!6 fix CVE-2019-14900

From: @zhanghua1831 Reviewed-by: @wangxiao65,@wangchong1995924 Signed-off-by: @wangchong1995924
2021-03-22 09:39:23 +08:00 · 2021-03-22 09:39:23 +08:00 · 9e61f5712e
commit 9e61f5712e
parent 505963ea2b 508eb30e26
2 changed files with 54 additions and 1 deletions
--- a/CVE-2019-14900.patch
+++ b/CVE-2019-14900.patch
@ -0,0 +1,49 @@
+From cacc327ec6af98a53dc986a98a396761ce77dac8 Mon Sep 17 00:00:00 2001
+From: zhanghua1831 <zhanghua1831@163.com>
+Date: Fri, 19 Mar 2021 09:12:05 +0800
+Subject: [PATCH] HHH-14077: CVE-2019-14900 SQL injection issue in
+Hibernate ORM
+
+---
+ .../expression/LiteralExpression.java         | 20 +++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/hibernate-entitymanager/src/main/java/org/hibernate/ejb/criteria/expression/LiteralExpression.java b/hibernate-entitymanager/src/main/java/org/hibernate/ejb/criteria/expression/LiteralExpression.java
+index bd739b7..0104226 100644
+--- a/hibernate-entitymanager/src/main/java/org/hibernate/ejb/criteria/expression/LiteralExpression.java
+++ b/hibernate-entitymanager/src/main/java/org/hibernate/ejb/criteria/expression/LiteralExpression.java
+@@ -73,17 +73,25 @@ public class LiteralExpression<T> extends ExpressionImpl<T> implements Serializa
+ 		return ':' + parameterName;
+ 	}
+ 
+	private String escapeLiteral(String literal) {
+		return literal.replace("'", "''");
+	}
+
+	private String inlineLiteral(String literal) {
+		return String.format( "\'%s\'", escapeLiteral( literal) );
+	}
+
+ 	@SuppressWarnings({ "unchecked" })
+ 	public String renderProjection(CriteriaQueryCompiler.RenderingContext renderingContext) {
+		if ( ValueHandlerFactory.isCharacter( literal ) ) {
+			// In case literal is a Character, pass literal.toString() as the argument.
+                        return inlineLiteral( literal.toString() );
+		}
+
+ 		// some drivers/servers do not like parameters in the select clause
+ 		final ValueHandlerFactory.ValueHandler handler =
+ 				ValueHandlerFactory.determineAppropriateHandler( literal.getClass() );
+-		if ( ValueHandlerFactory.isCharacter( literal ) ) {
+-			return '\'' + handler.render( literal ) + '\'';
+-		}
+-		else {
+-			return handler.render( literal );
+-		}
+		return handler.render( literal );
+ 	}
+ 
+ 	@Override
+-- 
+2.23.0
+
--- a/hibernate3.spec
+++ b/hibernate3.spec
@ -1,6 +1,6 @@
 Name:       hibernate3
 Version:    3.6.10
-Release:    24
+Release:    25
 Summary:    Inquiry service and persistence of releationship
 License:    LGPLv2+
 URL:        http://www.hibernate.org/
@ -10,6 +10,7 @@ Source0:    hibernate-orm-3.6.10.Final.tar.xz
 Patch0000:  hibernate-orm-fix-jacc-gid-aid.patch
 Patch0001:  hibernate-orm-cglib-3.1.patch
 Patch0002:  CVE-2020-25638.patch
+Patch0003:  CVE-2019-14900.patch

 BuildArch:  noarch

@ -156,6 +157,9 @@ export LANG=en_US.UTF-8
 %license lgpl.txt

 %changelog
+* Fri Mar 19 2021 zhanghua <zhanghua40@huawei.com> - 3.6.10-25
+- fix CVE-2019-14900
+
 * Sat Dec 12 2020 zhangtao <zhangtao221@huawei.com> - 3.6.10-24
 - CVE-2020-25638