diff --git a/CVE-2020-8908.patch b/CVE-2020-8908.patch
new file mode 100644
index 0000000..0fff607
--- /dev/null
+++ b/CVE-2020-8908.patch
@@ -0,0 +1,48 @@
+From fec0dbc4634006a6162cfd4d0d09c962073ddf40 Mon Sep 17 00:00:00 2001
+From: glorioso
+Date: Wed, 26 Aug 2020 10:02:56 -0700
+Subject: [PATCH] Deprecate Files.createTempDir(), noting that better
+ alternatives exist for Android as well as for users running Java 7 or later.
+
+RELNOTES=`io`: Deprecated `Files.createTempDir()`.
+
+-------------
+Created by MOE: https://github.com/google/moe
+MOE_MIGRATED_REVID=328552787
+---
+ guava/src/com/google/common/io/Files.java | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/guava/src/com/google/common/io/Files.java b/guava/src/com/google/common/io/Files.java
+index 0d6cfc1..990a6a4 100644
+--- a/guava/src/com/google/common/io/Files.java
++++ b/guava/src/com/google/common/io/Files.java
+@@ -393,12 +393,24 @@ public final class Files {
+ * be exploited to create security vulnerabilities, especially when executable files are to be
+ * written into the directory.
+ *
++ *

Depending on the environmment that this code is run in, the system temporary directory (and
++ * thus the directory this method creates) may be more visible that a program would like - files
++ * written to this directory may be read or overwritten by hostile programs running on the same
++ * machine.
++ *
+ *

This method assumes that the temporary volume is writable, has free inodes and free blocks,
+ * and that it will not be called thousands of times per second.
+ *
+ * @return the newly-created directory
+ * @throws IllegalStateException if the directory could not be created
+- */
++ * @deprecated For Android users, see the Data and File
++ * Storage overview to select an appropriate temporary directory (perhaps {@code
++ * context.getCacheDir()}). For developers on Java 7 or later, use {@link
++ * java.nio.file.Files#createTempDirectory}, transforming it to a {@link File} using {@link
++ * java.nio.file.Path#toFile() toFile()} if needed.
++ */
++ @Deprecated
+ public static File createTempDir() {
+ File baseDir = new File(System.getProperty("java.io.tmpdir"));
+ String baseName = System.currentTimeMillis() + "-";
+--
+2.23.0
+
diff --git a/guava20.spec b/guava20.spec
index 2218398..9026535 100644
--- a/guava20.spec
+++ b/guava20.spec
@@ -1,12 +1,13 @@
 Name: guava20
 Version: 20.0
-Release: 9
+Release: 10
 Summary: Google Libraries for Java
 License: ASL 2.0 and CC0
 URL: https://github.com/google/guava
 Source0: https://github.com/google/guava/archive/v%{version}.tar.gz
 BuildArch: noarch
 Patch0000: 0001-Avoid-presizing-arrays.patch
+Patch0001: CVE-2020-8908.patch
 BuildRequires: maven-local mvn(com.google.code.findbugs:jsr305) mvn(junit:junit)
 BuildRequires: mvn(org.apache.felix:maven-bundle-plugin) mvn(org.codehaus.mojo:build-helper-maven-plugin)
 BuildRequires: mvn(org.sonatype.oss:oss-parent:pom:)
@@ -63,5 +64,8 @@ find -name '*.java' | xargs sed -ri "s/^import .*\.($annotations);//;s/@($annota
 %doc CONTRIBUTORS README*
 %changelog
-* Thu Dec 5 2019 zhujunhao 20.0-9
+* Fri Feb 26 2021 zhanghua - 20.0-10
+- fix CVE-2020-8908
+
+* Thu Dec 5 2019 zhujunhao - 20.0-9
 - Package init
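Review bot: The embedded patch leaves the body of createTempDir() untouched — the only new code is `@Deprecated` plus Javadoc, so after this update the method still creates its directory under `java.io.tmpdir` and remains as exposed to other local users as before; the added Javadoc itself states that files there "may be read or overwritten by hostile programs running on the same machine". The changelog line `- fix CVE-2020-8908` in guava20.spec therefore overstates the effect; wording such as `- CVE-2020-8908: deprecate Files.createTempDir() (upstream change is documentation only; callers should move to java.nio.file.Files#createTempDirectory)` describes what was actually applied. Packages in this distribution that call Files.createTempDir() are not changed by this patch and still need migrating to the nio alternative the @deprecated text names. While the patch is carried downstream, the two typos in the added Javadoc, `environmment` and `more visible that a program would like`, could be corrected. The body of createTempDir() continues past the end of the inner hunk.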