From cb596425ed6e4d966a54e4840faa62c32f8061f3 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jun 08 2017 07:24:36 +0000 Subject: import rh-java-common-log4j-1.2.17-15.15.el7 --- diff --git a/SOURCES/0001-Backport-fix-for-CVE-2017-5645.patch b/SOURCES/0001-Backport-fix-for-CVE-2017-5645.patch new file mode 100644 index 0000000..704ecfc --- /dev/null +++ b/SOURCES/0001-Backport-fix-for-CVE-2017-5645.patch @@ -0,0 +1,127 @@ +From ea4609eca531916ac347686c048bebdb7b4b6e0d Mon Sep 17 00:00:00 2001 +From: Michael Simacek +Date: Fri, 2 Jun 2017 14:37:35 +0200 +Subject: [PATCH] Backport fix for CVE-2017-5645 + +--- + .../apache/log4j/FilteredObjectInputStream.java | 65 ++++++++++++++++++++++ + src/main/java/org/apache/log4j/net/SocketNode.java | 17 +++++- + 2 files changed, 80 insertions(+), 2 deletions(-) + create mode 100644 src/main/java/org/apache/log4j/FilteredObjectInputStream.java + +diff --git a/src/main/java/org/apache/log4j/FilteredObjectInputStream.java b/src/main/java/org/apache/log4j/FilteredObjectInputStream.java +new file mode 100644 +index 0000000..b9ef20c +--- /dev/null ++++ b/src/main/java/org/apache/log4j/FilteredObjectInputStream.java +@@ -0,0 +1,65 @@ ++/* ++ * Licensed to the Apache Software Foundation (ASF) under one or more ++ * contributor license agreements. See the NOTICE file distributed with ++ * this work for additional information regarding copyright ownership. ++ * The ASF licenses this file to You under the Apache license, Version 2.0 ++ * (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the license for the specific language governing permissions and ++ * limitations under the license. ++ */ ++package org.apache.log4j; ++ ++import java.io.FileOutputStream; ++import java.io.IOException; ++import java.io.InputStream; ++import java.io.InvalidObjectException; ++import java.io.ObjectInputStream; ++import java.io.ObjectStreamClass; ++import java.util.Arrays; ++import java.util.Collection; ++import java.util.List; ++ ++/** ++ * Extended ObjectInputStream that only allows certain classes to be deserialized. ++ * ++ * Backported from 2.8.2 ++ */ ++public class FilteredObjectInputStream extends ObjectInputStream { ++ ++ private static final List REQUIRED_JAVA_CLASSES = Arrays.asList(new String[] { ++ // Types of non-trainsient fields of LoggingEvent ++ "java.lang.String", ++ "java.util.Hashtable", ++ // ThrowableInformation ++ "[Ljava.lang.String;" ++ }); ++ ++ private final Collection allowedClasses; ++ ++ public FilteredObjectInputStream(final InputStream in, final Collection allowedClasses) throws IOException { ++ super(in); ++ this.allowedClasses = allowedClasses; ++ } ++ ++ protected Class resolveClass(final ObjectStreamClass desc) throws IOException, ClassNotFoundException { ++ String name = desc.getName(); ++ if (!(isAllowedByDefault(name) || allowedClasses.contains(name))) { ++ throw new InvalidObjectException("Class is not allowed for deserialization: " + name); ++ } ++ return super.resolveClass(desc); ++ } ++ ++ private static boolean isAllowedByDefault(final String name) { ++ return name.startsWith("org.apache.log4j.") || ++ name.startsWith("[Lorg.apache.log4j.") || ++ REQUIRED_JAVA_CLASSES.contains(name); ++ } ++ ++} +diff --git a/src/main/java/org/apache/log4j/net/SocketNode.java b/src/main/java/org/apache/log4j/net/SocketNode.java +index e977f13..f95bb10 100644 +--- a/src/main/java/org/apache/log4j/net/SocketNode.java ++++ b/src/main/java/org/apache/log4j/net/SocketNode.java +@@ -22,6 +22,10 @@ import java.io.IOException; + import java.io.InterruptedIOException; + import java.io.ObjectInputStream; + import java.net.Socket; ++import java.util.ArrayList; ++import java.util.Arrays; ++import java.util.Collection; ++import org.apache.log4j.FilteredObjectInputStream; + + import org.apache.log4j.Logger; + import org.apache.log4j.spi.LoggerRepository; +@@ -53,8 +57,9 @@ public class SocketNode implements Runnable { + this.socket = socket; + this.hierarchy = hierarchy; + try { +- ois = new ObjectInputStream( +- new BufferedInputStream(socket.getInputStream())); ++ ois = new FilteredObjectInputStream( ++ new BufferedInputStream(socket.getInputStream()), ++ getAllowedClasses()); + } catch(InterruptedIOException e) { + Thread.currentThread().interrupt(); + logger.error("Could not open ObjectInputStream to "+socket, e); +@@ -65,6 +70,14 @@ public class SocketNode implements Runnable { + } + } + ++ private Collection getAllowedClasses() { ++ Collection allowedClasses = new ArrayList(); ++ String property = System.getProperty("org.apache.log4j.net.allowedClasses"); ++ if (property != null) ++ allowedClasses.addAll(Arrays.asList(property.split(","))); ++ return allowedClasses; ++ } ++ + //public + //void finalize() { + //System.err.println("-------------------------Finalize called"); +-- +2.9.4 + diff --git a/SPECS/log4j.spec b/SPECS/log4j.spec index 2cd8092..f9485a4 100644 --- a/SPECS/log4j.spec +++ b/SPECS/log4j.spec @@ -7,7 +7,7 @@ Name: %{?scl_prefix}%{pkg_name} Version: 1.2.17 -Release: 15.14%{?dist} +Release: 15.15%{?dist} Epoch: 0 Summary: Java logging package BuildArch: noarch @@ -27,6 +27,7 @@ Patch2: 0009-Fix-tests.patch Patch3: 0010-Fix-javadoc-link.patch Patch4: 0011-Remove-openejb.patch Patch5: 0012-Add-proper-bundle-symbolicname.patch +Patch6: 0001-Backport-fix-for-CVE-2017-5645.patch BuildRequires: perl BuildRequires: %{?scl_prefix}maven-local @@ -65,6 +66,7 @@ set -e -x %patch3 -p1 -b .xlink-javadoc %patch4 -p1 -b .openejb %patch5 -p1 -b .bundlename +%patch6 -p1 -b .cve %pom_remove_plugin :maven-site-plugin sed -i "s|groupId>ant<|groupId>org.apache.ant<|g" pom.xml @@ -142,6 +144,9 @@ contribs/KitchingSimon/udpserver.pl %changelog +* Fri Jun 02 2017 Michael Simacek - 0:1.2.17-15.15 +- Backport fix for CVE-2017-5645 + * Tue Jan 13 2015 Michael Simacek - 0:1.2.17-15.14 - Mass rebuild 2015-01-13