diff --git a/SOURCES/CVE-2015-7501.patch b/SOURCES/CVE-2015-7501.patch new file mode 100644 index 0000000..79b3153 --- /dev/null +++ b/SOURCES/CVE-2015-7501.patch @@ -0,0 +1,513 @@ +diff --git a/src/java/org/apache/commons/collections/functors/CloneTransformer.java b/src/java/org/apache/commons/collections/functors/CloneTransformer.java +index 7200402..3df18ff 100644 +--- a/src/java/org/apache/commons/collections/functors/CloneTransformer.java ++++ b/src/java/org/apache/commons/collections/functors/CloneTransformer.java +@@ -16,6 +16,9 @@ + */ + package org.apache.commons.collections.functors; + ++import java.io.IOException; ++import java.io.ObjectInputStream; ++import java.io.ObjectOutputStream; + import java.io.Serializable; + + import org.apache.commons.collections.Transformer; +@@ -24,6 +27,16 @@ import org.apache.commons.collections.Transformer; + * Transformer implementation that returns a clone of the input object. + *
+ * Clone is performed using PrototypeFactory.getInstance(input).create()
.
++ *
++ * WARNING: This class will throw an ++ * {@link UnsupportedOperationException} when trying to serialize or ++ * de-serialize an instance to prevent potential remote code execution exploits. ++ *
++ * In order to re-enable serialization support for {@code CloneTransformer} ++ * the following system property can be used (via -Dproperty=true): ++ *
++ * org.apache.commons.collections.enableUnsafeSerialization ++ *+ * + * @since Commons Collections 3.0 + * @version $Revision: 646777 $ $Date: 2008-04-10 13:33:15 +0100 (Thu, 10 Apr 2008) $ +@@ -68,4 +81,21 @@ public class CloneTransformer implements Transformer, Serializable { + return PrototypeFactory.getInstance(input).create(); + } + ++ /** ++ * Overrides the default writeObject implementation to prevent ++ * serialization (see COLLECTIONS-580). ++ */ ++ private void writeObject(ObjectOutputStream os) throws IOException { ++ FunctorUtils.checkUnsafeSerialization(CloneTransformer.class); ++ os.defaultWriteObject(); ++ } ++ ++ /** ++ * Overrides the default readObject implementation to prevent ++ * de-serialization (see COLLECTIONS-580). ++ */ ++ private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException { ++ FunctorUtils.checkUnsafeSerialization(CloneTransformer.class); ++ is.defaultReadObject(); ++ } + } +diff --git a/src/java/org/apache/commons/collections/functors/ForClosure.java b/src/java/org/apache/commons/collections/functors/ForClosure.java +index f0355c4..e15475c 100644 +--- a/src/java/org/apache/commons/collections/functors/ForClosure.java ++++ b/src/java/org/apache/commons/collections/functors/ForClosure.java +@@ -16,12 +16,25 @@ + */ + package org.apache.commons.collections.functors; + ++import java.io.IOException; ++import java.io.ObjectInputStream; ++import java.io.ObjectOutputStream; + import java.io.Serializable; + + import org.apache.commons.collections.Closure; + + /** + * Closure implementation that calls another closure n times, like a for loop. ++ *
++ * WARNING: This class will throw an ++ * {@link UnsupportedOperationException} when trying to serialize or ++ * de-serialize an instance to prevent potential remote code execution exploits. ++ *
++ * In order to re-enable serialization support for {@code ForClosure} ++ * the following system property can be used (via -Dproperty=true): ++ *
++ * org.apache.commons.collections.enableUnsafeSerialization ++ *+ * + * @since Commons Collections 3.0 + * @version $Revision: 646777 $ $Date: 2008-04-10 13:33:15 +0100 (Thu, 10 Apr 2008) $ +@@ -102,4 +115,22 @@ public class ForClosure implements Closure, Serializable { + return iCount; + } + ++ /** ++ * Overrides the default writeObject implementation to prevent ++ * serialization (see COLLECTIONS-580). ++ */ ++ private void writeObject(ObjectOutputStream os) throws IOException { ++ FunctorUtils.checkUnsafeSerialization(ForClosure.class); ++ os.defaultWriteObject(); ++ } ++ ++ /** ++ * Overrides