diff --git a/SOURCES/0001-CVE-2022-42920.patch b/SOURCES/0001-CVE-2022-42920.patch
new file mode 100644
index 0000000..57db8ec
--- /dev/null
+++ b/SOURCES/0001-CVE-2022-42920.patch
@@ -0,0 +1,66 @@
+From d98245e5c808816f0ec1382ada2cb893b01101d2 Mon Sep 17 00:00:00 2001
+From: Mikolaj Izdebski
+Date: Thu, 1 Dec 2022 20:04:58 +0100
+Subject: [PATCH] CVE-2022-42920
+
+---
+ src/java/org/apache/bcel/classfile/ConstantPool.java | 11 +++++++++--
+ src/java/org/apache/bcel/generic/ConstantPoolGen.java | 10 +++++++++-
+ 2 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/src/java/org/apache/bcel/classfile/ConstantPool.java b/src/java/org/apache/bcel/classfile/ConstantPool.java
+index 8c666cf9..267227cd 100644
+--- a/src/java/org/apache/bcel/classfile/ConstantPool.java
++++ b/src/java/org/apache/bcel/classfile/ConstantPool.java
+@@ -198,8 +198,15 @@ public class ConstantPool implements Cloneable, Node, Serializable {
+ * @throws IOException
+ */
+ public void dump( DataOutputStream file ) throws IOException {
+- file.writeShort(constant_pool_count);
+- for (int i = 1; i < constant_pool_count; i++) {
++ /*
++ * Constants over the size of the constant pool shall not be written out.
++ * This is a redundant measure as the ConstantPoolGen should have already
++ * reported an error back in the situation.
++ */
++ final int size = Math.min(constant_pool_count, Constants.MAX_CP_ENTRIES);
++
++ file.writeShort(size);
++ for (int i = 1; i < size; i++) {
+ if (constant_pool[i] != null) {
+ constant_pool[i].dump(file);
+ }
+diff --git a/src/java/org/apache/bcel/generic/ConstantPoolGen.java b/src/java/org/apache/bcel/generic/ConstantPoolGen.java
+index fd533be8..a6960e50 100644
+--- a/src/java/org/apache/bcel/generic/ConstantPoolGen.java
++++ b/src/java/org/apache/bcel/generic/ConstantPoolGen.java
+@@ -76,7 +76,7 @@ public class ConstantPoolGen implements java.io.Serializable {
+ */
+ public ConstantPoolGen(Constant[] cs) {
+ if (cs.length > size) {
+- size = cs.length;
++ size = Math.min(cs.length, Constants.MAX_CP_ENTRIES + 1);
+ constants = new Constant[size];
+ }
+ System.arraycopy(cs, 0, constants, 0, cs.length);
+@@ -156,9 +156,17 @@ public class ConstantPoolGen implements java.io.Serializable {
+ /** Resize internal array of constants.
+ */
+ protected void adjustSize() {
++ // 3 extra spaces are needed as some entries may take 3 slots
++ if (index + 3 >= Constants.MAX_CP_ENTRIES + 1) {
++ throw new IllegalStateException("The number of constants " + (index + 3)
++ + " is over the size of the constant pool: "
++ + Constants.MAX_CP_ENTRIES);
++ }
+ if (index + 3 >= size) {
+ Constant[] cs = constants;
+ size *= 2;
++ // the constant array shall not exceed the size of the constant pool
++ size = Math.min(size, Constants.MAX_CP_ENTRIES + 1);
+ constants = new Constant[size];
+ System.arraycopy(cs, 0, constants, 0, index);
+ }
+--
+2.38.1
+
diff --git a/SPECS/bcel.spec b/SPECS/bcel.spec
index 7dca4c5..682216a 100644
--- a/SPECS/bcel.spec
+++ b/SPECS/bcel.spec
@@ -1,6 +1,6 @@
 Name: bcel
 Version: 5.2
-Release: 18%{?dist}
+Release: 19%{?dist}
 Epoch: 0
 Summary: Byte Code Engineering Library
 License: ASL 2.0
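Review bot: In the `ConstantPoolGen(Constant[] cs)` hunk of the embedded ConstantPoolGen.java patch, capping `size` at `Constants.MAX_CP_ENTRIES + 1` leaves the following `System.arraycopy(cs, 0, constants, 0, cs.length)` copying the full `cs.length`, so an oversized input array is rejected only by the index-out-of-bounds exception that arraycopy raises, not by a deliberate check. That still fails closed, but it is inconsistent with `adjustSize()`, which throws `IllegalStateException` with a clear message; I would add the same explicit guard before the allocation, e.g. `if (cs.length > Constants.MAX_CP_ENTRIES + 1) { throw new IllegalStateException("The number of constants " + cs.length + " is over the size of the constant pool: " + Constants.MAX_CP_ENTRIES); }`. The constructor body continues outside the hunk, so whether later code relies on `size` matching `cs.length` cannot be checked from here. Separately, `ConstantPool.dump()` now truncates silently at `MAX_CP_ENTRIES`; a Javadoc sentence stating that entries beyond the limit are dropped, not written, would help callers who inspect the output.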
@@ -9,6 +9,7 @@ Source0: http://archive.apache.org/dist/commons/bcel/source/bcel-5.2-src. # Upstream uses Maven 1, which is not available in Fedora. # The following is upstream project.xml converted to Maven 2/3. Source1: %{name}-pom.xml +Patch1: 0001-CVE-2022-42920.patch BuildArch: noarch BuildRequires: maven-local @@ -40,6 +41,7 @@ This package provides %{summary}. %prep %setup -q +%patch1 -p1 cp -p %{SOURCE1} pom.xml %mvn_alias : bcel: %mvn_file : %{name} @@ -58,6 +60,10 @@ cp -p %{SOURCE1} pom.xml %doc LICENSE.txt NOTICE.txt %changelog +* Thu Dec 01 2022 Mikolaj Izdebski - 0:5.2-19 +- Fix arbitrary bytecode produced via out-of-bounds writing +- Resolves: CVE-2022-42920 + * Fri Dec 27 2013 Daniel Mach - 05.2-18 - Mass rebuild 2013-12-27