packages/groovy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!5 fix CVE-2020-17521

Browse Source 
From: @wang_yue111
Reviewed-by: @small_leek,@wangchong1995924
Signed-off-by: @small_leek,@wangchong1995924
This commit is contained in:
openeuler-ci-bot 2021-02-20 10:26:37 +08:00 committed by Gitee
commit 0fb6441969
2 changed files with 87 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
CVE-2020-17521.patch Normal file
View File

@ -0,0 +1,81 @@
From 24a2441ad715cda26c9cae9febb36cdb51983092 Mon Sep 17 00:00:00 2001
From: Paul King <paulk@asert.com.au>
Date: Fri, 5 Feb 2021 10:15:52 +0800
Subject: [PATCH] use newer api for creating temp dir
---
.../runtime/DefaultGroovyStaticMethods.java | 48 ++++++-------------
1 file changed, 14 insertions(+), 34 deletions(-)
diff --git a/src/main/org/codehaus/groovy/runtime/DefaultGroovyStaticMethods.java b/src/main/org/codehaus/groovy/runtime/DefaultGroovyStaticMethods.java
index 9e4ce31..61414b2 100644
--- a/src/main/org/codehaus/groovy/runtime/DefaultGroovyStaticMethods.java
+++ b/src/main/org/codehaus/groovy/runtime/DefaultGroovyStaticMethods.java
@@ -24,6 +24,8 @@ import java.io.File;
import java.io.IOException;
import java.text.ParseException;
import java.text.SimpleDateFormat;
+import java.nio.file.Files;
+import java.nio.file.Path;
import java.util.Date;
import java.util.ResourceBundle;
import java.util.Locale;
@@ -261,43 +263,21 @@ public class DefaultGroovyStaticMethods {
}
public static File createTempDir(File self) throws IOException {
- return createTempDir(self, "groovy-generated-", "-tmpdir");
+ return createTempDir(self, "groovy-generated-", "tmpdir-");
+ }
+
+ public static File createTempDir(File self, final String prefix) throws IOException {
+ return createTempDirNio(prefix);
}
public static File createTempDir(File self, final String prefix, final String suffix) throws IOException {
- final int MAXTRIES = 3;
- int accessDeniedCounter = 0;
- File tempFile=null;
- for (int i=0; i<MAXTRIES; i++) {
- try {
- tempFile = File.createTempFile(prefix, suffix);
- tempFile.delete();
- tempFile.mkdirs();
- break;
- } catch (IOException ioe) {
- if (ioe.getMessage().startsWith("Access is denied")) {
- accessDeniedCounter++;
- try { Thread.sleep(100); } catch (InterruptedException e) {}
- }
- if (i==MAXTRIES-1) {
- if (accessDeniedCounter==MAXTRIES) {
- String msg =
- "Access is denied.\nWe tried " +
- + accessDeniedCounter+
- " times to create a temporary directory"+
- " and failed each time. If you are on Windows"+
- " you are possibly victim to"+
- " http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6325169. "+
- " this is no bug in Groovy.";
- throw new IOException(msg);
- } else {
- throw ioe;
- }
- }
- continue;
- }
- }
- return tempFile;
+ // more secure Files api doesn't support suffix, so just append it to the prefix
+ return createTempDirNio(prefix + suffix);
+ }
+
+ private static File createTempDirNio(String prefix) throws IOException {
+ Path tempPath = Files.createTempDirectory(prefix);
+ return tempPath.toFile();
}
/**
--
2.23.0

8
groovy.spec
View File

@ -1,8 +1,8 @@
Name: groovy Name: groovy
Version: 2.4.8 Version: 2.4.8
Release: 8 Release: 9
Summary: Dynamic language for the Java Platform Summary: Dynamic language for the Java Platform
License: ASL 2.0 and BSD and EPL and Public Domain and CC-BY License: ASL 2.0 and BSD and EPL-1.0 and Public Domain and ANTLR-PD and MIT
URL: http://groovy-lang.org URL: http://groovy-lang.org
Source0: https://dl.bintray.com/groovy/maven/apache-groovy-src-%{version}.zip Source0: https://dl.bintray.com/groovy/maven/apache-groovy-src-%{version}.zip
Source1: groovy-script.sh Source1: groovy-script.sh
@ -17,6 +17,7 @@ Patch3: 0004-Remove-android-support.patch
Patch4: 0005-Update-to-QDox-2.0.patch Patch4: 0005-Update-to-QDox-2.0.patch
Patch5: 0006-Disable-artifactory-publish.patch Patch5: 0006-Disable-artifactory-publish.patch
Patch6: 0007-Fix-missing-extension-definitions.patch Patch6: 0007-Fix-missing-extension-definitions.patch
Patch7: CVE-2020-17521.patch
BuildRequires: gradle-local >= 2.1-0.9 javapackages-local java-devel >= 1.8 ant antlr-tool ant-antlr BuildRequires: gradle-local >= 2.1-0.9 javapackages-local java-devel >= 1.8 ant antlr-tool ant-antlr
BuildRequires: aqute-bnd gpars multiverse apache-parent testng jline apache-commons-cli apache-commons-beanutils BuildRequires: aqute-bnd gpars multiverse apache-parent testng jline apache-commons-cli apache-commons-beanutils
@ -189,5 +190,8 @@ EOF
%doc LICENSE NOTICE README.adoc %doc LICENSE NOTICE README.adoc
%changelog %changelog
* Thu Feb 04 2021 wangyue <wangyue92@huawei.com> 2.4.8-9
- fix CVE-2020-17521
* Thu Dec 7 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.4.8-8 * Thu Dec 7 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.4.8-8
- Package init - Package init