the default readObject implementation to prevent ++ * de-serialization (see COLLECTIONS-580). ++ */ ++ private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException { ++ FunctorUtils.checkUnsafeSerialization(ForClosure.class); ++ is.defaultReadObject(); ++ } ++ + } +diff --git a/src/java/org/apache/commons/collections/functors/FunctorUtils.java b/src/java/org/apache/commons/collections/functors/FunctorUtils.java +index 75f8d9b..aa7bec3 100644 +--- a/src/java/org/apache/commons/collections/functors/FunctorUtils.java ++++ b/src/java/org/apache/commons/collections/functors/FunctorUtils.java +@@ -16,6 +16,8 @@ + */ + package org.apache.commons.collections.functors; + ++import java.security.AccessController; ++import java.security.PrivilegedAction; + import java.util.Collection; + import java.util.Iterator; + +@@ -33,7 +35,11 @@ import org.apache.commons.collections.Transformer; + * @author Matt Benson + */ + class FunctorUtils { +- ++ ++ /** System property key to enable unsafe serialization */ ++ final static String UNSAFE_SERIALIZABLE_PROPERTY ++ = "org.apache.commons.collections.enableUnsafeSerialization"; ++ + /** + * Restricted constructor. + */ +@@ -152,4 +158,33 @@ class FunctorUtils { + } + } + ++ /** ++ * Package-private helper method to check if serialization support is ++ * enabled for unsafe classes. ++ * ++ * @param clazz the clazz to check for serialization support ++ * @throws UnsupportedOperationException if unsafe serialization is disabled ++ */ ++ static void checkUnsafeSerialization(Class clazz) { ++ String unsafeSerializableProperty; ++ ++ try { ++ unsafeSerializableProperty = ++ (String) AccessController.doPrivileged(new PrivilegedAction() { ++ public Object run() { ++ return System.getProperty(UNSAFE_SERIALIZABLE_PROPERTY); ++ } ++ }); ++ } catch (SecurityException ex) { ++ unsafeSerializableProperty = null; ++ } ++ ++ if (!"true".equalsIgnoreCase(unsafeSerializableProperty)) { ++ throw new UnsupportedOperationException( ++ "Serialization support for " + clazz.getName() + " is disabled for security reasons. " + ++ "To enable it set system property '" + UNSAFE_SERIALIZABLE_PROPERTY + "' to 'true', " + ++ "but you must ensure that your application does not de-serialize objects from untrusted sources."); ++ } ++ } ++ + } +diff --git a/src/java/org/apache/commons/collections/functors/InstantiateFactory.java b/src/java/org/apache/commons/collections/functors/InstantiateFactory.java +index 5d375de..938d6dc 100644 +--- a/src/java/org/apache/commons/collections/functors/InstantiateFactory.java ++++ b/src/java/org/apache/commons/collections/functors/InstantiateFactory.java +@@ -16,6 +16,9 @@ + */ + package org.apache.commons.collections.functors; + ++import java.io.IOException; ++import java.io.ObjectInputStream; ++import java.io.ObjectOutputStream; + import java.io.Serializable; + import java.lang.reflect.Constructor; + import java.lang.reflect.InvocationTargetException; +@@ -25,6 +28,16 @@ import org.apache.commons.collections.FunctorException; + + /** + * Factory implementation that creates a new object instance by reflection. ++ *
++ * WARNING: This class will throw an ++ * {@link UnsupportedOperationException} when trying to serialize or ++ * de-serialize an instance to prevent potential remote code execution exploits. ++ *
++ * In order to re-enable serialization support for {@code InstantiateTransformer} ++ * the following system property can be used (via -Dproperty=true): ++ *
