packages/logback
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Upgrade to 1.2.8 version for fix CVE-2021-42550

Browse Source 
(cherry picked from commit 9e2a51a34e3601a8ed135005900864d1223978a9)
This commit is contained in:
houyingchao 2021-12-27 17:11:46 +08:00 committed by openeuler-sync-bot
parent 83e93cc9aa
commit e58ab3aa01
7 changed files with 17 additions and 416 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

303
CVE-2017-5929.patch
View File

@ -1,303 +0,0 @@
From f46044b805bca91efe5fd6afe52257cd02f775f8 Mon Sep 17 00:00:00 2001
From: Ceki Gulcu <ceki@qos.ch>
Date: Tue, 7 Feb 2017 23:12:51 +0100
Subject: [PATCH] harden serialization
---
.../classic/net/SimpleSocketServer.java | 1 -
.../LogbackClassicSerializationHelper.java | 28 ++++++++
.../classic/LoggerSerializationTest.java | 10 ++-
.../core/net/HardenedObjectInputStream.java | 48 +++++++++++++
.../net/HardenedObjectInputStreamTest.java | 61 ++++++++++++++++
.../ch/qos/logback/core/net/Innocent.java | 69 +++++++++++++++++++
6 files changed, 214 insertions(+), 3 deletions(-)
create mode 100755 logback-classic/src/main/java/ch/qos/logback/classic/net/server/LogbackClassicSerializationHelper.java
create mode 100755 logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java
create mode 100755 logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java
create mode 100755 logback-core/src/test/java/ch/qos/logback/core/net/Innocent.java
diff --git a/logback-classic/src/main/java/ch/qos/logback/classic/net/SimpleSocketServer.java b/logback-classic/src/main/java/ch/qos/logback/classic/net/SimpleSocketServer.java
index 6d39a2473..3083f45ce 100755
--- a/logback-classic/src/main/java/ch/qos/logback/classic/net/SimpleSocketServer.java
+++ b/logback-classic/src/main/java/ch/qos/logback/classic/net/SimpleSocketServer.java
@@ -14,7 +14,6 @@
package ch.qos.logback.classic.net;
import java.io.IOException;
-import java.lang.reflect.Constructor;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.ArrayList;
diff --git a/logback-classic/src/main/java/ch/qos/logback/classic/net/server/LogbackClassicSerializationHelper.java b/logback-classic/src/main/java/ch/qos/logback/classic/net/server/LogbackClassicSerializationHelper.java
new file mode 100755
index 000000000..00a974f81
--- /dev/null
+++ b/logback-classic/src/main/java/ch/qos/logback/classic/net/server/LogbackClassicSerializationHelper.java
@@ -0,0 +1,28 @@
+package ch.qos.logback.classic.net.server;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.slf4j.helpers.BasicMarker;
+
+import ch.qos.logback.classic.Logger;
+import ch.qos.logback.classic.spi.LoggerContextVO;
+import ch.qos.logback.classic.spi.LoggingEventVO;
+import ch.qos.logback.classic.spi.ThrowableProxyVO;
+
+public class LogbackClassicSerializationHelper {
+
+
+
+ static public List<String> getWhilelist() {
+ List<String> whitelist = new ArrayList<String>();
+ whitelist.add(LoggingEventVO.class.getName());
+ whitelist.add(LoggerContextVO.class.getName());
+ whitelist.add(ThrowableProxyVO.class.getName());
+ whitelist.add(StackTraceElement.class.getName());
+ whitelist.add(BasicMarker.class.getName());
+ whitelist.add(BasicMarker.class.getName());
+ whitelist.add(Logger.class.getName());
+ return whitelist;
+ }
+}
diff --git a/logback-classic/src/test/java/ch/qos/logback/classic/LoggerSerializationTest.java b/logback-classic/src/test/java/ch/qos/logback/classic/LoggerSerializationTest.java
index ec6cb01d7..618d1756e 100644
--- a/logback-classic/src/test/java/ch/qos/logback/classic/LoggerSerializationTest.java
+++ b/logback-classic/src/test/java/ch/qos/logback/classic/LoggerSerializationTest.java
@@ -14,7 +14,10 @@
package ch.qos.logback.classic;
import java.io.*;
+import java.util.List;
+import ch.qos.logback.classic.net.server.LogbackClassicSerializationHelper;
+import ch.qos.logback.core.net.HardenedObjectInputStream;
import ch.qos.logback.core.util.CoreTestConstants;
import org.junit.After;
import org.junit.Before;
@@ -36,7 +39,8 @@
ByteArrayOutputStream bos;
ObjectOutputStream oos;
ObjectInputStream inputStream;
-
+ List<String> whitelist ;
+
@Before
public void setUp() throws Exception {
lc = new LoggerContext();
@@ -45,6 +49,8 @@ public void setUp() throws Exception {
// create the byte output stream
bos = new ByteArrayOutputStream();
oos = new ObjectOutputStream(bos);
+ whitelist = LogbackClassicSerializationHelper.getWhilelist();
+ whitelist.add(Foo.class.getName());
}
@After
@@ -110,7 +116,7 @@ public void deepTreeSerialization() throws IOException {
private Foo writeAndRead(Foo foo) throws IOException, ClassNotFoundException {
writeObject(oos, foo);
ByteArrayInputStream bis = new ByteArrayInputStream(bos.toByteArray());
- inputStream = new ObjectInputStream(bis);
+ inputStream = new HardenedObjectInputStream(bis, whitelist);
Foo fooBack = readFooObject(inputStream);
inputStream.close();
return fooBack;
diff --git a/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java b/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java
