From 4919551242ee3c6ae3fe7db1da1ea06b1a0a0fb9 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Nov 30 2015 04:33:47 +0000
Subject: import apache-commons-collections-3.2.1-22.el7_2


---

diff --git a/SOURCES/CVE-2015-7501.patch b/SOURCES/CVE-2015-7501.patch
new file mode 100644
index 0000000..79b3153
--- /dev/null
+++ b/SOURCES/CVE-2015-7501.patch
@@ -0,0 +1,513 @@
+diff --git a/src/java/org/apache/commons/collections/functors/CloneTransformer.java b/src/java/org/apache/commons/collections/functors/CloneTransformer.java
+index 7200402..3df18ff 100644
+--- a/src/java/org/apache/commons/collections/functors/CloneTransformer.java
++++ b/src/java/org/apache/commons/collections/functors/CloneTransformer.java
+@@ -16,6 +16,9 @@
+  */
+ package org.apache.commons.collections.functors;
+ 
++import java.io.IOException;
++import java.io.ObjectInputStream;
++import java.io.ObjectOutputStream;
+ import java.io.Serializable;
+ 
+ import org.apache.commons.collections.Transformer;
+@@ -24,6 +27,16 @@ import org.apache.commons.collections.Transformer;
+  * Transformer implementation that returns a clone of the input object.
+  * <p>
+  * Clone is performed using <code>PrototypeFactory.getInstance(input).create()</code>.
++ * <p>
++ * <b>WARNING:</b> This class will throw an
++ * {@link UnsupportedOperationException} when trying to serialize or
++ * de-serialize an instance to prevent potential remote code execution exploits.
++ * <p>
++ * In order to re-enable serialization support for {@code CloneTransformer}
++ * the following system property can be used (via -Dproperty=true):
++ * <pre>
++ * org.apache.commons.collections.enableUnsafeSerialization
++ * </pre>
+  * 
+  * @since Commons Collections 3.0
+  * @version $Revision: 646777 $ $Date: 2008-04-10 13:33:15 +0100 (Thu, 10 Apr 2008) $
+@@ -68,4 +81,21 @@ public class CloneTransformer implements Transformer, Serializable {
+         return PrototypeFactory.getInstance(input).create();
+     }
+ 
++    /**
++     * Overrides the default writeObject implementation to prevent
++     * serialization (see COLLECTIONS-580).
++     */
++    private void writeObject(ObjectOutputStream os) throws IOException {
++        FunctorUtils.checkUnsafeSerialization(CloneTransformer.class);
++        os.defaultWriteObject();
++    }
++
++    /**
++     * Overrides the default readObject implementation to prevent
++     * de-serialization (see COLLECTIONS-580).
++     */
++    private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
++        FunctorUtils.checkUnsafeSerialization(CloneTransformer.class);
++        is.defaultReadObject();
++    }
+ }
+diff --git a/src/java/org/apache/commons/collections/functors/ForClosure.java b/src/java/org/apache/commons/collections/functors/ForClosure.java
+index f0355c4..e15475c 100644
+--- a/src/java/org/apache/commons/collections/functors/ForClosure.java
++++ b/src/java/org/apache/commons/collections/functors/ForClosure.java
+@@ -16,12 +16,25 @@
+  */
+ package org.apache.commons.collections.functors;
+ 
++import java.io.IOException;
++import java.io.ObjectInputStream;
++import java.io.ObjectOutputStream;
+ import java.io.Serializable;
+ 
+ import org.apache.commons.collections.Closure;
+ 
+ /**
+  * Closure implementation that calls another closure n times, like a for loop.
++ * <p>
++ * <b>WARNING:</b> This class will throw an
++ * {@link UnsupportedOperationException} when trying to serialize or
++ * de-serialize an instance to prevent potential remote code execution exploits.
