diff --git a/SOURCES/xmlrpc-honor-enabledForExceptions-in-client.patch b/SOURCES/xmlrpc-honor-enabledForExceptions-in-client.patch
new file mode 100644
index 0000000..e80e040
--- /dev/null
+++ b/SOURCES/xmlrpc-honor-enabledForExceptions-in-client.patch
@@ -0,0 +1,37 @@
+--- apache-xmlrpc-3.1.3-src.orig/common/src/main/java/org/apache/xmlrpc/parser/XmlRpcResponseParser.java 2010-02-06 16:44:49.000000000 +0100
++++ apache-xmlrpc-3.1.3-src/common/src/main/java/org/apache/xmlrpc/parser/XmlRpcResponseParser.java 2019-12-12 23:41:03.935572209 +0100
+@@ -69,19 +69,21 @@ public class XmlRpcResponseParser extend
+ getDocumentLocator());
+ }
+ errorMessage = (String) map.get("faultString");
+- Object exception = map.get("faultCause");
+- if (exception != null) {
+- try {
+- byte[] bytes = (byte[]) exception;
+- ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
+- ObjectInputStream ois = new ObjectInputStream(bais);
+- errorCause = (Throwable) ois.readObject();
+- ois.close();
+- bais.close();
+- } catch (Throwable t) {
+- // Ignore me
+- }
+- }
++ if (((XmlRpcStreamRequestConfig)cfg).isEnabledForExceptions()) {
++ Object exception = map.get("faultCause");
++ if (exception != null) {
++ try {
++ byte[] bytes = (byte[]) exception;
++ ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
++ ObjectInputStream ois = new ObjectInputStream(bais);
++ errorCause = (Throwable) ois.readObject();
++ ois.close();
++ bais.close();
++ } catch (Throwable t) {
++ // Ignore me
++ }
++ }
++ }
+ }
+ }
+
diff --git a/SPECS/xmlrpc.spec b/SPECS/xmlrpc.spec
index 9b85d15..a73e14b 100644
--- a/SPECS/xmlrpc.spec
+++ b/SPECS/xmlrpc.spec
@@ -4,7 +4,7 @@
 Name: %{?scl_prefix}%{pkg_name}
 Version: 3.1.3
-Release: 8.16%{?dist}
+Release: 8.17%{?dist}
 Epoch: 1
 Summary: Java XML-RPC implementation
 License: ASL 2.0
 
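Review bot: Gating on `isEnabledForExceptions()` only decides whether `faultCause` is deserialized at all; when the option is on, the `ObjectInputStream.readObject()` call in the added block still accepts any serializable class on the client's classpath from server-supplied bytes, so the opt-in remains an unrestricted native-deserialization sink rather than a narrowed one. A `resolveClass` override (or an `ObjectInputFilter` on Java 9+) that admits only `Throwable` subtypes plus the JDK types a Throwable's serialized form carries (`String`, `StackTraceElement` arrays, and the list used for suppressed exceptions) and otherwise throws `InvalidClassException` would keep the feature usable while closing that gap. The cast `(XmlRpcStreamRequestConfig)cfg` sits outside the `try`, so if `cfg` can ever be another config type the parser now throws `ClassCastException` where the old code swallowed everything; an `instanceof` guard or a comment stating that `cfg` is always a stream request config would make that explicit. `catch (Throwable t) { // Ignore me }` is kept as-is and would also hide a rejected class, leaving `errorCause` silently null, so the comment should at least say why, e.g. `// Best-effort: any failure leaves errorCause null while errorMessage stays set.` The enclosing method begins before this hunk.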
@@ -16,6 +16,7 @@ Patch1: %{pkg_name}-common-addosgimanifest.patch
 Patch2: %{pkg_name}-javax-methods.patch
 Patch3: %{pkg_name}-server-addosgimanifest.patch
 Patch4: %{pkg_name}-disallow-deserialization-of-ex-serializable-tags.patch
+Patch5: %{pkg_name}-honor-enabledForExceptions-in-client.patch
 
 BuildRequires: %{?scl_prefix}maven-local
 BuildRequires: %{?scl_prefix_maven}maven-resources-plugin
@@ -82,6 +83,7 @@ pushd server
 %patch3 -b .sav
 popd
 %patch4 -p1
+%patch5 -p1
 
 sed -i 's/\r//' LICENSE.txt
 
@@ -124,6 +126,10 @@ set -e -x
 %changelog
+* Fri Jan 24 2020 Marian Koncek - 1:3.1.3-8.17
+- Deserialization vulnerability
+- Resolves: CVE-2019-17570
+
 * Wed May 23 2018 Michael Simacek - 1:3.1.3-8.16
 - Disallow deserialization of tags by default
 - Resolves: CVE-2016-5003