new file mode 100755
index 000000000..439e2bde5
--- /dev/null
+++ b/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java
@@ -0,0 +1,48 @@
+package ch.qos.logback.core.net;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InvalidClassException;
+import java.io.ObjectInputStream;
+import java.io.ObjectStreamClass;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ *
+ * @author Ceki G&uuml;lc&uuml;
+ * @since 1.2.0
+ */
+public class HardenedObjectInputStream extends ObjectInputStream {
+
+ List<String> whitelistedClassNames;
+ String[] javaPackages = new String[] {"java.lang", "java.util"};
+
+ public HardenedObjectInputStream(InputStream in, List<String> whilelist) throws IOException {
+ super(in);
+ this.whitelistedClassNames = Collections.synchronizedList(new ArrayList<String>(whilelist));
+ }
+
+ @Override
+ protected Class<?> resolveClass(ObjectStreamClass anObjectStreamClass) throws IOException, ClassNotFoundException {
+ String incomingClassName = anObjectStreamClass.getName();
+ if(!isWhitelisted(incomingClassName)) {
+ throw new InvalidClassException("Unauthorized deserialization attempt", anObjectStreamClass.getName());
+ }
+
+ return super.resolveClass(anObjectStreamClass);
+ }
+
+ private boolean isWhitelisted(String incomingClassName) {
+ for(int i = 0; i < javaPackages.length; i++) {
+ if(incomingClassName.startsWith(javaPackages[i]))
+ return true;
+ }
+ for(String className: whitelistedClassNames) {
+ if(incomingClassName.equals(className))
+ return true;
+ }
+ return false;
+ }
+}
diff --git a/logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java b/logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java
new file mode 100755
index 000000000..6a3489755
--- /dev/null
+++ b/logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java
@@ -0,0 +1,61 @@
+package ch.qos.logback.core.net;
+
+import static org.junit.Assert.*;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.ObjectOutputStream;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+public class HardenedObjectInputStreamTest {
+
+ ByteArrayOutputStream bos;
+ ObjectOutputStream oos;
+ HardenedObjectInputStream inputStream;
+ List<String> whitelist = new ArrayList<String>();
+
+ @Before
+ public void setUp() throws Exception {
+ whitelist.add(Innocent.class.getName());
+ bos = new ByteArrayOutputStream();
+ oos = new ObjectOutputStream(bos);
+ }
+
+ @After
+ public void tearDown() throws Exception {
+ }
+
+ @Test
+ public void smoke() throws ClassNotFoundException, IOException {
+ Innocent innocent = new Innocent();
+ innocent.setAnInt(1);
+ innocent.setAnInteger(2);
+ innocent.setaString("smoke");
+ Innocent back = writeAndRead(innocent);
+ assertEquals(innocent, back);
+ }
+
+
+
+ private Innocent writeAndRead(Innocent innocent) throws IOException, ClassNotFoundException {
+ writeObject(oos, innocent);
+ ByteArrayInputStream bis = new ByteArrayInputStream(bos.toByteArray());
+ inputStream = new HardenedObjectInputStream(bis, whitelist);
+ Innocent fooBack = (Innocent) inputStream.readObject();
+ inputStream.close();
+ return fooBack;
+ }
+
+ private void writeObject(ObjectOutputStream oos, Object o) throws IOException {
+ oos.writeObject(o);
+ oos.flush();
+ oos.close();
+ }
+
+}
diff --git a/logback-core/src/test/java/ch/qos/logback/core/net/Innocent.java b/logback-core/src/test/java/ch/qos/logback/core/net/Innocent.java
new file mode 100755
index 000000000..2cef5a08e
--- /dev/null
+++ b/logback-core/src/test/java/ch/qos/logback/core/net/Innocent.java
@@ -0,0 +1,69 @@
+package ch.qos.logback.core.net;
+
+public class Innocent implements java.io.Serializable {
+
+ private static final long serialVersionUID = -1227008349289885025L;
+
+ int anInt;
+ Integer anInteger;
+ String aString;
+
+ public int getAnInt() {
+ return anInt;
+ }
+
+ public void setAnInt(int anInt) {
+ this.anInt = anInt;
+ }
+
+ public Integer getAnInteger() {
+ return anInteger;
+ }
+
+ public void setAnInteger(Integer anInteger) {
+ this.anInteger = anInteger;
+ }
+
+ public String getaString() {
+ return aString;
+ }
+
+ public void setaString(String aString) {
+ this.aString = aString;
+ }
+
+ @Override
+ public int hashCode() {
+ final int prime = 31;
+ int result = 1;
+ result = prime * result + ((aString == null) ? 0 : aString.hashCode());
+ result = prime * result + anInt;
+ result = prime * result + ((anInteger == null) ? 0 : anInteger.hashCode());
+ return result;
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ if (this == obj)
+ return true;
+ if (obj == null)
+ return false;
+ if (getClass() != obj.getClass())
+ return false;
+ Innocent other = (Innocent) obj;
+ if (aString == null) {
+ if (other.aString != null)
+ return false;
+ } else if (!aString.equals(other.aString))
+ return false;
+ if (anInt != other.anInt)
+ return false;
+ if (anInteger == null) {
+ if (other.anInteger != null)
+ return false;
+ } else if (!anInteger.equals(other.anInteger))
+ return false;
+ return true;
+ }
+
+}