++ * <p>
++ * In order to re-enable serialization support for {@code ForClosure}
++ * the following system property can be used (via -Dproperty=true):
++ * <pre>
++ * org.apache.commons.collections.enableUnsafeSerialization
++ * </pre>
+  * 
+  * @since Commons Collections 3.0
+  * @version $Revision: 646777 $ $Date: 2008-04-10 13:33:15 +0100 (Thu, 10 Apr 2008) $
+@@ -102,4 +115,22 @@ public class ForClosure implements Closure, Serializable {
+         return iCount;
+     }
+ 
++    /**
++     * Overrides the default writeObject implementation to prevent
++     * serialization (see COLLECTIONS-580).
++     */
++    private void writeObject(ObjectOutputStream os) throws IOException {
++        FunctorUtils.checkUnsafeSerialization(ForClosure.class);
++        os.defaultWriteObject();
++    }
++
++    /**
++     * Overrides the default readObject implementation to prevent
++     * de-serialization (see COLLECTIONS-580).
++     */
++    private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
++        FunctorUtils.checkUnsafeSerialization(ForClosure.class);
++        is.defaultReadObject();
++    }
++
+ }
+diff --git a/src/java/org/apache/commons/collections/functors/FunctorUtils.java b/src/java/org/apache/commons/collections/functors/FunctorUtils.java
+index 75f8d9b..aa7bec3 100644
+--- a/src/java/org/apache/commons/collections/functors/FunctorUtils.java
++++ b/src/java/org/apache/commons/collections/functors/FunctorUtils.java
+@@ -16,6 +16,8 @@
+  */
+ package org.apache.commons.collections.functors;
+ 
++import java.security.AccessController;
++import java.security.PrivilegedAction;
+ import java.util.Collection;
+ import java.util.Iterator;
+ 
+@@ -33,7 +35,11 @@ import org.apache.commons.collections.Transformer;
+  * @author Matt Benson
+  */
+ class FunctorUtils {
+-    
++
++    /** System property key to enable unsafe serialization */
++    final static String UNSAFE_SERIALIZABLE_PROPERTY
++        = "org.apache.commons.collections.enableUnsafeSerialization";
++
+     /**
+      * Restricted constructor.
+      */
+@@ -152,4 +158,33 @@ class FunctorUtils {
+         }
+     }
+ 
++    /**
++     * Package-private helper method to check if serialization support is
++     * enabled for unsafe classes.
++     *
++     * @param clazz  the clazz to check for serialization support
++     * @throws UnsupportedOperationException if unsafe serialization is disabled
++     */
++    static void checkUnsafeSerialization(Class clazz) {
++        String unsafeSerializableProperty;
++
++        try {
++            unsafeSerializableProperty = 
++                (String) AccessController.doPrivileged(new PrivilegedAction() {
++                    public Object run() {
++                        return System.getProperty(UNSAFE_SERIALIZABLE_PROPERTY);
++                    }
++                });
++        } catch (SecurityException ex) {
++            unsafeSerializableProperty = null;
++        }
++
++        if (!"true".equalsIgnoreCase(unsafeSerializableProperty)) {
++            throw new UnsupportedOperationException(
++                    "Serialization support for " + clazz.getName() + " is disabled for security reasons. " +
++                    "To enable it set system property '" + UNSAFE_SERIALIZABLE_PROPERTY + "' to 'true', " +
++                    "but you must ensure that your application does not de-serialize objects from untrusted sources.");
++        }
++    }
++
+ }
+diff --git a/src/java/org/apache/commons/collections/functors/InstantiateFactory.java b/src/java/org/apache/commons/collections/functors/InstantiateFactory.java
+index 5d375de..938d6dc 100644
+--- a/src/java/org/apache/commons/collections/functors/InstantiateFactory.java
++++ b/src/java/org/apache/commons/collections/functors/InstantiateFactory.java
+@@ -16,6 +16,9 @@
+  */
+ package org.apache.commons.collections.functors;
+ 
++import java.io.IOException;
++import java.io.ObjectInputStream;
++import java.io.ObjectOutputStream;
+ import java.io.Serializable;
+ import java.lang.reflect.Constructor;
+ import java.lang.reflect.InvocationTargetException;
+@@ -25,6 +28,16 @@ import org.apache.commons.collections.FunctorException;
+ 
+ /**
+  * Factory implementation that creates a new object instance by reflection.
