diff --git a/CVE-2017-5929.patch b/CVE-2017-5929.patch deleted file mode 100644 index 74756ac..0000000 --- a/CVE-2017-5929.patch +++ /dev/null 
@@ -1,303 +0,0 @@ -From f46044b805bca91efe5fd6afe52257cd02f775f8 Mon Sep 17 00:00:00 2001 -From: Ceki Gulcu -Date: Tue, 7 Feb 2017 23:12:51 +0100 -Subject: [PATCH] harden serialization - ---- - .../classic/net/SimpleSocketServer.java | 1 - - .../LogbackClassicSerializationHelper.java | 28 ++++++++ - .../classic/LoggerSerializationTest.java | 10 ++- - .../core/net/HardenedObjectInputStream.java | 48 +++++++++++++ - .../net/HardenedObjectInputStreamTest.java | 61 ++++++++++++++++ - .../ch/qos/logback/core/net/Innocent.java | 69 +++++++++++++++++++ - 6 files changed, 214 insertions(+), 3 deletions(-) - create mode 100755 logback-classic/src/main/java/ch/qos/logback/classic/net/server/LogbackClassicSerializationHelper.java - create mode 100755 logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java - create mode 100755 logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java - create mode 100755 logback-core/src/test/java/ch/qos/logback/core/net/Innocent.java - -diff --git a/logback-classic/src/main/java/ch/qos/logback/classic/net/SimpleSocketServer.java b/logback-classic/src/main/java/ch/qos/logback/classic/net/SimpleSocketServer.java -index 6d39a2473..3083f45ce 100755 ---- a/logback-classic/src/main/java/ch/qos/logback/classic/net/SimpleSocketServer.java -+++ b/logback-classic/src/main/java/ch/qos/logback/classic/net/SimpleSocketServer.java -@@ -14,7 +14,6 @@ - package ch.qos.logback.classic.net; - - import java.io.IOException; --import java.lang.reflect.Constructor; - import java.net.ServerSocket; - import java.net.Socket; - import java.util.ArrayList; -diff --git a/logback-classic/src/main/java/ch/qos/logback/classic/net/server/LogbackClassicSerializationHelper.java b/logback-classic/src/main/java/ch/qos/logback/classic/net/server/LogbackClassicSerializationHelper.java -new file mode 100755 -index 000000000..00a974f81 ---- /dev/null -+++ 
b/logback-classic/src/main/java/ch/qos/logback/classic/net/server/LogbackClassicSerializationHelper.java -@@ -0,0 +1,28 @@ -+package ch.qos.logback.classic.net.server; -+ -+import java.util.ArrayList; -+import java.util.List; -+ -+import org.slf4j.helpers.BasicMarker; -+ -+import ch.qos.logback.classic.Logger; -+import ch.qos.logback.classic.spi.LoggerContextVO; -+import ch.qos.logback.classic.spi.LoggingEventVO; -+import ch.qos.logback.classic.spi.ThrowableProxyVO; -+ -+public class LogbackClassicSerializationHelper { -+ -+ -+ -+ static public List getWhilelist() { -+ List whitelist = new ArrayList(); -+ whitelist.add(LoggingEventVO.class.getName()); -+ whitelist.add(LoggerContextVO.class.getName()); -+ whitelist.add(ThrowableProxyVO.class.getName()); -+ whitelist.add(StackTraceElement.class.getName()); -+ whitelist.add(BasicMarker.class.getName()); -+ whitelist.add(BasicMarker.class.getName()); -+ whitelist.add(Logger.class.getName()); -+ return whitelist; -+ } -+} -diff --git a/logback-classic/src/test/java/ch/qos/logback/classic/LoggerSerializationTest.java b/logback-classic/src/test/java/ch/qos/logback/classic/LoggerSerializationTest.java -index ec6cb01d7..618d1756e 100644 ---- a/logback-classic/src/test/java/ch/qos/logback/classic/LoggerSerializationTest.java -+++ b/logback-classic/src/test/java/ch/qos/logback/classic/LoggerSerializationTest.java -@@ -14,7 +14,10 @@ - package ch.qos.logback.classic; - - import java.io.*; -+import java.util.List; - -+import ch.qos.logback.classic.net.server.LogbackClassicSerializationHelper; -+import ch.qos.logback.core.net.HardenedObjectInputStream; - import ch.qos.logback.core.util.CoreTestConstants; - import org.junit.After; - import org.junit.Before; -@@ -36,7 +39,8 @@ - ByteArrayOutputStream bos; - ObjectOutputStream oos; - ObjectInputStream inputStream; -- -+ List whitelist ; -+ - @Before - public void setUp() throws Exception { - lc = new LoggerContext(); -@@ -45,6 +49,8 @@ public void setUp() throws Exception { - // 
create the byte output stream - bos = new ByteArrayOutputStream(); - oos = new ObjectOutputStream(bos); -+ whitelist = LogbackClassicSerializationHelper.getWhilelist(); -+ whitelist.add(Foo.class.getName()); - } - - @After -@@ -110,7 +116,7 @@ public void deepTreeSerialization() throws IOException { - private Foo writeAndRead(Foo foo) throws IOException, ClassNotFoundException { - writeObject(oos, foo); - ByteArrayInputStream bis = new ByteArrayInputStream(bos.toByteArray()); -- inputStream = new ObjectInputStream(bis); -+ inputStream = new HardenedObjectInputStream(bis, whitelist); - Foo fooBack = readFooObject(inputStream); - inputStream.close(); - return fooBack; -diff --git a/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java b/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java -new file mode 100755 -index 000000000..439e2bde5 ---- /dev/null -+++ b/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java -@@ -0,0 +1,48 @@ -+package ch.qos.logback.core.net; -+ -+import java.io.IOException; -+import java.io.InputStream; -+import java.io.InvalidClassException; -+import java.io.ObjectInputStream; -+import java.io.ObjectStreamClass; -+import java.util.ArrayList; -+import java.util.Collections; -+import java.util.List; -+ -+/** -+ * -+ * @author Ceki Gülcü -+ * @since 1.2.0 -+ */ -+public class HardenedObjectInputStream extends ObjectInputStream { -+ -+ List whitelistedClassNames; -+ String[] javaPackages = new String[] {"java.lang", "java.util"}; -+ -+ public HardenedObjectInputStream(InputStream in, List whilelist) throws IOException { -+ super(in); -+ this.whitelistedClassNames = Collections.synchronizedList(new ArrayList(whilelist)); -+ } -+ -+ @Override -+ protected Class resolveClass(ObjectStreamClass anObjectStreamClass) throws IOException, ClassNotFoundException { -+ String incomingClassName = anObjectStreamClass.getName(); -+ if(!isWhitelisted(incomingClassName)) { -+ 
throw new InvalidClassException("Unauthorized deserialization attempt", anObjectStreamClass.getName()); -+ } -+ -+ return super.resolveClass(anObjectStreamClass); -+ } -+ -+ private boolean isWhitelisted(String incomingClassName) { -+ for(int i = 0; i < javaPackages.length; i++) { -+ if(incomingClassName.startsWith(javaPackages[i])) -+ return true; -+ } -+ for(String className: whitelistedClassNames) { -+ if(incomingClassName.equals(className)) -+ return true; -+ } -+ return false; -+ } -+} -diff --git a/logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java b/logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java -new file mode 100755 -index 000000000..6a3489755 ---- /dev/null -+++ b/logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java -@@ -0,0 +1,61 @@ -+package ch.qos.logback.core.net; -+ -+import static org.junit.Assert.*; -+ -+import java.io.ByteArrayInputStream; -+import java.io.ByteArrayOutputStream; -+import java.io.IOException; -+import java.io.ObjectOutputStream; -+import java.util.ArrayList; -+import java.util.List; -+ -+import org.junit.After; -+import org.junit.Before; -+import org.junit.Test; -+ -+public class HardenedObjectInputStreamTest { -+ -+ ByteArrayOutputStream bos; -+ ObjectOutputStream oos; -+ HardenedObjectInputStream inputStream; -+ List whitelist = new ArrayList(); -+ -+ @Before -+ public void setUp() throws Exception { -+ whitelist.add(Innocent.class.getName()); -+ bos = new ByteArrayOutputStream(); -+ oos = new ObjectOutputStream(bos); -+ } -+ -+ @After -+ public void tearDown() throws Exception { -+ } -+ -+ @Test -+ public void smoke() throws ClassNotFoundException, IOException { -+ Innocent innocent = new Innocent(); -+ innocent.setAnInt(1); -+ innocent.setAnInteger(2); -+ innocent.setaString("smoke"); -+ Innocent back = writeAndRead(innocent); -+ assertEquals(innocent, back); -+ } -+ -+ -+ -+ private Innocent writeAndRead(Innocent innocent) 
throws IOException, ClassNotFoundException { -+ writeObject(oos, innocent); -+ ByteArrayInputStream bis = new ByteArrayInputStream(bos.toByteArray()); -+ inputStream = new HardenedObjectInputStream(bis, whitelist); -+ Innocent fooBack = (Innocent) inputStream.readObject(); -+ inputStream.close(); -+ return fooBack; -+ } -+ -+ private void writeObject(ObjectOutputStream oos, Object o) throws IOException { -+ oos.writeObject(o); -+ oos.flush(); -+ oos.close(); -+ } -+ -+} -diff --git a/logback-core/src/test/java/ch/qos/logback/core/net/Innocent.java b/logback-core/src/test/java/ch/qos/logback/core/net/Innocent.java -new file mode 100755 -index 000000000..2cef5a08e ---- /dev/null -+++ b/logback-core/src/test/java/ch/qos/logback/core/net/Innocent.java -@@ -0,0 +1,69 @@ -+package ch.qos.logback.core.net; -+ -+public class Innocent implements java.io.Serializable { -+ -+ private static final long serialVersionUID = -1227008349289885025L; -+ -+ int anInt; -+ Integer anInteger; -+ String aString; -+ -+ public int getAnInt() { -+ return anInt; -+ } -+ -+ public void setAnInt(int anInt) { -+ this.anInt = anInt; -+ } -+ -+ public Integer getAnInteger() { -+ return anInteger; -+ } -+ -+ public void setAnInteger(Integer anInteger) { -+ this.anInteger = anInteger; -+ } -+ -+ public String getaString() { -+ return aString; -+ } -+ -+ public void setaString(String aString) { -+ this.aString = aString; -+ } -+ -+ @Override -+ public int hashCode() { -+ final int prime = 31; -+ int result = 1; -+ result = prime * result + ((aString == null) ? 0 : aString.hashCode()); -+ result = prime * result + anInt; -+ result = prime * result + ((anInteger == null) ? 
0 : anInteger.hashCode()); -+ return result; -+ } -+ -+ @Override -+ public boolean equals(Object obj) { -+ if (this == obj) -+ return true; -+ if (obj == null) -+ return false; -+ if (getClass() != obj.getClass()) -+ return false; -+ Innocent other = (Innocent) obj; -+ if (aString == null) { -+ if (other.aString != null) -+ return false; -+ } else if (!aString.equals(other.aString)) -+ return false; -+ if (anInt != other.anInt) -+ return false; -+ if (anInteger == null) { -+ if (other.anInteger != null) -+ return false; -+ } else if (!anInteger.equals(other.anInteger)) -+ return false; -+ return true; -+ } -+ -+} diff --git a/logback-1.1.7-servlet.patch b/logback-1.1.7-servlet.patch deleted file mode 100644 index 7d227bd..0000000 --- a/logback-1.1.7-servlet.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -diff -Nru logback-1.1.7/logback-access/src/main/java/ch/qos/logback/access/servlet/TeeServletInputStream.java logback-1.1.7.servlet/logback-access/src/main/java/ch/qos/logback/access/servlet/TeeServletInputStream.java ---- logback-1.1.7/logback-access/src/main/java/ch/qos/logback/access/servlet/TeeServletInputStream.java 2016-02-25 22:15:50.000000000 +0100 -+++ logback-1.1.7.servlet/logback-access/src/main/java/ch/qos/logback/access/servlet/TeeServletInputStream.java 2016-06-23 17:00:02.886622532 +0200 -@@ -18,6 +18,7 @@ import java.io.ByteArrayOutputStream; - import java.io.IOException; - import java.io.InputStream; - -+import javax.servlet.ReadListener; - import javax.servlet.ServletInputStream; - import javax.servlet.http.HttpServletRequest; - -@@ -71,4 +71,19 @@ - byte[] getInputBuffer() { - return inputBuffer; - } -+ -+ @Override -+ public boolean isReady() { -+ return false; -+ } -+ -+ @Override -+ public boolean isFinished() { -+ return false; -+ } -+ -+ @Override -+ public void setReadListener(ReadListener listener) { -+ throw new UnsupportedOperationException("Not implemented yet."); -+ } - } -diff -Nru logback-1.1.7/logback-access/src/main/java/ch/qos/logback/access/servlet/TeeServletOutputStream.java logback-1.1.7.servlet/logback-access/src/main/java/ch/qos/logback/access/servlet/TeeServletOutputStream.java ---- logback-1.1.7/logback-access/src/main/java/ch/qos/logback/access/servlet/TeeServletOutputStream.java 2016-02-25 22:15:50.000000000 +0100 -+++ logback-1.1.7.servlet/logback-access/src/main/java/ch/qos/logback/access/servlet/TeeServletOutputStream.java 2016-06-23 16:56:24.056883117 +0200 -@@ -18,6 +18,7 @@ import java.io.IOException; - - import javax.servlet.ServletOutputStream; - import javax.servlet.ServletResponse; -+import javax.servlet.WriteListener; - - public class TeeServletOutputStream extends ServletOutputStream { - -@@ -82,4 +82,14 @@ - underlyingStream.flush(); - baosCopy.flush(); - } -+ -+ @Override -+ public boolean 
isReady() { -+ return false; -+ } -+ -+ @Override -+ public void setWriteListener(WriteListener listener) { -+ throw new UnsupportedOperationException("Not implemented yet."); -+ } - } diff --git a/logback-1.1.7-tomcat.patch b/logback-1.1.7-tomcat.patch deleted file mode 100644 index cc51913..0000000 --- a/logback-1.1.7-tomcat.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff -Nru logback-1.1.7/logback-access/src/main/java/ch/qos/logback/access/tomcat/LogbackValve.java logback-1.1.7.tomcat/logback-access/src/main/java/ch/qos/logback/access/tomcat/LogbackValve.java ---- logback-1.1.7/logback-access/src/main/java/ch/qos/logback/access/tomcat/LogbackValve.java 2016-03-11 09:16:10.000000000 +0100 -+++ logback-1.1.7.tomcat/logback-access/src/main/java/ch/qos/logback/access/tomcat/LogbackValve.java 2016-06-23 17:21:04.765375897 +0200 -@@ -328,11 +328,6 @@ - return aai.detachAppender(name); - } - -- @Override -- public String getInfo() { -- return "Logback's implementation of ValveBase"; -- } -- - // Methods from ContextBase: - @Override - public StatusManager getStatusManager() { diff --git a/logback-1.1.7-jetty.patch b/logback-1.2.8-jetty.patch similarity index 60% rename from logback-1.1.7-jetty.patch rename to logback-1.2.8-jetty.patch index 801dcbd..f021be4 100644 --- a/logback-1.1.7-jetty.patch +++ b/logback-1.2.8-jetty.patch @@ -1,7 +1,6 @@ -diff -Nru logback-1.1.7/logback-access/pom.xml logback-1.1.7.jetty/logback-access/pom.xml ---- logback-1.1.7/logback-access/pom.xml 2016-03-29 22:09:38.000000000 +0200 -+++ logback-1.1.7.jetty/logback-access/pom.xml 2016-06-23 17:18:59.640249538 +0200 -@@ -46,6 +46,12 @@ +--- logback-1.2.8/logback-access/pom.xml 2021-12-14 12:55:51.000000000 +0100 ++++ logback-1.2.8/logback-access/pom.xml 2021-12-16 15:35:11.255651389 +0100 +@@ -47,6 +47,12 @@ true 
@@ -14,17 +13,9 @@ diff -Nru logback-1.1.7/logback-access/pom.xml logback-1.1.7.jetty/logback-acces org.codehaus.janino janino compile -@@ -173,4 +179,4 @@ - - - -- -\ Manca newline alla fine del file -+ -diff -Nru logback-1.1.7/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java logback-1.1.7.jetty/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java ---- logback-1.1.7/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java 2016-02-25 22:15:50.000000000 +0100 -+++ logback-1.1.7.jetty/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java 2016-06-23 17:04:46.410310065 +0200 -@@ -210,11 +210,6 @@ +--- logback-1.2.8/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java 2021-12-14 12:55:51.000000000 +0100 ++++ logback-1.2.8/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java 2021-12-16 15:35:11.255651389 +0100 +@@ -209,11 +209,6 @@ started = false; } @@ -36,7 +27,7 @@ diff -Nru logback-1.1.7/logback-access/src/main/java/ch/qos/logback/access/jetty public void setFileName(String fileName) { this.fileName = fileName; } -@@ -228,26 +223,6 @@ +@@ -227,26 +222,6 @@ return started; } @@ -63,7 +54,7 @@ diff -Nru logback-1.1.7/logback-access/src/main/java/ch/qos/logback/access/jetty public boolean isQuiet() { return quiet; } -@@ -311,13 +286,7 @@ +@@ -310,13 +285,7 @@ return fai.getFilterChainDecision(event); } diff --git a/logback.spec b/logback.spec index 834ca50..a1d61dd 100644 --- a/logback.spec +++ b/logback.spec 
@@ -1,17 +1,12 @@ Name: logback -Version: 1.1.7 -Release: 7 +Version: 1.2.8 +Release: 1 Summary: A Java logging library License: LGPLv2 or EPL URL: http://logback.qos.ch/ Source0: https://github.com/qos-ch/logback/archive/v_%{version}.tar.gz -# servlet 3.1 support -Patch0001: %{name}-1.1.7-servlet.patch -# Remove deprecate methods,otherwise it will cause compilation to fail -Patch0002: %{name}-1.1.7-jetty.patch -Patch0003: %{name}-1.1.7-tomcat.patch -Patch0004: CVE-2017-5929.patch +Patch0001: logback-1.2.8-jetty.patch BuildRequires: java-devel >= 1:1.6.0 maven-local mvn(javax.mail:mail) BuildRequires: mvn(javax.servlet:javax.servlet-api) mvn(junit:junit) mvn(log4j:log4j:1.2.17) @@ -79,9 +74,8 @@ find . -name "*.jar" -delete %pom_remove_plugin -r :maven-dependency-plugin %pom_remove_plugin -r :cobertura-maven-plugin -sed -i 's/\r//' LICENSE.txt README.txt +sed -i 's/\r//' LICENSE.txt -%pom_change_dep -r :servlet-api javax.servlet:javax.servlet-api:3.1.0 sed -i 's#javax.servlet.*;version="2.5"#javax.servlet.*;version="3.1"#' %{name}-access/pom.xml rm -r %{name}-*/src/test/java/* @@ -94,24 +88,13 @@ rm -r %{name}-*/src/test/java/* %pom_xpath_remove "pom:project/pom:profiles" %{name}-classic %pom_xpath_remove "pom:project/pom:profiles/pom:profile[pom:id = 'javadocjar']" +%pom_xpath_remove "pom:executions/pom:execution/pom:goals/pom:goal[text() = 'generateTestStubs']" logback-classic +%pom_xpath_remove "pom:executions/pom:execution/pom:goals/pom:goal[text() = 'compileTests']" logback-classic %pom_disable_module logback-site %pom_xpath_remove "pom:build/pom:extensions" -%pom_remove_plugin :maven-compiler-plugin logback-classic -%pom_add_plugin org.codehaus.gmavenplus:gmavenplus-plugin:1.5 logback-classic " - - - - generateStubs - testGenerateStubs - - - - " - %mvn_package ":%{name}-access" access %mvn_package ":%{name}-examples" examples 
@@ -127,7 +110,6 @@ install -d -m 755 %{buildroot}%{_datadir}/%{name}/examples cp -r %{name}-examples/pom.xml %{name}-examples/src %{buildroot}%{_datadir}/%{name}/examples %files -f .mfiles -%doc README.txt %license LICENSE.txt %files access -f .mfiles-access @@ -140,6 +122,9 @@ cp -r %{name}-examples/pom.xml %{name}-examples/src %{buildroot}%{_datadir}/%{na %files help -f .mfiles-javadoc %changelog +* Mon Dec 27 2021 houyingchao - 1.2.8-1 +- Upgrade to 1.2.8 +- Fix CVE-2021-42550 * Sat Sep 19 2020 wangxiao - 1.1.7-7 - fix CVE-2017-5929 * Wed Mar 4 2020 dingyiming - 1.1.7-6 diff --git a/v_1.1.7.tar.gz b/v_1.1.7.tar.gz deleted file mode 100644 index 7162846..0000000 Binary files a/v_1.1.7.tar.gz and /dev/null differ diff --git a/v_1.2.8.tar.gz b/v_1.2.8.tar.gz new file mode 100644 index 0000000..e658579 Binary files /dev/null and b/v_1.2.8.tar.gz differ
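Review bot: The new %changelog entry for 1.2.8-1 (hunk `@@ -140,6 +122,9 @@`) records the upgrade and CVE-2021-42550 but says nothing about dropping Patch0004 (CVE-2017-5929.patch) together with the servlet and tomcat patches in hunk `@@ -1,17 +1,12 @@`, so a later maintainer cannot tell from the spec history whether that deserialization fix was lost or is carried upstream; the deleted patch's own HardenedObjectInputStream header is annotated `@since 1.2.0`, which suggests the 1.2.8 sources already contain it, but the spec should say so. Add a line such as `- Drop CVE-2017-5929.patch, servlet and tomcat patches: carried upstream since 1.2.x` under the 1.2.8-1 entry. Hunk `@@ -79,9 +74,8 @@` also removes `%pom_change_dep -r :servlet-api javax.servlet:javax.servlet-api:3.1.0` while keeping the `sed` that rewrites the `javax.servlet` import version to 3.1 in logback-access/pom.xml; presumably the 1.2.8 pom already depends on servlet-api 3.1, in which case a one-line comment above the surviving sed stating why it is still needed would keep the two from drifting apart.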