From b840a6830bcdbbeccd8a976fc415740b95485ece Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Wed, 13 Dec 2023 15:31:38 +0800
Subject: [PATCH] Fix CVE-2022-41853

(cherry picked from commit 73e3cffbb5dee3118b65822df0190ddf52e4a2ec)
---
 hsqldb-1.8.0-CVE-2022-41853.patch | 59 +++++++++++++++++++++++++++++++
 hsqldb1.spec                      | 12 +++++--
 2 files changed, 69 insertions(+), 2 deletions(-)
 create mode 100644 hsqldb-1.8.0-CVE-2022-41853.patch

diff --git a/hsqldb-1.8.0-CVE-2022-41853.patch b/hsqldb-1.8.0-CVE-2022-41853.patch
new file mode 100644
index 0000000..49d5e74
--- /dev/null
+++ b/hsqldb-1.8.0-CVE-2022-41853.patch
@@ -0,0 +1,59 @@
+From 304f6fcb4e9124b9dbabf3ae28a3a7d21942429f Mon Sep 17 00:00:00 2001
+From: Mikolaj Izdebski
+Date: Mon, 7 Nov 2022 10:06:16 +0100
+Subject: [PATCH] Fix CVE-2022-41853
+
+Backport upstream fix for CVE-2022-41853 from SVN r6614.
+Java methods used in routines must now be in hsqldb.method_class_names
+value string.
+
+Origin: https://git.centos.org/rpms/hsqldb/c/145c0b1fd04d9f3a3867d4ed210a5863fac28f57
+
+https://sourceforge.net/p/hsqldb/svn/6614
+---
+ src/org/hsqldb/persist/HsqlDatabaseProperties.java | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/src/org/hsqldb/persist/HsqlDatabaseProperties.java b/src/org/hsqldb/persist/HsqlDatabaseProperties.java
+index 2033183..b2012c2 100644
+--- a/src/org/hsqldb/persist/HsqlDatabaseProperties.java
++++ b/src/org/hsqldb/persist/HsqlDatabaseProperties.java
+@@ -57,14 +57,13 @@ public class HsqlDatabaseProperties extends HsqlProperties {
+ 
+     private static String hsqldb_method_class_names =
+         "hsqldb.method_class_names";
+-    private static HashSet accessibleJavaMethodNames;
++    private static HashSet accessibleJavaMethodNames = new HashSet();
+ 
+     static {
+         try {
+             String prop = System.getProperty(hsqldb_method_class_names);
+ 
+             if (prop != null) {
+-                accessibleJavaMethodNames = new HashSet();
+ 
+                 String[] names = StringUtil.split(prop, ";");
+ 
+@@ -77,7 +76,7 @@ public class HsqlDatabaseProperties extends HsqlProperties {
+ 
+     /**
+      * If the system property "hsqldb.method_class_names" is not set, then
+-     * static methods of all available Java classes can be accessed as functions
++     * static methods of available Java classes cannot be accessed as functions
+      * in HSQLDB. If the property is set, then only the list of semicolon
+      * seperated method names becomes accessible. An empty property value means
+      * no class is accessible.

+@@ -93,10 +92,6 @@ public class HsqlDatabaseProperties extends HsqlProperties {
+      */
+     public static boolean supportsJavaMethod(String name) {
+ 
+-        if (accessibleJavaMethodNames == null) {
+-            return true;
+-        }
+-
+         if (name.startsWith("org.hsqldb.Library.")) {
+             return true;
+         }
+-- 
+2.37.3
+
diff --git a/hsqldb1.spec b/hsqldb1.spec
index 05c2742..2693333 100644
--- a/hsqldb1.spec
+++ b/hsqldb1.spec
@@ -2,13 +2,14 @@
 %global majorversion 1
 Name: hsqldb1
 Version: 1.8.1.3
-Release: 1
+Release: 3
 Summary: HyperSQL Database Engine
-License: BSD
+License: BSD-3-Clause
 URL: http://hsqldb.sourceforge.net/
 Source0: http://downloads.sourceforge.net/hsqldb/hsqldb_%{cvs_version}.zip
 Source1: https://repo1.maven.org/maven2/org/hsqldb/hsqldb/1.8.0.10/hsqldb-1.8.0.10.pom
 Patch0: hsqldb-jdbc-4.1.patch
+Patch1: hsqldb-1.8.0-CVE-2022-41853.patch
 BuildRequires: ant java-devel javapackages-local junit glassfish-servlet-api
 Requires: glassfish-servlet-api
@@ -45,6 +46,7 @@ find . -name "*.class" -exec rm -f {} \;
 find . -name "*.war" -exec rm -f {} \;
 chmod -R go=u-w *
 %patch0 -p1
+%patch1 -p1
 cp %{SOURCE1} ./pom.xml
 %mvn_file hsqldb:hsqldb %{name}
 %mvn_compat_version : %{majorversion}
@@ -66,5 +68,11 @@ popd
 %license doc/hsqldb_lic.txt
 
 %changelog
+* Wed Dec 13 2023 wangkai <13474090681@163.com> - 1.8.1.3-3
+- Fix CVE-2022-41853
+
+* Mon May 9 2022 caodongxia - 1.8.1.3-2
+- License compliance rectification
+
 * Mon Jul 27 2020 leiju - 1.8.1.3-1
 - Package init
-- 
Gitee
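Review bot: The allowlist that supportsJavaMethod consults is populated exactly once, in the static initializer, from `System.getProperty(hsqldb_method_class_names)`, so after this patch the only way to re-enable a Java static method is to pass `-Dhsqldb.method_class_names=...` to the JVM before `HsqlDatabaseProperties` is loaded; nothing in the hunk says so, and the reworded Javadoc still reads as if the property can simply be "set" at any time. I would add to that Javadoc `* The property is read once when this class is loaded; it must be supplied as a JVM system property before the database is opened, and later changes have no effect.` The change also flips the default from allow-all to deny-all for everything outside `org.hsqldb.Library.`, which is the right fix for CVE-2022-41853 but will presumably break existing databases that call other Java methods from SQL, so the package changelog deserves more than the bare "Fix CVE-2022-41853", for example `- Fix CVE-2022-41853: Java static methods are no longer callable from SQL unless listed in the hsqldb.method_class_names system property`. Minor style point: deleting the assignment leaves the `if (prop != null) {` body opening with a blank line. The body of supportsJavaMethod continues past the end of the hunk, so the membership check against the set itself is not visible here.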