From 269fd925cc14d1124413fa2a0846eef0be06a6cf Mon Sep 17 00:00:00 2001 From: wang_yue111 <648774160@qq.com> Date: Fri, 23 Apr 2021 15:45:52 +0800 Subject: [PATCH] fix CVE-2020-13936 --- CVE-2020-13936-1.patch | 60 ++++++++++++++++++++++++++++++++++++++++++ CVE-2020-13936-2.patch | 41 +++++++++++++++++++++++++++++ CVE-2020-13936-3.patch | 24 +++++++++++++++++ velocity.spec | 12 +++++++-- 4 files changed, 135 insertions(+), 2 deletions(-) create mode 100644 CVE-2020-13936-1.patch create mode 100644 CVE-2020-13936-2.patch create mode 100644 CVE-2020-13936-3.patch diff --git a/CVE-2020-13936-1.patch b/CVE-2020-13936-1.patch new file mode 100644 index 0000000..d9468ba --- /dev/null +++ b/CVE-2020-13936-1.patch @@ -0,0 +1,60 @@ +From 3539136e0e1805164fb0a0c75248dd51e8a5672a Mon Sep 17 00:00:00 2001 +From: Will Glass-Husain +Date: Thu, 16 Jul 2020 22:09:42 -0700 +Subject: [PATCH] disallow ClassLoader, Thread, and subclasses. + +--- + .../apache/velocity/runtime/defaults/velocity.properties | 7 +------ + .../util/introspection/SecureIntrospectorImpl.java | 9 +++++++++ + 2 files changed, 10 insertions(+), 6 deletions(-) + +diff --git a/src/java/org/apache/velocity/runtime/defaults/velocity.properties b/src/java/org/apache/velocity/runtime/defaults/velocity.properties +index 7fac119..504cbcc 100644 +--- a/src/java/org/apache/velocity/runtime/defaults/velocity.properties ++++ b/src/java/org/apache/velocity/runtime/defaults/velocity.properties +@@ -247,13 +247,9 @@ runtime.introspector.uberspect = org.apache.velocity.util.introspection.Uberspec + + introspector.restrict.packages = java.lang.reflect + +-# The two most dangerous classes ++## ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl + + introspector.restrict.classes = java.lang.Class +-introspector.restrict.classes = java.lang.ClassLoader +- +-# Restrict these for extra safety +- + introspector.restrict.classes = java.lang.Compiler + introspector.restrict.classes = java.lang.InheritableThreadLocal + introspector.restrict.classes = java.lang.Package +@@ -262,7 +258,6 @@ introspector.restrict.classes = java.lang.Runtime + introspector.restrict.classes = java.lang.RuntimePermission + introspector.restrict.classes = java.lang.SecurityManager + introspector.restrict.classes = java.lang.System +-introspector.restrict.classes = java.lang.Thread + introspector.restrict.classes = java.lang.ThreadGroup + introspector.restrict.classes = java.lang.ThreadLocal + +diff --git a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java +index f317b1c..6907c69 100644 +--- a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java ++++ b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java +@@ -121,6 +121,15 @@ public class SecureIntrospectorImpl extends Introspector implements SecureIntros + return true; + } + ++ /** ++ * Always disallow ClassLoader, Thread and subclasses ++ */ ++ if (ClassLoader.class.isAssignableFrom(clazz) || ++ Thread.class.isAssignableFrom(clazz)) ++ { ++ return false; ++ } ++ + /** + * check the classname (minus any array info) + * whether it matches disallowed classes or packages +-- +2.23.0 + diff --git a/CVE-2020-13936-2.patch b/CVE-2020-13936-2.patch new file mode 100644 index 0000000..0a1cc07 --- /dev/null +++ b/CVE-2020-13936-2.patch @@ -0,0 +1,41 @@ +From cf85e450636afbe0408354ff04a4018659e64955 Mon Sep 17 00:00:00 2001 +From: Will Glass-Husain +Date: Thu, 16 Jul 2020 22:31:22 -0700 +Subject: [PATCH] update list of restricted classes + +--- + .../velocity/runtime/defaults/velocity.properties | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/java/org/apache/velocity/runtime/defaults/velocity.properties b/src/java/org/apache/velocity/runtime/defaults/velocity.properties +index 504cbcc..fd1063a 100644 +--- a/src/java/org/apache/velocity/runtime/defaults/velocity.properties ++++ b/src/java/org/apache/velocity/runtime/defaults/velocity.properties +@@ -245,9 +245,13 @@ runtime.introspector.uberspect = org.apache.velocity.util.introspection.Uberspec + # accessed. + # ---------------------------------------------------------------------------- + ++# Prohibit reflection + introspector.restrict.packages = java.lang.reflect + +-## ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl ++# ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl ++ ++# Restrict these system classes. Note that anything in this list is matched exactly. ++# (Subclasses must be explicitly named to be included). + + introspector.restrict.classes = java.lang.Class + introspector.restrict.classes = java.lang.Compiler +@@ -261,4 +265,9 @@ introspector.restrict.classes = java.lang.System + introspector.restrict.classes = java.lang.ThreadGroup + introspector.restrict.classes = java.lang.ThreadLocal + ++# Restrict instance managers for common servlet containers (Tomcat, JBoss, Jetty) ++ ++introspector.restrict.classes = org.apache.catalina.core.DefaultInstanceManager ++introspector.restrict.classes = org.wildfly.extension.undertow.deployment.UndertowJSPInstanceManager ++introspector.restrict.classes = org.eclipse.jetty.util.DecoratedObjectFactory + +-- +2.23.0 + diff --git a/CVE-2020-13936-3.patch b/CVE-2020-13936-3.patch new file mode 100644 index 0000000..396fe7e --- /dev/null +++ b/CVE-2020-13936-3.patch @@ -0,0 +1,24 @@ +From aa82d7d8ea65b80b486e1468883f4c352d78fded Mon Sep 17 00:00:00 2001 +From: Will Glass-Husain +Date: Wed, 5 Aug 2020 20:59:36 -0700 +Subject: [PATCH] add further tomcat class to restricted list + +--- + .../org/apache/velocity/runtime/defaults/velocity.properties | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/java/org/apache/velocity/runtime/defaults/velocity.properties b/src/java/org/apache/velocity/runtime/defaults/velocity.properties +index fd1063a..5516d53 100644 +--- a/src/java/org/apache/velocity/runtime/defaults/velocity.properties ++++ b/src/java/org/apache/velocity/runtime/defaults/velocity.properties +@@ -268,6 +268,7 @@ introspector.restrict.classes = java.lang.ThreadLocal + # Restrict instance managers for common servlet containers (Tomcat, JBoss, Jetty) + + introspector.restrict.classes = org.apache.catalina.core.DefaultInstanceManager ++introspector.restrict.classes = org.apache.tomcat.SimpleInstanceManager + introspector.restrict.classes = org.wildfly.extension.undertow.deployment.UndertowJSPInstanceManager + introspector.restrict.classes = org.eclipse.jetty.util.DecoratedObjectFactory + +-- +2.23.0 + diff --git a/velocity.spec b/velocity.spec index f2d5418..5021e81 100644 --- a/velocity.spec +++ b/velocity.spec @@ -1,7 +1,7 @@ Name: velocity Epoch: 0 Version: 1.7 -Release: 25 +Release: 26 Summary: Java-based template engine License: ASL 2.0 URL: http://velocity.apache.org/ @@ -19,6 +19,9 @@ Patch0005: 0001-Don-t-use-Werken-XPath.patch Patch0006: 0006-Skip-Java-8-incompatible-test.patch Patch0007: velocity-1.7-doclint.patch Patch0008: velocity-1.7-osgi.patch +Patch0009: CVE-2020-13936-1.patch +Patch0010: CVE-2020-13936-2.patch +Patch0011: CVE-2020-13936-3.patch BuildRequires: javapackages-local ant antlr junit ant-junit BuildRequires: apache-commons-collections apache-commons-logging apache-commons-lang @@ -83,7 +86,9 @@ cp %{SOURCE1} ./pom.xml %patch0006 -p1 %patch0007 -p1 %patch0008 -p1 - +%patch0009 -p1 +%patch0010 -p1 +%patch0011 -p1 %build export CLASSPATH=$(build-classpath antlr apache-commons-collections \ @@ -121,6 +126,9 @@ cp -pr examples test %{buildroot}%{_datadir}/%{name} %changelog +* Fri Apr 23 2021 wangyue - 1.7-26 +- Fix CVE-2020-13936 + * Wed Dec 04 2019 zoushuangshuang - 1.7-25 - Package init