[pkg-java] r17541 - trunk/libcommons-fileupload-java/debian/patches
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Tue Dec 3 07:41:15 UTC 2013
Author: ebourg-guest
Date: 2013-12-03 07:41:15 +0000 (Tue, 03 Dec 2013)
New Revision: 17541
Added:
trunk/libcommons-fileupload-java/debian/patches/002_CVE-2013-2186.patch
Removed:
trunk/libcommons-fileupload-java/debian/patches/CVE-2013-2186.patch
Modified:
trunk/libcommons-fileupload-java/debian/patches/series
Log:
Renamed the CVE patch for consistency
Copied: trunk/libcommons-fileupload-java/debian/patches/002_CVE-2013-2186.patch (from rev 17534, trunk/libcommons-fileupload-java/debian/patches/CVE-2013-2186.patch)
===================================================================
--- trunk/libcommons-fileupload-java/debian/patches/002_CVE-2013-2186.patch (rev 0)
+++ trunk/libcommons-fileupload-java/debian/patches/002_CVE-2013-2186.patch 2013-12-03 07:41:15 UTC (rev 17541)
@@ -0,0 +1,37 @@
+Description: fix arbitrary file overwrite via poison null byte
+Origin: upstream, http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java?r1=1460343&r2=1507048
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726601
+Bug-Novell: https://bugzilla.novell.com/show_bug.cgi?id=846174
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=974814
+
+Index: libcommons-fileupload-java-1.3/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java
+===================================================================
+--- libcommons-fileupload-java-1.3.orig/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java 2013-03-24 08:36:44.000000000 -0400
++++ libcommons-fileupload-java-1.3/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java 2013-11-07 09:32:20.042865874 -0500
+@@ -656,6 +656,26 @@
+ // read values
+ in.defaultReadObject();
+
++ /* One expected use of serialization is to migrate HTTP sessions
++ * containing a DiskFileItem between JVMs. Particularly if the JVMs are
++ * on different machines It is possible that the repository location is
++ * not valid so validate it.
++ */
++ if (repository != null) {
++ if (repository.isDirectory()) {
++ // Check path for nulls
++ if (repository.getPath().contains("\0")) {
++ throw new IOException(format(
++ "The repository [%s] contains a null character",
++ repository.getPath()));
++ }
++ } else {
++ throw new IOException(format(
++ "The repository [%s] is not a directory",
++ repository.getAbsolutePath()));
++ }
++ }
++
+ OutputStream output = getOutputStream();
+ if (cachedContent != null) {
+ output.write(cachedContent);
Deleted: trunk/libcommons-fileupload-java/debian/patches/CVE-2013-2186.patch
===================================================================
--- trunk/libcommons-fileupload-java/debian/patches/CVE-2013-2186.patch 2013-12-03 07:38:04 UTC (rev 17540)
+++ trunk/libcommons-fileupload-java/debian/patches/CVE-2013-2186.patch 2013-12-03 07:41:15 UTC (rev 17541)
@@ -1,37 +0,0 @@
-Description: fix arbitrary file overwrite via poison null byte
-Origin: upstream, http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java?r1=1460343&r2=1507048
-Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726601
-Bug-Novell: https://bugzilla.novell.com/show_bug.cgi?id=846174
-Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=974814
-
-Index: libcommons-fileupload-java-1.3/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java
-===================================================================
---- libcommons-fileupload-java-1.3.orig/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java 2013-03-24 08:36:44.000000000 -0400
-+++ libcommons-fileupload-java-1.3/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java 2013-11-07 09:32:20.042865874 -0500
-@@ -656,6 +656,26 @@
- // read values
- in.defaultReadObject();
-
-+ /* One expected use of serialization is to migrate HTTP sessions
-+ * containing a DiskFileItem between JVMs. Particularly if the JVMs are
-+ * on different machines It is possible that the repository location is
-+ * not valid so validate it.
-+ */
-+ if (repository != null) {
-+ if (repository.isDirectory()) {
-+ // Check path for nulls
-+ if (repository.getPath().contains("\0")) {
-+ throw new IOException(format(
-+ "The repository [%s] contains a null character",
-+ repository.getPath()));
-+ }
-+ } else {
-+ throw new IOException(format(
-+ "The repository [%s] is not a directory",
-+ repository.getAbsolutePath()));
-+ }
-+ }
-+
- OutputStream output = getOutputStream();
- if (cachedContent != null) {
- output.write(cachedContent);
Modified: trunk/libcommons-fileupload-java/debian/patches/series
===================================================================
--- trunk/libcommons-fileupload-java/debian/patches/series 2013-12-03 07:38:04 UTC (rev 17540)
+++ trunk/libcommons-fileupload-java/debian/patches/series 2013-12-03 07:41:15 UTC (rev 17541)
@@ -1,2 +1,2 @@
001_update-tests-for-servlet3-api.patch
-CVE-2013-2186.patch
+002_CVE-2013-2186.patch
More information about the pkg-java-commits
mailing list