++ * org.apache.commons.collections.enableUnsafeSerialization ++ *+ * + * @since Commons Collections 3.0 + * @version $Revision: 646777 $ $Date: 2008-04-10 13:33:15 +0100 (Thu, 10 Apr 2008) $ +@@ -136,5 +149,22 @@ public class InstantiateFactory implements Factory, Serializable { + throw new FunctorException("InstantiateFactory: Constructor threw an exception", ex); + } + } +- ++ ++ /** ++ * Overrides the default writeObject implementation to prevent ++ * serialization (see COLLECTIONS-580). ++ */ ++ private void writeObject(ObjectOutputStream os) throws IOException { ++ FunctorUtils.checkUnsafeSerialization(InstantiateFactory.class); ++ os.defaultWriteObject(); ++ } ++ ++ /** ++ * Overrides the default readObject implementation to prevent ++ * de-serialization (see COLLECTIONS-580). ++ */ ++ private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException { ++ FunctorUtils.checkUnsafeSerialization(InstantiateFactory.class); ++ is.defaultReadObject(); ++ } + } +diff --git a/src/java/org/apache/commons/collections/functors/InstantiateTransformer.java b/src/java/org/apache/commons/collections/functors/InstantiateTransformer.java +index 73d6b2f..4927f05 100644 +--- a/src/java/org/apache/commons/collections/functors/InstantiateTransformer.java ++++ b/src/java/org/apache/commons/collections/functors/InstantiateTransformer.java +@@ -16,6 +16,9 @@ + */ + package org.apache.commons.collections.functors; + ++import java.io.IOException; ++import java.io.ObjectInputStream; ++import java.io.ObjectOutputStream; + import java.io.Serializable; + import java.lang.reflect.Constructor; + import java.lang.reflect.InvocationTargetException; +@@ -25,6 +28,16 @@ import org.apache.commons.collections.Transformer; + + /** + * Transformer implementation that creates a new object instance by reflection. ++ *
++ * WARNING: This class will throw an ++ * {@link UnsupportedOperationException} when trying to serialize or ++ * de-serialize an instance to prevent potential remote code execution exploits. ++ *
++ * In order to re-enable serialization support for {@code InstantiateTransformer} ++ * the following system property can be used (via -Dproperty=true): ++ *
++ * org.apache.commons.collections.enableUnsafeSerialization ++ *+ * + * @since Commons Collections 3.0 + * @version $Revision: 646777 $ $Date: 2008-04-10 13:33:15 +0100 (Thu, 10 Apr 2008) $ +@@ -116,4 +129,22 @@ public class InstantiateTransformer implements Transformer, Serializable { + } + } + ++ /** ++ * Overrides the default writeObject implementation to prevent ++ * serialization (see COLLECTIONS-580). ++ */ ++ private void writeObject(ObjectOutputStream os) throws IOException { ++ FunctorUtils.checkUnsafeSerialization(InstantiateTransformer.class); ++ os.defaultWriteObject(); ++ } ++ ++ /** ++ * Overrides the default readObject implementation to prevent ++ * de-serialization (see COLLECTIONS-580). ++ */ ++ private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException { ++ FunctorUtils.checkUnsafeSerialization(InstantiateTransformer.class); ++ is.defaultReadObject(); ++ } ++ + } +diff --git a/src/java/org/apache/commons/collections/functors/InvokerTransformer.java b/src/java/org/apache/commons/collections/functors/InvokerTransformer.java +index 6f60961..75f48af 100644 +--- a/src/java/org/apache/commons/collections/functors/InvokerTransformer.java ++++ b/src/java/org/apache/commons/collections/functors/InvokerTransformer.java +@@ -16,6 +16,9 @@ + */ + package org.apache.commons.collections.functors; + ++import java.io.IOException; ++import java.io.ObjectInputStream; ++import java.io.ObjectOutputStream; + import java.io.Serializable; + import java.lang.reflect.InvocationTargetException; + import java.lang.reflect.Method; +@@ -25,6 +28,16 @@ import org.apache.commons.collections.Transformer; + + /** + * Transformer implementation that creates a new object instance by reflection. ++ *
++ * WARNING: This class will throw an ++ * {@link UnsupportedOperationException} when trying to serialize or ++ * de-serialize an instance to prevent potential remote code execution exploits. ++ *
++ * In order to re-enable serialization support for {@code InvokerTransformer} ++ * the following system property can be used (via -Dproperty=true): ++ *
