethods.java b/src/main/org/codehaus/groovy/runtime/DefaultGroovyStaticMethods.java
+index 9e4ce31..61414b2 100644
+--- a/src/main/org/codehaus/groovy/runtime/DefaultGroovyStaticMethods.java
+++ b/src/main/org/codehaus/groovy/runtime/DefaultGroovyStaticMethods.java
+@@ -24,6 +24,8 @@ import java.io.File;
+ import java.io.IOException;
+ import java.text.ParseException;
+ import java.text.SimpleDateFormat;
+import java.nio.file.Files;
+import java.nio.file.Path;
+ import java.util.Date;
+ import java.util.ResourceBundle;
+ import java.util.Locale;
+@@ -261,43 +263,21 @@ public class DefaultGroovyStaticMethods {
+     }
+ 
+     public static File createTempDir(File self) throws IOException {
+-        return createTempDir(self, "groovy-generated-", "-tmpdir");
+	return createTempDir(self, "groovy-generated-", "tmpdir-");
+    }
+
+    public static File createTempDir(File self, final String prefix) throws IOException {
+	return createTempDirNio(prefix);
+     }
+ 
+     public static File createTempDir(File self, final String prefix, final String suffix) throws IOException {
+-        final int MAXTRIES = 3;
+-        int accessDeniedCounter = 0;
+-        File tempFile=null;
+-        for (int i=0; i<MAXTRIES; i++) {
+-            try {
+-                tempFile = File.createTempFile(prefix, suffix);
+-                tempFile.delete();
+-                tempFile.mkdirs();
+-                break;
+-            } catch (IOException ioe) {
+-                if (ioe.getMessage().startsWith("Access is denied")) {
+-                    accessDeniedCounter++;
+-                    try { Thread.sleep(100); } catch (InterruptedException e) {}
+-                }
+-                if (i==MAXTRIES-1) {
+-                    if (accessDeniedCounter==MAXTRIES) {
+-                        String msg =
+-                                "Access is denied.\nWe tried " +
+-                                        + accessDeniedCounter+
+-                                        " times to create a temporary directory"+
+-                                        " and failed each time. If you are on Windows"+
+-                                        " you are possibly victim to"+
+-                                        " http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6325169. "+
+-                                        " this is no bug in Groovy.";
+-                        throw new IOException(msg);
+-                    } else {
+-                        throw ioe;
+-                    }
+-                }
+-                continue;
+-            }
+-        }
+-        return tempFile;
+	// more secure Files api doesn't support suffix, so just append it to the prefix
+        return createTempDirNio(prefix + suffix);
+    }
+
+    private static File createTempDirNio(String prefix) throws IOException {
+	Path tempPath = Files.createTempDirectory(prefix);
+	return tempPath.toFile();
+     }
+ 
+   /**
+-- 
+2.23.0
+
--- a/groovy.spec
+++ b/groovy.spec
@ -1,8 +1,8 @@
 Name:           groovy
 Version:        2.4.8
-Release:        8
+Release:        9
 Summary:        Dynamic language for the Java Platform
-License:        ASL 2.0 and BSD and EPL and Public Domain and CC-BY
+License:        ASL 2.0 and BSD and EPL-1.0 and Public Domain and ANTLR-PD and MIT
 URL:            http://groovy-lang.org
 Source0:        https://dl.bintray.com/groovy/maven/apache-groovy-src-%{version}.zip
 Source1:        groovy-script.sh
@ -17,6 +17,7 @@ Patch3:         0004-Remove-android-support.patch
 Patch4:         0005-Update-to-QDox-2.0.patch
 Patch5:         0006-Disable-artifactory-publish.patch
 Patch6:         0007-Fix-missing-extension-definitions.patch
+Patch7:         CVE-2020-17521.patch

 BuildRequires:  gradle-local >= 2.1-0.9 javapackages-local java-devel >= 1.8 ant antlr-tool ant-antlr
 BuildRequires:  aqute-bnd gpars multiverse apache-parent testng jline apache-commons-cli apache-commons-beanutils
@ -189,5 +190,8 @@ EOF
 %doc LICENSE NOTICE README.adoc

 %changelog
+* Thu Feb 04 2021 wangyue <wangyue92@huawei.com> 2.4.8-9
+- fix CVE-2020-17521
+
 * Thu Dec 7 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.4.8-8
 - Package init