diff --git a/CVE-2021-26291.patch b/CVE-2021-26291.patch
new file mode 100644
index 0000000..769c3d6
--- /dev/null
+++ b/CVE-2021-26291.patch
@@ -0,0 +1,243 @@
+From 046a11e967e31e1be83b72625d40193e9728699a Mon Sep 17 00:00:00 2001
+From: hboutemy@apache.org
+Date: Sat, 13 Mar 2021 18:40:48 +0100
+Subject: [PATCH] [MNG-7116] add support for mirrorOf external:http:*
+ [PATCH] [MNG-7117] add support for blocked mirror
+ [PATCH] [MNG-7118] block HTTP repositories by default
+
+---
+ .../repository/DefaultMirrorSelector.java | 49 +++++++++++++++++--
+ .../maven/bridge/MavenRepositorySystem.java | 48 ++++++++++++++++--
+ ...DefaultRepositorySystemSessionFactory.java | 4 +-
+ maven-settings/pom.xml | 2 +-
+ maven-settings/src/main/mdo/settings.mdo | 17 ++++++-
+ 5 files changed, 106 insertions(+), 14 deletions(-)
+
+diff --git a/maven-compat/src/main/java/org/apache/maven/repository/DefaultMirrorSelector.java b/maven-compat/src/main/java/org/apache/maven/repository/DefaultMirrorSelector.java
+index 6fa2c55..9ad4f47 100644
+--- a/maven-compat/src/main/java/org/apache/maven/repository/DefaultMirrorSelector.java
++++ b/maven-compat/src/main/java/org/apache/maven/repository/DefaultMirrorSelector.java
+@@ -41,6 +41,8 @@ public class DefaultMirrorSelector
+ 
+ private static final String EXTERNAL_WILDCARD = "external:*";
+ 
++ private static final String EXTERNAL_HTTP_WILDCARD = "external:http:*";
++
+ public Mirror getMirror( ArtifactRepository repository, List mirrors )
+ {
+ String repoId = repository.getId();
+@@ -68,9 +70,14 @@ public class DefaultMirrorSelector
+ }
+ 
+ /**
+- * This method checks if the pattern matches the originalRepository. Valid patterns: * =
+- * everything external:* = everything not on the localhost and not file based. repo,repo1 = repo
+- * or repo1 *,!repo1 = everything except repo1
++ * This method checks if the pattern matches the originalRepository. Valid patterns:
++ *
+ *
+ * @param originalRepository to compare for a match.
+ * @param pattern used for match. Currently only '*' is supported.
+@@ -115,6 +122,12 @@ public class DefaultMirrorSelector
+ result = true;
+ // don't stop processing in case a future segment explicitly excludes this repo
+ }
++ // check for external:http:*
++ else if ( EXTERNAL_HTTP_WILDCARD.equals( repo ) && isExternalHttpRepo( originalRepository ) )
++ {
++ result = true;
++ // don't stop processing in case a future segment explicitly excludes this repo
++ }
+ else if ( WILDCARD.equals( repo ) )
+ {
+ result = true;
+@@ -136,9 +149,35 @@ public class DefaultMirrorSelector
+ try
+ {
+ URL url = new URL( originalRepository.getUrl() );
+- return !( url.getHost().equals( "localhost" ) || url.getHost().equals( "127.0.0.1" )
+- || url.getProtocol().equals( "file" ) );
++ return !( isLocal( url.getHost() ) || url.getProtocol().equals( "file" ) );
+ }
++ catch ( MalformedURLException e )
++ {
++ // bad url just skip it here. It should have been validated already, but the wagon lookup will deal with it
++ return false;
++ }
++ }
++
++ private static boolean isLocal( String host )
++ {
++ return "localhost".equals( host ) || "127.0.0.1".equals( host );
++ }
++
++ /**
++ * Checks the URL to see if this repository refers to a non-localhost repository using HTTP.
++ *
++ * @param originalRepository
++ * @return true if external.
++ */
++ static boolean isExternalHttpRepo( ArtifactRepository originalRepository )
++ {
++ try
++ {
++ URL url = new URL( originalRepository.getUrl() );
++ return ( "http".equalsIgnoreCase( url.getProtocol() ) || "dav".equalsIgnoreCase( url.getProtocol() )
++ || "dav:http".equalsIgnoreCase( url.getProtocol() )
++ || "dav+http".equalsIgnoreCase( url.getProtocol() ) ) && !isLocal( url.getHost() );
++ }
+ catch ( MalformedURLException e )
+ {
+ // bad url just skip it here.
It should have been validated already, but the wagon lookup will deal with it
+diff --git a/maven-core/src/main/java/org/apache/maven/bridge/MavenRepositorySystem.java b/maven-core/src/main/java/org/apache/maven/bridge/MavenRepositorySystem.java
+index 84ad93c..1b1c1d5 100644
+--- a/maven-core/src/main/java/org/apache/maven/bridge/MavenRepositorySystem.java
++++ b/maven-core/src/main/java/org/apache/maven/bridge/MavenRepositorySystem.java
+@@ -622,6 +622,8 @@ public class MavenRepositorySystem
+ 
+ private static final String EXTERNAL_WILDCARD = "external:*";
+ 
++ private static final String EXTERNAL_HTTP_WILDCARD = "external:http:*";
++
+ public static Mirror getMirror( ArtifactRepository repository, List mirrors )
+ {
+ String repoId = repository.getId();
+@@ -649,8 +651,14 @@ public class MavenRepositorySystem
+ }
+ 
+ /**
+- * This method checks if the pattern matches the originalRepository. Valid patterns: * = everything external:* =
+- * everything not on the localhost and not file based. repo,repo1 = repo or repo1 *,!repo1 = everything except repo1
++ * This method checks if the pattern matches the originalRepository. Valid patterns:
++ *
+ *
+ * @param originalRepository to compare for a match.
+ * @param pattern used for match. Currently only '*' is supported.
+@@ -694,6 +702,12 @@ public class MavenRepositorySystem
+ result = true;
+ // don't stop processing in case a future segment explicitly excludes this repo
+ }
++ // check for external:http:*
++ else if ( EXTERNAL_HTTP_WILDCARD.equals( repo ) && isExternalHttpRepo( originalRepository ) )
++ {
++ result = true;
++ // don't stop processing in case a future segment explicitly excludes this repo
++ }
+ else if ( WILDCARD.equals( repo ) )
+ {
+ result = true;
+@@ -715,8 +729,34 @@ public class MavenRepositorySystem
+ try
+ {
+ URL url = new URL( originalRepository.getUrl() );
+- return !( url.getHost().equals( "localhost" ) || url.getHost().equals( "127.0.0.1" )
+- || url.getProtocol().equals( "file" ) );
++ return !( isLocal( url.getHost() ) || url.getProtocol().equals( "file" ) );
++ }
++ catch ( MalformedURLException e )
++ {
++ // bad url just skip it here. It should have been validated already, but the wagon lookup will deal with it
++ return false;
++ }
++ }
++
++ private static boolean isLocal( String host )
++ {
++ return "localhost".equals( host ) || "127.0.0.1".equals( host );
++ }
++
++ /**
++ * Checks the URL to see if this repository refers to a non-localhost repository using HTTP.
++ *
++ * @param originalRepository
++ * @return true if external.
++ */
++ static boolean isExternalHttpRepo( ArtifactRepository originalRepository )
++ {
++ try
++ {
++ URL url = new URL( originalRepository.getUrl() );
++ return ( "http".equalsIgnoreCase( url.getProtocol() ) || "dav".equalsIgnoreCase( url.getProtocol() )
++ || "dav:http".equalsIgnoreCase( url.getProtocol() )
++ || "dav+http".equalsIgnoreCase( url.getProtocol() ) ) && !isLocal( url.getHost() );
+ }
+ catch ( MalformedURLException e )
+ {
+diff --git a/maven-core/src/main/java/org/apache/maven/internal/aether/DefaultRepositorySystemSessionFactory.java b/maven-core/src/main/java/org/apache/maven/internal/aether/DefaultRepositorySystemSessionFactory.java
+index 248a3b6..f262ad2 100644
+--- a/maven-core/src/main/java/org/apache/maven/internal/aether/DefaultRepositorySystemSessionFactory.java
++++ b/maven-core/src/main/java/org/apache/maven/internal/aether/DefaultRepositorySystemSessionFactory.java
+@@ -177,8 +177,8 @@ public class DefaultRepositorySystemSessionFactory
+ DefaultMirrorSelector mirrorSelector = new DefaultMirrorSelector();
+ for ( Mirror mirror : request.getMirrors() )
+ {
+- mirrorSelector.add( mirror.getId(), mirror.getUrl(), mirror.getLayout(), false, mirror.getMirrorOf(),
+- mirror.getMirrorOfLayouts() );
++ mirrorSelector.add( mirror.getId(), mirror.getUrl(), mirror.getLayout(), false, mirror.isBlocked(),
++ mirror.getMirrorOf(), mirror.getMirrorOfLayouts() );
+ }
+ session.setMirrorSelector( mirrorSelector );
+ 
+diff --git a/maven-settings/pom.xml b/maven-settings/pom.xml
+index c16e823..3242832 100644
+--- a/maven-settings/pom.xml
++++ b/maven-settings/pom.xml
+@@ -46,7 +46,7 @@ under the License.
+ org.codehaus.modello
+ modello-maven-plugin
+ 
+- 1.1.0
++ 1.2.0
+ 
+ src/main/mdo/settings.mdo
+ 
+diff --git a/maven-settings/src/main/mdo/settings.mdo b/maven-settings/src/main/mdo/settings.mdo
+index 7547a9c..ca88c3b 100644
+--- a/maven-settings/src/main/mdo/settings.mdo
++++ b/maven-settings/src/main/mdo/settings.mdo
+@@ -632,7 +632,16 @@
+ The layouts of repositories being mirrored. This value can be used to restrict the usage
+ of the mirror to repositories with a matching layout (apart from a matching id). Since Maven 3.
+ 
+-
++
++ blocked
++ 1.2.0+
++ boolean
++ false
++
++ Whether this mirror should be blocked from any download request but fail the download process, explaining why.
++
++
+ 
+ 
+ 
+@@ -647,7 +656,11 @@
+ sb.append( "id=" ).append( this.getId() );
+ sb.append( ",mirrorOf=" ).append( mirrorOf );
+ sb.append( ",url=" ).append( this.url );
+- sb.append( ",name=" ).append( this.name );
++ sb.append( ",name=" ).append( this.name );
++ if ( isBlocked() )
++ {
++ sb.append( ",blocked" );
++ }
+ sb.append( "]" );
+ return sb.toString();
+ }
+-- 
+2.23.0
+
diff --git a/maven.spec b/maven.spec
index 59f9b4d..782929c 100644
--- a/maven.spec
+++ b/maven.spec
@@ -5,7 +5,7 @@
 Name: maven
 Epoch: 1
 Version: 3.5.4
-Release: 8
+Release: 9
 Summary: Java project management and project comprehension tool
 License: ASL 2.0 and MIT
 URL: http://maven.apache.org/
@@ -14,6 +14,7 @@ Source1: maven-bash-completion
 Source2: mvn.1
 Patch1: 0001-Adapt-mvn-script.patch
 Patch2: 0002-Invoke-logback-via-reflection.patch
+Patch3: CVE-2021-26291.patch
 BuildRequires: maven-local mvn(com.google.guava:guava:20.0)
 BuildRequires: mvn(com.google.inject:guice::no_aop:) mvn(commons-cli:commons-cli)
 BuildRequires: mvn(commons-jxpath:commons-jxpath) mvn(javax.annotation:jsr250-api)
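Review bot: The embedded patch's subject promises MNG-7118 "block HTTP repositories by default", but its own diffstat lists only the two mirror selectors, `DefaultRepositorySystemSessionFactory`, `maven-settings/pom.xml` and `settings.mdo` — nothing touches the default `settings.xml` shipped with the distribution — so no hunk on the new side actually installs a blocking mirror, and plain-HTTP repositories stay reachable unless a user adds a mirror with `mirrorOf` set to `external:http:*` and `blocked` set to true themselves. Either carry upstream's default blocker entry for the packaged settings as well, or make the changelog say that only the mirror-blocking mechanism is backported. Separately, the new `isLocal` helper added identically in `DefaultMirrorSelector` and `MavenRepositorySystem` recognises only `localhost` and `127.0.0.1`, so a repository on the IPv6 loopback such as `http://[::1]/` is classified as external by `isExternalHttpRepo` and would be blocked by such a mirror; extending it to `return "localhost".equals( host ) || "127.0.0.1".equals( host ) || "[::1]".equals( host );` (java.net.URL keeps the brackets in `getHost()`) closes that gap in both copies. The `dav`/`dav:http`/`dav+http` branches of `isExternalHttpRepo` look unreachable to me, because `new URL(...)` on those schemes should throw `MalformedURLException` before the comparison runs — worth confirming rather than relying on them.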
@@ -88,6 +89,7 @@ Summary: API documentation for %{name}
 %prep
 %setup -q -n apache-%{name}-%{version}
 %patch1 -p1
+%patch3 -p1
 find -name '*.jar' -not -path '*/test/*' -delete
 find -name '*.class' -delete
 find -name '*.bat' -delete
@@ -175,6 +177,9 @@ update-alternatives --install %{_bindir}/mvn mvn %{homedir}/bin/mvn %{?maven_alt
 %license LICENSE NOTICE
 %changelog
+* Fri 16 Jul 2021 wutao - 1:3.5.4-9
+- fix CVE-2021-26291
+
 * Thu 15 Oct 2020 lingsheng - 1:3.5.4-8
 - Change require to java-1.8.0-devel
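Review bot: `%patch3 -p1` pulls in two build-time requirements that the BuildRequires visible in this diff do not declare: the patch raises modello-maven-plugin from 1.1.0 to 1.2.0 in `maven-settings/pom.xml` (needed for the new `version` range `1.2.0+` on the `blocked` field), and its `DefaultRepositorySystemSessionFactory` hunk calls the seven-argument `mirrorSelector.add( ..., false, mirror.isBlocked(), mirror.getMirrorOf(), mirror.getMirrorOfLayouts() )`, an overload that as far as I know only newer maven-resolver releases provide. If the build root still resolves the resolver and modello versions that 3.5.4 originally built against, `%build` will fail either at compilation or at model generation, so confirm both are available or add matching `mvn(...)` BuildRequires lines in the hunk at `@@ -14,6 +14,7 @@`. The `Patch2` declaration that is still never applied in `%prep` predates this change and is left as is.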