!34 Fix CVE-2022-4132

From: @starlet-dx 
Reviewed-by: @wk333 
Signed-off-by: @wk333

CVE-2022-4132.patch

@@ -0,0 +1,39 @@
+From bc8e2e6a37922cd15ef39e7e9c194b0dcbea8aa6 Mon Sep 17 00:00:00 2001
+From: Marco Fargetta <mfargett@redhat.com>
+Date: Thu, 25 May 2023 18:22:21 +0200
+Subject: [PATCH] Fix OoM in JSSEngineReferenceImpl object
+
+If TLS connection is terminated by the server with a `close_notify`
+tomcat will call the `closeOutbound()` method but the `closeInbound()`
+is never called so the cleanup cannot be done at the end.
+
+It is possible to test the problem with a tomcat instance. If the option
+`-H 'Connection: close'` is present only the `closeoutbound()` is called.
+---
+ .../org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java   | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/base/src/main/java/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java b/base/src/main/java/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java
+index 1f0e10b31..cdd65f7ad 100644
+--- a/base/src/main/java/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java
++++ b/base/src/main/java/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java
+@@ -1588,6 +1588,11 @@ public SSLEngineResult wrap(ByteBuffer[] srcs, int offset, int length, ByteBuffe
+         if (is_outbound_closed) {
+             debug("Socket is currently closed.");
+             handshake_status = SSLEngineResult.Status.CLOSED;
++            if(as_server) {
++                // If is_outbound_closed is true there is no need to wait
++                // for the receipt the peer's close_notify message.
++                closeInbound();
++            }
+         }
+ 
+         debug("JSSEngine.wrap() - Finished");
+@@ -1699,7 +1704,6 @@ protected void finalize() {
+         cleanup();
+     }
+ 
+-
+     private class CertValidationTask extends CertAuthHandler {
+         public CertValidationTask(SSLFDProxy fd) {
+             super(fd);

jss.spec

@@ -1,23 +1,27 @@
+%bcond_without javadoc
+
+%bcond_with tests
+
+%define java_home %{_jvmdir}/jre-17-openjdk
+
 Name:          jss
 Summary:       Java Security Services
 URL:           http://www.dogtagpki.org/wiki/JSS
 License:       MPLv1.1 or GPLv2+ or LGPLv2+
-Version:       5.1.0
+Version:       5.4.2
-Release:       1
+Release:       2
-Source:        https://github.com/dogtagpki/jss/archive/refs/tags/jss-%{version}.tar.gz
+Source0:       https://github.com/dogtagpki/jss/archive/v%{version}/%{name}-%{version}.tar.gz 
 
-BuildRequires: make cmake gcc-c++ nspr-devel >= 4.13.1 nss-devel >= 3.30 nss-tools >= 3.30 java-devel
+Patch0:        support-clang-build.patch
-BuildRequires: jpackage-utils slf4j glassfish-jaxb-api slf4j-jdk14 apache-commons-lang apache-commons-codec
+Patch1:        CVE-2022-4132.patch
-BuildRequires: junit
 
-BuildRequires: zip unzip java-11-openjdk-devel apache-commons-lang3
+BuildRequires: make cmake >= 3.14 gcc-c++ nspr-devel >= 4.13.1 nss-devel >= 3.66 nss-tools >= 3.66
+BuildRequires: jpackage-utils slf4j glassfish-jaxb-api slf4j-jdk14 apache-commons-codec junit
+BuildRequires: zip unzip java-17-openjdk-devel apache-commons-lang3
 
-Requires:      nss >= 3.30 java-headless jpackage-utils slf4j glassfish-jaxb-api
+Requires:      nss >= 3.66  jpackage-utils slf4j slf4j-jdk14 java-17-openjdk-headless apache-commons-lang3
-Requires:      slf4j-jdk14 apache-commons-lang apache-commons-codec
 
-Requires: java-11-openjdk-headless apache-commons-lang3
+Conflicts:     ldapjdk < 4.20 idm-console-framework < 1.2 tomcatjss < 7.6.0 pki-base < 10.10.0
-
-Conflicts:     ldapjdk < 4.20 idm-console-framework < 1.2 tomcatjss < 7.3.4 pki-base < 10.6.5
 
 %description
 JSS offers a implementation for java-based applications to use native NSS.
@@ -36,54 +40,66 @@ API documentation for JSS.
 %build
 
 %set_build_flags
-home_path=`ls /usr/lib/jvm | grep java-11-openjdk`
+
-[ -z "$JAVA_HOME" ] && export JAVA_HOME=%{_jvmdir}/${home_path}
+export JAVA_HOME=%{java_home}
 
 export BUILD_OPT=1
 
-export CFLAGS="-g $RPM_OPT_FLAGS"
+CFLAGS="-g $RPM_OPT_FLAGS"
+export CFLAGS
 
 modutil -dbdir /etc/pki/nssdb -chkfips true | grep -q enabled && export FIPS_ENABLED=1
 
