From 3317f7066494eceb0a3e5f00071ba7378293407e Mon Sep 17 00:00:00 2001 From: wk333 <13474090681@163.com> Date: Mon, 3 Jul 2023 16:31:17 +0800 Subject: [PATCH] Fix CVE-2023-34455 and CVE-2023-34454 --- CVE-2023-34454.patch | 205 +++++++++++++++++++++++++++++++++++++++++++ CVE-2023-34455.patch | 122 +++++++++++++++++++++++++ snappy-java.spec | 9 +- 3 files changed, 335 insertions(+), 1 deletion(-) create mode 100644 CVE-2023-34454.patch create mode 100644 CVE-2023-34455.patch diff --git a/CVE-2023-34454.patch b/CVE-2023-34454.patch new file mode 100644 index 0000000..13b19d4 --- /dev/null +++ b/CVE-2023-34454.patch @@ -0,0 +1,205 @@ +From d0042551e4a3509a725038eb9b2ad1f683674d94 Mon Sep 17 00:00:00 2001 +From: aidanchiu1112 <108113174+aidanchiu1112@users.noreply.github.com> +Date: Wed, 14 Jun 2023 11:06:30 -0700 +Subject: [PATCH] Merge pull request from GHSA-fjpj-2g6w-x25r + +* Fixed integer overflow by checking if bytesize is bigger than input length, then throwing exception + +* Fixed integer overflow by checking if bytesize is bigger than input length, then throwing exception + +* Fixed integer overflow by checking if bytesize is bigger than input length, then throwing exception + +* improved error messages by adding new error enum INPUT_TOO_LARGE in SnappyErrorCode.java, and added happy and sad cases in SnappyTest.java + +* fixed mispelling: validArrayInputLength --> isInvalidArrayInputLength + +* switched SnappyError into ILLEGAL_ARGUMENT in SnappyErrorCode.java and Snappy.java and fixed a typo in error comment + +* Fix buffer size boundary tests + +* Remove negative array size tests + +* updated comments for unit test + +Origin: https://github.com/xerial/snappy-java/commit/d0042551e4a3509a725038eb9b2ad1f683674d94 + +--- + src/main/java/org/xerial/snappy/Snappy.java | 36 ++++++++-- + .../org/xerial/snappy/SnappyErrorCode.java | 4 +- + .../java/org/xerial/snappy/SnappyTest.java | 65 +++++++++++++++++++ + 3 files changed, 98 insertions(+), 7 deletions(-) + +diff --git a/src/main/java/org/xerial/snappy/Snappy.java b/src/main/java/org/xerial/snappy/Snappy.java +index dc81f7c..762be59 100755 +--- a/src/main/java/org/xerial/snappy/Snappy.java ++++ b/src/main/java/org/xerial/snappy/Snappy.java +@@ -163,7 +163,11 @@ public class Snappy + public static byte[] compress(char[] input) + throws IOException + { +- return rawCompress(input, input.length * 2); // char uses 2 bytes ++ int byteSize = input.length * 2; ++ if (byteSize < input.length) { ++ throw new SnappyError(SnappyErrorCode.TOO_LARGE_INPUT, "input array size is too large: " + input.length); ++ } ++ return rawCompress(input, byteSize); // char uses 2 bytes + } + + /** +@@ -175,7 +179,11 @@ public class Snappy + public static byte[] compress(double[] input) + throws IOException + { +- return rawCompress(input, input.length * 8); // double uses 8 bytes ++ int byteSize = input.length * 8; ++ if (byteSize < input.length) { ++ throw new SnappyError(SnappyErrorCode.TOO_LARGE_INPUT, "input array size is too large: " + input.length); ++ } ++ return rawCompress(input, byteSize); // double uses 8 bytes + } + + /** +@@ -187,7 +195,11 @@ public class Snappy + public static byte[] compress(float[] input) + throws IOException + { +- return rawCompress(input, input.length * 4); // float uses 4 bytes ++ int byteSize = input.length * 4; ++ if (byteSize < input.length) { ++ throw new SnappyError(SnappyErrorCode.TOO_LARGE_INPUT, "input array size is too large: " + input.length); ++ } ++ return rawCompress(input, byteSize); // float uses 4 bytes + } + + /** +@@ -199,7 +211,11 @@ public class Snappy + public static byte[] compress(int[] input) + throws IOException + { +- return rawCompress(input, input.length * 4); // int uses 4 bytes ++ int byteSize = input.length * 4; ++ if (byteSize < input.length) { ++ throw new SnappyError(SnappyErrorCode.TOO_LARGE_INPUT, "input array size is too large: " + input.length); ++ } ++ return rawCompress(input, byteSize); // int uses 4 bytes + } + + /** +@@ -211,7 +227,11 @@ public class Snappy + public static byte[] compress(long[] input) + throws IOException + { +- return rawCompress(input, input.length * 8); // long uses 8 bytes ++ int byteSize = input.length * 8; ++ if (byteSize < input.length) { ++ throw new SnappyError(SnappyErrorCode.TOO_LARGE_INPUT, "input array size is too large: " + input.length); ++ } ++ return rawCompress(input, byteSize); // long uses 8 bytes + } + + /** +@@ -223,7 +243,11 @@ public class Snappy + public static byte[] compress(short[] input) + throws IOException + { +- return rawCompress(input, input.length * 2); // short uses 2 bytes ++ int byteSize = input.length * 2; ++ if (byteSize < input.length) { ++ throw new SnappyError(SnappyErrorCode.TOO_LARGE_INPUT, "input array size is too large: " + input.length); ++ } ++ return rawCompress(input, byteSize); // short uses 2 bytes + } + + /** +diff --git a/src/main/java/org/xerial/snappy/SnappyErrorCode.java b/src/main/java/org/xerial/snappy/SnappyErrorCode.java +index 4325b02..661ffd8 100755 +--- a/src/main/java/org/xerial/snappy/SnappyErrorCode.java ++++ b/src/main/java/org/xerial/snappy/SnappyErrorCode.java +@@ -41,7 +41,9 @@ public enum SnappyErrorCode + FAILED_TO_UNCOMPRESS(5), + EMPTY_INPUT(6), + INCOMPATIBLE_VERSION(7), +- INVALID_CHUNK_SIZE(8); ++ INVALID_CHUNK_SIZE(8), ++ UNSUPPORTED_PLATFORM(9), ++ TOO_LARGE_INPUT(10); + + public final int id; + +diff --git a/src/test/java/org/xerial/snappy/SnappyTest.java b/src/test/java/org/xerial/snappy/SnappyTest.java +index 730dae9..4a863e0 100755 +--- a/src/test/java/org/xerial/snappy/SnappyTest.java ++++ b/src/test/java/org/xerial/snappy/SnappyTest.java +@@ -376,4 +376,69 @@ public class SnappyTest + // But OutOfMemoryError will not be caught, and will still be thrown + } + } ++ ++ /* ++ Tests happy cases for BitShuffle.shuffle method ++ - double: 0, 10 ++ - float: 0, 10 ++ - int: 0, 10 ++ - long: 0, 10 ++ - short: 0, 10 ++ */ ++ @Test ++ public void isValidArrayInputLength() ++ throws Exception { ++ byte[] a = Snappy.compress(new char[0]); ++ byte[] b = Snappy.compress(new double[0]); ++ byte[] c = Snappy.compress(new float[0]); ++ byte[] d = Snappy.compress(new int[0]); ++ byte[] e = Snappy.compress(new long[0]); ++ byte[] f = Snappy.compress(new short[0]); ++ byte[] g = Snappy.compress(new char[10]); ++ byte[] h = Snappy.compress(new double[10]); ++ byte[] i = Snappy.compress(new float[10]); ++ byte[] j = Snappy.compress(new int[10]); ++ byte[] k = Snappy.compress(new long[10]); ++ byte[] l = Snappy.compress(new short[10]); ++ } ++ ++ /* ++ Tests sad cases for Snappy.compress ++ - Allocate a buffer whose byte size will be a bit larger than Integer.MAX_VALUE ++ - char ++ - double ++ - float ++ - int ++ - long ++ - short ++ */ ++ @Test(expected = SnappyError.class) ++ public void isTooLargeDoubleArrayInputLength() throws Exception { ++ Snappy.compress(new double[Integer.MAX_VALUE / 8 + 1]); ++ } ++ ++ @Test(expected = SnappyError.class) ++ public void isTooLargeCharArrayInputLength() throws Exception { ++ Snappy.compress(new char[Integer.MAX_VALUE / 2 + 1]); ++ } ++ ++ @Test(expected = SnappyError.class) ++ public void isTooLargeFloatArrayInputLength() throws Exception { ++ Snappy.compress(new float[Integer.MAX_VALUE / 4 + 1]); ++ } ++ ++ @Test(expected = SnappyError.class) ++ public void isTooLargeIntArrayInputLength() throws Exception { ++ Snappy.compress(new int[Integer.MAX_VALUE / 4 + 1]); ++ } ++ ++ @Test(expected = SnappyError.class) ++ public void isTooLargeLongArrayInputLength() throws Exception { ++ Snappy.compress(new long[Integer.MAX_VALUE / 8 + 1]); ++ } ++ ++ @Test(expected = SnappyError.class) ++ public void isTooLargeShortArrayInputLength() throws Exception { ++ Snappy.compress(new short[Integer.MAX_VALUE / 2 + 1]); ++ } + } +-- +2.33.0 + diff --git a/CVE-2023-34455.patch b/CVE-2023-34455.patch new file mode 100644 index 0000000..c0fd57a --- /dev/null +++ b/CVE-2023-34455.patch @@ -0,0 +1,122 @@ +From 3bf67857fcf70d9eea56eed4af7c925671e8eaea Mon Sep 17 00:00:00 2001 +From: aidanchiu1112 <108113174+aidanchiu1112@users.noreply.github.com> +Date: Wed, 14 Jun 2023 10:49:52 -0700 +Subject: [PATCH] Merge pull request from GHSA-qcwq-55hx-v3vh + +* asserted chunksize should be in the bounds of 0-java.outofmmeoryexception + +* asserted chunksize should be in the bounds of 0-java.outofmmeoryexception + +* https://github.com/xerial/snappy-java-ghsa-qcwq-55hx-v3vh/pull/2 + +* advisory-fix-3 + +* added and changed method name for happy and sad cases in SnappyTest.java + +* removed expected error for happy case in unit testing + +* added another unit test case in SnappyTest.java and fixed comments in SnappyInputStream.java + +* switched SnappyError to INVALID_CHUNK_SIZE + +* Updated unit tests + +Origin: https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea + +--- + .../org/xerial/snappy/SnappyInputStream.java | 13 ++++- + .../java/org/xerial/snappy/SnappyTest.java | 47 +++++++++++++++++++ + 2 files changed, 59 insertions(+), 1 deletion(-) + +diff --git a/src/main/java/org/xerial/snappy/SnappyInputStream.java b/src/main/java/org/xerial/snappy/SnappyInputStream.java +index 19a68c6..f499c66 100755 +--- a/src/main/java/org/xerial/snappy/SnappyInputStream.java ++++ b/src/main/java/org/xerial/snappy/SnappyInputStream.java +@@ -417,9 +417,20 @@ public class SnappyInputStream + } + } + ++ // chunkSize is negative ++ if (chunkSize < 0) { ++ throw new SnappyError(SnappyErrorCode.INVALID_CHUNK_SIZE, "chunkSize is too big or negative : " + chunkSize); ++ } ++ + // extend the compressed data buffer size + if (compressed == null || chunkSize > compressed.length) { +- compressed = new byte[chunkSize]; ++ // chunkSize exceeds limit ++ try { ++ compressed = new byte[chunkSize]; ++ } ++ catch (java.lang.OutOfMemoryError e) { ++ throw new SnappyError(SnappyErrorCode.INVALID_CHUNK_SIZE, e.getMessage()); ++ } + } + readBytes = 0; + while (readBytes < chunkSize) { +diff --git a/src/test/java/org/xerial/snappy/SnappyTest.java b/src/test/java/org/xerial/snappy/SnappyTest.java +index 18b39e9..730dae9 100755 +--- a/src/test/java/org/xerial/snappy/SnappyTest.java ++++ b/src/test/java/org/xerial/snappy/SnappyTest.java +@@ -26,6 +26,7 @@ package org.xerial.snappy; + + import static org.junit.Assert.