Blame SOURCES/hsqldb-1.8.0-CVE-2022-41853.patch

From 304f6fcb4e9124b9dbabf3ae28a3a7d21942429f Mon Sep 17 00:00:00 2001
From: Mikolaj Izdebski <mizdebsk@redhat.com>
Date: Mon, 7 Nov 2022 10:06:16 +0100
Subject: [PATCH] Fix CVE-2022-41853
Backport upstream fix for CVE-2022-41853 from SVN r6614.
Java methods used in routines must now be in hsqldb.method_class_names
value string.
https://sourceforge.net/p/hsqldb/svn/6614
---
 src/org/hsqldb/persist/HsqlDatabaseProperties.java | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
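--- a/src/org/hsqldb/persist/HsqlDatabaseProperties.java
+++ b/src/org/hsqldb/persist/HsqlDatabaseProperties.java
@@ -57,14 +57,13 @@ public class HsqlDatabaseProperties extends HsqlProperties {
 
     private static String hsqldb_method_class_names =
         "hsqldb.method_class_names";
-    private static HashSet accessibleJavaMethodNames;
+    private static HashSet accessibleJavaMethodNames = new HashSet();
 
     static {
         try {
             String prop = System.getProperty(hsqldb_method_class_names);
 
             if (prop != null) {
-                accessibleJavaMethodNames = new HashSet();
 
                 String[] names = StringUtil.split(prop, ";");
 
@@ -77,7 +76,7 @@ public class HsqlDatabaseProperties extends HsqlProperties {
 
     /**
      * If the system property "hsqldb.method_class_names" is not set, then
-     * static methods of all available Java classes can be accessed as functions
+     * static methods of available Java classes cannot be accessed as functions
      * in HSQLDB. If the property is set, then only the list of semicolon
      * seperated method names becomes accessible. An empty property value means
      * no class is accessible.
@@ -93,10 +92,6 @@ public class HsqlDatabaseProperties extends HsqlProperties {
      */
     public static boolean supportsJavaMethod(String name) {
 
-        if (accessibleJavaMethodNames == null) {
-            return true;
-        }
-
         if (name.startsWith("org.hsqldb.Library.")) {
             return true;
         }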
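Review bot: The allow-list field in the first hunk is still a reassignable static even though the only assignment inside the static initializer has been removed; declaring it `private static final HashSet accessibleJavaMethodNames = new HashSet();` would guarantee that the set `supportsJavaMethod` consults cannot be swapped or nulled later (assuming nothing outside the visible hunks reassigns it). The reworded Javadoc in the second hunk says static methods cannot be accessed when the property is unset, yet the unconditional `org.hsqldb.Library.` prefix check in the third hunk still returns true; if the Javadoc lines outside the hunk do not already state that exception, it should be added so operators know what remains callable under the default. Both the static block and the body of `supportsJavaMethod` continue outside the hunks shown, so the final lookup against the set is not visible here.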
-- 
2.37.3