From 7e2bb6bd7f3a34cb15a934afdbdb12d80995e4cb Mon Sep 17 00:00:00 2001 From: zhanghua1831 Date: Tue, 9 Feb 2021 09:47:08 +0800 Subject: [PATCH] fix CVE-2020-27216 --- CVE-2020-27216.patch | 65 ++++++++++++++++++++++++++++++++++++++++++++ jetty.spec | 8 ++++-- 2 files changed, 71 insertions(+), 2 deletions(-) create mode 100644 CVE-2020-27216.patch diff --git a/CVE-2020-27216.patch b/CVE-2020-27216.patch new file mode 100644 index 0000000..d58e913 --- /dev/null +++ b/CVE-2020-27216.patch @@ -0,0 +1,65 @@ +From 53e0e0e9b25a6309bf24ee3b10984f4145701edb Mon Sep 17 00:00:00 2001 +From: Joakim Erdfelt +Date: Thu, 15 Oct 2020 17:39:30 -0500 +Subject: [PATCH] Merge pull request from GHSA-g3wg-6mcf-8jj6 + +* Issue #5451 - Improving temp directory creation. + ++ Using new Files.createTempDirectory() instead + of nonsense around File.createTempFile() + +Signed-off-by: Joakim Erdfelt + +* Fixes #5451 - Restoring File.deleteOnExit +--- + .../jetty/webapp/WebInfConfiguration.java | 20 +++++++------------ + 1 file changed, 7 insertions(+), 13 deletions(-) + +diff --git a/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java +index b94f788..f39432d 100644 +--- a/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java ++++ b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java +@@ -24,6 +24,8 @@ import java.net.URI; + import java.net.URISyntaxException; + import java.net.URL; + import java.net.URLClassLoader; ++import java.nio.file.Files; ++import java.nio.file.Path; + import java.util.ArrayList; + import java.util.Arrays; + import java.util.List; +@@ -384,14 +386,10 @@ public class WebInfConfiguration extends AbstractConfiguration + @Override + public void cloneConfigure(WebAppContext template, WebAppContext context) throws Exception + { +- File tmpDir=File.createTempFile(WebInfConfiguration.getCanonicalNameForWebAppTmpDir(context),"",template.getTempDirectory().getParentFile()); +- if (tmpDir.exists()) +- { +- IO.delete(tmpDir); +- } +- tmpDir.mkdir(); +- tmpDir.deleteOnExit(); +- context.setTempDirectory(tmpDir); ++ Path tmpDir = Files.createTempDirectory(template.getTempDirectory().getParentFile().toPath(), WebInfConfiguration.getCanonicalNameForWebAppTmpDir(context)); ++ File tmpDirAsFile = tmpDir.toFile(); ++ tmpDirAsFile.deleteOnExit(); ++ context.setTempDirectory(tmpDirAsFile); + } + + +@@ -522,11 +520,7 @@ public class WebInfConfiguration extends AbstractConfiguration + else + { + //ensure file will always be unique by appending random digits +- tmpDir = File.createTempFile(temp, ".dir", parent); +- //delete the file that was created +- tmpDir.delete(); +- //and make a directory of the same name +- tmpDir.mkdirs(); ++ tmpDir = Files.createTempDirectory(parent.toPath(), temp).toFile(); + } + configureTempDirectory(tmpDir, context); + +-- +2.23.0 + diff --git a/jetty.spec b/jetty.spec index 6bb83d6..1f2a192 100644 --- a/jetty.spec +++ b/jetty.spec @@ -14,15 +14,16 @@ %bcond_with spring Name: jetty Version: 9.4.15 -Release: 5 +Release: 6 Summary: Java Webserver and Servlet Container -License: ASL 2.0 or EPL-1.0 +License: ASL 2.0 or EPL-1.0 or EPL-2.0 URL: http://www.eclipse.org/jetty/ Source0: https://github.com/eclipse/%{name}.project/archive/%{name}-%{version}%{addver}.tar.gz Source1: jetty.sh Source3: jetty.logrotate Source5: %{name}.service Source6: LICENSE-MIT +Patch0: CVE-2020-27216.patch BuildRequires: maven-local mvn(javax.servlet:javax.servlet-api) BuildRequires: mvn(org.apache.felix:maven-bundle-plugin) BuildRequires: mvn(org.apache.maven.plugins:maven-shade-plugin) @@ -803,6 +804,9 @@ exit 0 %license LICENSE NOTICE.txt LICENSE-MIT %changelog +* Mon Feb 8 2021 zhanghua - 9.4.15-6 +- fix CVE-2020-27216 + * Fri Nov 13 2020 wangyue - 9.4.15-5 - Change dependence: replace jetty-alpn with openjdk-1.8.0 -- Gitee