57
logback-1.1.7-servlet.patch
View File

@ -1,57 +0,0 @@
diff -Nru logback-1.1.7/logback-access/src/main/java/ch/qos/logback/access/servlet/TeeServletInputStream.java logback-1.1.7.servlet/logback-access/src/main/java/ch/qos/logback/access/servlet/TeeServletInputStream.java
--- logback-1.1.7/logback-access/src/main/java/ch/qos/logback/access/servlet/TeeServletInputStream.java 2016-02-25 22:15:50.000000000 +0100
+++ logback-1.1.7.servlet/logback-access/src/main/java/ch/qos/logback/access/servlet/TeeServletInputStream.java 2016-06-23 17:00:02.886622532 +0200
@@ -18,6 +18,7 @@ import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
+import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
@@ -71,4 +71,19 @@
byte[] getInputBuffer() {
return inputBuffer;
}
+
+ @Override
+ public boolean isReady() {
+ return false;
+ }
+
+ @Override
+ public boolean isFinished() {
+ return false;
+ }
+
+ @Override
+ public void setReadListener(ReadListener listener) {
+ throw new UnsupportedOperationException("Not implemented yet.");
+ }
}
diff -Nru logback-1.1.7/logback-access/src/main/java/ch/qos/logback/access/servlet/TeeServletOutputStream.java logback-1.1.7.servlet/logback-access/src/main/java/ch/qos/logback/access/servlet/TeeServletOutputStream.java
--- logback-1.1.7/logback-access/src/main/java/ch/qos/logback/access/servlet/TeeServletOutputStream.java 2016-02-25 22:15:50.000000000 +0100
+++ logback-1.1.7.servlet/logback-access/src/main/java/ch/qos/logback/access/servlet/TeeServletOutputStream.java 2016-06-23 16:56:24.056883117 +0200
@@ -18,6 +18,7 @@ import java.io.IOException;
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletResponse;
+import javax.servlet.WriteListener;
public class TeeServletOutputStream extends ServletOutputStream {
@@ -82,4 +82,14 @@
underlyingStream.flush();
baosCopy.flush();
}
+
+ @Override
+ public boolean isReady() {
+ return false;
+ }
+
+ @Override
+ public void setWriteListener(WriteListener listener) {
+ throw new UnsupportedOperationException("Not implemented yet.");
+ }
}

