fix CVE-2019-14900

2021-03-19 11:03:35 +08:00 · 2021-03-19 11:03:35 +08:00 · 98d05f8ff1
commit 98d05f8ff1
parent e9a4fccea2
2 changed files with 66 additions and 3 deletions
--- a/CVE-2019-14900.patch
+++ b/CVE-2019-14900.patch
@ -0,0 +1,58 @@
+From 646b383f959eff18d58081b1a574f0d777d353da Mon Sep 17 00:00:00 2001
+From: Gail Badner <gbadner@redhat.com>
+Date: Thu, 30 Apr 2020 16:26:56 -0700
+Subject: [PATCH] HHH-14077 : CVE-2019-14900 SQL injection issue in Hibernate ORM
+
+---
+ .../expression/LiteralExpression.java         | 30 +++++++++++++++----
+ 1 file changed, 24 insertions(+), 6 deletions(-)
+
+diff --git a/hibernate-entitymanager/src/main/java/org/hibernate/jpa/criteria/expression/LiteralExpression.java b/hibernate-entitymanager/src/main/java/org/hibernate/jpa/criteria/expression/LiteralExpression.java
+index b2451e6..dc7cbc3 100644
+--- a/hibernate-entitymanager/src/main/java/org/hibernate/jpa/criteria/expression/LiteralExpression.java
+++ b/hibernate-entitymanager/src/main/java/org/hibernate/jpa/criteria/expression/LiteralExpression.java
+@@ -72,17 +72,35 @@ public class LiteralExpression<T> extends ExpressionImpl<T> implements Serializa
+ 		return ':' + parameterName;
+ 	}
+ 
+	/**
+	 * Inline String literal.
+	 *
+	 * @return escaped String
+	 */
+	private String inlineLiteral(String literal) {
+		return String.format( "\'%s\'", escapeLiteral( literal ) );
+	}
+
+	/**
+	 * Escape String literal.
+	 *
+	 * @return escaped String
+	 */
+	private String escapeLiteral(String literal) {
+		return literal.replace("'", "''");
+	}
+
+ 	@SuppressWarnings({ "unchecked" })
+ 	public String renderProjection(RenderingContext renderingContext) {
+		if ( ValueHandlerFactory.isCharacter( literal ) ) {
+			// In case literal is a Character, pass literal.toString() as the argument.
+			return inlineLiteral( literal.toString() );
+		}
+
+ 		// some drivers/servers do not like parameters in the select clause
+ 		final ValueHandlerFactory.ValueHandler handler =
+ 				ValueHandlerFactory.determineAppropriateHandler( literal.getClass() );
+-		if ( ValueHandlerFactory.isCharacter( literal ) ) {
+-			return '\'' + handler.render( literal ) + '\'';
+-		}
+-		else {
+-			return handler.render( literal );
+-		}
+		return handler.render( literal );
+ 	}
+ 
+ 	@Override
+-- 
+2.23.0
+
--- a/hibernate4.spec
+++ b/hibernate4.spec
@ -3,7 +3,7 @@
 %global pom_url http://repo1.maven.org/maven2/org/hibernate
 Name:                hibernate4
 Version:             4.3.11
-Release:             2
+Release:             3
 Summary:             Relational persistence and query service
 License:             LGPLv2+ and ASL 2.0
 URL:                 http://www.hibernate.org/
@ -23,6 +23,7 @@ Source60:            http://www.apache.org/licenses/LICENSE-2.0.txt
 Patch0:              hibernate-4.3.11.Final-hibernate-commons-annotations5.patch
 Patch1:              hibernate-4.3.11.Final-infinispan8.patch
 Patch2:              CVE-2020-25638.patch 
+Patch3:              CVE-2019-14900.patch
 BuildRequires:       maven-local mvn(antlr:antlr) mvn(com.experlog:xapool)
 BuildRequires:       mvn(com.fasterxml:classmate) mvn(com.mchange:c3p0) mvn(com.zaxxer:HikariCP)
 BuildRequires:       mvn(dom4j:dom4j) mvn(java_cup:java_cup) mvn(javax.enterprise:cdi-api)
@ -128,6 +129,7 @@ rm -r documentation/*
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 cp -p %{SOURCE1} hibernate-c3p0/pom.xml
 cp -p %{SOURCE2} hibernate-core/pom.xml
 cp -p %{SOURCE3} hibernate-ehcache/pom.xml
@ -374,8 +376,11 @@ sed -i.jandex1.2.2 "s|classDotName, superName, access_flag, interfaces, map|clas
 %license lgpl.txt LICENSE-2.0.txt

 %changelog
-* Wed Oct 28 2020 wangxiao65 <wangxiao65@huawei.com> - 4.3.11-2
- fix CVE-2020-25638
+* Thu Mar 18 2021 wangxiao <wangxiao65@huawei.com> - 4.3.11-3
+- Fix CVE-2019-14900
+
+* Wed Oct 28 2020 wangxiao <wangxiao65@huawei.com> - 4.3.11-2
+- Fix CVE-2020-25638

 * Wed Oct 28 2020 shaoqiang kang <kangshaoqiang1@huawei.com> - 4.3.11-1
 - Package init