Blame SOURCES/0001-Do-not-use-algorithm-name-as-regular-expression.patch

From 10955c0d72fc11324cebcb2bd8fe4bf56f0f8887 Mon Sep 17 00:00:00 2001
From: Mikolaj Izdebski <mizdebsk@redhat.com>
Date: Fri, 27 Sep 2013 12:49:53 +0200
Subject: [PATCH] Do not use algorithm name as regular expression
In org.codehaus.plexus.digest.DigestUtils.cleanChecksum(String,
String, String), the second parameter is used as part of the regular
expression.  Compiling the resulting regular expression can result in
a VM error with a crafted algorithm name.  The regular expression
should be a constant, with a capture group for the algorithm name, and
the name should be checked after matching.
Originally reported by Florian Weimer in:
https://bugzilla.redhat.com/show_bug.cgi?id=959454
---
 src/main/java/org/codehaus/plexus/digest/DigestUtils.java | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/main/java/org/codehaus/plexus/digest/DigestUtils.java b/src/main/java/org/codehaus/plexus/digest/DigestUtils.java
index a54a8c0..430c3a8 100644
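--- a/src/main/java/org/codehaus/plexus/digest/DigestUtils.java
+++ b/src/main/java/org/codehaus/plexus/digest/DigestUtils.java
@@ -51,16 +51,17 @@ public class DigestUtils
         String trimmedChecksum = checksum.replace( '\n', ' ' ).trim();
 
         // Free-BSD / openssl
-        String regex = algorithm.replaceAll( "-", "" ) + "\\s*\\((.*?)\\)\\s*=\\s*([a-fA-F0-9]+)";
+        algorithm = algorithm.replaceAll( "-", "" );
+        String regex = "(.{" + algorithm.length() + "})\\s*\\((.*?)\\)\\s*=\\s*([a-fA-F0-9]+)";
         Matcher m = Pattern.compile( regex ).matcher( trimmedChecksum );
-        if ( m.matches() )
+        if ( m.matches() && m.group( 1 ).equals( algorithm ) )
         {
-            String filename = m.group( 1 );
+            String filename = m.group( 2 );
             if ( !isValidChecksumPattern( filename, path ) )
             {
                 throw new DigesterException( "Supplied checksum does not match checksum pattern" );
             }
-            trimmedChecksum = m.group( 2 );
+            trimmedChecksum = m.group( 3 );
         }
         else
         {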
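Review bot: The pattern on the new `String regex = "(.{" + algorithm.length() + "})..."` line is still assembled and compiled on every call, although the description says the regular expression should be a constant with a capture group for the name. Only the integer length reaches the pattern now, so the caller-supplied name is no longer interpreted as regex syntax, but a precompiled constant would drop the per-call construction altogether: `private static final Pattern BSD_CHECKSUM = Pattern.compile( "([^\\s(]*)\\s*\\((.*?)\\)\\s*=\\s*([a-fA-F0-9]+)" );` and `Matcher m = BSD_CHECKSUM.matcher( trimmedChecksum );`, keeping the `m.group( 1 ).equals( algorithm )` comparison (this assumes algorithm names never contain whitespace or `(`). The hunk also reassigns the `algorithm` parameter, so any later use in the method, which starts and ends outside the hunk, would see the dash-stripped value; a local such as `String name = algorithm.replace( "-", "" );` avoids that and also skips the regex-based `replaceAll` for a literal.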
-- 
1.8.3.1