15
logback-1.1.7-tomcat.patch
View File

@ -1,15 +0,0 @@
diff -Nru logback-1.1.7/logback-access/src/main/java/ch/qos/logback/access/tomcat/LogbackValve.java logback-1.1.7.tomcat/logback-access/src/main/java/ch/qos/logback/access/tomcat/LogbackValve.java
--- logback-1.1.7/logback-access/src/main/java/ch/qos/logback/access/tomcat/LogbackValve.java 2016-03-11 09:16:10.000000000 +0100
+++ logback-1.1.7.tomcat/logback-access/src/main/java/ch/qos/logback/access/tomcat/LogbackValve.java 2016-06-23 17:21:04.765375897 +0200
@@ -328,11 +328,6 @@
return aai.detachAppender(name);
}
- @Override
- public String getInfo() {
- return "Logback's implementation of ValveBase";
- }
-
// Methods from ContextBase:
@Override
public StatusManager getStatusManager() {

25
logback-1.1.7-jetty.patch → logback-1.2.8-jetty.patch
View File

@ -1,7 +1,6 @@
diff -Nru logback-1.1.7/logback-access/pom.xml logback-1.1.7.jetty/logback-access/pom.xml --- logback-1.2.8/logback-access/pom.xml 2021-12-14 12:55:51.000000000 +0100
--- logback-1.1.7/logback-access/pom.xml 2016-03-29 22:09:38.000000000 +0200 +++ logback-1.2.8/logback-access/pom.xml 2021-12-16 15:35:11.255651389 +0100
+++ logback-1.1.7.jetty/logback-access/pom.xml 2016-06-23 17:18:59.640249538 +0200 @@ -47,6 +47,12 @@
@@ -46,6 +46,12 @@
<optional>true</optional> <optional>true</optional>
</dependency> </dependency>
<dependency> <dependency>
@ -14,17 +13,9 @@ diff -Nru logback-1.1.7/logback-access/pom.xml logback-1.1.7.jetty/logback-acces
<groupId>org.codehaus.janino</groupId> <groupId>org.codehaus.janino</groupId>
<artifactId>janino</artifactId> <artifactId>janino</artifactId>
<scope>compile</scope> <scope>compile</scope>
@@ -173,4 +179,4 @@ --- logback-1.2.8/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java 2021-12-14 12:55:51.000000000 +0100
</profile> +++ logback-1.2.8/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java 2021-12-16 15:35:11.255651389 +0100
</profiles> @@ -209,11 +209,6 @@
-</project>
\ Manca newline alla fine del file
+</project>
diff -Nru logback-1.1.7/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java logback-1.1.7.jetty/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java
--- logback-1.1.7/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java 2016-02-25 22:15:50.000000000 +0100
+++ logback-1.1.7.jetty/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java 2016-06-23 17:04:46.410310065 +0200
@@ -210,11 +210,6 @@
started = false; started = false;
} }
@ -36,7 +27,7 @@ diff -Nru logback-1.1.7/logback-access/src/main/java/ch/qos/logback/access/jetty
public void setFileName(String fileName) { public void setFileName(String fileName) {
this.fileName = fileName; this.fileName = fileName;
} }
@@ -228,26 +223,6 @@ @@ -227,26 +222,6 @@
return started; return started;
} }
@ -63,7 +54,7 @@ diff -Nru logback-1.1.7/logback-access/src/main/java/ch/qos/logback/access/jetty
public boolean isQuiet() { public boolean isQuiet() {
return quiet; return quiet;
} }
@@ -311,13 +286,7 @@ @@ -310,13 +285,7 @@
return fai.getFilterChainDecision(event); return fai.getFilterChainDecision(event);
} }

