Fix CVE-2019-17570

(cherry picked from commit 86598f1c0ddbf91da18e3808ad8124c26708cfe4)
2022-02-25 20:31:55 +08:00 · 2022-02-25 20:31:55 +08:00 · 4eef6365a7
commit 4eef6365a7
parent 1af81374a3
2 changed files with 54 additions and 1 deletions
--- a/CVE-2019-17570.patch
+++ b/CVE-2019-17570.patch
@ -0,0 +1,48 @@
 From: Markus Koschany <apo@debian.org>
 Date: Mon, 27 Jan 2020 19:40:57 +0100
 Subject: CVE-2019-17570
 Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1775193
 ---
 .../apache/xmlrpc/parser/XmlRpcResponseParser.java | 28 ++++++++++++----------
 1 file changed, 15 insertions(+), 13 deletions(-)
 diff --git a/common/src/main/java/org/apache/xmlrpc/parser/XmlRpcResponseParser.java b/common/src/main/java/org/apache/xmlrpc/parser/XmlRpcResponseParser.java
 index 087572b..f1b2427 100644
 --- a/common/src/main/java/org/apache/xmlrpc/parser/XmlRpcResponseParser.java
 +++ b/common/src/main/java/org/apache/xmlrpc/parser/XmlRpcResponseParser.java
@@ -69,19 +69,21 @@ public class XmlRpcResponseParser extends RecursiveTypeParserImpl {
 											getDocumentLocator());
 			}
 			errorMessage = (String) map.get("faultString");
 -            Object exception = map.get("faultCause");
 -            if (exception != null) {
 -                try {
 -                    byte[] bytes = (byte[]) exception;
 -                    ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
 -                    ObjectInputStream ois = new ObjectInputStream(bais);
 -                    errorCause = (Throwable) ois.readObject();
 -                    ois.close();
 -                    bais.close();
 -                } catch (Throwable t) {
 -                    // Ignore me
 -                }
 -            }
 +			if (((XmlRpcStreamRequestConfig)cfg).isEnabledForExceptions()) {
 +				Object exception = map.get("faultCause");
 +				if (exception != null) {
 +					try {
 +						byte[] bytes = (byte[]) exception;
 +						ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
 +						ObjectInputStream ois = new ObjectInputStream(bais);
 +						errorCause = (Throwable) ois.readObject();
 +						ois.close();
 +						bais.close();
 +					} catch (Throwable t) {
 +						// Ignore me
 +					}
 +				}
 +			}
 		}
 	}
--- a/xmlrpc.spec
+++ b/xmlrpc.spec
@ -1,6 +1,6 @@
 Name:                xmlrpc
 Version:             3.1.3
-Release:             1
+Release:             2
 Epoch:               1
 Summary:             Java XML-RPC implementation
 License:             ASL 2.0
@ -12,6 +12,7 @@ Patch2:              %{name}-javax-methods.patch
 Patch3:              %{name}-server-addosgimanifest.patch
 Patch4:              %{name}-disallow-deserialization-of-ex-serializable-tags.patch
 Patch5:              %{name}-disallow-loading-external-dtd.patch
 Patch6:              CVE-2019-17570.patch
 BuildRequires:       maven-local mvn(org.apache:apache:pom:)
 BuildRequires:       mvn(commons-httpclient:commons-httpclient) mvn(commons-logging:commons-logging)
 BuildRequires:       mvn(javax.servlet:servlet-api) mvn(org.apache.ws.commons.util:ws-commons-util)
@ -63,6 +64,7 @@ Provides:            %{name}3-server = 3.1.3-13
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
 sed -i 's/\r//' LICENSE.txt
 %pom_disable_module dist
 %pom_remove_dep jaxme:jaxmeapi common
@ -87,5 +89,8 @@ sed -i 's/\r//' LICENSE.txt
 %license LICENSE.txt NOTICE.txt
 %changelog
 * Fri Feb 25 2022 yaoxin <yaoxin30@huawei.com> - 3.1.3-2
 - Fix CVE-2019-17570
 * Wed Aug 12 2020 leiju <leiju4@huawei.com> - 3.1.3-1
 - Package init