!7 fix CVE-2019-14900

From: @wangxiao65
Reviewed-by: @zhanghua1831,@wangchong1995924
Signed-off-by: @wangchong1995924

CVE-2019-14900.patch

@@ -0,0 +1,58 @@
+From 646b383f959eff18d58081b1a574f0d777d353da Mon Sep 17 00:00:00 2001
+From: Gail Badner <gbadner@redhat.com>
+Date: Thu, 30 Apr 2020 16:26:56 -0700
+Subject: [PATCH] HHH-14077 : CVE-2019-14900 SQL injection issue in Hibernate ORM
+
+---
+ .../expression/LiteralExpression.java         | 30 +++++++++++++++----
+ 1 file changed, 24 insertions(+), 6 deletions(-)
+
+diff --git a/hibernate-entitymanager/src/main/java/org/hibernate/jpa/criteria/expression/LiteralExpression.java b/hibernate-entitymanager/src/main/java/org/hibernate/jpa/criteria/expression/LiteralExpression.java
+index b2451e6..dc7cbc3 100644
+--- a/hibernate-entitymanager/src/main/java/org/hibernate/jpa/criteria/expression/LiteralExpression.java
++++ b/hibernate-entitymanager/src/main/java/org/hibernate/jpa/criteria/expression/LiteralExpression.java
+@@ -72,17 +72,35 @@ public class LiteralExpression<T> extends ExpressionImpl<T> implements Serializa
+ 		return ':' + parameterName;
+ 	}
+ 
++	/**
++	 * Inline String literal.
++	 *
++	 * @return escaped String
++	 */
++	private String inlineLiteral(String literal) {
++		return String.format( "\'%s\'", escapeLiteral( literal ) );
++	}
++
++	/**
++	 * Escape String literal.
++	 *
++	 * @return escaped String
++	 */
++	private String escapeLiteral(String literal) {
++		return literal.replace("'", "''");
++	}
++
+ 	@SuppressWarnings({ "unchecked" })
+ 	public String renderProjection(RenderingContext renderingContext) {
++		if ( ValueHandlerFactory.isCharacter( literal ) ) {
++			// In case literal is a Character, pass literal.toString() as the argument.
++			return inlineLiteral( literal.toString() );
++		}
++
+ 		// some drivers/servers do not like parameters in the select clause
+ 		final ValueHandlerFactory.ValueHandler handler =
+ 				ValueHandlerFactory.determineAppropriateHandler( literal.getClass() );
+-		if ( ValueHandlerFactory.isCharacter( literal ) ) {
+-			return '\'' + handler.render( literal ) + '\'';
+-		}
+-		else {
+-			return handler.render( literal );
+-		}
++		return handler.render( literal );
+ 	}
+ 
+ 	@Override
+-- 
+2.23.0
+

hibernate4.spec

@@ -3,7 +3,7 @@
 %global pom_url http://repo1.maven.org/maven2/org/hibernate
 Name:                hibernate4
 Version:             4.3.11
-Release:             2
+Release:             3
 Summary:             Relational persistence and query service
 License:             LGPLv2+ and ASL 2.0
 URL:                 http://www.hibernate.org/
@@ -23,6 +23,7 @@ Source60:            http://www.apache.org/licenses/LICENSE-2.0.txt
 Patch0:              hibernate-4.3.11.Final-hibernate-commons-annotations5.patch
 Patch1:              hibernate-4.3.11.Final-infinispan8.patch
 Patch2:              CVE-2020-25638.patch 
+Patch3:              CVE-2019-14900.patch
 BuildRequires:       maven-local mvn(antlr:antlr) mvn(com.experlog:xapool)
 BuildRequires:       mvn(com.fasterxml:classmate) mvn(com.mchange:c3p0) mvn(com.zaxxer:HikariCP)
 BuildRequires:       mvn(dom4j:dom4j) mvn(java_cup:java_cup) mvn(javax.enterprise:cdi-api)
@@ -128,6 +129,7 @@ rm -r documentation/*
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 cp -p %{SOURCE1} hibernate-c3p0/pom.xml
 cp -p %{SOURCE2} hibernate-core/pom.xml
 cp -p %{SOURCE3} hibernate-ehcache/pom.xml
@@ -374,8 +376,11 @@ sed -i.jandex1.2.2 "s|classDotName, superName, access_flag, interfaces, map|clas
 %license lgpl.txt LICENSE-2.0.txt
 
 %changelog
-* Wed Oct 28 2020 wangxiao65 <wangxiao65@huawei.com> - 4.3.11-2
-- fix CVE-2020-25638
+* Thu Mar 18 2021 wangxiao <wangxiao65@huawei.com> - 4.3.11-3
+- Fix CVE-2019-14900
+
+* Wed Oct 28 2020 wangxiao <wangxiao65@huawei.com> - 4.3.11-2
+- Fix CVE-2020-25638
 
 * Wed Oct 28 2020 shaoqiang kang <kangshaoqiang1@huawei.com> - 4.3.11-1
 - Package init