package init

CVE-2019-17359.patch

@@ -0,0 +1,119 @@
+diff -Nur bc-java-r1rv61.org/core/src/main/java/org/bouncycastle/asn1/ASN1InputStream.java bc-java-r1rv61/core/src/main/java/org/bouncycastle/asn1/ASN1InputStream.java
+--- bc-java-r1rv61.org/core/src/main/java/org/bouncycastle/asn1/ASN1InputStream.java	2019-12-25 16:41:28.246642457 +0800
++++ bc-java-r1rv61/core/src/main/java/org/bouncycastle/asn1/ASN1InputStream.java	2019-12-25 16:42:45.727085573 +0800
+@@ -139,7 +139,7 @@
+     {
+         boolean isConstructed = (tag & CONSTRUCTED) != 0;
+ 
+-        DefiniteLengthInputStream defIn = new DefiniteLengthInputStream(this, length);
++        DefiniteLengthInputStream defIn = new DefiniteLengthInputStream(this, length, limit);
+ 
+         if ((tag & APPLICATION) != 0)
+         {
+diff -Nur bc-java-r1rv61.org/core/src/main/java/org/bouncycastle/asn1/ASN1StreamParser.java bc-java-r1rv61/core/src/main/java/org/bouncycastle/asn1/ASN1StreamParser.java
+--- bc-java-r1rv61.org/core/src/main/java/org/bouncycastle/asn1/ASN1StreamParser.java	2019-12-25 16:41:28.246642457 +0800
++++ bc-java-r1rv61/core/src/main/java/org/bouncycastle/asn1/ASN1StreamParser.java	2019-12-25 16:43:14.097247799 +0800
+@@ -168,7 +168,7 @@
+         }
+         else
+         {
+-            DefiniteLengthInputStream defIn = new DefiniteLengthInputStream(_in, length);
++            DefiniteLengthInputStream defIn = new DefiniteLengthInputStream(_in, length, _limit);
+ 
+             if ((tag & BERTags.APPLICATION) != 0)
+             {
+diff -Nur bc-java-r1rv61.org/core/src/main/java/org/bouncycastle/asn1/DefiniteLengthInputStream.java bc-java-r1rv61/core/src/main/java/org/bouncycastle/asn1/DefiniteLengthInputStream.java
+--- bc-java-r1rv61.org/core/src/main/java/org/bouncycastle/asn1/DefiniteLengthInputStream.java	2019-12-25 16:41:28.246642457 +0800
++++ bc-java-r1rv61/core/src/main/java/org/bouncycastle/asn1/DefiniteLengthInputStream.java	2019-12-25 16:45:17.287952074 +0800
+@@ -19,9 +19,10 @@
+ 
+     DefiniteLengthInputStream(
+         InputStream in,
+-        int         length)
++        int         length,
++        int         limit)
+     {
+-        super(in, length);
++        super(in, limit, length);
+ 
+         if (length < 0)
+         {
+@@ -97,6 +98,12 @@
+             return EMPTY_BYTES;
+         }
+ 
++        //make sure it's safe to do this!
++        if (_remaining >= this.getLimit())
++        {
++           throw new IOException("corrupted stream - out of bounds length found: " + _remaining + " >= " + this.getLimit());
++        }
++
+         byte[] bytes = new byte[_remaining];
+         if ((_remaining -= Streams.readFully(_in, bytes)) != 0)
+         {
+diff -Nur bc-java-r1rv61.org/core/src/main/java/org/bouncycastle/asn1/IndefiniteLengthInputStream.java bc-java-r1rv61/core/src/main/java/org/bouncycastle/asn1/IndefiniteLengthInputStream.java
+--- bc-java-r1rv61.org/core/src/main/java/org/bouncycastle/asn1/IndefiniteLengthInputStream.java	2019-12-25 16:41:28.246642457 +0800
++++ bc-java-r1rv61/core/src/main/java/org/bouncycastle/asn1/IndefiniteLengthInputStream.java	2019-12-25 16:45:50.298140750 +0800
+@@ -17,7 +17,7 @@
+         int         limit)
+         throws IOException
+     {
+-        super(in, limit);
++        super(in, limit, limit);
+ 
+         _b1 = in.read();
+         _b2 = in.read();
+diff -Nur bc-java-r1rv61.org/core/src/main/java/org/bouncycastle/asn1/LimitedInputStream.java bc-java-r1rv61/core/src/main/java/org/bouncycastle/asn1/LimitedInputStream.java
+--- bc-java-r1rv61.org/core/src/main/java/org/bouncycastle/asn1/LimitedInputStream.java	2019-12-25 16:41:28.256642514 +0800
++++ bc-java-r1rv61/core/src/main/java/org/bouncycastle/asn1/LimitedInputStream.java	2019-12-25 16:47:41.218774610 +0800
+@@ -10,19 +10,27 @@
+ {
+     protected final InputStream _in;
+     private int _limit;
++    private int _length;
+ 
+     LimitedInputStream(
+         InputStream in,
+-        int         limit)
++        int         limit,
++        int         length)
+     {
+         this._in = in;
+         this._limit = limit;
++        this._length = length;
++    }
++
++    int getLimit()
++    {
++       return _limit;
+     }
+ 
+     int getRemaining()
+     {
+         // TODO: maybe one day this can become more accurate
+-        return _limit;
++        return _length;
+     }
+     
+     protected void setParentEofDetect(boolean on)
+diff -Nur bc-java-r1rv61.org/core/src/main/java/org/bouncycastle/asn1/StreamUtil.java bc-java-r1rv61/core/src/main/java/org/bouncycastle/asn1/StreamUtil.java
+--- bc-java-r1rv61.org/core/src/main/java/org/bouncycastle/asn1/StreamUtil.java	2019-12-25 16:41:28.256642514 +0800
++++ bc-java-r1rv61/core/src/main/java/org/bouncycastle/asn1/StreamUtil.java	2019-12-25 16:48:49.509164763 +0800
+@@ -11,7 +11,7 @@
+     private static final long  MAX_MEMORY = Runtime.getRuntime().maxMemory();
+ 
+     /**
+-     * Find out possible longest length...
++     * Find out possible longest length, capped by available memory.
+      *
+      * @param in input stream of interest
+      * @return length calculation or MAX_VALUE.
+@@ -20,7 +20,7 @@
+     {
+         if (in instanceof LimitedInputStream)
+         {
+-            return ((LimitedInputStream)in).getRemaining();
++            return ((LimitedInputStream)in).getLimit();
+         }
+         else if (in instanceof ASN1InputStream)
+         {

