!3 fix CVE-2019-10172

From: @starlet-dx
Reviewed-by: @wangchong1995924
Signed-off-by: @wangchong1995924
This commit is contained in:
openeuler-ci-bot 2021-09-13 07:32:10 +00:00 committed by Gitee
commit faad8d6f61
3 changed files with 93 additions and 1 deletions

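--- a/CVE-2019-10172-1.patch
+++ b/CVE-2019-10172-1.patch
@@ -0,0 +1,48 @@
+From 54c6bc36aa57741ea669ad110ce28acaa1600864 Mon Sep 17 00:00:00 2001
+From: PJ Fanning <pj.fanning@workday.com>
+Date: Fri, 1 Jul 2016 01:49:46 +0100
+Subject: [PATCH] Set Secure Processing flag on DocumentBuilderFactory
+---
+.../java/org/codehaus/jackson/map/ext/DOMDeserializer.java | 7 +++++++
+.../codehaus/jackson/xc/DomElementJsonDeserializer.java | 1 +
+2 files changed, 8 insertions(+)
+diff --git a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
+index 50e6016c2..3a486b9e4 100644
+--- a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
++++ b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
+@@ -2,7 +2,9 @@
+import java.io.StringReader;
++import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilderFactory;
++import javax.xml.parsers.ParserConfigurationException;
+import org.codehaus.jackson.map.DeserializationContext;
+import org.codehaus.jackson.map.deser.std.FromStringDeserializer;
+@@ -22,6 +24,11 @@
+_parserFactory = DocumentBuilderFactory.newInstance();
+// yup, only cave men do XML without recognizing namespaces...
+_parserFactory.setNamespaceAware(true);
++ try {
++ _parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
++ } catch(ParserConfigurationException pce) {
++ System.err.println("[DOMDeserializer] Problem setting SECURE_PROCESSING_FEATURE: " + pce.toString());
++ }
+}
+protected DOMDeserializer(Class<T> cls) { super(cls); }
+diff --git a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
+index cf9c073d9..ccd631aa3 100644
+--- a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
++++ b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
+@@ -30,6 +30,7 @@ public DomElementJsonDeserializer()
+try {
+DocumentBuilderFactory bf = DocumentBuilderFactory.newInstance();
+bf.setNamespaceAware(true);
++ bf.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
+builder = bf.newDocumentBuilder();
+} catch (ParserConfigurationException e) {
+throw new RuntimeException();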
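Review bot: Enabling FEATURE_SECURE_PROCESSING in the DOMDeserializer constructor and in DomElementJsonDeserializer does not, as far as this hunk shows, stop the parser from resolving external general and parameter entities, which is the XXE vector CVE-2019-10172 is about; on the JDK's bundled Xerces that flag chiefly bounds entity-expansion limits, and which JAXP implementation is on the classpath here is not visible. The factory should additionally refuse DOCTYPE or disable the two entity features, e.g. `_parserFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);`, `_parserFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` and `_parserFactory.setXIncludeAware(false);`, with the same three calls on `bf` in the second file. The catch in DOMDeserializer prints to System.err and continues, so a JAXP implementation that rejects the feature leaves an unhardened factory silently in use; failing the constructor instead, as DomElementJsonDeserializer already does by throwing, keeps the deserializer fail-closed. The DomElementJsonDeserializer constructor continues past the end of the hunk.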

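--- a/CVE-2019-10172-2.patch
+++ b/CVE-2019-10172-2.patch
@@ -0,0 +1,39 @@
+From 2361ec46b5fbf940bafe8247e421e64f9cb7f7b1 Mon Sep 17 00:00:00 2001
+From: PJ Fanning <pj.fanning@workday.com>
+Date: Fri, 1 Jul 2016 22:57:06 +0100
+Subject: [PATCH] setExpandEntityReferences(false)
+---
+.../java/org/codehaus/jackson/map/ext/DOMDeserializer.java | 1 +
+.../org/codehaus/jackson/xc/DomElementJsonDeserializer.java | 3 ++-
+2 files changed, 3 insertions(+), 1 deletion(-)
+diff --git a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
+index 3a486b9e4..97f76af97 100644
+--- a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
++++ b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
+@@ -24,6 +24,7 @@
+_parserFactory = DocumentBuilderFactory.newInstance();
+// yup, only cave men do XML without recognizing namespaces...
+_parserFactory.setNamespaceAware(true);
++ _parserFactory.setExpandEntityReferences(false);
+try {
+_parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+} catch(ParserConfigurationException pce) {
+diff --git a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
+index ccd631aa3..8b1de578a 100644
+--- a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
++++ b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
+@@ -30,10 +30,11 @@ public DomElementJsonDeserializer()
+try {
+DocumentBuilderFactory bf = DocumentBuilderFactory.newInstance();
+bf.setNamespaceAware(true);
++ bf.setExpandEntityReferences(false);
+bf.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
+builder = bf.newDocumentBuilder();
+} catch (ParserConfigurationException e) {
+- throw new RuntimeException();
++ throw new RuntimeException("Problem creating DocumentBuilder: " + e.toString());
+}
+}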
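Review bot: `setExpandEntityReferences(false)`, added to both constructors, only changes how entity references are represented in the resulting DOM; with Xerces-derived parsers the external entity is, to my understanding, still fetched so that the entity-reference node can be populated, so this patch may not close the out-of-band retrieval that CVE-2019-10172 describes — worth confirming against the JAXP implementation actually shipped with this package. The defensible fix is to refuse DOCTYPE altogether, `bf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` (and the same on `_parserFactory`), or, where DOCTYPE must be accepted, to set the external-general-entities and external-parameter-entities features to false. Separately, the rethrow in DomElementJsonDeserializer now carries a message but still drops the cause; `throw new RuntimeException("Problem creating DocumentBuilder: " + e.toString(), e);` preserves the ParserConfigurationException's stack trace for whoever has to diagnose a misconfigured parser.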


@ -1,6 +1,6 @@
Name: jackson
Version: 1.9.11
Release: 16
Release: 17
Summary: Jackson Java JSON-processor
License: ASL2.0 and LGPLv2
URL: https://github.com/codehaus/jackson
@ -9,6 +9,8 @@ Patch0001: jackson-build-plain-jars-instead-of-osgi-bundles.patch
Patch0002: jackson-dont-require-repackaged-asm.patch
Patch0003: jackson-1.9.11-to-1.9.13.patch
Patch0004: jackson-1.9.11-javadoc.patch
Patch0005: CVE-2019-10172-1.patch
Patch0006: CVE-2019-10172-2.patch
BuildArch: noarch
Requires: joda-time >= 1.6.2 stax2-api >= 3.1.1 jsr-311 >= 1.1.1 objectweb-asm3 >= 3.3
BuildRequires: javapackages-local ant >= 1.8.2 joda-time >= 1.6.2 stax2-api >= 3.1.1
@ -69,6 +71,9 @@ ant dist
%doc README.txt
%changelog
* Mon Sep 13 2021 yaoxin <yaoxin30@huawei.com> - 1.9.11-17
- Fix CVE-2019-10172
* Thu Feb 4 2021 wutao <wutao61@huawei.com> - 1.9.11-16
- drop groovy18 dependency