fix cves

2021-01-22 12:08:22 +08:00 · 2021-01-22 12:08:22 +08:00 · d93b36f7ab
commit d93b36f7ab
parent b2cd76eab5
5 changed files with 60 additions and 56 deletions
--- a/CVE-2020-36179-36180-36181-36182.patch
+++ b/CVE-2020-36179-36180-36181-36182.patch
@ -1,6 +1,6 @@
-From 3712a09e9ae5da3dbbaa0fbcf75114f25557171e Mon Sep 17 00:00:00 2001
+From 3d55f744ac2ce771ddf7e9da2a55b1955c035f6d Mon Sep 17 00:00:00 2001
 From: Tatu Saloranta <tatu.saloranta@iki.fi>
-Date: Thu, 21 Jan 2021 17:36:28 +0800
+Date: Fri, 22 Jan 2021 10:45:32 +0800
 Subject: [PATCH] Fixed #3004

 ---
@ -8,7 +8,7 @@ Subject: [PATCH] Fixed #3004
 1 file changed, 12 insertions(+), 6 deletions(-)

 diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-index 2fda051..787e573 100644
+index 2be6d49..db6866d 100644
 --- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
 +++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -118,9 +118,12 @@ public class SubTypeValidator
@ -37,7 +37,7 @@ index 2fda051..787e573 100644
         // [databind#2698]: weblogic w/ oracle/aq-jms
         // (note: dependency not available via Maven Central, but as part of
         // weblogic installation, possibly fairly old version(s))
-@@ -202,9 +205,10 @@ public class SubTypeValidator
+@@ -202,16 +205,18 @@ public class SubTypeValidator
         // [databind#2798]: com.pastdev.httpcomponents:
         s.add("com.pastdev.httpcomponents.configuration.JndiConfiguration");
         
@ -49,7 +49,16 @@ index 2fda051..787e573 100644
 
         // [databind#2999]: org.glassfish.web/javax.servlet.jsp.jstl (embedded Xalan)
         // (derivative of #2469)
-@@ -220,12 +224,14 @@ public class SubTypeValidator
+         s.add("com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool");
+ 
+-	// [databind#2998]: org.apache.tomcat/tomcat-dbcp (embedded dbcp 2.x)
+	// [databind#2998]/[databind#3004]: org.apache.tomcat/tomcat-dbcp (embedded dbcp 2.x)
+ 	// (derivative of #2478)
+	s.add("org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS");
+ 	s.add("org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource");
+ 	s.add("org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource");
+ 
+@@ -220,8 +225,9 @@ public class SubTypeValidator
 	s.add("com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource");
 	s.add("com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource");
 
@ -59,12 +68,6 @@ index 2fda051..787e573 100644
 +	s.add("org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS");
 	s.add("org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource");
 	s.add("org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource");
-	// [databind#2998]: org.apache.tomcat/tomcat-dbcp (embedded dbcp 2.x)
-+	// [databind#2998]/[databind#3004]: org.apache.tomcat/tomcat-dbcp (embedded dbcp 2.x)
- 	// (derivative of #2478)
-+	s.add("org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS");
- 	s.add("org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource");
- 	s.add("org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource");
 
 -- 
 2.23.0
--- a/CVE-2020-36183.patch
+++ b/CVE-2020-36183.patch
@ -0,0 +1,26 @@
+From ed90729275eb5e97357728667de9008a5c3cf9a7 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Fri, 22 Jan 2021 14:53:17 +0800
+Subject: [PATCH] Fixed #3003
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java       | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index db6866d..91ce229 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -214,6 +214,9 @@ public class SubTypeValidator
+         // (derivative of #2469)
+         s.add("com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool");
+ 
+	// [databind#3003]: another case of embedded Xalan (derivative of #2469)
+	s.add("org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool");
+
+ 	// [databind#2998]/[databind#3004]: org.apache.tomcat/tomcat-dbcp (embedded dbcp 2.x)
+ 	// (derivative of #2478)
+ 	s.add("org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS");
+-- 
+2.23.0
+
--- a/CVE-2020-36184-CVE-2020-36185.patch
+++ b/CVE-2020-36184-CVE-2020-36185.patch
@ -1,27 +1,28 @@
-From d8b91e1b94096f26443457463efeb0eb7f3477c8 Mon Sep 17 00:00:00 2001
+From 2cf1231703fa3a348ada8fa4491c96ee747bf7ed Mon Sep 17 00:00:00 2001
 From: Tatu Saloranta <tatu.saloranta@iki.fi>
-Date: Thu, 21 Jan 2021 15:36:41 +0800
+Date: Mon, 18 Jan 2021 18:30:47 +0800
 Subject: [PATCH] Fixed #2998

