!4 Fix CVE-2022-41853

From: @wk333 Reviewed-by: @caodongxia Signed-off-by: @caodongxia
2023-12-14 06:46:35 +00:00 · 2023-12-14 06:46:35 +00:00 · 2ed3f9debe
commit 2ed3f9debe
parent 42e9f87b65 73e3cffbb5
2 changed files with 69 additions and 2 deletions
--- a/hsqldb-1.8.0-CVE-2022-41853.patch
+++ b/hsqldb-1.8.0-CVE-2022-41853.patch
@ -0,0 +1,59 @@
+From 304f6fcb4e9124b9dbabf3ae28a3a7d21942429f Mon Sep 17 00:00:00 2001
+From: Mikolaj Izdebski <mizdebsk@redhat.com>
+Date: Mon, 7 Nov 2022 10:06:16 +0100
+Subject: [PATCH] Fix CVE-2022-41853
+
+Backport upstream fix for CVE-2022-41853 from SVN r6614.
+Java methods used in routines must now be in hsqldb.method_class_names
+value string.
+
+Origin: https://git.centos.org/rpms/hsqldb/c/145c0b1fd04d9f3a3867d4ed210a5863fac28f57
+
+https://sourceforge.net/p/hsqldb/svn/6614
+---
+ src/org/hsqldb/persist/HsqlDatabaseProperties.java | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/src/org/hsqldb/persist/HsqlDatabaseProperties.java b/src/org/hsqldb/persist/HsqlDatabaseProperties.java
+index 2033183..b2012c2 100644
+--- a/src/org/hsqldb/persist/HsqlDatabaseProperties.java
+++ b/src/org/hsqldb/persist/HsqlDatabaseProperties.java
+@@ -57,14 +57,13 @@ public class HsqlDatabaseProperties extends HsqlProperties {
+ 
+     private static String hsqldb_method_class_names =
+         "hsqldb.method_class_names";
+-    private static HashSet accessibleJavaMethodNames;
+    private static HashSet accessibleJavaMethodNames = new HashSet();
+ 
+     static {
+         try {
+             String prop = System.getProperty(hsqldb_method_class_names);
+ 
+             if (prop != null) {
+-                accessibleJavaMethodNames = new HashSet();
+ 
+                 String[] names = StringUtil.split(prop, ";");
+ 
+@@ -77,7 +76,7 @@ public class HsqlDatabaseProperties extends HsqlProperties {
+ 
+     /**
+      * If the system property "hsqldb.method_class_names" is not set, then
+-     * static methods of all available Java classes can be accessed as functions
+     * static methods of available Java classes cannot be accessed as functions
+      * in HSQLDB. If the property is set, then only the list of semicolon
+      * seperated method names becomes accessible. An empty property value means
+      * no class is accessible.<p>
+@@ -93,10 +92,6 @@ public class HsqlDatabaseProperties extends HsqlProperties {
+      */
+     public static boolean supportsJavaMethod(String name) {
+ 
+-        if (accessibleJavaMethodNames == null) {
+-            return true;
+-        }
+-
+         if (name.startsWith("org.hsqldb.Library.")) {
+             return true;
+         }
+-- 
+2.37.3
+
--- a/hsqldb1.spec
+++ b/hsqldb1.spec
@ -2,13 +2,14 @@
 %global majorversion 1
 Name:                hsqldb1
 Version:             1.8.1.3
-Release:             1
+Release:             3
 Summary:             HyperSQL Database Engine
-License:             BSD
+License:             BSD-3-Clause
 URL:                 http://hsqldb.sourceforge.net/
 Source0:             http://downloads.sourceforge.net/hsqldb/hsqldb_%{cvs_version}.zip
 Source1:             https://repo1.maven.org/maven2/org/hsqldb/hsqldb/1.8.0.10/hsqldb-1.8.0.10.pom
 Patch0:              hsqldb-jdbc-4.1.patch
+Patch1:              hsqldb-1.8.0-CVE-2022-41853.patch

 BuildRequires:       ant java-devel javapackages-local junit glassfish-servlet-api
 Requires:            glassfish-servlet-api
@ -45,6 +46,7 @@ find . -name "*.class" -exec rm -f {} \;
 find . -name "*.war" -exec rm -f {} \;
 chmod -R go=u-w *
 %patch0 -p1
+%patch1 -p1
 cp %{SOURCE1} ./pom.xml
 %mvn_file hsqldb:hsqldb %{name}
 %mvn_compat_version : %{majorversion}
@ -66,5 +68,11 @@ popd
 %license doc/hsqldb_lic.txt

 %changelog
+* Wed Dec 13 2023 wangkai <13474090681@163.com> - 1.8.1.3-3
+- Fix CVE-2022-41853
+
+* Mon May 9 2022 caodongxia <caodongxia@h-partners.com> - 1.8.1.3-2
+- License compliance rectification
+
 * Mon Jul 27 2020 leiju <leiju4@huawei.com> - 1.8.1.3-1
 - Package init