From c3050d6f944c3416424899b6fb1f80bde97d2864 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Aug 02 2019 19:07:21 +0000
Subject: import log4j12-1.2.17-22.module+el8+2598+06babf2e
---
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..87eee08
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/v1_2_17.tar.gz
diff --git a/.log4j12.metadata b/.log4j12.metadata
new file mode 100644
index 0000000..3356fe3
--- /dev/null
+++ b/.log4j12.metadata
@@ -0,0 +1 @@
+c26767fd95556e124277d8555eaa4562831eabb3 SOURCES/v1_2_17.tar.gz
diff --git a/SOURCES/0001-Backport-fix-for-CVE-2017-5645.patch b/SOURCES/0001-Backport-fix-for-CVE-2017-5645.patch
new file mode 100644
index 0000000..704ecfc
--- /dev/null
+++ b/SOURCES/0001-Backport-fix-for-CVE-2017-5645.patch
@@ -0,0 +1,127 @@ +From ea4609eca531916ac347686c048bebdb7b4b6e0d Mon Sep 17 00:00:00 2001 +From: Michael Simacek +Date: Fri, 2 Jun 2017 14:37:35 +0200 +Subject: [PATCH] Backport fix for CVE-2017-5645 + +--- + .../apache/log4j/FilteredObjectInputStream.java | 65 ++++++++++++++++++++++ + src/main/java/org/apache/log4j/net/SocketNode.java | 17 +++++- + 2 files changed, 80 insertions(+), 2 deletions(-) + create mode 100644 src/main/java/org/apache/log4j/FilteredObjectInputStream.java + +diff --git a/src/main/java/org/apache/log4j/FilteredObjectInputStream.java b/src/main/java/org/apache/log4j/FilteredObjectInputStream.java +new file mode 100644 +index 0000000..b9ef20c +--- /dev/null ++++ b/src/main/java/org/apache/log4j/FilteredObjectInputStream.java +@@ -0,0 +1,65 @@ ++/* ++ * Licensed to the Apache Software Foundation (ASF) under one or more ++ * contributor license agreements. See the NOTICE file distributed with ++ * this work for additional information regarding copyright ownership. ++ * The ASF licenses this file to You under the Apache license, Version 2.0 ++ * (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the license for the specific language governing permissions and ++ * limitations under the license. 
++ */ ++package org.apache.log4j; ++ ++import java.io.FileOutputStream; ++import java.io.IOException; ++import java.io.InputStream; ++import java.io.InvalidObjectException; ++import java.io.ObjectInputStream; ++import java.io.ObjectStreamClass; ++import java.util.Arrays; ++import java.util.Collection; ++import java.util.List; ++ ++/** ++ * Extended ObjectInputStream that only allows certain classes to be deserialized. ++ * ++ * Backported from 2.8.2 ++ */ ++public class FilteredObjectInputStream extends ObjectInputStream { ++ ++ private static final List REQUIRED_JAVA_CLASSES = Arrays.asList(new String[] { ++ // Types of non-trainsient fields of LoggingEvent ++ "java.lang.String", ++ "java.util.Hashtable", ++ // ThrowableInformation ++ "[Ljava.lang.String;" ++ }); ++ ++ private final Collection allowedClasses; ++ ++ public FilteredObjectInputStream(final InputStream in, final Collection allowedClasses) throws IOException { ++ super(in); ++ this.allowedClasses = allowedClasses; ++ } ++ ++ protected Class resolveClass(final ObjectStreamClass desc) throws IOException, ClassNotFoundException { ++ String name = desc.getName(); ++ if (!(isAllowedByDefault(name) || allowedClasses.contains(name))) { ++ throw new InvalidObjectException("Class is not allowed for deserialization: " + name); ++ } ++ return super.resolveClass(desc); ++ } ++ ++ private static boolean isAllowedByDefault(final String name) { ++ return name.startsWith("org.apache.log4j.") || ++ name.startsWith("[Lorg.apache.log4j.") || ++ REQUIRED_JAVA_CLASSES.contains(name); ++ } ++ ++} +diff --git a/src/main/java/org/apache/log4j/net/SocketNode.java b/src/main/java/org/apache/log4j/net/SocketNode.java +index e977f13..f95bb10 100644 +--- a/src/main/java/org/apache/log4j/net/SocketNode.java ++++ b/src/main/java/org/apache/log4j/net/SocketNode.java +@@ -22,6 +22,10 @@ import java.io.IOException; + import java.io.InterruptedIOException; + import java.io.ObjectInputStream; + import java.net.Socket; ++import 
java.util.ArrayList; ++import java.util.Arrays; ++import java.util.Collection; ++import org.apache.log4j.FilteredObjectInputStream; + + import org.apache.log4j.Logger; + import org.apache.log4j.spi.LoggerRepository; +@@ -53,8 +57,9 @@ public class SocketNode implements Runnable { + this.socket = socket; + this.hierarchy = hierarchy; + try { +- ois = new ObjectInputStream( +- new BufferedInputStream(socket.getInputStream())); ++ ois = new FilteredObjectInputStream( ++ new BufferedInputStream(socket.getInputStream()), ++ getAllowedClasses()); + } catch(InterruptedIOException e) { + Thread.currentThread().interrupt(); + logger.error("Could not open ObjectInputStream to "+socket, e); +@@ -65,6 +70,14 @@ public class SocketNode implements Runnable { + } + } + ++ private Collection getAllowedClasses() { ++ Collection allowedClasses = new ArrayList(); ++ String property = System.getProperty("org.apache.log4j.net.allowedClasses"); ++ if (property != null) ++ allowedClasses.addAll(Arrays.asList(property.split(","))); ++ return allowedClasses; ++ } ++ + //public + //void finalize() { + //System.err.println("-------------------------Finalize called"); +-- +2.9.4 + diff --git a/SOURCES/0001-logfactor5-changed-userdir.patch b/SOURCES/0001-logfactor5-changed-userdir.patch new file mode 100644 index 0000000..95aa5fa --- /dev/null +++ b/SOURCES/0001-logfactor5-changed-userdir.patch 
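Review bot: `isAllowedByDefault` in the new `FilteredObjectInputStream` admits every class whose name starts with `org.apache.log4j.`, which is wider than the `LoggingEvent` object graph the comment on `REQUIRED_JAVA_CLASSES` refers to and also covers any add-on jar on the receiver's classpath that uses the same package prefix. An exact-name list (the event class plus the types of its non-transient fields, alongside `REQUIRED_JAVA_CLASSES`) would keep the filter closer to least privilege. The class overrides only `resolveClass`, so dynamic-proxy descriptors, which `ObjectInputStream` resolves through `resolveProxyClass`, are not checked against the list; overriding that method to throw `InvalidObjectException` would close the gap. In `SocketNode.getAllowedClasses` the property value is split on `,` without trimming, so a value such as `a.B, c.D` (constructed example) leaves `c.D` rejected with no hint why; `allowedClasses.add(entries[i].trim());` in a loop that skips empty entries avoids that. The `java.io.FileOutputStream` import is unused and the field comment reads `non-trainsient`.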
@@ -0,0 +1,56 @@ +From bf8f55bbc9baddcb67d0b89edd859f93ce3c949f Mon Sep 17 00:00:00 2001 +From: Stanislav Ochotnicky +Date: Mon, 17 May 2010 12:57:36 +0200 +Subject: [PATCH 01/10] logfactor5 changed userdir + +--- + .../lf5/viewer/configure/ConfigurationManager.java | 2 +- + .../log4j/lf5/viewer/configure/MRUFileManager.java | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/main/java/org/apache/log4j/lf5/viewer/configure/ConfigurationManager.java b/src/main/java/org/apache/log4j/lf5/viewer/configure/ConfigurationManager.java +index a94ffab..81191f2 100644 +--- a/src/main/java/org/apache/log4j/lf5/viewer/configure/ConfigurationManager.java ++++ b/src/main/java/org/apache/log4j/lf5/viewer/configure/ConfigurationManager.java +@@ -344,7 +344,7 @@ public class ConfigurationManager extends Object { + String home = System.getProperty("user.home"); + String sep = System.getProperty("file.separator"); + +- return home + sep + "lf5" + sep + CONFIG_FILE_NAME; ++ return home + sep + ".logfactor5" + sep + CONFIG_FILE_NAME; + } + + //-------------------------------------------------------------------------- +diff --git a/src/main/java/org/apache/log4j/lf5/viewer/configure/MRUFileManager.java b/src/main/java/org/apache/log4j/lf5/viewer/configure/MRUFileManager.java +index 6ff275d..ca40d5a 100644 +--- a/src/main/java/org/apache/log4j/lf5/viewer/configure/MRUFileManager.java ++++ b/src/main/java/org/apache/log4j/lf5/viewer/configure/MRUFileManager.java +@@ -175,14 +175,14 @@ public class MRUFileManager { + + /** + * Creates the directory where the MRU file list will be written. +- * The "lf5" directory is created in the Documents and Settings ++ * The ".logfactor5" directory is created in the Documents and Settings + * directory on Windows 2000 machines and where ever the user.home + * variable points on all other platforms. 
+ */ + public static void createConfigurationDirectory() { + String home = System.getProperty("user.home"); + String sep = System.getProperty("file.separator"); +- File f = new File(home + sep + "lf5"); ++ File f = new File(home + sep + ".logfactor5"); + if (!f.exists()) { + try { + f.mkdir(); +@@ -268,7 +268,7 @@ public class MRUFileManager { + String home = System.getProperty("user.home"); + String sep = System.getProperty("file.separator"); + +- return home + sep + "lf5" + sep + CONFIG_FILE_NAME; ++ return home + sep + ".logfactor5" + sep + CONFIG_FILE_NAME; + } + + /** +-- +1.6.6.1 + diff --git a/SOURCES/0009-Fix-tests.patch b/SOURCES/0009-Fix-tests.patch new file mode 100644 index 0000000..3918a50 --- /dev/null +++ b/SOURCES/0009-Fix-tests.patch @@ -0,0 +1,34 @@ +From 91349164c1d44eec50ac1b09ef3e2ff41b4aa468 Mon Sep 17 00:00:00 2001 +From: Michal Srb +Date: Thu, 11 Jul 2013 11:13:45 +0200 +Subject: [PATCH] Fix tests + +--- + tests/build.xml | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tests/build.xml b/tests/build.xml +index 74a7139..9149da2 100644 +--- a/tests/build.xml ++++ b/tests/build.xml +@@ -31,13 +31,13 @@ + the Maven repository can provide all the dependencies. --> + + +- ++ + + +- +- ++ ++ + +- ++ + + + +-- +1.8.1.4 + diff --git a/SOURCES/0010-Fix-javadoc-link.patch b/SOURCES/0010-Fix-javadoc-link.patch new file mode 100644 index 0000000..e60ed57 --- /dev/null +++ b/SOURCES/0010-Fix-javadoc-link.patch @@ -0,0 +1,25 @@ +From 4753784d3e8ed5ec9973f67e9017bcb7ef41b4b1 Mon Sep 17 00:00:00 2001 +From: Stanislav Ochotnicky +Date: Tue, 18 May 2010 15:07:00 +0200 +Subject: [PATCH 10/10] Fix javadoc link + +--- + build.xml | 3 +-- + 1 files changed, 1 insertions(+), 2 deletions(-) + +diff --git a/build.xml b/build.xml +index 54bad8f..c775a68 100644 +--- a/build.xml ++++ b/build.xml +@@ -517,8 +517,7 @@ + -->' + bottom="Copyright 2000-2007 Apache Software Foundation."> + +- +- ++ + + + +-- +1.6.6.1 \ No newline at end of file 
diff --git a/SOURCES/log4j.catalog b/SOURCES/log4j.catalog
new file mode 100644
index 0000000..16dca75
--- /dev/null
+++ b/SOURCES/log4j.catalog
@@ -0,0 +1,5 @@
+-- log4j DTD catalog --
+-- JPackage Project --
+
+DOCTYPE log4j:configuration log4j.dtd
+PUBLIC "-//APACHE//DTD LOG4J 1.2//EN" log4j.dtd
\ No newline at end of file
diff --git a/SPECS/log4j12.spec b/SPECS/log4j12.spec
new file mode 100644
index 0000000..f8e5508
--- /dev/null
+++ b/SPECS/log4j12.spec
@@ -0,0 +1,248 @@ +%global archiversion %(echo %{version} | tr . _ ) + +%bcond_without dtd + +Name: log4j12 +Version: 1.2.17 +Release: 22%{?dist} +Summary: Java logging package +License: ASL 2.0 +URL: http://logging.apache.org/log4j/1.2/ +BuildArch: noarch + +Source0: https://github.com/apache/log4j/archive/v%{archiversion}.tar.gz +Source1: log4j.catalog + +Patch0: 0001-logfactor5-changed-userdir.patch +Patch1: 0009-Fix-tests.patch +Patch2: 0010-Fix-javadoc-link.patch +Patch3: 0001-Backport-fix-for-CVE-2017-5645.patch + +BuildRequires: maven-local +BuildRequires: mvn(ant-contrib:ant-contrib) +BuildRequires: mvn(javax.mail:mail) +BuildRequires: mvn(junit:junit) +BuildRequires: mvn(org.apache.ant:ant-junit) +BuildRequires: mvn(org.apache.ant:ant-nodeps) +BuildRequires: mvn(org.apache.felix:maven-bundle-plugin) +BuildRequires: mvn(org.apache.geronimo.specs:geronimo-jms_1.1_spec) +BuildRequires: mvn(org.apache.maven.plugins:maven-antrun-plugin) +BuildRequires: mvn(org.apache.maven.plugins:maven-assembly-plugin) +BuildRequires: mvn(oro:oro) + +Obsoletes: log4j <= 0:1.2.17-14 + +%description +Log4j is a tool to help the programmer output log statements to a +variety of output targets. + +%package javadoc +Summary: Javadoc for %{name} + +%description javadoc +This package contains javadoc for %{name}. + +%prep +%setup -q -n log4j-%{archiversion} +# Cleanup +find . -name "*.jar" -print -delete +find . -name "*.class" -print -delete +find . 
-name "*.dll" -print -delete +rm -rf docs/api + +%patch0 -p1 -b .logfactor-home +%patch1 -p1 -b .fix-tests +%patch2 -p1 -b .xlink-javadoc +%patch3 -p1 + +# Remove unavailable plugin +%pom_remove_plugin :clirr-maven-plugin +# Remove unwanted plugin +%pom_remove_plugin :maven-site-plugin +%pom_remove_plugin :maven-source-plugin +%pom_remove_plugin :rat-maven-plugin +# Disable javadoc jar +%pom_xpath_remove "pom:build/pom:plugins/pom:plugin[pom:artifactId = 'maven-javadoc-plugin']/pom:executions" + +# Remove openejb from dependencies +%pom_remove_dep org.apache.openejb:javaee-api + +# Fix ant gId +sed -i.ant "s|groupId>ant<|groupId>org.apache.ant<|g" pom.xml + +sed -i.javac "s|1.4|1.6|g" pom.xml build.xml +sed -i.javac "s|1.4|1.6|g" pom.xml build.xml +sed -i.javac "s|1.1|1.6|g" tests/build.xml +sed -i.javac "s|1.1|1.6|g" tests/build.xml + +# Fix OSGi manifest +sed -i.javax.jmdns "s|javax.jmdns.*;resolution:=optional,|!javax.jmdns.*,|g" pom.xml +# Add proper bundle symbolicname +%pom_xpath_inject "pom:build/pom:plugins/pom:plugin[pom:artifactId = 'maven-bundle-plugin']/pom:configuration/pom:instructions" " + org.apache.log4j + <_nouses>true" + +# Disable build unwanted dll library +%pom_xpath_remove "pom:build/pom:plugins/pom:plugin[pom:artifactId = 'maven-antrun-plugin']/pom:executions/pom:execution[pom:phase = 'process-classes' ]" + +# Don't use deprecated "assembly" goal of Maven Assembly Plugin, which +# was removed in version 3.0.0. 
+%pom_xpath_set "pom:plugin[pom:artifactId='maven-assembly-plugin']/pom:executions/pom:execution/pom:goals/pom:goal[text()='assembly']" single + +sed -i 's/\r//g' LICENSE NOTICE src/site/resources/css/*.css + +# fix encoding of mailbox files +for i in contribs/JimMoore/mail*;do + iconv --from=ISO-8859-1 --to=UTF-8 "$i" > new + mv new "$i" +done + +# Needed by tests +mkdir -p tests/lib/ +(cd tests/lib/ + ln -s `build-classpath jakarta-oro` + ln -s `build-classpath javamail/mail` + ln -s `build-classpath junit` +) + +%mvn_compat_version log4j:log4j 1.2.17 1.2.16 1.2.15 1.2.14 1.2.13 1.2.12 12 +# Remove Microsoft Windows platform specific files +rm -r src/main/java/org/apache/log4j/nt/NTEventLogAppender.java \ + tests/src/java/org/apache/log4j/nt/NTEventLogAppenderTest.java + +# AssertionFailedError +rm tests/src/java/org/apache/log4j/net/TelnetAppenderTest.java +sed -i '/TelnetAppenderTest/d' tests/src/java/org/apache/log4j/CoreTestSuite.java + +%mvn_file log4j:log4j log4j %{name} + +%build + +%mvn_build + +%install +%mvn_install -X + +# log4j-1 symlink for use with build-classpath et al. +ln -s log4j-%{version}.jar %{buildroot}%{_javadir}/log4j-1.jar + +%if %{with dtd} +# DTD and the SGML catalog (XML catalog handled in scriptlets) +install -pD -T -m 644 src/main/javadoc/org/apache/log4j/xml/doc-files/log4j.dtd \ + %{buildroot}%{_datadir}/sgml/log4j/log4j.dtd +install -pD -T -m 644 %{SOURCE1} \ + %{buildroot}%{_datadir}/sgml/log4j/catalog + +%post +# Note that we're using versioned catalog, so this is always ok. 
+if [ -x %{_bindir}/install-catalog -a -d %{_sysconfdir}/sgml ]; then + %{_bindir}/install-catalog --add \ + %{_sysconfdir}/sgml/log4j-%{version}-%{release}.cat \ + %{_datadir}/sgml/log4j/catalog > /dev/null || : +fi +if [ -x %{_bindir}/xmlcatalog -a -w %{_sysconfdir}/xml/catalog ]; then + %{_bindir}/xmlcatalog --noout --add public "-//APACHE//DTD LOG4J 1.2//EN" \ + file://%{_datadir}/sgml/log4j/log4j.dtd %{_sysconfdir}/xml/catalog \ + > /dev/null + %{_bindir}/xmlcatalog --noout --add system log4j.dtd \ + file://%{_datadir}/sgml/log4j/log4j.dtd %{_sysconfdir}/xml/catalog \ + > /dev/null || : +fi + +%preun +if [ $1 -eq 0 ]; then + if [ -x %{_bindir}/xmlcatalog -a -w %{_sysconfdir}/xml/catalog ]; then + %{_bindir}/xmlcatalog --noout --del \ + file://%{_datadir}/sgml/log4j/log4j.dtd \ + %{_sysconfdir}/xml/catalog > /dev/null || : + fi +fi + +%postun +# Note that we're using versioned catalog, so this is always ok. +if [ -x %{_bindir}/install-catalog -a -d %{_sysconfdir}/sgml ]; then + %{_bindir}/install-catalog --remove \ + %{_sysconfdir}/sgml/log4j-%{version}-%{release}.cat \ + %{_datadir}/sgml/log4j/catalog > /dev/null || : +fi + +%endif # with dtd + +%files -f .mfiles +%{_javadir}/log4j-1.jar +%if %{with dtd} +%{_datadir}/sgml/log4j +%endif +%license LICENSE NOTICE + +%files javadoc -f .mfiles-javadoc +%license LICENSE NOTICE + +%changelog +* Thu Feb 08 2018 Fedora Release Engineering - 1.2.17-22 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Tue Jan 9 2018 Mikolaj Izdebski - 1.2.17-21 +- Remove unneeded BR on xmvn + +* Wed Jul 26 2017 Fedora Release Engineering - 1.2.17-20 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Jun 02 2017 Michael Simacek - 1.2.17-19 +- Backport fix for CVE-2017-5645 + +* Wed Mar 15 2017 Michael Simacek - 1.2.17-18 +- Add dtd conditional + +* Mon Feb 13 2017 Michael Simacek - 1.2.17-17 +- Add more compat versions + +* Fri Feb 10 2017 Fedora Release Engineering - 1.2.17-16 +- Rebuilt 
for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Nov 17 2016 Mikolaj Izdebski - 1.2.17-15 +- Don't use deprecated goal of maven-assembly-plugin + +* Wed Aug 10 2016 gil cattaneo 1.2.17-14 +- add missing build requires: xmvn +- remove test failure +- increase to 1.6 javac source/target + +* Wed Jun 15 2016 Mikolaj Izdebski - 1.2.17-13 +- Add missing build-requires + +* Thu Feb 04 2016 Fedora Release Engineering - 1.2.17-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Sat Jan 30 2016 gil cattaneo 1.2.17-11 +- rebuilt + +* Wed Jun 17 2015 Fedora Release Engineering - 1.2.17-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Tue Feb 10 2015 gil cattaneo 1.2.17-9 +- introduce license macro + +* Fri Jan 23 2015 Mikolaj Izdebski - 1.2.17-8 +- Add symlink log4j-1 + +* Fri Sep 05 2014 gil cattaneo 1.2.17-7 +- fix rhbz#1120854 + +* Fri Jul 18 2014 gil cattaneo 1.2.17-6 +- enabling XMvn debugging output rhbz#1120854 + +* Thu Jul 10 2014 gil cattaneo 1.2.17-5 +- fix conflict rhbz#1114135 + +* Wed Jun 18 2014 Mikolaj Izdebski - 1.2.17-4 +- Add compat version 1.2.12 (used by velocity and xbean) + +* Sat Jun 07 2014 Fedora Release Engineering - 1.2.17-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Thu May 22 2014 gil cattaneo 1.2.17-2 +- fix compat version + +* Thu May 22 2014 gil cattaneo 1.2.17-1 +- initial rpm
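Review bot: In `%post`, the `xmlcatalog --noout --add public` command ends in `> /dev/null` without the `|| :` guard that every other catalog command in `%post`, `%preun` and `%postun` carries; ending it with `> /dev/null || :` keeps the scriptlets consistent, so a failed catalog update is ignored the same way everywhere. `%patch3 -p1` applies the CVE-2017-5645 backport but, unlike `%patch0` to `%patch2`, passes no `-b` suffix. `%prep` also deletes `TelnetAppenderTest.java` with only the comment `# AssertionFailedError`; a line recording why the test fails would help whoever next rebases the package decide whether it can be restored.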