From 807320e33faa0b1c08d01027b18b3a615768516e Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Jan 30 2020 19:05:27 +0000
Subject: import rh-java-common-xmlrpc-3.1.3-8.17.el7


---

diff --git a/SOURCES/xmlrpc-honor-enabledForExceptions-in-client.patch b/SOURCES/xmlrpc-honor-enabledForExceptions-in-client.patch
new file mode 100644
index 0000000..e80e040
--- /dev/null
+++ b/SOURCES/xmlrpc-honor-enabledForExceptions-in-client.patch
@@ -0,0 +1,37 @@
+--- apache-xmlrpc-3.1.3-src.orig/common/src/main/java/org/apache/xmlrpc/parser/XmlRpcResponseParser.java	2010-02-06 16:44:49.000000000 +0100
++++ apache-xmlrpc-3.1.3-src/common/src/main/java/org/apache/xmlrpc/parser/XmlRpcResponseParser.java	2019-12-12 23:41:03.935572209 +0100
+@@ -69,19 +69,21 @@ public class XmlRpcResponseParser extend
+ 											getDocumentLocator());
+ 			}
+ 			errorMessage = (String) map.get("faultString");
+-            Object exception = map.get("faultCause");
+-            if (exception != null) {
+-                try {
+-                    byte[] bytes = (byte[]) exception;
+-                    ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
+-                    ObjectInputStream ois = new ObjectInputStream(bais);
+-                    errorCause = (Throwable) ois.readObject();
+-                    ois.close();
+-                    bais.close();
+-                } catch (Throwable t) {
+-                    // Ignore me
+-                }
+-            }
++			if (((XmlRpcStreamRequestConfig)cfg).isEnabledForExceptions()) {
++				Object exception = map.get("faultCause");
++				if (exception != null) {
++					try {
++						byte[] bytes = (byte[]) exception;
++						ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
++						ObjectInputStream ois = new ObjectInputStream(bais);
++						errorCause = (Throwable) ois.readObject();
++						ois.close();
++						bais.close();
++					} catch (Throwable t) {
++						// Ignore me
++					}
++				}
++			}
+ 		}
+ 	}
+ 
diff --git a/SPECS/xmlrpc.spec b/SPECS/xmlrpc.spec
index 9b85d15..a73e14b 100644
--- a/SPECS/xmlrpc.spec
+++ b/SPECS/xmlrpc.spec
@@ -4,7 +4,7 @@
 
 Name:       %{?scl_prefix}%{pkg_name}
 Version:    3.1.3
-Release:    8.16%{?dist}
+Release:    8.17%{?dist}
 Epoch:      1
 Summary:    Java XML-RPC implementation
 License:    ASL 2.0
@@ -16,6 +16,7 @@ Patch1:     %{pkg_name}-common-addosgimanifest.patch
 Patch2:     %{pkg_name}-javax-methods.patch
 Patch3:     %{pkg_name}-server-addosgimanifest.patch
 Patch4:     %{pkg_name}-disallow-deserialization-of-ex-serializable-tags.patch
+Patch5:     %{pkg_name}-honor-enabledForExceptions-in-client.patch
 
 BuildRequires:  %{?scl_prefix}maven-local
 BuildRequires:  %{?scl_prefix_maven}maven-resources-plugin
@@ -82,6 +83,7 @@ pushd server
 %patch3 -b .sav
 popd
 %patch4 -p1
+%patch5 -p1
 
 sed -i 's/\r//' LICENSE.txt
 
@@ -124,6 +126,10 @@ set -e -x
 
 
 %changelog
+* Fri Jan 24 2020 Marian Koncek <mkoncek@redhat.com> - 1:3.1.3-8.17
+- Deserialization vulnerability
+- Resolves: CVE-2019-17570
+
 * Wed May 23 2018 Michael Simacek <msimacek@redhat.com> - 1:3.1.3-8.16
 - Disallow deserialization of <ex:serializable> tags by default
 - Resolves: CVE-2016-5003