++ * <p>
++ * <b>WARNING:</b> This class will throw an
++ * {@link UnsupportedOperationException} when trying to serialize or
++ * de-serialize an instance to prevent potential remote code execution exploits.
++ * <p>
++ * In order to re-enable serialization support for {@code InstantiateTransformer}
++ * the following system property can be used (via -Dproperty=true):
++ * <pre>
++ * org.apache.commons.collections.enableUnsafeSerialization
++ * </pre>
+  * 
+  * @since Commons Collections 3.0
+  * @version $Revision: 646777 $ $Date: 2008-04-10 13:33:15 +0100 (Thu, 10 Apr 2008) $
+@@ -136,5 +149,22 @@ public class InstantiateFactory implements Factory, Serializable {
+             throw new FunctorException("InstantiateFactory: Constructor threw an exception", ex);
+         }
+     }
+-    
++
++    /**
++     * Overrides the default writeObject implementation to prevent
++     * serialization (see COLLECTIONS-580).
++     */
++    private void writeObject(ObjectOutputStream os) throws IOException {
++        FunctorUtils.checkUnsafeSerialization(InstantiateFactory.class);
++        os.defaultWriteObject();
++    }
++
++    /**
++     * Overrides the default readObject implementation to prevent
++     * de-serialization (see COLLECTIONS-580).
++     */
++    private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
++        FunctorUtils.checkUnsafeSerialization(InstantiateFactory.class);
++        is.defaultReadObject();
++    }
+ }
+diff --git a/src/java/org/apache/commons/collections/functors/InstantiateTransformer.java b/src/java/org/apache/commons/collections/functors/InstantiateTransformer.java
+index 73d6b2f..4927f05 100644
+--- a/src/java/org/apache/commons/collections/functors/InstantiateTransformer.java
++++ b/src/java/org/apache/commons/collections/functors/InstantiateTransformer.java
+@@ -16,6 +16,9 @@
+  */
+ package org.apache.commons.collections.functors;
+ 
++import java.io.IOException;
++import java.io.ObjectInputStream;
++import java.io.ObjectOutputStream;
+ import java.io.Serializable;
+ import java.lang.reflect.Constructor;
+ import java.lang.reflect.InvocationTargetException;
+@@ -25,6 +28,16 @@ import org.apache.commons.collections.Transformer;
+ 
+ /**
+  * Transformer implementation that creates a new object instance by reflection.
++ * <p>
++ * <b>WARNING:</b> This class will throw an
++ * {@link UnsupportedOperationException} when trying to serialize or
++ * de-serialize an instance to prevent potential remote code execution exploits.
++ * <p>
++ * In order to re-enable serialization support for {@code InstantiateTransformer}
++ * the following system property can be used (via -Dproperty=true):
++ * <pre>
++ * org.apache.commons.collections.enableUnsafeSerialization
++ * </pre>
+  * 
+  * @since Commons Collections 3.0
+  * @version $Revision: 646777 $ $Date: 2008-04-10 13:33:15 +0100 (Thu, 10 Apr 2008) $
+@@ -116,4 +129,22 @@ public class InstantiateTransformer implements Transformer, Serializable {
+         }
+     }
+ 
++    /**
++     * Overrides the default writeObject implementation to prevent
++     * serialization (see COLLECTIONS-580).
++     */
++    private void writeObject(ObjectOutputStream os) throws IOException {
++        FunctorUtils.checkUnsafeSerialization(InstantiateTransformer.class);
++        os.defaultWriteObject();
++    }
++
++    /**
++     * Overrides the default readObject implementation to prevent
++     * de-serialization (see COLLECTIONS-580).
