diff --git a/SOURCES/0001-Disallow-EventData-deserialization-by-default.patch b/SOURCES/0001-Disallow-EventData-deserialization-by-default.patch new file mode 100644 index 0000000..f77a14e --- /dev/null +++ b/SOURCES/0001-Disallow-EventData-deserialization-by-default.patch @@ -0,0 +1,44 @@ +From b1c0ca75ca38a7a8b50bfdfdf2c324169a6ddf02 Mon Sep 17 00:00:00 2001 +From: Michael Simacek +Date: Mon, 19 Mar 2018 16:01:57 +0100 +Subject: [PATCH] Disallow EventData deserialization by default + +--- + .../src/main/java/org/slf4j/ext/EventData.java | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +diff --git a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java +index dc5b502..fa5c125 100644 +--- a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java ++++ b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java +@@ -76,12 +76,21 @@ public class EventData implements Serializable { + */ + @SuppressWarnings("unchecked") + public EventData(String xml) { +- ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes()); +- try { +- XMLDecoder decoder = new XMLDecoder(bais); +- this.eventData = (Map) decoder.readObject(); +- } catch (Exception e) { +- throw new EventException("Error decoding " + xml, e); ++ if ("1".equals(System.getProperty("org.slf4j.ext.allowInsecureDeserialization"))) { ++ ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes()); ++ try { ++ XMLDecoder decoder = new XMLDecoder(bais); ++ this.eventData = (Map) decoder.readObject(); ++ } catch (Exception e) { ++ throw new EventException("Error decoding " + xml, e); ++ } ++ } else { ++ throw new UnsupportedOperationException( ++ "Constructing EventData from XML is vulnerable to remote " + ++ "excution and is not allowed by default. If you're " + ++ "completely sure the source data is trusted, you can enable " + ++ "it by setting org.slf4j.ext.allowInsecureDeserialization " + ++ "JVM property to 1"); + } + } + +-- +2.14.3 + diff --git a/SPECS/slf4j.spec b/SPECS/slf4j.spec index afb9957..86eaf7d 100644 --- a/SPECS/slf4j.spec +++ b/SPECS/slf4j.spec @@ -33,7 +33,7 @@ Name: %{?scl_prefix}slf4j Version: 1.7.25 -Release: 1.2%{?dist} +Release: 1.3%{?dist} Epoch: 0 Summary: Simple Logging Facade for Java # the log4j-over-slf4j and jcl-over-slf4j submodules are ASL 2.0, rest is MIT @@ -41,6 +41,7 @@ License: MIT and ASL 2.0 URL: http://www.slf4j.org/ Source0: http://www.slf4j.org/dist/%{pkg_name}-%{version}.tar.gz Source1: http://www.apache.org/licenses/LICENSE-2.0.txt +Patch0: 0001-Disallow-EventData-deserialization-by-default.patch BuildArch: noarch BuildRequires: %{?scl_prefix}maven-local @@ -127,6 +128,7 @@ SLF4J Source JARs. %prep %setup -n %{pkg_name}-%{version} -q +%patch0 -p1 find . -name "*.jar" | xargs rm cp -p %{SOURCE1} APACHE-LICENSE @@ -221,6 +223,9 @@ cp -pr target/site/* $RPM_BUILD_ROOT%{_defaultdocdir}/%{pkg_name}-manual %{_defaultdocdir}/%{pkg_name}-manual %changelog +* Tue Mar 20 2018 Michael Simacek - 0:1.7.25-1.3 +- Disallow EventData deserialization by default (CVE-2018-8088) + * Thu Jun 22 2017 Michael Simacek - 0:1.7.25-1.2 - Mass rebuild 2017-06-22