From da9512fc51afdc1c1c04400e245b1f1e21756b11 Mon Sep 17 00:00:00 2001 From: wang_yue111 <648774160@qq.com> Date: Fri, 19 Mar 2021 11:50:33 +0800 Subject: [PATCH] fix CVE-2019-14900 --- CVE-2019-14900.patch | 48 ++++++++++++++++++++++++++++++++++++++++++++ hibernate.spec | 7 +++++-- 2 files changed, 53 insertions(+), 2 deletions(-) create mode 100644 CVE-2019-14900.patch diff --git a/CVE-2019-14900.patch b/CVE-2019-14900.patch new file mode 100644 index 0000000..7774125 --- /dev/null +++ b/CVE-2019-14900.patch @@ -0,0 +1,48 @@ +From 64a0cec764bfdd93c5e3d57e9fc342bcc9824ea3 Mon Sep 17 00:00:00 2001 +From: wang_yue111 <648774160@qq.com> +Date: Fri, 19 Mar 2021 11:45:31 +0800 +Subject: [PATCH] fix CVE-2019-14900 + +--- + .../expression/LiteralExpression.java | 20 +++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/hibernate-entitymanager/src/main/java/org/hibernate/jpa/criteria/expression/LiteralExpression.java b/hibernate-entitymanager/src/main/java/org/hibernate/jpa/criteria/expression/LiteralExpression.java +index ac485b4..6125363 100644 +--- a/hibernate-entitymanager/src/main/java/org/hibernate/jpa/criteria/expression/LiteralExpression.java ++++ b/hibernate-entitymanager/src/main/java/org/hibernate/jpa/criteria/expression/LiteralExpression.java +@@ -58,17 +58,25 @@ public class LiteralExpression extends ExpressionImpl implements Serializa + return ':' + parameterName; + } + ++ private String escapeLiteral(String literal) { ++ return literal.replace("'", "''"); ++ } ++ ++ private String inlineLiteral(String literal) { ++ return String.format( "\'%s\'", escapeLiteral( literal) ); ++ } ++ + @SuppressWarnings({ "unchecked" }) + public String renderProjection(RenderingContext renderingContext) { ++ if ( ValueHandlerFactory.isCharacter( literal ) ) { ++ // In case literal is a Character, pass literal.toString() as the argument. ++ return inlineLiteral( literal.toString() ); ++ } ++ + // some drivers/servers do not like parameters in the select clause + final ValueHandlerFactory.ValueHandler handler = + ValueHandlerFactory.determineAppropriateHandler( literal.getClass() ); +- if ( ValueHandlerFactory.isCharacter( literal ) ) { +- return '\'' + handler.render( literal ) + '\''; +- } +- else { +- return handler.render( literal ); +- } ++ return handler.render( literal ); + } + + @Override +-- +2.23.0 + diff --git a/hibernate.spec b/hibernate.spec index e1615e7..fbc525c 100644 --- a/hibernate.spec +++ b/hibernate.spec @@ -5,7 +5,7 @@ Name: hibernate Summary: an easy-to-use and powerful object relational persistence framework for Java applications Version: 5.0.10 -Release: 7 +Release: 8 License: LGPLv2+ and ASL 2.0 URL: http://www.hibernate.org/ @@ -34,7 +34,7 @@ Source67: Bundle-Description-Name.txt Source68: manifestFile.txt Patch0000: CVE-2020-25638.patch - +Patch0001: CVE-2019-14900.patch BuildRequires: maven-local mvn(antlr:antlr) mvn(com.experlog:xapool) mvn(com.fasterxml:classmate) BuildRequires: mvn(com.mchange:c3p0) mvn(com.zaxxer:HikariCP) mvn(dom4j:dom4j) mvn(java_cup:java_cup) BuildRequires: mvn(javax.enterprise:cdi-api) mvn(javax.validation:validation-api) mvn(junit:junit) @@ -164,6 +164,9 @@ done %doc hibernate-osgi/README.md %changelog +* Thu Mar 18 2021 wangyue 5.0.10-8 +- fix CVE-2019-14900 + * Sat Dec 12 2020 zhangtao - 5.0.10-7 - CVE-2020-25638