Fix CVE-2022-41853

2023-12-07 10:51:14 +08:00 · 2023-12-07 10:51:14 +08:00 · a1e65a8368
commit a1e65a8368
parent 78c68cf02c
2 changed files with 68 additions and 4 deletions
--- a/CVE-2022-41853.patch
+++ b/CVE-2022-41853.patch
@ -0,0 +1,61 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 7 Dec 2022 13:00:46 +0100
+Subject: CVE-2022-41853
+
+Bug-Debian: https://bugs.debian.org/1023573
+Origin: https://sourceforge.net/p/hsqldb/svn/6614/
+---
+ src/org/hsqldb/persist/HsqlDatabaseProperties.java | 18 +++++++-----------
+ 1 file changed, 7 insertions(+), 11 deletions(-)
+
+diff --git a/src/org/hsqldb/persist/HsqlDatabaseProperties.java b/src/org/hsqldb/persist/HsqlDatabaseProperties.java
+index bc03e82..bee0ea6 100644
+--- a/src/org/hsqldb/persist/HsqlDatabaseProperties.java
+++ b/src/org/hsqldb/persist/HsqlDatabaseProperties.java
+@@ -51,28 +51,28 @@ import org.hsqldb.lib.StringUtil;
+  */
+ public class HsqlDatabaseProperties extends HsqlProperties {
+ 
+-    private static final String hsqldb_method_class_names =
+    public static final String hsqldb_method_class_names =
+         "hsqldb.method_class_names";
+     public static final String textdb_allow_full_path =
+         "textdb.allow_full_path";
+-    private static HashSet accessibleJavaMethodNames;
+    public static String methodClassNames;
+    private static final HashSet accessibleJavaMethodNames = new HashSet();
+     private static boolean allowFullPath;
+ 
+     static {
+         try {
+-            String prop = System.getProperty(hsqldb_method_class_names);
+            methodClassNames = System.getProperty(hsqldb_method_class_names);
+ 
+-            if (prop != null) {
+-                accessibleJavaMethodNames = new HashSet();
+            if (methodClassNames != null) {
+ 
+-                String[] names = StringUtil.split(prop, ";");
+                String[] names = StringUtil.split(methodClassNames, ";");
+ 
+                 for (int i = 0; i < names.length; i++) {
+                     accessibleJavaMethodNames.add(names[i]);
+                 }
+             }
+ 
+-            prop = System.getProperty(textdb_allow_full_path);
+            String prop = System.getProperty(textdb_allow_full_path);
+ 
+             if (prop != null) {
+                 if (Boolean.valueOf(prop)) {
+@@ -97,10 +97,6 @@ public class HsqlDatabaseProperties extends HsqlProperties {
+      */
+     public static boolean supportsJavaMethod(String name) {
+ 
+-        if (accessibleJavaMethodNames == null) {
+-            return true;
+-        }
+-
+         if (name.startsWith("java.lang.Math.")) {
+             return true;
+         }
--- a/hsqldb.spec
+++ b/hsqldb.spec
@ -1,6 +1,6 @@
 Name:                hsqldb
 Version:             2.4.0
-Release:             4
+Release:             5
 Epoch:               1
 Summary:             HyperSQL Database Engine
 License:             BSD-3-Clause
@ -17,6 +17,8 @@ Source8:             %{name}-post
 Source9:             %{name}-stop
 Patch0:              0001-Fix-javadoc-build.patch
 Patch1:              0002-Build-cmdline-classes.patch
+# https://sourceforge.net/p/hsqldb/svn/6614/
+Patch2:              CVE-2022-41853.patch

 BuildRequires:       ant javapackages-local systemd-units glassfish-servlet-api
 Requires:            %{name}-lib = %{epoch}:%{version}-%{release} glassfish-servlet-api
@ -70,9 +72,7 @@ Requires:            %{name} = %{epoch}:%{version}-%{release}
 Demonstrations and samples for %{name}.

 %prep
-%setup -q -n %{name}-%{version}
-%patch0 -p1
-%patch1 -p1
+%autosetup -n %{name}-%{version} -p1
 find . -name "*.sh" -exec chmod 755 \{\} \;
 for dir in `find . -name _notes`; do rm -rf $dir; done
 find . -name "*.jar" -exec rm -f {} \;
@ -160,6 +160,9 @@ popd
 %files demo

 %changelog
+* Thu Dec 07 2023 yaoxin <yao_xin001@hoperun.com> - 1:2.4.0-5
+- Fix CVE-2022-41853
+
 * Tue May 10 2022 liyanan <liyanan32@h-partners.com> - 2.4.0-4
 - License compliance rectification