From dfe4e4d9f0f5fc54a596ceecc3b1d2f8bb513882 Mon Sep 17 00:00:00 2001
From: liujing
Date: Tue, 26 Dec 2023 11:49:53 +0800
Subject: [PATCH] [Backport]jersey:fix CVE-2021-28168

CVE:CVE-2021-28168
Reference:https://github.com/eclipse-ee4j/jersey/commit/f3cadb38dcc5b20e515706fae68dce533ad6c737
Type:CVE
reason:fix CVE-2021-28168
---
 CVE-2021-28168.patch | 143 +++++++++++++++++++++++++++++++++++++++++++
 jersey.spec | 7 ++-
 2 files changed, 149 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2021-28168.patch

diff --git a/CVE-2021-28168.patch b/CVE-2021-28168.patch
new file mode 100644
index 0000000..576714d
--- /dev/null
+++ b/CVE-2021-28168.patch
@@ -0,0 +1,143 @@
+From f3cadb38dcc5b20e515706fae68dce533ad6c737 Mon Sep 17 00:00:00 2001
+From: Maxim Nesen <24524084+senivam@users.noreply.github.com>
+Date: Thu, 4 Mar 2021 11:36:50 +0100
+Subject: [PATCH] switching to NIO tmp file creation approach (#4712)
+
+Signed-off-by: Maxim Nesen
+---
+ .../jersey/message/internal/Utils.java | 26 +++++++++--
+ .../jersey/message/internal/UtilsTest.java | 45 +++++++++++++++++++
+ .../src/test/resources/surefire.policy | 4 +-
+ 3 files changed, 70 insertions(+), 5 deletions(-)
+ create mode 100644 core-common/src/test/java/org/glassfish/jersey/message/internal/UtilsTest.java
+
+diff --git a/core-common/src/main/java/org/glassfish/jersey/message/internal/Utils.java b/core-common/src/main/java/org/glassfish/jersey/message/internal/Utils.java
+index c4f035ee1..dcae91950 100644
+--- a/core-common/src/main/java/org/glassfish/jersey/message/internal/Utils.java
++++ b/core-common/src/main/java/org/glassfish/jersey/message/internal/Utils.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2012, 2019 Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2012, 2021 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+@@ -18,6 +18,10 @@ package org.glassfish.jersey.message.internal;
+
+ import java.io.File;
+ import java.io.IOException;
++import java.nio.file.Files;
++import java.security.AccessController;
++import java.security.PrivilegedAction;
++import java.util.concurrent.atomic.AtomicReference;
+
+ /**
+ * Utility class.
+@@ -46,9 +50,23 @@ public final class Utils {
+ * @throws IOException if a file could not be created.
+ */
+ public static File createTempFile() throws IOException {
+- final File file = File.createTempFile("rep", "tmp");
+- // Make sure the file is deleted when JVM is shutdown at last.
+- file.deleteOnExit();
++ final AtomicReference exceptionReference = new AtomicReference<>();
++ final File file = AccessController.doPrivileged(new PrivilegedAction() {
++ public File run() {
++ File tempFile = null;
++ try {
++ tempFile = Files.createTempFile("rep", "tmp").toFile();
++ // Make sure the file is deleted when JVM is shutdown at last.
++ tempFile.deleteOnExit();
++ } catch (IOException e) {
++ exceptionReference.set(e);
++ }
++ return tempFile;
++ }
++ });
++ if (exceptionReference.get() != null) {
++ throw exceptionReference.get();
++ }
+ return file;
+ }
+
+diff --git a/core-common/src/test/java/org/glassfish/jersey/message/internal/UtilsTest.java b/core-common/src/test/java/org/glassfish/jersey/message/internal/UtilsTest.java
+new file mode 100644
+index 000000000..e6baf4c40
+--- /dev/null
++++ b/core-common/src/test/java/org/glassfish/jersey/message/internal/UtilsTest.java
+@@ -0,0 +1,45 @@
++/*
++ * Copyright (c) 2021 Oracle and/or its affiliates. All rights reserved.
++ *
++ * This program and the accompanying materials are made available under the
++ * terms of the Eclipse Public License v. 2.0, which is available at
++ * http://www.eclipse.org/legal/epl-2.0.
++ *
++ * This Source Code may also be made available under the following Secondary
++ * Licenses when the conditions for such availability set forth in the
++ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
++ * version 2 with the GNU Classpath Exception, which is available at
++ * https://www.gnu.org/software/classpath/license.html.
++ *
++ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
++ */
++
++package org.glassfish.jersey.message.internal;
++
++import org.junit.Assert;
++import org.junit.Test;
++
++import java.io.BufferedOutputStream;
++import java.io.ByteArrayInputStream;
++import java.io.File;
++import java.io.FileOutputStream;
++import java.io.IOException;
++import java.io.OutputStream;
++
++public class UtilsTest {
++
++ @Test
++ public void createTempFile() throws IOException {
++ final File file = Utils.createTempFile();
++ final OutputStream stream = new BufferedOutputStream(new FileOutputStream(file));
++
++ try {
++ final ByteArrayInputStream entityStream = new ByteArrayInputStream("Test stream byte input".getBytes());
++ ReaderWriter.writeTo(entityStream, stream);
++ } finally {
++ stream.close();
++ }
++ Assert.assertTrue(file.exists());
++ }
++
++}
+diff --git a/core-common/src/test/resources/surefire.policy b/core-common/src/test/resources/surefire.policy
+index 77fa02af3..27602ae4c 100644
+--- a/core-common/src/test/resources/surefire.policy
++++ b/core-common/src/test/resources/surefire.policy
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2014, 2019 Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2014, 2021 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+@@ -30,6 +30,7 @@ grant codebase "file:${project.build.directory}/test-classes/-" {
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+ permission java.lang.RuntimePermission "modifyThread";
+ permission java.util.PropertyPermission "*", "write";
++ permission java.io.FilePermission "${java.io.tmpdir}/-", "read,write,delete";
+ permission java.lang.RuntimePermission "getClassLoader";
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.misc.*";
+@@ -43,6 +44,7 @@ grant codebase "file:${project.build.directory}/classes/-" {
+ permission java.lang.RuntimePermission "modifyThread";
+ permission java.util.PropertyPermission "*", "read";
+ permission java.io.FilePermission "<>", "read";
++ permission java.io.FilePermission "${java.io.tmpdir}/-", "read,write,delete";
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.misc.*";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+--
+2.42.0.windows.2
+
diff --git a/jersey.spec b/jersey.spec
index c303abc..abec6b3 100644
--- a/jersey.spec
+++ b/jersey.spec
@@ -1,7 +1,7 @@
 %bcond_with jp_minimal
 Name: jersey
 Version: 2.29.1
-Release: 1
+Release: 2
 Summary: JAX-RS (JSR 311) production quality Reference Implementation
 License: (EPL-2.0 or GPLv2 with exceptions) and ASL 2.0
 URL: https://github.com/eclipse-ee4j/jersey
@@ -11,6 +11,7 @@ Patch0: jersey-2.17-mvc-jsp-servlet31.patch
 Patch1: 0001-Patch-out-dependency-on-JMockit.patch
 Patch2: 0002-Port-to-glassfish-jsonp-1.0.patch
 Patch3: 0001-Port-to-hibernate-validation-5.x.patch
+Patch4: CVE-2021-28168.patch
 BuildRequires: maven-local mvn(com.fasterxml.jackson.core:jackson-annotations)
 BuildRequires: mvn(com.fasterxml.jackson.core:jackson-databind)
 BuildRequires: mvn(com.fasterxml.jackson.module:jackson-module-jaxb-annotations)
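Review bot: The Java inside the embedded CVE-2021-28168.patch is shown without its type arguments — `final AtomicReference exceptionReference = new AtomicReference<>();`, `new PrivilegedAction() {` and `throw exceptionReference.get();` — and if the file on disk really reads that way, rather than having lost `<IOException>` and `<File>` in rendering, it will not compile: a raw `PrivilegedAction` makes `doPrivileged` return `Object`, and a raw `AtomicReference.get()` is not a `Throwable`. The same concern applies to the surefire.policy context line `permission java.io.FilePermission "<>", "read";`, where a policy file would normally carry the `<<ALL FILES>>` target; a context line that does not match the tree makes `%patch4 -p1` fail to apply. It is worth comparing the .patch byte-for-byte against the referenced upstream commit f3cadb38 before building. The replacement `createTempFile` body also deserves a why-comment the upstream change omits, e.g. `// Files.createTempFile creates the file with owner-only permissions on POSIX, unlike File.createTempFile (CVE-2021-28168)`, so a future maintainer does not revert to the java.io call.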
@@ -74,6 +75,7 @@ This package contains javadoc for %{name}.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 find . -name "*.jar" -print -delete
 find . -name "*.class" -print -delete
 cp -p %{SOURCE1} .
@@ -220,6 +222,9 @@ sed -i -e 's/javax\.activation\.\*;/javax.activation.*;resolution:=optional;/' c
 %license LICENSE.md NOTICE.md LICENSE-2.0.txt
 
 %changelog
+* Tue Dec 26 2023 liujing - 2.29.1-2
+- fix CVE-2021-28168
+
 * Tue May 18 2021 guoxiaoqi2 - 2.29.1-1
 - update to 2.29.1
 
--
Gitee