From 496a27950bb3fbf7b92834f84206d44f67e5f0b2 Mon Sep 17 00:00:00 2001
From: wangxiao65 <287608437@qq.com>
Date: Fri, 19 Mar 2021 11:03:35 +0800
Subject: [PATCH] fix CVE-2019-14900

(cherry picked from commit 98d05f8ff1b5395be864100b944d5b85ea1c76a7)
---
 CVE-2019-14900.patch | 58 ++++++++++++++++++++++++++++++++++++++++++++
 hibernate4.spec | 11 ++++++---
 2 files changed, 66 insertions(+), 3 deletions(-)
 create mode 100644 CVE-2019-14900.patch

diff --git a/CVE-2019-14900.patch b/CVE-2019-14900.patch
new file mode 100644
index 0000000..2f63639
--- /dev/null
+++ b/CVE-2019-14900.patch
@@ -0,0 +1,58 @@
+From 646b383f959eff18d58081b1a574f0d777d353da Mon Sep 17 00:00:00 2001
+From: Gail Badner
+Date: Thu, 30 Apr 2020 16:26:56 -0700
+Subject: [PATCH] HHH-14077 : CVE-2019-14900 SQL injection issue in Hibernate ORM
+
+---
+ .../expression/LiteralExpression.java | 30 +++++++++++++++----
+ 1 file changed, 24 insertions(+), 6 deletions(-)
+
+diff --git a/hibernate-entitymanager/src/main/java/org/hibernate/jpa/criteria/expression/LiteralExpression.java b/hibernate-entitymanager/src/main/java/org/hibernate/jpa/criteria/expression/LiteralExpression.java
+index b2451e6..dc7cbc3 100644
+--- a/hibernate-entitymanager/src/main/java/org/hibernate/jpa/criteria/expression/LiteralExpression.java
++++ b/hibernate-entitymanager/src/main/java/org/hibernate/jpa/criteria/expression/LiteralExpression.java
+@@ -72,17 +72,35 @@ public class LiteralExpression extends ExpressionImpl implements Serializa
+ return ':' + parameterName;
+ }
+
++ /**
++ * Inline String literal.
++ *
++ * @return escaped String
++ */
++ private String inlineLiteral(String literal) {
++ return String.format( "\'%s\'", escapeLiteral( literal ) );
++ }
++
++ /**
++ * Escape String literal.
++ *
++ * @return escaped String
++ */
++ private String escapeLiteral(String literal) {
++ return literal.replace("'", "''");
++ }
++
+ @SuppressWarnings({ "unchecked" })
+ public String renderProjection(RenderingContext renderingContext) {
++ if ( ValueHandlerFactory.isCharacter( literal ) ) {
++ // In case literal is a Character, pass literal.toString() as the argument.
++ return inlineLiteral( literal.toString() );
++ }
++
+ // some drivers/servers do not like parameters in the select clause
+ final ValueHandlerFactory.ValueHandler handler =
+ ValueHandlerFactory.determineAppropriateHandler( literal.getClass() );
+- if ( ValueHandlerFactory.isCharacter( literal ) ) {
+- return '\'' + handler.render( literal ) + '\'';
+- }
+- else {
+- return handler.render( literal );
+- }
++ return handler.render( literal );
+ }
+
+ @Override
+--
+2.23.0
+
diff --git a/hibernate4.spec b/hibernate4.spec
index d8edd2c..7bdc964 100644
--- a/hibernate4.spec
+++ b/hibernate4.spec
@@ -3,7 +3,7 @@
 %global pom_url http://repo1.maven.org/maven2/org/hibernate
 Name: hibernate4
 Version: 4.3.11
-Release: 2
+Release: 3
 Summary: Relational persistence and query service
 License: LGPLv2+ and ASL 2.0
 URL: http://www.hibernate.org/
@@ -23,6 +23,7 @@ Source60: http://www.apache.org/licenses/LICENSE-2.0.txt
 Patch0: hibernate-4.3.11.Final-hibernate-commons-annotations5.patch
 Patch1: hibernate-4.3.11.Final-infinispan8.patch
 Patch2: CVE-2020-25638.patch
+Patch3: CVE-2019-14900.patch
 BuildRequires: maven-local mvn(antlr:antlr) mvn(com.experlog:xapool)
 BuildRequires: mvn(com.fasterxml:classmate) mvn(com.mchange:c3p0) mvn(com.zaxxer:HikariCP)
 BuildRequires: mvn(dom4j:dom4j) mvn(java_cup:java_cup) mvn(javax.enterprise:cdi-api)
@@ -128,6 +129,7 @@ rm -r documentation/*
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 cp -p %{SOURCE1} hibernate-c3p0/pom.xml
 cp -p %{SOURCE2} hibernate-core/pom.xml
 cp -p %{SOURCE3} hibernate-ehcache/pom.xml
@@ -374,8 +376,11 @@ sed -i.jandex1.2.2 "s|classDotName, superName, access_flag, interfaces, map|clas
 %license lgpl.txt LICENSE-2.0.txt
 %changelog
-* Wed Oct 28 2020 wangxiao65 - 4.3.11-2
-- fix CVE-2020-25638
+* Thu Mar 18 2021 wangxiao - 4.3.11-3
+- Fix CVE-2019-14900
+
+* Wed Oct 28 2020 wangxiao - 4.3.11-2
+- Fix CVE-2020-25638
 * Wed Oct 28 2020 shaoqiang kang - 4.3.11-1
 - Package init
--
Gitee
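Review bot: escapeLiteral() in the nested LiteralExpression hunk neutralises only the single quote (`literal.replace("'", "''")`), so the literal that renderProjection() now inlines into the select clause is only as safe as the target dialect's string syntax; if a dialect also treats backslash as an escape character, quote doubling alone is not a complete escape, and nothing in the hunk records that assumption. Given the retained comment that "some drivers/servers do not like parameters in the select clause", the more robust mitigation is to keep binding a parameter wherever the driver supports it and inline only for the known-problematic ones; failing that, the assumption should sit next to the helper, e.g. `// Doubles single quotes only; assumes standard SQL quoting rather than backslash escapes`. As a smaller point, both new Javadoc blocks give `@return` but no `@param literal`, and the `"\'%s\'"` format string carries a redundant escape — `return "'" + escapeLiteral( literal ) + "'";` reads cleaner. The enclosing class LiteralExpression continues outside the hunk.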