Fix CVE-2019-17570

(cherry picked from commit 86598f1c0ddbf91da18e3808ad8124c26708cfe4)
2022-02-25 20:31:55 +08:00 · 2022-02-25 20:31:55 +08:00 · 4eef6365a7
commit 4eef6365a7
parent 1af81374a3
2 changed files with 54 additions and 1 deletions
--- a/CVE-2019-17570.patch
+++ b/CVE-2019-17570.patch
@ -0,0 +1,48 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 27 Jan 2020 19:40:57 +0100
+Subject: CVE-2019-17570
+
+Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1775193
+---
+ .../apache/xmlrpc/parser/XmlRpcResponseParser.java | 28 ++++++++++++----------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/common/src/main/java/org/apache/xmlrpc/parser/XmlRpcResponseParser.java b/common/src/main/java/org/apache/xmlrpc/parser/XmlRpcResponseParser.java
+index 087572b..f1b2427 100644
+--- a/common/src/main/java/org/apache/xmlrpc/parser/XmlRpcResponseParser.java
+++ b/common/src/main/java/org/apache/xmlrpc/parser/XmlRpcResponseParser.java
+@@ -69,19 +69,21 @@ public class XmlRpcResponseParser extends RecursiveTypeParserImpl {
+ 											getDocumentLocator());
+ 			}
+ 			errorMessage = (String) map.get("faultString");
+-            Object exception = map.get("faultCause");
+-            if (exception != null) {
+-                try {
+-                    byte[] bytes = (byte[]) exception;
+-                    ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
+-                    ObjectInputStream ois = new ObjectInputStream(bais);
+-                    errorCause = (Throwable) ois.readObject();
+-                    ois.close();
+-                    bais.close();
+-                } catch (Throwable t) {
+-                    // Ignore me
+-                }
+-            }
+			if (((XmlRpcStreamRequestConfig)cfg).isEnabledForExceptions()) {
+				Object exception = map.get("faultCause");
+				if (exception != null) {
+					try {
+						byte[] bytes = (byte[]) exception;
+						ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
+						ObjectInputStream ois = new ObjectInputStream(bais);
+						errorCause = (Throwable) ois.readObject();
+						ois.close();
+						bais.close();
+					} catch (Throwable t) {
+						// Ignore me
+					}
+				}
+			}
+ 		}
+ 	}
+ 
--- a/xmlrpc.spec
+++ b/xmlrpc.spec
@ -1,6 +1,6 @@
 Name:                xmlrpc
 Version:             3.1.3
-Release:             1
+Release:             2
 Epoch:               1
 Summary:             Java XML-RPC implementation
 License:             ASL 2.0
@ -12,6 +12,7 @@ Patch2:              %{name}-javax-methods.patch
 Patch3:              %{name}-server-addosgimanifest.patch
 Patch4:              %{name}-disallow-deserialization-of-ex-serializable-tags.patch
 Patch5:              %{name}-disallow-loading-external-dtd.patch
+Patch6:              CVE-2019-17570.patch
 BuildRequires:       maven-local mvn(org.apache:apache:pom:)
 BuildRequires:       mvn(commons-httpclient:commons-httpclient) mvn(commons-logging:commons-logging)
 BuildRequires:       mvn(javax.servlet:servlet-api) mvn(org.apache.ws.commons.util:ws-commons-util)
@ -63,6 +64,7 @@ Provides:            %{name}3-server = 3.1.3-13
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 sed -i 's/\r//' LICENSE.txt
 %pom_disable_module dist
 %pom_remove_dep jaxme:jaxmeapi common
@ -87,5 +89,8 @@ sed -i 's/\r//' LICENSE.txt
 %license LICENSE.txt NOTICE.txt

 %changelog
+* Fri Feb 25 2022 yaoxin <yaoxin30@huawei.com> - 3.1.3-2
+- Fix CVE-2019-17570
+
 * Wed Aug 12 2020 leiju <leiju4@huawei.com> - 3.1.3-1
 - Package init