Fix CVE-2020-26945

2021-06-19 11:45:58 +08:00 · 2021-06-19 11:45:58 +08:00 · b6cab65b9c
commit b6cab65b9c
parent b9c6affc1b
2 changed files with 122 additions and 1 deletions
--- a/CVE-2020-26945.patch
+++ b/CVE-2020-26945.patch
@ -0,0 +1,117 @@
+From 9caf480e05c389548c9889362c2cb080d728b5d8 Mon Sep 17 00:00:00 2001
+From: Iwao AVE! <harawata@gmail.com>
+Date: Sat, 3 Oct 2020 23:58:09 +0900
+Subject: [PATCH] Output warning when deserializing object stream with no
+ JEP-290 filter defined
+
+---
+ .../cache/decorators/SerializedCache.java     |  2 +
+ .../loader/AbstractSerialStateHolder.java     |  6 ++
+ .../apache/ibatis/io/SerialFilterChecker.java | 54 +++++++++++++++++++
+ 3 files changed, 61 insertions(+), 33 deletions(-)
+ create mode 100644 src/main/java/org/apache/ibatis/io/SerialFilterChecker.java
+
+diff --git a/src/main/java/org/apache/ibatis/cache/decorators/SerializedCache.java b/src/main/java/org/apache/ibatis/cache/decorators/SerializedCache.java
+index aeb3d09de7a..664b214aa65 100644
+--- a/src/main/java/org/apache/ibatis/cache/decorators/SerializedCache.java
+++ b/src/main/java/org/apache/ibatis/cache/decorators/SerializedCache.java
+@@ -28,6 +28,7 @@
+ import org.apache.ibatis.cache.Cache;
+ import org.apache.ibatis.cache.CacheException;
+ import org.apache.ibatis.io.Resources;
+import org.apache.ibatis.io.SerialFilterChecker;
+ 
+ /**
+  * @author Clinton Begin
+@@ -104,6 +105,7 @@ public boolean equals(Object obj) {
+   }
+ 
+   private Serializable deserialize(byte[] value) {
+    SerialFilterChecker.check();
+     Serializable result;
+     try {
+       ByteArrayInputStream bis = new ByteArrayInputStream(value);
+diff --git a/src/main/java/org/apache/ibatis/executor/loader/AbstractSerialStateHolder.java b/src/main/java/org/apache/ibatis/executor/loader/AbstractSerialStateHolder.java
+index f1edbaa146a..414fe5db391 100644
+--- a/src/main/java/org/apache/ibatis/executor/loader/AbstractSerialStateHolder.java
+++ b/src/main/java/org/apache/ibatis/executor/loader/AbstractSerialStateHolder.java
+@@ -31,6 +31,7 @@
+ import java.util.List;
+ import java.util.Map;
+ 
+import org.apache.ibatis.io.SerialFilterChecker;
+ import org.apache.ibatis.reflection.factory.ObjectFactory;
+ 
+ /**
+@@ -106,9 +107,11 @@ protected final Object readResolve() throws ObjectStreamException {
+       return this.userBean;
+     }
+ 
+    SerialFilterChecker.check();
+
+     /* First run */
+     try {
+       final ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(this.userBeanBytes));
+       this.userBean = in.readObject();
+       this.unloadedProperties = (Map<String, ResultLoaderMap.LoadPair>) in.readObject();
+       this.objectFactory = (ObjectFactory) in.readObject();
+diff --git a/src/main/java/org/apache/ibatis/io/SerialFilterChecker.java b/src/main/java/org/apache/ibatis/io/SerialFilterChecker.java
+new file mode 100644
+index 00000000000..abacac68332
+--- /dev/null
+++ b/src/main/java/org/apache/ibatis/io/SerialFilterChecker.java
+@@ -0,0 +1,54 @@
+/**
+ *    Copyright 2009-2020 the original author or authors.
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+
+package org.apache.ibatis.io;
+
+import java.security.Security;
+
+import org.apache.ibatis.logging.Log;
+import org.apache.ibatis.logging.LogFactory;
+
+public final class SerialFilterChecker {
+  private static final Log log = LogFactory.getLog(SerialFilterChecker.class);
+  /* Property key for the JEP-290 serialization filters */
+  private static final String JDK_SERIAL_FILTER = "jdk.serialFilter";
+  private static final boolean SERIAL_FILTER_MISSING;
+  private static boolean firstInvocation = true;
+
+  static {
+    Object serialFilter;
+    try {
+      Class<?> objectFilterConfig = Class.forName("java.io.ObjectInputFilter$Config");
+      serialFilter = objectFilterConfig.getMethod("getSerialFilter").invoke(null);
+    } catch (ReflectiveOperationException e) {
+      // Java 1.8
+      serialFilter = System.getProperty(JDK_SERIAL_FILTER, Security.getProperty(JDK_SERIAL_FILTER));
+    }
+    SERIAL_FILTER_MISSING = serialFilter == null;
+  }
+
+  public static void check() {
+    if (firstInvocation && SERIAL_FILTER_MISSING) {
+      firstInvocation = false;
+      log.warn(
+          "As you are using functionality that deserializes object streams, it is recommended to define the JEP-290 serial filter. "
+              + "Please refer to https://docs.oracle.com/pls/topic/lookup?ctx=javase15&id=GUID-8296D8E8-2B93-4B9A-856E-0A65AF9B8C66");
+    }
+  }
+
+  private SerialFilterChecker() {
+  }
+}
--- a/mybatis.spec
+++ b/mybatis.spec
@ -1,13 +1,14 @@
 %bcond_with test
 Name:                mybatis
 Version:             3.2.8
-Release:             1
+Release:             2
 Summary:             SQL Mapping Framework for Java
 License:             Apache 2.0
 URL:                 https://github.com/mybatis/mybatis-3
 Source0:             https://github.com/mybatis/mybatis-3/archive/%{name}-%{version}.tar.gz
 Patch0:              %{name}-%{version}-commons-ognl.patch
 Patch1:              mybatis-3.2.8-log4j2.6.patch
+Patch2:              CVE-2020-26945.patch
 BuildRequires:       maven-local mvn(cglib:cglib) mvn(commons-logging:commons-logging)
 BuildRequires:       mvn(log4j:log4j:1.2.17) mvn(org.apache.commons:commons-ognl)
 BuildRequires:       mvn(org.apache.felix:maven-bundle-plugin)
@ -82,5 +83,8 @@ opts="-f"
 %license LICENSE NOTICE

 %changelog
+* Sat Jun 19 2021 lingsheng <lingsheng@huawei.com> - 3.2.8-2
+- Fix CVE-2020-26945
+
 * Fri Jan 8 2021 chengzihan <chengzihan2@huawei.com> - 3.2.8-1
 - Package init