diff --git a/SOURCES/hsqldb-1.8.0-CVE-2022-41853.patch b/SOURCES/hsqldb-1.8.0-CVE-2022-41853.patch
new file mode 100644
index 0000000..d8352cf
--- /dev/null
+++ b/SOURCES/hsqldb-1.8.0-CVE-2022-41853.patch
@@ -0,0 +1,57 @@
+From 304f6fcb4e9124b9dbabf3ae28a3a7d21942429f Mon Sep 17 00:00:00 2001
+From: Mikolaj Izdebski
+Date: Mon, 7 Nov 2022 10:06:16 +0100
+Subject: [PATCH] Fix CVE-2022-41853
+
+Backport upstream fix for CVE-2022-41853 from SVN r6614.
+Java methods used in routines must now be in hsqldb.method_class_names
+value string.
+
+https://sourceforge.net/p/hsqldb/svn/6614
+---
+ src/org/hsqldb/persist/HsqlDatabaseProperties.java | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/src/org/hsqldb/persist/HsqlDatabaseProperties.java b/src/org/hsqldb/persist/HsqlDatabaseProperties.java
+index 2033183..b2012c2 100644
+--- a/src/org/hsqldb/persist/HsqlDatabaseProperties.java
++++ b/src/org/hsqldb/persist/HsqlDatabaseProperties.java
+@@ -57,14 +57,13 @@ public class HsqlDatabaseProperties extends HsqlProperties {
+
+ private static String hsqldb_method_class_names =
+ "hsqldb.method_class_names";
+- private static HashSet accessibleJavaMethodNames;
++ private static HashSet accessibleJavaMethodNames = new HashSet();
+
+ static {
+ try {
+ String prop = System.getProperty(hsqldb_method_class_names);
+
+ if (prop != null) {
+- accessibleJavaMethodNames = new HashSet();
+
+ String[] names = StringUtil.split(prop, ";");
+
+@@ -77,7 +76,7 @@ public class HsqlDatabaseProperties extends HsqlProperties {
+
+ /**
+ * If the system property "hsqldb.method_class_names" is not set, then
+- * static methods of all available Java classes can be accessed as functions
++ * static methods of available Java classes cannot be accessed as functions
+ * in HSQLDB. If the property is set, then only the list of semicolon
+ * seperated method names becomes accessible. An empty property value means
+ * no class is accessible.

+@@ -93,10 +92,6 @@ public class HsqlDatabaseProperties extends HsqlProperties {
+ */
+ public static boolean supportsJavaMethod(String name) {
+
+- if (accessibleJavaMethodNames == null) {
+- return true;
+- }
+-
+ if (name.startsWith("org.hsqldb.Library.")) {
+ return true;
+ }
+--
+2.37.3
+
diff --git a/SPECS/hsqldb.spec b/SPECS/hsqldb.spec
index 8067925..2da12d8 100644
--- a/SPECS/hsqldb.spec
+++ b/SPECS/hsqldb.spec
@@ -32,7 +32,7 @@ Name: hsqldb
 Version: 1.8.1.3
-Release: 14%{?dist}
+Release: 15%{?dist}
 Epoch: 1
 Summary: HyperSQL Database Engine
 License: BSD
@@ -58,6 +58,7 @@ Patch0: %{name}-1.8.0-scripts.patch
 Patch1: hsqldb-tmp.patch
 Patch2: %{name}-1.8.0-specify-su-shell.patch
 Patch3: %{name}-jdbc-4.1.patch
+Patch4: %{name}-1.8.0-CVE-2022-41853.patch
 BuildRequires: ant
 BuildRequires: jpackage-utils >= 0:1.5
@@ -134,6 +135,7 @@ chmod -R go=u-w *
 %patch1 -p1
 %patch2
 %patch3 -p1
+%patch4 -p1
 cp %{SOURCE5} ./pom.xml
@@ -256,6 +258,10 @@ popd
 %{_datadir}/%{name}
 %changelog
+* Mon Nov 07 2022 Mikolaj Izdebski - 1:1.8.1.3-15
+- Fix possible remote code execution vulnerability
+- Resolves: CVE-2022-41853
+
 * Thu Oct 8 2015 Mikolaj Izdebski - 1:1.8.1.3-14
 - Remove dependency on initscripts
 - Add After=network.target to systemd service
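Review bot: The rewritten Javadoc line `static methods of available Java classes cannot be accessed as functions` overstates the new default, because the unchanged `if (name.startsWith("org.hsqldb.Library."))` branch in the last inner hunk still returns true, so the built-in org.hsqldb.Library methods remain callable when the property is unset. I would word it `* only org.hsqldb.Library methods can be accessed as functions; static methods of other Java classes cannot`, so the comment and supportsJavaMethod state the same contract. Since dropping the null check turns an unset hsqldb.method_class_names from allow-all into deny-all, deployments that relied on the old default will start failing on routines that call static methods not listed there; the spec changelog only says the CVE is fixed, and one line naming hsqldb.method_class_names as the opt-in allowlist would help packagers and operators. The allowlist itself is read once in the static initializer, so it is fixed at class-load time and cannot be widened at runtime. supportsJavaMethod's body continues past the end of this hunk, so the remaining allowlist lookup is not visible here.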