bcmail-jdk15on-1.61.pom

@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project>
+  <modelVersion>4.0.0</modelVersion>
+  <groupId>org.bouncycastle</groupId>
+  <artifactId>bcmail-jdk15on</artifactId>
+  <packaging>jar</packaging>
+  <name>Bouncy Castle S/MIME API</name>
+  <version>1.61</version>
+  <description>The Bouncy Castle Java S/MIME APIs for handling S/MIME protocols. This jar contains S/MIME APIs for JDK 1.5 to JDK 1.8. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs. The JavaMail API and the Java activation framework will also be needed.</description>
+  <url>http://www.bouncycastle.org/java.html</url>
+  <licenses>
+    <license>
+      <name>Bouncy Castle Licence</name>
+      <url>http://www.bouncycastle.org/licence.html</url>
+      <distribution>repo</distribution>
+    </license>
+  </licenses>
+  <scm>
+    <url>https://github.com/bcgit/bc-java</url>
+  </scm>
+  <issueManagement>
+     <system>GitHub</system>
+     <url>https://github.com/bcgit/bc-java/issues</url>
+  </issueManagement>
+  <developers>
+    <developer>
+      <id>feedback-crypto</id>
+      <name>The Legion of the Bouncy Castle Inc.</name>
+      <email>feedback-crypto@bouncycastle.org</email>
+    </developer>
+  </developers>
+  <dependencies>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcprov-jdk15on</artifactId>
+      <version>1.61</version>
+      <type>jar</type>
+    </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcpkix-jdk15on</artifactId>
+      <version>1.61</version>
+      <type>jar</type>
+    </dependency>
+  </dependencies>
+</project>