-
 ./build.sh \
     %{?_verbose:-v} \
-    --work-dir=build \
+    --work-dir=%{_vpath_builddir} \
-    --jni-dir=%{_jnidir} \
+    --prefix-dir=%{_prefix} \
+    --include-dir=%{_includedir} \
     --lib-dir=%{_libdir} \
+    --sysconf-dir=%{_sysconfdir} \
+    --share-dir=%{_datadir} \
+    --cmake=%{__cmake} \
+    --java-home=%{java_home} \
+    --jni-dir=%{_jnidir} \
     --version=%{version} \
+    %{!?with_javadoc:--without-javadoc} \
+    %{?with_tests:--with-tests} \
     dist
 
 %install
-mkdir -p $RPM_BUILD_ROOT%{_jnidir}
+./build.sh \
-chmod 755 $RPM_BUILD_ROOT%{_jnidir}
+    %{?_verbose:-v} \
-cp build/jss.jar ${RPM_BUILD_ROOT}%{_jnidir}
+    --work-dir=%{_vpath_builddir} \
-chmod 644 ${RPM_BUILD_ROOT}%{_jnidir}/jss.jar
+    --install-dir=%{buildroot} \
-
+    install
-mkdir -p $RPM_BUILD_ROOT%{_libdir}/jss
-chmod 755 $RPM_BUILD_ROOT%{_libdir}/jss
-cp build/libjss.so ${RPM_BUILD_ROOT}%{_libdir}/jss
-chmod 755 ${RPM_BUILD_ROOT}%{_libdir}/jss/libjss.so
-
-pushd  ${RPM_BUILD_ROOT}%{_libdir}/jss
-ln -fs %{_jnidir}/jss.jar jss.jar
-popd
-
-mkdir -p $RPM_BUILD_ROOT%{_javadocdir}/jss-%{version}
-chmod 755 $RPM_BUILD_ROOT%{_javadocdir}/jss-%{version}
-cp -rp build/docs/* jss.html *.txt $RPM_BUILD_ROOT%{_javadocdir}/jss-%{version}
 
 %files
 %defattr(-,root,root,-)
-%doc jss.html MPL-1.1.txt gpl.txt lgpl.txt
+%doc jss.html 
+%license MPL-1.1.txt gpl.txt lgpl.txt symkey/LICENSE
 %{_libdir}/*
 %{_jnidir}/*
 
 %files help
 %defattr(-,root,root,-)
-%{_javadocdir}/jss-%{version}/
+%{_javadocdir}/jss/
 
 %changelog
+* Mon Feb 17 2025 yaoxin <1024769339@qq.com> - 5.4.2-2
+- Fix CVE-2022-4132
+
+* Tue Jan 09 2024 yaoxin <yao_xin001@hoperun.com> - 5.4.2-1
+- Upgrade to 5.4.2
+
+* Sat Sep 23 2023 luofeng <luofeng13@huawei.com> - 5.4.0-2
+- support clang build
+
+* Wed Apr 26 2023 xu_ping <707078654@qq.com> - 5.4.0-1
+- Upgrade to 5.4.0
+
+* Thu Feb 23 2023 lilong <lilong@kylinos.cn> - 5.3.0-1
+- Upgrade to 5.3.0
+
 * Mon Jun 06 2022 Ge Wang <wangge20@h-partners.com> - 5.1.0-1
 - Upgrade version to 5.1.0
 

support-clang-build.patch

@@ -0,0 +1,25 @@
+From fd3adeeb0a757c52c62327ace6016fb792b7a491 Mon Sep 17 00:00:00 2001
+From: luofeng <luofeng13@huawei.com>
+Date: Sat, 23 Sep 2023 17:55:57 +0800
+Subject: [PATCH] support clang build
+
+---
+ cmake/JSSConfig.cmake | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cmake/JSSConfig.cmake b/cmake/JSSConfig.cmake
+index 07b5cd6..a11289e 100644
+--- a/cmake/JSSConfig.cmake
++++ b/cmake/JSSConfig.cmake
+@@ -176,7 +176,7 @@ macro(jss_config_cflags)
+     # Handle passed-in C flags as well; assume they are valid.
+     separate_arguments(PASSED_C_FLAGS UNIX_COMMAND "${CMAKE_C_FLAGS}")
+     foreach(PASSED_C_FLAG ${PASSED_C_FLAGS})
+-        list(INSERT JSS_C_FLAGS 0 "${PASSED_C_FLAG}")
++        list(APPEND JSS_C_FLAGS "${PASSED_C_FLAG}")
+     endforeach()
+ 
+     message(STATUS "JSS C FLAGS: ${JSS_C_FLAGS}")
+-- 
+2.19.1
+