33
logback.spec
View File

@ -1,17 +1,12 @@
Name: logback Name: logback
Version: 1.1.7 Version: 1.2.8
Release: 7 Release: 1
Summary: A Java logging library Summary: A Java logging library
License: LGPLv2 or EPL License: LGPLv2 or EPL
URL: http://logback.qos.ch/ URL: http://logback.qos.ch/
Source0: https://github.com/qos-ch/logback/archive/v_%{version}.tar.gz Source0: https://github.com/qos-ch/logback/archive/v_%{version}.tar.gz
# servlet 3.1 support Patch0001: logback-1.2.8-jetty.patch
Patch0001: %{name}-1.1.7-servlet.patch
# Remove deprecate methods,otherwise it will cause compilation to fail
Patch0002: %{name}-1.1.7-jetty.patch
Patch0003: %{name}-1.1.7-tomcat.patch
Patch0004: CVE-2017-5929.patch
BuildRequires: java-devel >= 1:1.6.0 maven-local mvn(javax.mail:mail) BuildRequires: java-devel >= 1:1.6.0 maven-local mvn(javax.mail:mail)
BuildRequires: mvn(javax.servlet:javax.servlet-api) mvn(junit:junit) mvn(log4j:log4j:1.2.17) BuildRequires: mvn(javax.servlet:javax.servlet-api) mvn(junit:junit) mvn(log4j:log4j:1.2.17)
@ -79,9 +74,8 @@ find . -name "*.jar" -delete
%pom_remove_plugin -r :maven-dependency-plugin %pom_remove_plugin -r :maven-dependency-plugin
%pom_remove_plugin -r :cobertura-maven-plugin %pom_remove_plugin -r :cobertura-maven-plugin
sed -i 's/\r//' LICENSE.txt README.txt sed -i 's/\r//' LICENSE.txt
%pom_change_dep -r :servlet-api javax.servlet:javax.servlet-api:3.1.0
sed -i 's#javax.servlet.*;version="2.5"#javax.servlet.*;version="3.1"#' %{name}-access/pom.xml sed -i 's#javax.servlet.*;version="2.5"#javax.servlet.*;version="3.1"#' %{name}-access/pom.xml
rm -r %{name}-*/src/test/java/* rm -r %{name}-*/src/test/java/*
@ -94,24 +88,13 @@ rm -r %{name}-*/src/test/java/*
%pom_xpath_remove "pom:project/pom:profiles" %{name}-classic %pom_xpath_remove "pom:project/pom:profiles" %{name}-classic
%pom_xpath_remove "pom:project/pom:profiles/pom:profile[pom:id = 'javadocjar']" %pom_xpath_remove "pom:project/pom:profiles/pom:profile[pom:id = 'javadocjar']"
%pom_xpath_remove "pom:executions/pom:execution/pom:goals/pom:goal[text() = 'generateTestStubs']" logback-classic
%pom_xpath_remove "pom:executions/pom:execution/pom:goals/pom:goal[text() = 'compileTests']" logback-classic
%pom_disable_module logback-site %pom_disable_module logback-site
%pom_xpath_remove "pom:build/pom:extensions" %pom_xpath_remove "pom:build/pom:extensions"
%pom_remove_plugin :maven-compiler-plugin logback-classic
%pom_add_plugin org.codehaus.gmavenplus:gmavenplus-plugin:1.5 logback-classic "
<executions>
<execution>
<goals>
<goal>generateStubs</goal>
<goal>testGenerateStubs</goal>
<!--goal>compile</goal>
<goal>testCompile</goal-->
</goals>
</execution>
</executions>"
%mvn_package ":%{name}-access" access %mvn_package ":%{name}-access" access
%mvn_package ":%{name}-examples" examples %mvn_package ":%{name}-examples" examples
@ -127,7 +110,6 @@ install -d -m 755 %{buildroot}%{_datadir}/%{name}/examples
cp -r %{name}-examples/pom.xml %{name}-examples/src %{buildroot}%{_datadir}/%{name}/examples cp -r %{name}-examples/pom.xml %{name}-examples/src %{buildroot}%{_datadir}/%{name}/examples
%files -f .mfiles %files -f .mfiles
%doc README.txt
%license LICENSE.txt %license LICENSE.txt
%files access -f .mfiles-access %files access -f .mfiles-access
@ -140,6 +122,9 @@ cp -r %{name}-examples/pom.xml %{name}-examples/src %{buildroot}%{_datadir}/%{na
%files help -f .mfiles-javadoc %files help -f .mfiles-javadoc
%changelog %changelog
* Mon Dec 27 2021 houyingchao <houyingchao@huawei.com> - 1.2.8-1
- Upgrade to 1.2.8
- Fix CVE-2021-42550
* Sat Sep 19 2020 wangxiao <wangxiao65@huawei.com> - 1.1.7-7 * Sat Sep 19 2020 wangxiao <wangxiao65@huawei.com> - 1.1.7-7
- fix CVE-2017-5929 - fix CVE-2017-5929
* Wed Mar 4 2020 dingyiming <dingyiming3@huawei.com> - 1.1.7-6 * Wed Mar 4 2020 dingyiming <dingyiming3@huawei.com> - 1.1.7-6

BIN
v_1.1.7.tar.gz
View File

Binary file not shown.

BIN
v_1.2.8.tar.gz Normal file
View File

Binary file not shown.