!2 Fix CVE-2020-26945

From: @ultra_planet
Reviewed-by: @wangchong1995924
Signed-off-by: @wangchong1995924

CVE-2020-26945.patch

@@ -0,0 +1,117 @@
+From 9caf480e05c389548c9889362c2cb080d728b5d8 Mon Sep 17 00:00:00 2001
+From: Iwao AVE! <harawata@gmail.com>
+Date: Sat, 3 Oct 2020 23:58:09 +0900
+Subject: [PATCH] Output warning when deserializing object stream with no
+ JEP-290 filter defined
+
+---
+ .../cache/decorators/SerializedCache.java     |  2 +
+ .../loader/AbstractSerialStateHolder.java     |  6 ++
+ .../apache/ibatis/io/SerialFilterChecker.java | 54 +++++++++++++++++++
+ 3 files changed, 61 insertions(+), 33 deletions(-)
+ create mode 100644 src/main/java/org/apache/ibatis/io/SerialFilterChecker.java
+
+diff --git a/src/main/java/org/apache/ibatis/cache/decorators/SerializedCache.java b/src/main/java/org/apache/ibatis/cache/decorators/SerializedCache.java
+index aeb3d09de7a..664b214aa65 100644
+--- a/src/main/java/org/apache/ibatis/cache/decorators/SerializedCache.java
++++ b/src/main/java/org/apache/ibatis/cache/decorators/SerializedCache.java
+@@ -28,6 +28,7 @@
+ import org.apache.ibatis.cache.Cache;
+ import org.apache.ibatis.cache.CacheException;
+ import org.apache.ibatis.io.Resources;
++import org.apache.ibatis.io.SerialFilterChecker;
+ 
+ /**
+  * @author Clinton Begin
+@@ -104,6 +105,7 @@ public boolean equals(Object obj) {
+   }
+ 
+   private Serializable deserialize(byte[] value) {
++    SerialFilterChecker.check();
+     Serializable result;
+     try {
+       ByteArrayInputStream bis = new ByteArrayInputStream(value);
+diff --git a/src/main/java/org/apache/ibatis/executor/loader/AbstractSerialStateHolder.java b/src/main/java/org/apache/ibatis/executor/loader/AbstractSerialStateHolder.java
+index f1edbaa146a..414fe5db391 100644
+--- a/src/main/java/org/apache/ibatis/executor/loader/AbstractSerialStateHolder.java
++++ b/src/main/java/org/apache/ibatis/executor/loader/AbstractSerialStateHolder.java
+@@ -31,6 +31,7 @@
+ import java.util.List;
+ import java.util.Map;
+ 
++import org.apache.ibatis.io.SerialFilterChecker;
+ import org.apache.ibatis.reflection.factory.ObjectFactory;
+ 
+ /**
+@@ -106,9 +107,11 @@ protected final Object readResolve() throws ObjectStreamException {
+       return this.userBean;
+     }
+ 
++    SerialFilterChecker.check();
++
+     /* First run */
+     try {
+       final ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(this.userBeanBytes));
+       this.userBean = in.readObject();
+       this.unloadedProperties = (Map<String, ResultLoaderMap.LoadPair>) in.readObject();
+       this.objectFactory = (ObjectFactory) in.readObject();
+diff --git a/src/main/java/org/apache/ibatis/io/SerialFilterChecker.java b/src/main/java/org/apache/ibatis/io/SerialFilterChecker.java
+new file mode 100644
+index 00000000000..abacac68332
+--- /dev/null
++++ b/src/main/java/org/apache/ibatis/io/SerialFilterChecker.java
+@@ -0,0 +1,54 @@
++/**
++ *    Copyright 2009-2020 the original author or authors.
++ *
++ *    Licensed under the Apache License, Version 2.0 (the "License");
++ *    you may not use this file except in compliance with the License.
++ *    You may obtain a copy of the License at
++ *
++ *       http://www.apache.org/licenses/LICENSE-2.0
++ *
++ *    Unless required by applicable law or agreed to in writing, software
++ *    distributed under the License is distributed on an "AS IS" BASIS,
++ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ *    See the License for the specific language governing permissions and
++ *    limitations under the License.
++ */
++
++package org.apache.ibatis.io;
++
++import java.security.Security;
++
++import org.apache.ibatis.logging.Log;
++import org.apache.ibatis.logging.LogFactory;
++
++public final class SerialFilterChecker {
++  private static final Log log = LogFactory.getLog(SerialFilterChecker.class);
++  /* Property key for the JEP-290 serialization filters */
++  private static final String JDK_SERIAL_FILTER = "jdk.serialFilter";
++  private static final boolean SERIAL_FILTER_MISSING;
++  private static boolean firstInvocation = true;
++
++  static {
++    Object serialFilter;
++    try {
++      Class<?> objectFilterConfig = Class.forName("java.io.ObjectInputFilter$Config");
++      serialFilter = objectFilterConfig.getMethod("getSerialFilter").invoke(null);
++    } catch (ReflectiveOperationException e) {
++      // Java 1.8
++      serialFilter = System.getProperty(JDK_SERIAL_FILTER, Security.getProperty(JDK_SERIAL_FILTER));
++    }
++    SERIAL_FILTER_MISSING = serialFilter == null;
++  }
++
++  public static void check() {
++    if (firstInvocation && SERIAL_FILTER_MISSING) {
++      firstInvocation = false;
++      log.warn(
++          "As you are using functionality that deserializes object streams, it is recommended to define the JEP-290 serial filter. "
++              + "Please refer to https://docs.oracle.com/pls/topic/lookup?ctx=javase15&id=GUID-8296D8E8-2B93-4B9A-856E-0A65AF9B8C66");
++    }
++  }
++
++  private SerialFilterChecker() {
++  }
++}

mybatis.spec

@@ -1,13 +1,14 @@
 %bcond_with test
 Name:                mybatis
 Version:             3.2.8
-Release:             1
+Release:             2
 Summary:             SQL Mapping Framework for Java
 License:             Apache 2.0
 URL:                 https://github.com/mybatis/mybatis-3
 Source0:             https://github.com/mybatis/mybatis-3/archive/%{name}-%{version}.tar.gz
 Patch0:              %{name}-%{version}-commons-ognl.patch
 Patch1:              mybatis-3.2.8-log4j2.6.patch
+Patch2:              CVE-2020-26945.patch
 BuildRequires:       maven-local mvn(cglib:cglib) mvn(commons-logging:commons-logging)
 BuildRequires:       mvn(log4j:log4j:1.2.17) mvn(org.apache.commons:commons-ognl)
 BuildRequires:       mvn(org.apache.felix:maven-bundle-plugin)
@@ -82,5 +83,8 @@ opts="-f"
 %license LICENSE NOTICE
 
 %changelog
+* Sat Jun 19 2021 lingsheng <lingsheng@huawei.com> - 3.2.8-2
+- Fix CVE-2020-26945
+
 * Fri Jan 8 2021 chengzihan <chengzihan2@huawei.com> - 3.2.8-1
 - Package init