++ * org.apache.commons.collections.enableUnsafeSerialization ++ *+ * + * @since Commons Collections 3.0 + * @version $Revision: 646777 $ $Date: 2008-04-10 13:33:15 +0100 (Thu, 10 Apr 2008) $ +@@ -134,4 +147,21 @@ public class InvokerTransformer implements Transformer, Serializable { + } + } + ++ /** ++ * Overrides the default writeObject implementation to prevent ++ * serialization (see COLLECTIONS-580). ++ */ ++ private void writeObject(ObjectOutputStream os) throws IOException { ++ FunctorUtils.checkUnsafeSerialization(InvokerTransformer.class); ++ os.defaultWriteObject(); ++ } ++ ++ /** ++ * Overrides the default readObject implementation to prevent ++ * de-serialization (see COLLECTIONS-580). ++ */ ++ private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException { ++ FunctorUtils.checkUnsafeSerialization(InvokerTransformer.class); ++ is.defaultReadObject(); ++ } + } +diff --git a/src/java/org/apache/commons/collections/functors/PrototypeFactory.java b/src/java/org/apache/commons/collections/functors/PrototypeFactory.java +index 4fa4150..d9908fa 100644 +--- a/src/java/org/apache/commons/collections/functors/PrototypeFactory.java ++++ b/src/java/org/apache/commons/collections/functors/PrototypeFactory.java +@@ -49,6 +49,16 @@ public class PrototypeFactory { + *
++ * WARNING: This method will return a {@code Factory} ++ * that will throw an {@link UnsupportedOperationException} when trying to serialize ++ * or de-serialize it to prevent potential remote code execution exploits. ++ *
++ * In order to re-enable serialization support the following system property ++ * can be used (via -Dproperty=true): ++ *
++ * org.apache.commons.collections.enableUnsafeSerialization ++ *+ * + * @param prototype the object to clone each time in the factory + * @return the
prototype
factory
+@@ -144,6 +154,24 @@ public class PrototypeFactory {
+ throw new FunctorException("PrototypeCloneFactory: Clone method threw an exception", ex);
+ }
+ }
++
++ /**
++ * Overrides the default writeObject implementation to prevent
++ * serialization (see COLLECTIONS-580).
++ */
++ private void writeObject(ObjectOutputStream os) throws IOException {
++ FunctorUtils.checkUnsafeSerialization(PrototypeCloneFactory.class);
++ os.defaultWriteObject();
++ }
++
++ /**
++ * Overrides the default readObject implementation to prevent
++ * de-serialization (see COLLECTIONS-580).
++ */
++ private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
++ FunctorUtils.checkUnsafeSerialization(PrototypeCloneFactory.class);
++ is.defaultReadObject();
++ }
+ }
+
+ // PrototypeSerializationFactory
+@@ -204,6 +232,24 @@ public class PrototypeFactory {
+ }
+ }
+ }
++
++ /**
++ * Overrides the default writeObject implementation to prevent
++ * serialization (see COLLECTIONS-580).
++ */
++ private void writeObject(ObjectOutputStream os) throws IOException {
++ FunctorUtils.checkUnsafeSerialization(PrototypeSerializationFactory.class);
++ os.defaultWriteObject();
++ }
++
++ /**
++ * Overrides the default readObject implementation to prevent
++ * de-serialization (see COLLECTIONS-580).
++ */
++ private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
++ FunctorUtils.checkUnsafeSerialization(PrototypeSerializationFactory.class);
++ is.defaultReadObject();
++ }
+ }
+
+ }
+diff --git a/src/java/org/apache/commons/collections/functors/WhileClosure.java b/src/java/org/apache/commons/collections/functors/WhileClosure.java
+index 853e83a..596afc8 100644
+--- a/src/java/org/apache/commons/collections/functors/WhileClosure.java
++++ b/src/java/org/apache/commons/collections/functors/WhileClosure.java
+@@ -16,6 +16,9 @@
+ */
+ package org.apache.commons.collections.functors;
+
++import java.io.IOException;
++import java.io.ObjectInputStream;
++import java.io.ObjectOutputStream;
+ import java.io.Serializable;
+
+ import org.apache.commons.collections.Closure;
+@@ -24,6 +27,16 @@ import org.apache.commons.collections.Predicate;
+ /**
+ * Closure implementation that executes a closure repeatedly until a condition is met,
+ * like a do-while or while loop.