bcpg-jdk15on-1.61.pom

@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project>
+  <modelVersion>4.0.0</modelVersion>
+  <groupId>org.bouncycastle</groupId>
+  <artifactId>bcpg-jdk15on</artifactId>
+  <packaging>jar</packaging>
+  <name>Bouncy Castle OpenPGP API</name>
+  <version>1.61</version>
+  <description>The Bouncy Castle Java API for handling the OpenPGP protocol. This jar contains the OpenPGP API for JDK 1.5 to JDK 1.8. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.</description>
+  <url>http://www.bouncycastle.org/java.html</url>
+  <licenses>
+    <license>
+      <name>Bouncy Castle Licence</name>
+      <url>http://www.bouncycastle.org/licence.html</url>
+      <distribution>repo</distribution>
+    </license>
+    <license>
+      <name>Apache Software License, Version 1.1</name>
+      <url>http://www.apache.org/licenses/LICENSE-1.1</url>
+      <distribution>repo</distribution>
+    </license>
+  </licenses>
+  <scm>
+    <url>https://github.com/bcgit/bc-java</url>
+  </scm>
+  <issueManagement>
+     <system>GitHub</system>
+     <url>https://github.com/bcgit/bc-java/issues</url>
+  </issueManagement>
+  <developers>
+    <developer>
+      <id>feedback-crypto</id>
+      <name>The Legion of the Bouncy Castle Inc.</name>
+      <email>feedback-crypto@bouncycastle.org</email>
+    </developer>
+  </developers>
+  <dependencies>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcprov-jdk15on</artifactId>
+      <version>1.61</version>
+      <type>jar</type>
+    </dependency>
+  </dependencies>
+</project>

bcpkix-jdk15on-1.61.pom

@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project>
+  <modelVersion>4.0.0</modelVersion>
+  <groupId>org.bouncycastle</groupId>
+  <artifactId>bcpkix-jdk15on</artifactId>
+  <packaging>jar</packaging>
+  <name>Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs</name>
+  <version>1.61</version>
+  <description>The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.5 to JDK 1.8. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.</description>
+  <url>http://www.bouncycastle.org/java.html</url>
+  <licenses>
+    <license>
+      <name>Bouncy Castle Licence</name>
+      <url>http://www.bouncycastle.org/licence.html</url>
+      <distribution>repo</distribution>
+    </license>
+  </licenses>
+  <scm>
+    <url>https://github.com/bcgit/bc-java</url>
+  </scm>
+  <issueManagement>
+     <system>GitHub</system>
+     <url>https://github.com/bcgit/bc-java/issues</url>
+  </issueManagement>
+  <developers>
+    <developer>
+      <id>feedback-crypto</id>
+      <name>The Legion of the Bouncy Castle Inc.</name>
+      <email>feedback-crypto@bouncycastle.org</email>
+    </developer>
+  </developers>
+  <dependencies>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcprov-jdk15on</artifactId>
+      <version>1.61</version>
+      <type>jar</type>
+    </dependency>
+  </dependencies>
+</project>

bcprov-jdk15on-1.61.pom

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project>
+  <modelVersion>4.0.0</modelVersion>
+  <groupId>org.bouncycastle</groupId>
+  <artifactId>bcprov-jdk15on</artifactId>
+  <packaging>jar</packaging>
+  <name>Bouncy Castle Provider</name>
+  <version>1.61</version>
+  <description>The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.</description>
+  <url>http://www.bouncycastle.org/java.html</url>
+  <licenses>
+    <license>
+      <name>Bouncy Castle Licence</name>
+      <url>http://www.bouncycastle.org/licence.html</url>
+      <distribution>repo</distribution>
+    </license>
+  </licenses>
+  <scm>
+    <url>https://github.com/bcgit/bc-java</url>
+  </scm>
+  <issueManagement>
+     <system>GitHub</system>
+     <url>https://github.com/bcgit/bc-java/issues</url>
+  </issueManagement>
+  <developers>
+    <developer>
+      <id>feedback-crypto</id>
+      <name>The Legion of the Bouncy Castle Inc.</name>
+      <email>feedback-crypto@bouncycastle.org</email>
+    </developer>
+  </developers>
+</project>