++     */
++    private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
++        FunctorUtils.checkUnsafeSerialization(InstantiateTransformer.class);
++        is.defaultReadObject();
++    }
++
+ }
+diff --git a/src/java/org/apache/commons/collections/functors/InvokerTransformer.java b/src/java/org/apache/commons/collections/functors/InvokerTransformer.java
+index 6f60961..75f48af 100644
+--- a/src/java/org/apache/commons/collections/functors/InvokerTransformer.java
++++ b/src/java/org/apache/commons/collections/functors/InvokerTransformer.java
+@@ -16,6 +16,9 @@
+  */
+ package org.apache.commons.collections.functors;
+ 
++import java.io.IOException;
++import java.io.ObjectInputStream;
++import java.io.ObjectOutputStream;
+ import java.io.Serializable;
+ import java.lang.reflect.InvocationTargetException;
+ import java.lang.reflect.Method;
+@@ -25,6 +28,16 @@ import org.apache.commons.collections.Transformer;
+ 
+ /**
+  * Transformer implementation that creates a new object instance by reflection.
++ * <p>
++ * <b>WARNING:</b> This class will throw an
++ * {@link UnsupportedOperationException} when trying to serialize or
++ * de-serialize an instance to prevent potential remote code execution exploits.
++ * <p>
++ * In order to re-enable serialization support for {@code InvokerTransformer}
++ * the following system property can be used (via -Dproperty=true):
++ * <pre>
++ * org.apache.commons.collections.enableUnsafeSerialization
++ * </pre>
+  * 
+  * @since Commons Collections 3.0
+  * @version $Revision: 646777 $ $Date: 2008-04-10 13:33:15 +0100 (Thu, 10 Apr 2008) $
+@@ -134,4 +147,21 @@ public class InvokerTransformer implements Transformer, Serializable {
+         }
+     }
+ 
++    /**
++     * Overrides the default writeObject implementation to prevent
++     * serialization (see COLLECTIONS-580).
++     */
++    private void writeObject(ObjectOutputStream os) throws IOException {
++        FunctorUtils.checkUnsafeSerialization(InvokerTransformer.class);
++        os.defaultWriteObject();
++    }
++
++    /**
++     * Overrides the default readObject implementation to prevent
++     * de-serialization (see COLLECTIONS-580).
++     */
++    private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
++        FunctorUtils.checkUnsafeSerialization(InvokerTransformer.class);
++        is.defaultReadObject();
++    }
+ }
+diff --git a/src/java/org/apache/commons/collections/functors/PrototypeFactory.java b/src/java/org/apache/commons/collections/functors/PrototypeFactory.java
+index 4fa4150..d9908fa 100644
+--- a/src/java/org/apache/commons/collections/functors/PrototypeFactory.java
++++ b/src/java/org/apache/commons/collections/functors/PrototypeFactory.java
+@@ -49,6 +49,16 @@ public class PrototypeFactory {
+      * <li>public copy constructor
+      * <li>serialization clone
+      * <ul>
++     * <p>
++     * <b>WARNING:</b> This method will return a {@code Factory}
++     * that will throw an {@link UnsupportedOperationException} when trying to serialize
++     * or de-serialize it to prevent potential remote code execution exploits.
++     * <p>
++     * In order to re-enable serialization support the following system property
++     * can be used (via -Dproperty=true):
++     * <pre>
++     * org.apache.commons.collections.enableUnsafeSerialization
++     * </pre>
+      *
+      * @param prototype  the object to clone each time in the factory
+      * @return the <code>prototype</code> factory
+@@ -144,6 +154,24 @@ public class PrototypeFactory {
+                 throw new FunctorException("PrototypeCloneFactory: Clone method threw an exception", ex);
+             }
+         }
++
++        /**
++         * Overrides the default writeObject implementation to prevent
++         * serialization (see COLLECTIONS-580).
