From 09900d67593d95d36e18409d8091c47255a6548f Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 31 Mar 2023 15:57:09 +0800
Subject: [PATCH 1/2] fix CVE-2023-1108

---
 CVE-2023-1108.patch | 31 +++++++++++++++++++++++++++++++
 undertow.spec | 7 ++++++-
 2 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-1108.patch

diff --git a/CVE-2023-1108.patch b/CVE-2023-1108.patch
new file mode 100644
index 0000000..b0ad976
--- /dev/null
+++ b/CVE-2023-1108.patch
@@ -0,0 +1,31 @@
+From cca4003e7329322f02ddcaf2d6a4e2bf1e27ca06 Mon Sep 17 00:00:00 2001
+From: root
+Date: Fri, 31 Mar 2023 15:35:48 +0800
+Subject: [PATCH] Please enter the commit message for your changes. Lines
+ starting with '' will be ignored, and an empty message aborts the commit.
+
+ Committer: root
+
+ On branch master
+ Changes to be committed:
+ modified: core/src/main/java/io/undertow/protocols/ssl/SslConduit.java
+---
+ core/src/main/java/io/undertow/protocols/ssl/SslConduit.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/core/src/main/java/io/undertow/protocols/ssl/SslConduit.java b/core/src/main/java/io/undertow/protocols/ssl/SslConduit.java
+index 3084915..dde0e0c 100644
+--- a/core/src/main/java/io/undertow/protocols/ssl/SslConduit.java
++++ b/core/src/main/java/io/undertow/protocols/ssl/SslConduit.java
+@@ -852,7 +852,7 @@ public class SslConduit implements StreamSourceConduit, StreamSinkConduit {
+ }
+ try {
+ SSLEngineResult result = null;
+- while (result == null || (result.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_WRAP && result.getStatus() != SSLEngineResult.Status.BUFFER_OVERFLOW)) {
++ while (result == null || (result.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_WRAP && result.getStatus() != SSLEngineResult.Status.BUFFER_OVERFLOW && !engine.isInboundDone())) {
+ if (userBuffers == null) {
+ result = engine.wrap(EMPTY_BUFFER, wrappedData.getBuffer());
+ } else {
+-- 
+2.36.1
+
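Review bot: The new CVE-2023-1108.patch carries git's unedited commit-message template as its header (`Subject: [PATCH] Please enter the commit message for your changes. Lines starting with '' will be ignored...`), so nothing in the package records what the one-line change fixes or where it was taken from. Replace the header with a one-line description such as `Subject: [PATCH] Stop the SslConduit wrap loop once the engine's inbound side is closed (CVE-2023-1108)` and cite the upstream Undertow commit it was backported from, so the patch can be audited like the other CVE patches in the spec. The change itself only adds `!engine.isInboundDone()` to the `while` condition; whether the outbound-closed case (`engine.isOutboundDone()`) needs the same guard to keep the loop from spinning is not visible here and should be checked against the upstream fix. The enclosing method in SslConduit starts and ends outside the hunk.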
diff --git a/undertow.spec b/undertow.spec
index e370e2e..d8de932 100644
--- a/undertow.spec
+++ b/undertow.spec
@@ -2,7 +2,7 @@
 %global namedversion %{version}%{?namedreltag}
 Name: undertow
 Version: 1.4.0
-Release: 4
+Release: 5
 Summary: Java web server using non-blocking IO
 License: ASL 2.0
 URL: http://undertow.io/
@@ -12,6 +12,7 @@ Patch0: undertow-1.4.0-jetty-alpn-api-1.1.0.patch
 Patch1: CVE-2020-10705.patch
 Patch2: CVE-2019-3888.patch
 Patch3: CVE-2020-10719.patch
+Patch4: CVE-2023-1108.patch
 BuildArch: noarch
 Epoch: 1
 BuildRequires: maven-local mvn(junit:junit) mvn(org.eclipse.jetty.alpn:alpn-api)
@@ -38,6 +39,7 @@ This package contains the API documentation for %{name}.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 rm -rf mac-jdk-fix
 %pom_disable_module examples
 %pom_remove_plugin -r :maven-checkstyle-plugin
@@ -66,6 +68,9 @@ done
 %license LICENSE.txt
 
 %changelog
+* Fri Mar 31 2023 mayanping - 1.4.0-5
+- Fix CVE-2023-1108
+
 * Wed Oct 29 2021 wangkai - 1.4.0-4
 - Fix CVE-2020-10719
 
-- 
Gitee

From 3a1b007e17721637c132cf514ce7123f7a19963a Mon Sep 17 00:00:00 2001
From: mayp
Date: Mon, 3 Apr 2023 02:05:51 +0000
Subject: [PATCH 2/2] update CVE-2023-1108.patch.

Signed-off-by: mayp
---
 CVE-2023-1108.patch | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/CVE-2023-1108.patch b/CVE-2023-1108.patch
index b0ad976..4aae305 100644
--- a/CVE-2023-1108.patch
+++ b/CVE-2023-1108.patch
@@ -1,10 +1,10 @@
 From cca4003e7329322f02ddcaf2d6a4e2bf1e27ca06 Mon Sep 17 00:00:00 2001
-From: root
+From: mayanping
 Date: Fri, 31 Mar 2023 15:35:48 +0800
 Subject: [PATCH] Please enter the commit message for your changes. Lines
  starting with '' will be ignored, and an empty message aborts the commit.
 
- Committer: root
+ Committer: mayanping
 
  On branch master
  Changes to be committed:
-- 
Gitee