bctls-jdk15on-1.61.pom

@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project>
+  <modelVersion>4.0.0</modelVersion>
+  <groupId>org.bouncycastle</groupId>
+  <artifactId>bctls-jdk15on</artifactId>
+  <packaging>jar</packaging>
+  <name>Bouncy Castle JSSE provider and TLS/DTLS API</name>
+  <version>1.61</version>
+  <description>The Bouncy Castle Java APIs for TLS and DTLS, including a provider for the JSSE.</description>
+  <url>http://www.bouncycastle.org/java.html</url>
+  <licenses>
+    <license>
+      <name>Bouncy Castle Licence</name>
+      <url>http://www.bouncycastle.org/licence.html</url>
+      <distribution>repo</distribution>
+    </license>
+  </licenses>
+  <scm>
+    <url>https://github.com/bcgit/bc-java</url>
+  </scm>
+  <issueManagement>
+     <system>GitHub</system>
+     <url>https://github.com/bcgit/bc-java/issues</url>
+  </issueManagement>
+  <developers>
+    <developer>
+      <id>feedback-crypto</id>
+      <name>The Legion of the Bouncy Castle Inc.</name>
+      <email>feedback-crypto@bouncycastle.org</email>
+    </developer>
+  </developers>
+  <dependencies>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcprov-jdk15on</artifactId>
+      <version>1.61</version>
+      <type>jar</type>
+    </dependency>
+  </dependencies>
+</project>

