[pkg-java] r18203 - in trunk/libstruts1.2-java/debian: . patches
Hideki Yamane
henrich at moszumanska.debian.org
Sat May 31 11:33:09 UTC 2014
Author: henrich
Date: 2014-05-31 11:33:09 +0000 (Sat, 31 May 2014)
New Revision: 18203
Added:
trunk/libstruts1.2-java/debian/patches/struts-1.2.9-CVE-2014-0114.patch
Modified:
trunk/libstruts1.2-java/debian/changelog
trunk/libstruts1.2-java/debian/patches/series
Log:
fix CVE-2014-0114, patch taken from RHEL
Modified: trunk/libstruts1.2-java/debian/changelog
===================================================================
--- trunk/libstruts1.2-java/debian/changelog 2014-05-30 12:01:21 UTC (rev 18202)
+++ trunk/libstruts1.2-java/debian/changelog 2014-05-31 11:33:09 UTC (rev 18203)
@@ -1,3 +1,12 @@
+libstruts1.2-java (1.2.9-9) unstable; urgency=high
+
+ * Team upload.
+ * debian/patches
+ - add struts-1.2.9-CVE-2014-0114.patch from Red Hat to fix CVE-2014-0114
+ (Closes: #745897)
+
+ -- Hideki Yamane <henrich at debian.org> Sat, 31 May 2014 12:28:56 +0900
+
libstruts1.2-java (1.2.9-8) unstable; urgency=medium
* Team upload.
Modified: trunk/libstruts1.2-java/debian/patches/series
===================================================================
--- trunk/libstruts1.2-java/debian/patches/series 2014-05-30 12:01:21 UTC (rev 18202)
+++ trunk/libstruts1.2-java/debian/patches/series 2014-05-31 11:33:09 UTC (rev 18203)
@@ -1,3 +1,4 @@
01_build_javac_target.patch
02_CVE-2008-2025.patch
03_servlet-api-3.0.patch
+struts-1.2.9-CVE-2014-0114.patch
Added: trunk/libstruts1.2-java/debian/patches/struts-1.2.9-CVE-2014-0114.patch
===================================================================
--- trunk/libstruts1.2-java/debian/patches/struts-1.2.9-CVE-2014-0114.patch (rev 0)
+++ trunk/libstruts1.2-java/debian/patches/struts-1.2.9-CVE-2014-0114.patch 2014-05-31 11:33:09 UTC (rev 18203)
@@ -0,0 +1,34 @@
+diff -up ./src/share/org/apache/struts/util/RequestUtils.java.sav ./src/share/org/apache/struts/util/RequestUtils.java
+--- ./src/share/org/apache/struts/util/RequestUtils.java.sav 2014-05-02 15:20:59.022457459 -0400
++++ ./src/share/org/apache/struts/util/RequestUtils.java 2014-05-02 15:22:15.669580263 -0400
+@@ -26,6 +26,7 @@ import java.util.HashMap;
+ import java.util.Hashtable;
+ import java.util.Locale;
+ import java.util.Map;
++import java.util.regex.Pattern;
+
+ import javax.servlet.ServletContext;
+ import javax.servlet.ServletException;
+@@ -72,6 +73,12 @@ public class RequestUtils {
+ */
+ protected static Log log = LogFactory.getLog(RequestUtils.class);
+
++ /**
++ * <p>Pattern matching 'class' access.</p>
++ */
++ protected static final Pattern CLASS_ACCESS_PATTERN = Pattern
++ .compile("(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*",
++ Pattern.CASE_INSENSITIVE);
+
+ // --------------------------------------------------------- Public Methods
+
+@@ -483,7 +490,8 @@ public class RequestUtils {
+
+ // Populate parameters, except "standard" struts attributes
+ // such as 'org.apache.struts.action.CANCEL'
+- if (!(stripped.startsWith("org.apache.struts."))) {
++ if (!(stripped.startsWith("org.apache.struts."))
++ && !CLASS_ACCESS_PATTERN.matcher(stripped).matches()) {
+ properties.put(stripped, parameterValue);
+ }
+ }
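Review bot: A parameter name rejected by the new `CLASS_ACCESS_PATTERN` condition is dropped silently, so a request probing the bean's `class` property leaves no trace for operators; adding an `else if (log.isDebugEnabled())` branch after the `if`, e.g. `log.debug("Ignoring parameter '" + stripped + "' matching CLASS_ACCESS_PATTERN");`, would make such attempts visible without changing the fix itself. The Javadoc on the constant should also state what it guards against and how broad it is: because the check uses `matches()` and the leading group contains a bare `.*` alternative, any name containing `class` followed by `.`, `[`, `']` or `"]` (case-insensitive) is rejected, including legitimate-looking names such as `subclass.name`, and the `.*\\.` and `^` alternatives are subsumed by that `.*`. A one-sentence Javadoc such as "Rejects parameter names that would traverse the bean's `class` property; matches any name containing `class` followed by `.`, `[` or a quoted `]`" would make the intent and the over-matching explicit to maintainers. The method this hunk patches starts and ends outside the hunk, so whether other population paths in this file reach the same bean-property copy without this check cannot be confirmed from here.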