diff --git a/SOURCES/0001-CVE-2022-42920.patch b/SOURCES/0001-CVE-2022-42920.patch new file mode 100644 index 0000000..4bbb9ee --- /dev/null +++ b/SOURCES/0001-CVE-2022-42920.patch @@ -0,0 +1,71 @@ +From 3a4e355796891149adfd9228633f179015293dbd Mon Sep 17 00:00:00 2001 +From: Richard Atkins +Date: Wed, 21 Sep 2022 23:18:58 +1000 +Subject: [PATCH] CVE-2022-42920 + +--- + .../org/apache/bcel/classfile/ConstantPool.java | 15 +++++++++++---- + .../org/apache/bcel/generic/ConstantPoolGen.java | 11 ++++++++++- + 2 files changed, 21 insertions(+), 5 deletions(-) + +diff --git a/src/main/java/org/apache/bcel/classfile/ConstantPool.java b/src/main/java/org/apache/bcel/classfile/ConstantPool.java +index f2c946a1..77ab0da4 100644 +--- a/src/main/java/org/apache/bcel/classfile/ConstantPool.java ++++ b/src/main/java/org/apache/bcel/classfile/ConstantPool.java +@@ -218,10 +218,17 @@ public class ConstantPool implements Cloneable, Node { + * @throws IOException + */ + public void dump( final DataOutputStream file ) throws IOException { +- file.writeShort(constant_pool.length); +- for (int i = 1; i < constant_pool.length; i++) { +- if (constant_pool[i] != null) { +- constant_pool[i].dump(file); ++ /* ++ * Constants over the size of the constant pool shall not be written out. ++ * This is a redundant measure as the ConstantPoolGen should have already ++ * reported an error back in the situation. ++ */ ++ final int size = Math.min(constant_pool.length, Const.MAX_CP_ENTRIES); ++ ++ file.writeShort(size); ++ for (int i = 1; i < size; i++) { ++ if (constant_pool[i] != null) { ++ constant_pool[i].dump(file); + } + } + } +diff --git a/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java b/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java +index fd0af47e..d3189ba4 100644 +--- a/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java ++++ b/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java +@@ -95,7 +95,7 @@ public class ConstantPoolGen { + public ConstantPoolGen(final Constant[] cs) { + final StringBuilder sb = new StringBuilder(DEFAULT_BUFFER_SIZE); + +- size = Math.max(DEFAULT_BUFFER_SIZE, cs.length + 64); ++ size = Math.min(Math.max(DEFAULT_BUFFER_SIZE, cs.length + 64), Const.MAX_CP_ENTRIES + 1); + constants = new Constant[size]; + + System.arraycopy(cs, 0, constants, 0, cs.length); +@@ -224,9 +224,18 @@ public class ConstantPoolGen { + /** Resize internal array of constants. + */ + protected void adjustSize() { ++ // 3 extra spaces are needed as some entries may take 3 slots ++ if (index + 3 >= Const.MAX_CP_ENTRIES + 1) { ++ throw new IllegalStateException("The number of constants " + (index + 3) ++ + " is over the size of the constant pool: " ++ + Const.MAX_CP_ENTRIES); ++ } ++ + if (index + 3 >= size) { + final Constant[] cs = constants; + size *= 2; ++ // the constant array shall not exceed the size of the constant pool ++ size = Math.min(size, Const.MAX_CP_ENTRIES + 1); + constants = new Constant[size]; + System.arraycopy(cs, 0, constants, 0, index); + } +-- +2.38.1 + diff --git a/SPECS/bcel.spec b/SPECS/bcel.spec index b2b4967..50805e8 100644 --- a/SPECS/bcel.spec +++ b/SPECS/bcel.spec @@ -1,6 +1,6 @@ Name: bcel Version: 6.4.1 -Release: 8%{?dist} +Release: 9%{?dist} Summary: Byte Code Engineering Library License: ASL 2.0 URL: http://commons.apache.org/proper/commons-bcel/ @@ -8,6 +8,8 @@ BuildArch: noarch Source0: http://archive.apache.org/dist/commons/bcel/source/bcel-%{version}-src.tar.gz +Patch1: 0001-CVE-2022-42920.patch + BuildRequires: maven-local BuildRequires: mvn(org.apache.commons:commons-parent:pom:) @@ -35,6 +37,7 @@ This package provides %{summary}. %prep %setup -q -n %{name}-%{version}-src +%patch1 -p1 %pom_remove_plugin :maven-source-plugin @@ -55,6 +58,10 @@ This package provides %{summary}. %license LICENSE.txt NOTICE.txt %changelog +* Thu Dec 01 2022 Mikolaj Izdebski - 6.4.1-9 +- Fix arbitrary bytecode produced via out-of-bounds writing +- Resolves: CVE-2022-42920 + * Mon Aug 09 2021 Mohan Boddu - 6.4.1-8 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688