!4 add CVE-2019-12402.patch

Merge pull request !4 from small_leek/xsl_apache-commons-compress
openeuler-ci-bot 2019-12-26 16:40:34 +08:00 committed by Gitee
commit cfeabba982
2 changed files with 127 additions and 1 deletions

119
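--- /dev/null
+++ b/CVE-2019-12402.patch
@@ -0,0 +1,119 @@
+diff -Nur commons-compress-1.17-src_old/src/main/java/org/apache/commons/compress/archivers/zip/NioZipEncoding.java commons-compress-1.17-src/src/main/java/org/apache/commons/compress/archivers/zip/NioZipEncoding.java
+--- commons-compress-1.17-src_old/src/main/java/org/apache/commons/compress/archivers/zip/NioZipEncoding.java 2019-12-26 01:58:18.095645681 -0500
++++ commons-compress-1.17-src/src/main/java/org/apache/commons/compress/archivers/zip/NioZipEncoding.java 2019-12-26 01:59:05.351833877 -0500
+@@ -112,7 +112,9 @@
+} else if (res.isOverflow()) {
+int increment = estimateIncrementalEncodingSize(enc, cb.remaining());
+out = ZipEncodingHelper.growBufferBy(out, increment);
+- }
++ }else if(res.isUnderflow() || res.isError()) {
++ break;
++ }
+}
+// tell the encoder we are done
+enc.encode(cb, out, true);
+diff -Nur commons-compress-1.17-src_old/src/test/java/org/apache/commons/compress/archivers/zip/NioZipEncodingTest.java commons-compress-1.17-src/src/test/java/org/apache/commons/compress/archivers/zip/NioZipEncodingTest.java
+--- commons-compress-1.17-src_old/src/test/java/org/apache/commons/compress/archivers/zip/NioZipEncodingTest.java 1969-12-31 19:00:00.000000000 -0500
++++ commons-compress-1.17-src/src/test/java/org/apache/commons/compress/archivers/zip/NioZipEncodingTest.java 2019-12-26 01:59:34.823951249 -0500
+@@ -0,0 +1,101 @@
++/*
++ * *LicensedtotheApacheSoftwareFoundation(ASF)underone
++ * *ormorecontributorlicenseagreements.SeetheNOTICEfile
++ * *distributedwiththisworkforadditionalinformation
++ * *regardingcopyrightownership.TheASFlicensesthisfile
++ * *toyouundertheApacheLicense,Version2.0(the
++ * *"License");youmaynotusethisfileexceptincompliance
++ * *withtheLicense.YoumayobtainacopyoftheLicenseat
++ * *
++ * *http://www.apache.org/licenses/LICENSE-2.0
++ * *
++ * *Unlessrequiredbyapplicablelaworagreedtoinwriting,
++ * *softwaredistributedundertheLicenseisdistributedonan
++ * *"ASIS"BASIS,WITHOUTWARRANTIESORCONDITIONSOFANY
++ * *KIND,eitherexpressorimplied.SeetheLicenseforthe
++ * *specificlanguagegoverningpermissionsandlimitations
++ * *undertheLicense.
++ *
++ */
++package org.apache.commons.compress.archivers.zip;
++
++import java.nio.ByteBuffer;
++import java.nio.charset.StandardCharsets;
++import java.util.Arrays;
++
++import org.junit.Assert;
++import org.junit.Test;
++
++public class NioZipEncodingTest {
++
++ private static final String UMLAUTS = "\u00e4\u00f6\u00fc";
++
++ @Test
++ public void umlautToUTF16BE() {
++ NioZipEncoding e = new NioZipEncoding(StandardCharsets.UTF_16BE, false);
++ ByteBuffer bb = e.encode(UMLAUTS);
++ final int off = bb.arrayOffset();
++ byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++ Assert.assertArrayEquals(UMLAUTS.getBytes(StandardCharsets.UTF_16BE), result);
++ }
++
++ @Test
++ public void umlautToUTF8() {
++ NioZipEncoding e = new NioZipEncoding(StandardCharsets.UTF_8, true);
++ ByteBuffer bb = e.encode("\u00e4\u00f6\u00fc");
++ final int off = bb.arrayOffset();
++ byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++ Assert.assertArrayEquals(UMLAUTS.getBytes(StandardCharsets.UTF_8), result);
++ }
++
++ @Test
++ public void umlautToISO88591() {
++ NioZipEncoding e = new NioZipEncoding(StandardCharsets.ISO_8859_1, true);
++ ByteBuffer bb = e.encode("\u00e4\u00f6\u00fc");
++ final int off = bb.arrayOffset();
++ byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++ Assert.assertArrayEquals(UMLAUTS.getBytes(StandardCharsets.ISO_8859_1), result);
++ }
++
++ @Test
++ public void unmappableUmlauts() {
++ NioZipEncoding e = new NioZipEncoding(StandardCharsets.US_ASCII, false);
++ ByteBuffer bb = e.encode("\u00e4\u00f6\u00fc");
++ final int off = bb.arrayOffset();
++ byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++ Assert.assertEquals("%U00E4%U00F6%U00FC", new String(result, StandardCharsets.US_ASCII));
++ }
++
++ private static final String RAINBOW_EMOJI = "\ud83c\udf08";
++
++ @Test
++ public void unmappableRainbowEmoji() {
++ NioZipEncoding e = new NioZipEncoding(StandardCharsets.US_ASCII, false);
++ ByteBuffer bb = e.encode(RAINBOW_EMOJI);
++ final int off = bb.arrayOffset();
++ byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++ Assert.assertEquals("%UD83C%UDF08", new String(result, StandardCharsets.US_ASCII));
++ }
++
++ @Test
++ public void rainbowEmojiToSurrogatePairUTF16() {
++ NioZipEncoding e = new NioZipEncoding(StandardCharsets.UTF_16BE, false);
++ ByteBuffer bb = e.encode(RAINBOW_EMOJI);
++ final int off = bb.arrayOffset();
++ byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++ Assert.assertArrayEquals(RAINBOW_EMOJI.getBytes(StandardCharsets.UTF_16BE), result);
++ }
++
++ @Test
++ public void partialSurrogatePair() {
++ NioZipEncoding e = new NioZipEncoding(StandardCharsets.US_ASCII, false);
++ ByteBuffer bb = e.encode("\ud83c");
++ final int off = bb.arrayOffset();
++ byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++ Assert.assertEquals(0, result.length);
++ }
++
++
++}
++
++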
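Review bot: The Apache license header of the added NioZipEncodingTest.java has lost all word spacing and carries a doubled `* *` prefix (`* *LicensedtotheApacheSoftwareFoundation(ASF)underone` …), which makes the notice unreadable; since the rest of the file keeps its spacing this looks like a paste defect in the patch rather than a rendering artifact, and the header should be restored to the standard ASF text. In the NioZipEncoding hunk the new branch is written `}else if(res.isUnderflow() || res.isError()) {` while the line above uses `} else if (res.isOverflow()) {`, so match that spacing. The `break` on `res.isError()` also leaves whatever input remains in `cb` unencoded before control reaches the final `enc.encode(cb, out, true)`, so a one-line comment such as `// underflow or malformed input: stop looping rather than retry indefinitely (CVE-2019-12402)` would record why the loop exits here instead of continuing. The encode() body this hunk patches starts and ends outside the hunk.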


@ -1,6 +1,6 @@
Name: apache-commons-compress Name: apache-commons-compress
Version: 1.17 Version: 1.17
Release: 4 Release: 5
Summary: Java API for working with archivers and compressed files Summary: Java API for working with archivers and compressed files
License: ASL 2.0 License: ASL 2.0
URL: http://commons.apache.org/proper/commons-compress/ URL: http://commons.apache.org/proper/commons-compress/
@ -9,6 +9,7 @@ Source0: http://archive.apache.org/dist/commons/compress/source/commons-c
Patch0001: 0001-Remove-Brotli-compressor.patch Patch0001: 0001-Remove-Brotli-compressor.patch
Patch0002: 0002-Remove-ZSTD-compressor.patch Patch0002: 0002-Remove-ZSTD-compressor.patch
Patch0003: 0003-COMPRESS-463-throw-exception-when-detecting-a-trunca.patch Patch0003: 0003-COMPRESS-463-throw-exception-when-detecting-a-trunca.patch
Patch6000: CVE-2019-12402.patch
BuildRequires: maven-local mvn(junit:junit) mvn(org.apache.commons:commons-parent:pom:) BuildRequires: maven-local mvn(junit:junit) mvn(org.apache.commons:commons-parent:pom:)
BuildRequires: mvn(org.apache.felix:maven-bundle-plugin) mvn(org.powermock:powermock-api-mockito) BuildRequires: mvn(org.apache.felix:maven-bundle-plugin) mvn(org.powermock:powermock-api-mockito)
BuildRequires: mvn(org.apache.maven.plugins:maven-antrun-plugin) mvn(org.osgi:org.osgi.core) BuildRequires: mvn(org.apache.maven.plugins:maven-antrun-plugin) mvn(org.osgi:org.osgi.core)
@ -54,5 +55,11 @@ rm src/test/java/org/apache/commons/compress/OsgiITest.java
%files help -f .mfiles-javadoc %files help -f .mfiles-javadoc
%changelog %changelog
* Thu Dec 26 2019 Senlin Xia <xiasenlin1@huawei.com> - 1.17-4.h1
- Type:cves
- ID:CVE-2019-12402
- SUG:restart
- DESC:fix bug with CVE-2019-12402
* Wed Dec 4 2019 Tianfei <tianfei16@huawei.com> - 1.17-4 * Wed Dec 4 2019 Tianfei <tianfei16@huawei.com> - 1.17-4
- Package init - Package init
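Review bot: The new changelog entry is tagged `1.17-4.h1` while the same commit bumps `Release: 4` to `Release: 5`, so the entry no longer matches `%{version}-%{release}`; it should read `* Thu Dec 26 2019 Senlin Xia <xiasenlin1@huawei.com> - 1.17-5` (rpmlint flags this mismatch as incoherent-version-in-changelog). The `Patch6000: CVE-2019-12402.patch` line only declares the patch; whether it is actually applied depends on the `%prep` section, which is outside this section, so confirm it uses `%autosetup`/`%autopatch` or gains a matching `%patch6000 -p1`. The `@ -54,5 +55,11 @@` header counts six added lines but only five changelog lines are visible here, so one blank separator line is presumably lost in rendering rather than missing from the spec.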