++ * ++ * WARNING: This class will throw an ++ * {@link UnsupportedOperationException} when trying to serialize or ++ * de-serialize an instance to prevent potential remote code execution exploits. ++ *
++ * In order to re-enable serialization support for {@code WhileClosure} ++ * the following system property can be used (via -Dproperty=true): ++ *
++ * org.apache.commons.collections.enableUnsafeSerialization ++ *+ * + * @since Commons Collections 3.0 + * @version $Revision: 646777 $ $Date: 2008-04-10 13:33:15 +0100 (Thu, 10 Apr 2008) $ +@@ -120,4 +133,22 @@ public class WhileClosure implements Closure, Serializable { + return iDoLoop; + } + ++ /** ++ * Overrides the default writeObject implementation to prevent ++ * serialization (see COLLECTIONS-580). ++ */ ++ private void writeObject(ObjectOutputStream os) throws IOException { ++ FunctorUtils.checkUnsafeSerialization(WhileClosure.class); ++ os.defaultWriteObject(); ++ } ++ ++ /** ++ * Overrides the default readObject implementation to prevent ++ * de-serialization (see COLLECTIONS-580). ++ */ ++ private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException { ++ FunctorUtils.checkUnsafeSerialization(WhileClosure.class); ++ is.defaultReadObject(); ++ } ++ + } +diff --git a/src/test/org/apache/commons/collections/TestFactoryUtils.java b/src/test/org/apache/commons/collections/TestFactoryUtils.java +index 0895903..bc7d729 100644 +--- a/src/test/org/apache/commons/collections/TestFactoryUtils.java ++++ b/src/test/org/apache/commons/collections/TestFactoryUtils.java +@@ -136,15 +136,6 @@ public class TestFactoryUtils extends junit.framework.TestCase { + Object created = factory.create(); + assertTrue(proto != created); + assertEquals(proto, created); +- +- // check serialisation works +- ByteArrayOutputStream buffer = new ByteArrayOutputStream(); +- ObjectOutputStream out = new ObjectOutputStream(buffer); +- out.writeObject(factory); +- out.close(); +- ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buffer.toByteArray())); +- Object dest = in.readObject(); +- in.close(); + } + + public void testPrototypeFactoryPublicCopyConstructor() throws Exception { +@@ -154,23 +145,6 @@ public class TestFactoryUtils extends junit.framework.TestCase { + Object created = factory.create(); + assertTrue(proto != created); + assertEquals(proto, created); +- +- // check serialisation works +- ByteArrayOutputStream buffer = new ByteArrayOutputStream(); +- ObjectOutputStream out = new ObjectOutputStream(buffer); +- try { +- out.writeObject(factory); +- } catch (NotSerializableException ex) { +- out.close(); +- } +- factory = FactoryUtils.prototypeFactory(new Mock2("S")); +- buffer = new ByteArrayOutputStream(); +- out = new ObjectOutputStream(buffer); +- out.writeObject(factory); +- out.close(); +- ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buffer.toByteArray())); +- Object dest = in.readObject(); +- in.close(); + } + + public void testPrototypeFactoryPublicSerialization() throws Exception { +@@ -180,15 +154,6 @@ public class TestFactoryUtils extends junit.framework.TestCase { + Object created = factory.create(); + assertTrue(proto != created); + assertEquals(proto, created); +- +- // check serialisation works +- ByteArrayOutputStream buffer = new ByteArrayOutputStream(); +- ObjectOutputStream out = new ObjectOutputStream(buffer); +- out.writeObject(factory); +- out.close(); +- ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buffer.toByteArray())); +- Object dest = in.readObject(); +- in.close(); + } + + public void testPrototypeFactoryPublicSerializationError() { diff --git a/SPECS/apache-commons-collections.spec b/SPECS/apache-commons-collections.spec index c0f8593..cd658ac 100644 --- a/SPECS/apache-commons-collections.spec +++ b/SPECS/apache-commons-collections.spec @@ -3,7 +3,7 @@ Name: apache-%{short_name} Version: 3.2.1 -Release: 21%{?dist} +Release: 22%{?dist} Summary: Provides new interfaces, implementations and utilities for Java Collections License: ASL 2.0 Group: Development/Libraries @@ -12,6 +12,7 @@ Source0: http://www.apache.org/dist/commons/%{base_name}/source/%{short_n Patch0: jakarta-%{short_name}-javadoc-nonet.patch Patch4: commons-collections-3.2-build_xml.patch +Patch5: CVE-2015-7501.patch BuildArch: noarch @@ -87,6 +88,7 @@ find . -name "*.jar" -exec rm -f {} \; %patch0 -p1 %patch4 -b .sav +%patch5 -p1 # Fix file eof %{__sed} -i 's/\r//' LICENSE.txt @@ -130,6 +132,10 @@ cp -pr build/docs/testframework/* $RPM_BUILD_ROOT%{_javadocdir}/%{name}-testfram %changelog +* Fri Nov 20 2015 Michal Srb