++         */
++        private void writeObject(ObjectOutputStream os) throws IOException {
++            FunctorUtils.checkUnsafeSerialization(PrototypeCloneFactory.class);
++            os.defaultWriteObject();
++        }
++
++        /**
++         * Overrides the default readObject implementation to prevent
++         * de-serialization (see COLLECTIONS-580).
++         */
++        private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
++            FunctorUtils.checkUnsafeSerialization(PrototypeCloneFactory.class);
++            is.defaultReadObject();
++        }
+     }
+ 
+     // PrototypeSerializationFactory
+@@ -204,6 +232,24 @@ public class PrototypeFactory {
+                 }
+             }
+         }
++
++        /**
++         * Overrides the default writeObject implementation to prevent
++         * serialization (see COLLECTIONS-580).
++         */
++        private void writeObject(ObjectOutputStream os) throws IOException {
++            FunctorUtils.checkUnsafeSerialization(PrototypeSerializationFactory.class);
++            os.defaultWriteObject();
++        }
++
++        /**
++         * Overrides the default readObject implementation to prevent
++         * de-serialization (see COLLECTIONS-580).
++         */
++        private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
++            FunctorUtils.checkUnsafeSerialization(PrototypeSerializationFactory.class);
++            is.defaultReadObject();
++        }
+     }
+ 
+ }
+diff --git a/src/java/org/apache/commons/collections/functors/WhileClosure.java b/src/java/org/apache/commons/collections/functors/WhileClosure.java
+index 853e83a..596afc8 100644
+--- a/src/java/org/apache/commons/collections/functors/WhileClosure.java
++++ b/src/java/org/apache/commons/collections/functors/WhileClosure.java
+@@ -16,6 +16,9 @@
+  */
+ package org.apache.commons.collections.functors;
+ 
++import java.io.IOException;
++import java.io.ObjectInputStream;
++import java.io.ObjectOutputStream;
+ import java.io.Serializable;
+ 
+ import org.apache.commons.collections.Closure;
+@@ -24,6 +27,16 @@ import org.apache.commons.collections.Predicate;
+ /**
+  * Closure implementation that executes a closure repeatedly until a condition is met,
+  * like a do-while or while loop.
++ * <p>
++ * <b>WARNING:</b> This class will throw an
++ * {@link UnsupportedOperationException} when trying to serialize or
++ * de-serialize an instance to prevent potential remote code execution exploits.
++ * <p>
++ * In order to re-enable serialization support for {@code WhileClosure}
++ * the following system property can be used (via -Dproperty=true):
++ * <pre>
++ * org.apache.commons.collections.enableUnsafeSerialization
++ * </pre>
+  * 
+  * @since Commons Collections 3.0
+  * @version $Revision: 646777 $ $Date: 2008-04-10 13:33:15 +0100 (Thu, 10 Apr 2008) $
+@@ -120,4 +133,22 @@ public class WhileClosure implements Closure, Serializable {
+         return iDoLoop;
+     }
+ 
++    /**
++     * Overrides the default writeObject implementation to prevent
++     * serialization (see COLLECTIONS-580).
++     */
++    private void writeObject(ObjectOutputStream os) throws IOException {
++        FunctorUtils.checkUnsafeSerialization(WhileClosure.class);
++        os.defaultWriteObject();
++    }
++
++    /**
++     * Overrides the default readObject implementation to prevent
++     * de-serialization (see COLLECTIONS-580).
