add CVE-2019-12402.patch
parent
ce0a57585a
commit
1173fa387d
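--- a/CVE-2019-12402.patch
+++ b/CVE-2019-12402.patch
@@ -0,0 +1,119 @@
+diff -Nur commons-compress-1.17-src_old/src/main/java/org/apache/commons/compress/archivers/zip/NioZipEncoding.java commons-compress-1.17-src/src/main/java/org/apache/commons/compress/archivers/zip/NioZipEncoding.java
+--- commons-compress-1.17-src_old/src/main/java/org/apache/commons/compress/archivers/zip/NioZipEncoding.java 2019-12-26 01:58:18.095645681 -0500
++++ commons-compress-1.17-src/src/main/java/org/apache/commons/compress/archivers/zip/NioZipEncoding.java 2019-12-26 01:59:05.351833877 -0500
+@@ -112,7 +112,9 @@
+} else if (res.isOverflow()) {
+int increment = estimateIncrementalEncodingSize(enc, cb.remaining());
+out = ZipEncodingHelper.growBufferBy(out, increment);
+- }
++ }else if(res.isUnderflow() || res.isError()) {
++ break;
++ }
+}
+// tell the encoder we are done
+enc.encode(cb, out, true);
+diff -Nur commons-compress-1.17-src_old/src/test/java/org/apache/commons/compress/archivers/zip/NioZipEncodingTest.java commons-compress-1.17-src/src/test/java/org/apache/commons/compress/archivers/zip/NioZipEncodingTest.java
+--- commons-compress-1.17-src_old/src/test/java/org/apache/commons/compress/archivers/zip/NioZipEncodingTest.java 1969-12-31 19:00:00.000000000 -0500
++++ commons-compress-1.17-src/src/test/java/org/apache/commons/compress/archivers/zip/NioZipEncodingTest.java 2019-12-26 01:59:34.823951249 -0500
+@@ -0,0 +1,101 @@
++/*
++ * *LicensedtotheApacheSoftwareFoundation(ASF)underone
++ * *ormorecontributorlicenseagreements.SeetheNOTICEfile
++ * *distributedwiththisworkforadditionalinformation
++ * *regardingcopyrightownership.TheASFlicensesthisfile
++ * *toyouundertheApacheLicense,Version2.0(the
++ * *"License");youmaynotusethisfileexceptincompliance
++ * *withtheLicense.YoumayobtainacopyoftheLicenseat
++ * *
++ * *http://www.apache.org/licenses/LICENSE-2.0
++ * *
++ * *Unlessrequiredbyapplicablelaworagreedtoinwriting,
++ * *softwaredistributedundertheLicenseisdistributedonan
++ * *"ASIS"BASIS,WITHOUTWARRANTIESORCONDITIONSOFANY
++ * *KIND,eitherexpressorimplied.SeetheLicenseforthe
++ * *specificlanguagegoverningpermissionsandlimitations
++ * *undertheLicense.
++ *
++ */
++package org.apache.commons.compress.archivers.zip;
++
++import java.nio.ByteBuffer;
++import java.nio.charset.StandardCharsets;
++import java.util.Arrays;
++
++import org.junit.Assert;
++import org.junit.Test;
++
++public class NioZipEncodingTest {
++
++ private static final String UMLAUTS = "\u00e4\u00f6\u00fc";
++
++ @Test
++ public void umlautToUTF16BE() {
++ NioZipEncoding e = new NioZipEncoding(StandardCharsets.UTF_16BE, false);
++ ByteBuffer bb = e.encode(UMLAUTS);
++ final int off = bb.arrayOffset();
++ byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++ Assert.assertArrayEquals(UMLAUTS.getBytes(StandardCharsets.UTF_16BE), result);
++ }
++
++ @Test
++ public void umlautToUTF8() {
++ NioZipEncoding e = new NioZipEncoding(StandardCharsets.UTF_8, true);
++ ByteBuffer bb = e.encode("\u00e4\u00f6\u00fc");
++ final int off = bb.arrayOffset();
++ byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++ Assert.assertArrayEquals(UMLAUTS.getBytes(StandardCharsets.UTF_8), result);
++ }
++
++ @Test
++ public void umlautToISO88591() {
++ NioZipEncoding e = new NioZipEncoding(StandardCharsets.ISO_8859_1, true);
++ ByteBuffer bb = e.encode("\u00e4\u00f6\u00fc");
++ final int off = bb.arrayOffset();
++ byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++ Assert.assertArrayEquals(UMLAUTS.getBytes(StandardCharsets.ISO_8859_1), result);
++ }
++
++ @Test
++ public void unmappableUmlauts() {
++ NioZipEncoding e = new NioZipEncoding(StandardCharsets.US_ASCII, false);
++ ByteBuffer bb = e.encode("\u00e4\u00f6\u00fc");
++ final int off = bb.arrayOffset();
++ byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++ Assert.assertEquals("%U00E4%U00F6%U00FC", new String(result, StandardCharsets.US_ASCII));
++ }
++
++ private static final String RAINBOW_EMOJI = "\ud83c\udf08";
++
++ @Test
++ public void unmappableRainbowEmoji() {
++ NioZipEncoding e = new NioZipEncoding(StandardCharsets.US_ASCII, false);
++ ByteBuffer bb = e.encode(RAINBOW_EMOJI);
++ final int off = bb.arrayOffset();
++ byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++ Assert.assertEquals("%UD83C%UDF08", new String(result, StandardCharsets.US_ASCII));
++ }
++
++ @Test
++ public void rainbowEmojiToSurrogatePairUTF16() {
++ NioZipEncoding e = new NioZipEncoding(StandardCharsets.UTF_16BE, false);
++ ByteBuffer bb = e.encode(RAINBOW_EMOJI);
++ final int off = bb.arrayOffset();
++ byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++ Assert.assertArrayEquals(RAINBOW_EMOJI.getBytes(StandardCharsets.UTF_16BE), result);
++ }
++
++ @Test
++ public void partialSurrogatePair() {
++ NioZipEncoding e = new NioZipEncoding(StandardCharsets.US_ASCII, false);
++ ByteBuffer bb = e.encode("\ud83c");
++ final int off = bb.arrayOffset();
++ byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++ Assert.assertEquals(0, result.length);
++ }
++
++
++}
++
++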
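Review bot: In the NioZipEncoding.java hunk, the new `else if(res.isUnderflow() || res.isError()) { break; }` branch stops encoding, and the `enc.encode(cb, out, true);` call right after it discards its CoderResult, so any input that was not encoded is presumably dropped with no signal to the caller. The added `partialSurrogatePair` test pins that outcome: a lone high surrogate encodes to zero bytes, which for a ZIP entry name means an empty or shortened name. If that is the intended trade-off for ending the loop, record it at the branch, e.g. `// underflow with input left over (such as a lone surrogate) cannot make progress; stop rather than loop forever`, and consider checking the final result so callers can tell that characters were discarded. The branch is also written `}else if(` while the line above it uses `} else if (`. The loop header and the earlier branches of the chain lie outside the hunk, so this is read from the visible lines only.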
@ -1,6 +1,6 @@
|
||||
Name: apache-commons-compress
|
||||
Version: 1.17
|
||||
Release: 4
|
||||
Release: 4.h1
|
||||
Summary: Java API for working with archivers and compressed files
|
||||
License: ASL 2.0
|
||||
URL: http://commons.apache.org/proper/commons-compress/
|
||||
@ -9,6 +9,7 @@ Source0: http://archive.apache.org/dist/commons/compress/source/commons-c
|
||||
Patch0001: 0001-Remove-Brotli-compressor.patch
|
||||
Patch0002: 0002-Remove-ZSTD-compressor.patch
|
||||
Patch0003: 0003-COMPRESS-463-throw-exception-when-detecting-a-trunca.patch
|
||||
Patch6000: CVE-2019-12402.patch
|
||||
BuildRequires: maven-local mvn(junit:junit) mvn(org.apache.commons:commons-parent:pom:)
|
||||
BuildRequires: mvn(org.apache.felix:maven-bundle-plugin) mvn(org.powermock:powermock-api-mockito)
|
||||
BuildRequires: mvn(org.apache.maven.plugins:maven-antrun-plugin) mvn(org.osgi:org.osgi.core)
|
||||
@ -54,5 +55,11 @@ rm src/test/java/org/apache/commons/compress/OsgiITest.java
|
||||
%files help -f .mfiles-javadoc
|
||||
|
||||
%changelog
|
||||
* Thu Dec 26 2019 Senlin Xia <xiasenlin1@huawei.com> - 1.17-4.h1
|
||||
- Type:cves
|
||||
- ID:CVE-2019-12402
|
||||
- SUG:restart
|
||||
- DESC:fix bug with CVE-2019-12402
|
||||
|
||||
* Wed Dec 4 2019 Tianfei <tianfei16@huawei.com> - 1.17-4
|
||||
- Package init
|
||||
|
||||