bouncycastle.spec

@@ -0,0 +1,160 @@
+%define tag r1rv61
+%define class_name org.bouncycastle.jce.provider.BouncyCastleProvider
+%define jdk_dir build/artifacts/jdk1.5
+%define java_sec_dir %{_sysconfdir}/java/security/security.d
+%define suffix_name security/classpath.security
+
+Name:             bouncycastle
+Version:          1.61
+Release:          4
+Summary:          A Java implementation of cryptographic algorithms
+License:          MIT
+URL:              http://www.bouncycastle.org
+Source0:          https://github.com/bcgit/bc-java/archive/%{tag}.tar.gz
+Source1:          http://repo1.maven.org/maven2/org/bouncycastle/bcmail-jdk15on/%{version}/bcmail-jdk15on-%{version}.pom
+Source2:          http://repo1.maven.org/maven2/org/bouncycastle/bcpg-jdk15on/%{version}/bcpg-jdk15on-%{version}.pom
+Source3:          http://repo1.maven.org/maven2/org/bouncycastle/bcpkix-jdk15on/%{version}/bcpkix-jdk15on-%{version}.pom
+Source4:          http://repo1.maven.org/maven2/org/bouncycastle/bcprov-jdk15on/%{version}/bcprov-jdk15on-%{version}.pom
+Source5:          http://repo1.maven.org/maven2/org/bouncycastle/bctls-jdk15on/%{version}/bctls-jdk15on-%{version}.pom
+Patch6000:        CVE-2019-17359.patch
+
+BuildRequires:    ant ant-junit aqute-bnd javamail javapackages-local
+Requires(post):   javapackages-tools
+Requires(postun): javapackages-tools
+
+BuildArch:        noarch
+
+Provides:         bcprov = %{version}-%{release}
+Provides:         %{name}-pkix
+Provides:         %{name}-pg
+Provides:         %{name}-mail
+Provides:         %{name}-tls
+Provides:         %{name}-javadoc
+Provides:         %{name}-pkix-javadoc = %{version}-%{release}
+Provides:         %{name}-pg-javadoc = %{version}-%{release}
+Provides:         %{name}-mail-javadoc = %{version}-%{release}
+Obsoletes:        %{name}-pkix
+Obsoletes:        %{name}-pg
+Obsoletes:        %{name}-mail
+Obsoletes:        %{name}-tls
+Obsoletes:        %{name}-javadoc
+Obsoletes:        %{name}-pkix-javadoc < %{version}-%{release}
+Obsoletes:        %{name}-pg-javadoc < %{version}-%{release}
+Obsoletes:        %{name}-mail-javadoc < %{version}-%{release}
+
+%description
+The package is organised so that it contains a light-weight API suitable for
+use in any environment (including the newly released J2ME) with the additional
+infrastructure to conform the algorithms to the JCE framework.
+
+
+%prep
+%autosetup -n bc-java-%{tag} -p1
+
+find . -type f -name "*.class" -delete
+find . -type f -name "*.jar" -delete
+
+sed -i -e '/<javadoc/aadditionalparam="-Xdoclint:none" encoding="UTF-8"' \
+       -e '/<javac/aencoding="UTF-8"' ant/bc+-build.xml
+
+cp -p %{SOURCE1} bcmail.pom
+cp -p %{SOURCE2} bcpg.pom
+cp -p %{SOURCE3} bcpkix.pom
+cp -p %{SOURCE4} bcprov.pom
+cp -p %{SOURCE5} bctls.pom
+
+%build
+ant -f ant/jdk15+.xml \
+  -Dactivation.jar.home= \
+  -Dmail.jar.home=$(build-classpath javax.mail) \
+  -Djunit.jar.home=$(build-classpath junit) \
+  -Drelease.debug=true \
+  clean build-provider build
+
+cat > bnd.bnd <<EOF
+-classpath=bcprov.jar,bcpkix.jar,bcpg.jar,bcmail.jar,bctls.jar
+Export-Package: *;version=%{version}
+EOF
+
+for kind in bcprov bcpkix bcpg bcmail bctls ; do
+  bnd wrap -b $kind -v %{version} -p bnd.bnd -o $kind.jar %{jdk_dir}/jars/$kind-jdk15on-*.jar
+
+  %mvn_file ":$kind-jdk15on" $kind
+  %mvn_package ":$kind-jdk15on" $kind
+  %mvn_alias ":$kind-jdk15on" "org.bouncycastle:$kind-jdk16" "org.bouncycastle:$kind-jdk15"
+  %mvn_artifact $kind.pom $kind.jar
+done
+
+rm -rf %{jdk_dir}/javadoc/lcrypto
+
+%install
+install -d -m 755 %{buildroot}%{java_sec_dir}
+touch %{buildroot}%{java_sec_dir}/2000-%{class_name}
+
+%mvn_install -J %{jdk_dir}/javadoc
+
+%post
+{
+  suffix=%{suffix_name}
+  class_secfiles="/usr/lib/$suffix /usr/lib64/$suffix"
+
+  for secfile in $class_secfiles
+  do
+    [ -f "$secfile" ] || continue
+
+    sed -i '/^security\.provider\./d' "$secfile"
+
+    num=0
+    for provider in $(ls %{java_sec_dir})
+    do
+      num=$((num + 1))
+      echo "security.provider.${num}=${provider#*-}" >> "$secfile"
+    done
+  done
+} || :
+
+%postun
+if [ "$1" -eq 0 ] ; then
+
+  {
+    suffix=%{suffix_name}
+    class_secfiles="/usr/lib/$suffix /usr/lib64/$suffix"
+
+    for secfile in $class_secfiles
+    do
+      [ -f "$secfile" ] || continue
+
+      sed -i '/^security\.provider\./d' "$secfile"
+
+      num=0
+      for provider in $(ls %{java_sec_dir})
+      do
+        num=$((num + 1))
+        echo "security.provider.${num}=${provider#*-}" >> "$secfile"
+      done
+    done
+  } || :
+
+fi
+
+%files
+%doc docs/ core/docs/ *.html
+%doc %{_javadocdir}/%{name}
+%license %{jdk_dir}/bcprov-jdk15on-*/LICENSE.html
+%{_datadir}/maven-metadata/*
+%{_javadir}/*
+%{_mavenpomdir}/*
+%{java_sec_dir}/2000-%{class_name}
+
+%changelog
+* Wed Feb 12 2020 Shuaishuai Song <songshuaishuai2@huawei.com> - 1.61-4
+- remove script
+
+* Thu Dec 26 2019 zhujunhao <zhujunhao5@huawei.com> - 1.61-3
+- Type:cves
+- ID:CVE-2019-17359
+- SUG:restart
+- DESC:fix CVE-2019-17359
+
+* Tue Dec 10 2019 huyan <hu.huyan@huawei.com> - 1.61-2
+- Package Initialization