++     */
++    private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
++        FunctorUtils.checkUnsafeSerialization(WhileClosure.class);
++        is.defaultReadObject();
++    }
++
+ }
+diff --git a/src/test/org/apache/commons/collections/TestFactoryUtils.java b/src/test/org/apache/commons/collections/TestFactoryUtils.java
+index 0895903..bc7d729 100644
+--- a/src/test/org/apache/commons/collections/TestFactoryUtils.java
++++ b/src/test/org/apache/commons/collections/TestFactoryUtils.java
+@@ -136,15 +136,6 @@ public class TestFactoryUtils extends junit.framework.TestCase {
+         Object created = factory.create();
+         assertTrue(proto != created);
+         assertEquals(proto, created);
+-        
+-        // check serialisation works
+-        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
+-        ObjectOutputStream out = new ObjectOutputStream(buffer);
+-        out.writeObject(factory);
+-        out.close();
+-        ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buffer.toByteArray()));
+-        Object dest = in.readObject();
+-        in.close();
+     }
+ 
+     public void testPrototypeFactoryPublicCopyConstructor() throws Exception {
+@@ -154,23 +145,6 @@ public class TestFactoryUtils extends junit.framework.TestCase {
+         Object created = factory.create();
+         assertTrue(proto != created);
+         assertEquals(proto, created);
+-        
+-        // check serialisation works
+-        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
+-        ObjectOutputStream out = new ObjectOutputStream(buffer);
+-        try {
+-            out.writeObject(factory);
+-        } catch (NotSerializableException ex) {
+-            out.close();
+-        }
+-        factory = FactoryUtils.prototypeFactory(new Mock2("S"));
+-        buffer = new ByteArrayOutputStream();
+-        out = new ObjectOutputStream(buffer);
+-        out.writeObject(factory);
+-        out.close();
+-        ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buffer.toByteArray()));
+-        Object dest = in.readObject();
+-        in.close();
+     }
+ 
+     public void testPrototypeFactoryPublicSerialization() throws Exception {
+@@ -180,15 +154,6 @@ public class TestFactoryUtils extends junit.framework.TestCase {
+         Object created = factory.create();
+         assertTrue(proto != created);
+         assertEquals(proto, created);
+-        
+-        // check serialisation works
+-        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
+-        ObjectOutputStream out = new ObjectOutputStream(buffer);
+-        out.writeObject(factory);
+-        out.close();
+-        ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buffer.toByteArray()));
+-        Object dest = in.readObject();
+-        in.close();
+     }
+ 
+     public void testPrototypeFactoryPublicSerializationError() {
diff --git a/SPECS/apache-commons-collections.spec b/SPECS/apache-commons-collections.spec
index c0f8593..cd658ac 100644
--- a/SPECS/apache-commons-collections.spec
+++ b/SPECS/apache-commons-collections.spec
@@ -3,7 +3,7 @@
 
 Name:           apache-%{short_name}
 Version:        3.2.1
-Release:        21%{?dist}
+Release:        22%{?dist}
 Summary:        Provides new interfaces, implementations and utilities for Java Collections
 License:        ASL 2.0
 Group:          Development/Libraries
@@ -12,6 +12,7 @@ Source0:        http://www.apache.org/dist/commons/%{base_name}/source/%{short_n
 
 Patch0:         jakarta-%{short_name}-javadoc-nonet.patch
 Patch4:         commons-collections-3.2-build_xml.patch
+Patch5:         CVE-2015-7501.patch
 
 BuildArch:      noarch
 
@@ -87,6 +88,7 @@ find . -name "*.jar" -exec rm -f {} \;
 
 %patch0 -p1
 %patch4 -b .sav
+%patch5 -p1
 
 # Fix file eof
 %{__sed} -i 's/\r//' LICENSE.txt
@@ -130,6 +132,10 @@ cp -pr build/docs/testframework/* $RPM_BUILD_ROOT%{_javadocdir}/%{name}-testfram
 
 
 %changelog
+* Fri Nov 20 2015 Michal Srb <msrb@redhat.com> - 3.2.1-22
+- Fix Java object de-serialization vulnerability
+- Resolves: CVE-2015-7501
+
 * Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 3.2.1-21
 - Mass rebuild 2013-12-27