From ad881b33f580094cc7792cc4902c99b9e6c4a190 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jun 04 2018 10:25:35 +0000
Subject: import rh-java-common-xmlrpc-3.1.3-8.16.el7
---
diff --git a/SOURCES/xmlrpc-disallow-deserialization-of-ex-serializable-tags.patch b/SOURCES/xmlrpc-disallow-deserialization-of-ex-serializable-tags.patch
new file mode 100644
index 0000000..6c76c69
--- /dev/null
+++ b/SOURCES/xmlrpc-disallow-deserialization-of-ex-serializable-tags.patch
@@ -0,0 +1,35 @@
+From 267f84e3c3db8559efc93b349a8462ce110e337b Mon Sep 17 00:00:00 2001
+From: Michael Simacek
+Date: Fri, 18 May 2018 15:22:49 +0200
+Subject: [PATCH] Disallow deserialization of tags
+
+Can be reenabled by setting JVM property
+org.apache.xmlrpc.allowInsecureDeserialization to 1.
+
+- Resolves CVE-2016-5003
+---
+ .../java/org/apache/xmlrpc/parser/SerializableParser.java | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java b/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java
+index 18f25ac..c8bb7ed 100644
+--- a/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java
++++ b/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java
+@@ -29,6 +29,14 @@ import org.apache.xmlrpc.XmlRpcException;
+ */
+ public class SerializableParser extends ByteArrayParser {
+ public Object getResult() throws XmlRpcException {
++ if (!"1".equals(System.getProperty("org.apache.xmlrpc.allowInsecureDeserialization"))) {
++ throw new UnsupportedOperationException(
++ "Deserialization of ex:serializable objects is vulnerable to " +
++ "remote execution attacks and is disabled by default. " +
++ "If you are sure the source data is trusted, you can enable " +
++ "it by setting org.apache.xmlrpc.allowInsecureDeserialization " +
++ "JVM property to 1");
++ }
+ try {
+ byte[] res = (byte[]) super.getResult();
+ ByteArrayInputStream bais = new ByteArrayInputStream(res);
+--
+2.17.0
+
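Review bot: The new guard at the top of getResult() throws UnsupportedOperationException from a method declared `throws XmlRpcException`, so request-handling code that catches XmlRpcException to produce a fault response will not see this rejection, and whether a client gets a clean fault or an unhandled-exception path depends on an outer catch not visible in this hunk. Since XmlRpcException is already imported in this file, `throw new XmlRpcException("Deserialization of ex:serializable objects is disabled by default; set org.apache.xmlrpc.allowInsecureDeserialization=1 only for trusted input");` keeps the refusal inside the method's declared contract. The check also runs only inside getResult(), i.e. presumably after ByteArrayParser has already collected the element's content, so refusing the ex:serializable element at the point where the parser is selected (outside this patch) would avoid buffering untrusted payloads at all. A JVM-wide property cannot be scoped per endpoint or per configuration; a per-config flag would be the more precise follow-up. getResult()'s body continues past the end of the hunk.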
diff --git a/SPECS/xmlrpc.spec b/SPECS/xmlrpc.spec
index e7d5538..9b85d15 100644
--- a/SPECS/xmlrpc.spec
+++ b/SPECS/xmlrpc.spec
@@ -4,7 +4,7 @@ Name: %{?scl_prefix}%{pkg_name}
 Version: 3.1.3
-Release: 8.15%{?dist}
+Release: 8.16%{?dist}
 Epoch: 1
 Summary: Java XML-RPC implementation
 License: ASL 2.0
@@ -15,6 +15,7 @@ Patch0: %{pkg_name}-client-addosgimanifest.patch
 Patch1: %{pkg_name}-common-addosgimanifest.patch
 Patch2: %{pkg_name}-javax-methods.patch
 Patch3: %{pkg_name}-server-addosgimanifest.patch
+Patch4: %{pkg_name}-disallow-deserialization-of-ex-serializable-tags.patch
 BuildRequires: %{?scl_prefix}maven-local
 BuildRequires: %{?scl_prefix_maven}maven-resources-plugin
@@ -80,6 +81,7 @@ popd
 pushd server
 %patch3 -b .sav
 popd
+%patch4 -p1
 sed -i 's/\r//' LICENSE.txt
@@ -122,6 +124,10 @@ set -e -x
 %changelog
+* Wed May 23 2018 Michael Simacek - 1:3.1.3-8.16
+- Disallow deserialization of tags by default
+- Resolves: CVE-2016-5003
+
 * Thu Jul 02 2015 Michael Simacek - 1:3.1.3-8.15
 - Fix OSGi manifest metadata (rhbz#1238335)