From 7d75c221714166a2a0b6ae7291d1ea3fc85f1e7c Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Fri, 11 Mar 2022 15:17:38 +0800
Subject: [PATCH] Fix CVE-2019-17531 (cherry picked from commit 2f5dc725bbf767b9d84766bdb46f27a745ad5e4e)
---
 CVE-2019-17531.patch | 27 +++++++++++++++++++++++++++
 jackson-databind.spec | 6 +++++-
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2019-17531.patch
diff --git a/CVE-2019-17531.patch b/CVE-2019-17531.patch
new file mode 100644
index 0000000..3a16d72
--- /dev/null
+++ b/CVE-2019-17531.patch
@@ -0,0 +1,27 @@
+From 1a32d9d07efcc2b089a5d42ee8f4b14e03607b3c Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta
+Date: Sat, 12 Oct 2019 11:00:17 -0700
+Subject: [PATCH] Fix #2498
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index d28e2b9..bdd5100 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -235,6 +235,10 @@ public class SubTypeValidator
+ s.add("org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource");
+ s.add("org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource");
+
++ // [databind#2498]: log4j-extras (1.2)
++ s.add("org.apache.log4j.receivers.db.DriverManagerConnectionSource");
++ s.add("org.apache.log4j.receivers.db.JNDIConnectionSource");
++
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
+
+--
+2.30.0
+
diff --git a/jackson-databind.spec b/jackson-databind.spec
index 0b26fa7..4498123 100644
--- a/jackson-databind.spec
+++ b/jackson-databind.spec
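Review bot: The two added `s.add(...)` lines keep CVE-2019-17531 a denylist mitigation: they register only the exact class names `org.apache.log4j.receivers.db.DriverManagerConnectionSource` and `org.apache.log4j.receivers.db.JNDIConnectionSource` in `DEFAULT_NO_DESER_CLASS_NAMES`, which SubTypeValidator consults when polymorphic type handling resolves a class name from input, so nothing outside those two names is covered and the real exposure remains enabled default typing. The hunk's context (`@@ -235,6 +235,10 @@` after the two tomcat-dbcp entries) comes from upstream's later 2.9.x line while this package is at 2.9.8 with Patch0001–Patch0040 stacked, so it is worth confirming in the build log that the patch applies (offset is fine, fuzz is not: rpm's default fuzz of 0 fails %prep on a context mismatch). The upstream commit carried no test for the new entries (its diffstat reads `1 file changed, 4 insertions(+)`); a small test asserting that deserialising input naming either new class is rejected by the validator would pin the backport. The static initializer that builds `s` starts and ends outside the hunk.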
@@ -1,6 +1,6 @@
 Name: jackson-databind
 Version: 2.9.8
-Release: 8
+Release: 9
 Summary: General data-binding package for Jackson (2.x)
 License: ASL 2.0 and LGPLv2+
 URL: https://github.com/FasterXML/jackson-databind/
@@ -47,6 +47,7 @@ Patch0037: CVE-2020-36187-CVE-2020-36186.patch
 Patch0038: CVE-2020-36179-36180-36181-36182.patch
 Patch0039: CVE-2020-36183.patch
 Patch0040: CVE-2021-20190.patch
+Patch0041: CVE-2019-17531.patch
 BuildRequires: maven-local mvn(com.fasterxml.jackson.core:jackson-annotations) >= %{version}
 BuildRequires: mvn(com.fasterxml.jackson.core:jackson-core) >= %{version}
@@ -99,6 +100,9 @@ rm src/test/java/com/fasterxml/jackson/databind/ser/jdk/JDKTypeSerializationTest
 %license LICENSE NOTICE
 %changelog
+* Fri Mar 11 2022 yaoxin - 2.9.8-9
+- Fix CVE-2019-17531
+
 * Wed Jan 27 2021 wangyue - 2.9.8-8
 - fix CVE-2021-20190
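Review bot: `+Patch0041: CVE-2019-17531.patch` declares the patch, but the hunk shows nothing that applies it; if this spec's %prep uses explicit `%patchN -p1` lines rather than `%autosetup`, a matching `%patch0041 -p1` is also needed, otherwise 2.9.8-9 builds and ships without the fix and no build error reveals it. The %prep section lies outside the hunk, so this is a point to confirm rather than a defect visible here. The number continues the Patch0037–Patch0040 series and the changelog entry matches the Release bump, which is consistent.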