 ---
- .../jackson/databind/jsontype/impl/SubTypeValidator.java      | 4 ++++
- 1 file changed, 4 insertions(+)
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java     | 5 +++++
+ 1 file changed, 5 insertions(+)

 diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-index 2be6d49..2fda051 100644
+index 3e52fb7..9df94ec 100644
 --- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
 +++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-@@ -224,6 +224,10 @@ public class SubTypeValidator
- 	// (derivative of #2478)
- 	s.add("org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource");
- 	s.add("org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource");
+@@ -210,6 +210,11 @@ public class SubTypeValidator
+         // (derivative of #2469)
+         s.add("com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool");
+ 
 +	// [databind#2998]: org.apache.tomcat/tomcat-dbcp (embedded dbcp 2.x)
 +	// (derivative of #2478)
 +	s.add("org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource");
 +	s.add("org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource");
- 
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
+ 
 -- 
 2.23.0

--- a/CVE-2020-36185.patch
+++ b/CVE-2020-36185.patch
@ -1,28 +0,0 @@
-From 2cf1231703fa3a348ada8fa4491c96ee747bf7ed Mon Sep 17 00:00:00 2001
-From: Tatu Saloranta <tatu.saloranta@iki.fi>
-Date: Mon, 18 Jan 2021 18:30:47 +0800
-Subject: [PATCH] Fixed #2998
-
---
- .../jackson/databind/jsontype/impl/SubTypeValidator.java     | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-index 3e52fb7..9df94ec 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-@@ -210,6 +210,11 @@ public class SubTypeValidator
-         // (derivative of #2469)
-         s.add("com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool");
- 
-+	// [databind#2998]: org.apache.tomcat/tomcat-dbcp (embedded dbcp 2.x)
-+	// (derivative of #2478)
-+	s.add("org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource");
-+	s.add("org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource");
-+
-         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
-     }
- 
-- 
-2.23.0
-
--- a/jackson-databind.spec
+++ b/jackson-databind.spec
@ -1,6 +1,6 @@
 Name:                jackson-databind
 Version:             2.9.8
-Release:             6
+Release:             7
 Summary:             General data-binding package for Jackson (2.x)
 License:             ASL 2.0 and LGPLv2+
 URL:                 https://github.com/FasterXML/jackson-databind/
@ -40,12 +40,12 @@ Patch0031:           CVE-2020-24616.patch
 Patch0032:           CVE-2020-25649.patch
 Patch0033:           CVE-2020-35490-CVE-2020-35491.patch
 Patch0034:           CVE-2020-35728.patch
-Patch0035:           CVE-2020-36185.patch
+Patch0035:           CVE-2020-36184-CVE-2020-36185.patch
 Patch0036:           CVE-2020-36188-CVE-2020-36189.patch
 Patch0037:           CVE-2020-36187-CVE-2020-36186.patch
-Patch0038:           CVE-2020-36184-CVE-2020-36185.patch
 #The CVE-2020-36179-36180-36181-36182.patch is used to fix CVE-2020-36179 and CVE-2020-36180 and CVE-2020-36181 and CVE-2020-36182
-Patch0039:           CVE-2020-36179-36180-36181-36182.patch
+Patch0038:           CVE-2020-36179-36180-36181-36182.patch
+Patch0039:           CVE-2020-36183.patch

 BuildRequires:       maven-local mvn(com.fasterxml.jackson.core:jackson-annotations) >= %{version}
 BuildRequires:       mvn(com.fasterxml.jackson.core:jackson-core) >= %{version}
@ -98,10 +98,12 @@ rm src/test/java/com/fasterxml/jackson/databind/ser/jdk/JDKTypeSerializationTest
 %license LICENSE NOTICE

 %changelog
+* Fri Jan 22 2021 wangyue <wangyue92@huawei.com> - 2.9.8-7
+- fix CVE-2020-36179 CVE-2020-36180 CVE-2020-36181
+  CVE-2020-36182 CVE-2020-36183 CVE-2020-36184
+
 * Thu Jan 21 2021 wangyue <wangyue92@huawei.com> - 2.9.8-6
- fix CVE-2020-36185 CVE-2020-36188 CVE-2020-36189 CVE-2020-36187
-  CVE-2020-36186 CVE-2020-36184 CVE-2020-36185 CVE-2020-36179
-  CVE-2020-36180 CVE-2020-36181 CVE-2020-36182
+- fix CVE-2020-36188 CVE-2020-36189 CVE-2020-36187 CVE-2020-36186

 * Mon Jan 18 2021 wangyue <wangyue92@huaweo.com> - 2.9.8-5
 - fix CVE-2020-36185