*; + ++import java.io.ByteArrayInputStream; + import java.io.IOException; + import java.nio.ByteBuffer; + +@@ -329,4 +330,50 @@ public class SnappyTest + _logger.debug(e); + } + } ++ ++ /* ++ Tests happy cases for SnappyInputStream.read method ++ - {0} ++ */ ++ @Test ++ public void isValidChunkLengthForSnappyInputStreamIn() ++ throws Exception { ++ byte[] data = {0}; ++ SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data)); ++ byte[] out = new byte[50]; ++ in.read(out); ++ } ++ ++ /* ++ Tests sad cases for SnappyInputStream.read method ++ - Expects a java.lang.NegativeArraySizeException catched into a SnappyError ++ - {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0,(byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff} ++ */ ++ @Test(expected = SnappyError.class) ++ public void isInvalidChunkLengthForSnappyInputStreamInNegative() ++ throws Exception { ++ byte[] data = {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0,(byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff}; ++ SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data)); ++ byte[] out = new byte[50]; ++ in.read(out); ++ } ++ ++ /* ++ Tests sad cases for SnappyInputStream.read method ++ - Expects a java.lang.OutOfMemoryError ++ - {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0,(byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff} ++ */ ++ @Test(expected = SnappyError.class) ++ public void isInvalidChunkLengthForSnappyInputStreamOutOfMemory() ++ throws Exception { ++ byte[] data = {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0, (byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff}; ++ SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data)); ++ byte[] out = new byte[50]; ++ try { ++ in.read(out); ++ } catch (Exception ignored) { ++ // Exception here will be catched ++ // But OutOfMemoryError will not be caught, and will still be thrown ++ } ++ } + } +-- +2.33.0 + diff --git a/snappy-java.spec b/snappy-java.spec index abc2697..58879ff 100644 --- a/snappy-java.spec +++ b/snappy-java.spec @@ -1,7 +1,7 @@ %global debug_package %nil Name: snappy-java Version: 1.1.2.4 -Release: 1 +Release: 2 Summary: Fast compressor/decompresser License: ASL 2.0 URL: http://xerial.org/snappy-java/ @@ -9,6 +9,8 @@ Source0: https://github.com/xerial/snappy-java/archive/%{version}.ta Source1: https://repo1.maven.org/maven2/org/xerial/snappy/%{name}/%{version}/%{name}-%{version}.pom Patch0: snappy-java-1.1.2-build.patch Patch1: snappy-java-1.1.2.4-lsnappy.patch +Patch2: CVE-2023-34455.patch +Patch3: CVE-2023-34454.patch BuildRequires: make gcc-c++ libstdc++-static snappy-devel BuildRequires: maven-local mvn(com.sun:tools) mvn(org.apache.felix:maven-bundle-plugin) @@ -38,6 +40,8 @@ find -name "*.a" -print -delete find -name "*.h" -print -delete %patch0 -p1 %patch1 -p1 +%patch2 -p1 +%patch3 -p1 cp %{SOURCE1} pom.xml %pom_change_dep org.osgi: org.apache.felix::1.4.0 %pom_xpath_remove "pom:dependency[pom:scope = 'test']" @@ -119,5 +123,8 @@ export CXXFLAGS %license LICENSE NOTICE %changelog +* Mon Jul 03 2023 wangkai <13474090681@163.com> - 1.1.2.4-2 +- Fix CVE-2023-34455 and CVE-2023-34454 + * Tue Jul 28 2020 leiju - 1.1.2.4-1 - Package init