[pkg-java] r19310 - in trunk/plexus-utils/debian: . patches
Markus Koschany
apo at moszumanska.debian.org
Tue Jan 9 20:42:29 UTC 2018
Author: apo
Date: 2018-01-09 20:42:28 +0000 (Tue, 09 Jan 2018)
New Revision: 19310
Added:
trunk/plexus-utils/debian/orig-tar.sh
trunk/plexus-utils/debian/patches/
trunk/plexus-utils/debian/patches/CVE-2017-1000487.patch
trunk/plexus-utils/debian/patches/series
Modified:
trunk/plexus-utils/debian/changelog
trunk/plexus-utils/debian/compat
trunk/plexus-utils/debian/control
trunk/plexus-utils/debian/copyright
trunk/plexus-utils/debian/rules
trunk/plexus-utils/debian/watch
Log:
Release plexus-utils 1:1.5.15-5
Modified: trunk/plexus-utils/debian/changelog
===================================================================
--- trunk/plexus-utils/debian/changelog 2018-01-04 00:30:56 UTC (rev 19309)
+++ trunk/plexus-utils/debian/changelog 2018-01-09 20:42:28 UTC (rev 19310)
@@ -1,16 +1,18 @@
-plexus-utils (1:1.5.15-5) UNRELEASED; urgency=low
+plexus-utils (1:1.5.15-5) unstable; urgency=high
* Team upload.
- * debian/control:
- - Use canonical URLs for the Vcs-* fields
- - Updated Standards-Version to 3.9.4 (no changes)
- - Removed Michael Koch from the uploaders (Closes: #654127)
- * Build depend on debhelper >= 9
- * debian/rules: Improved the clean target
- * debian/watch: Updated to watch the new release tags on Github
- * Removed debian/orig-tar.sh and use the tarball from Github directly
+ * Switch to compat level 10.
+ * wrap-and-sort -sa.
+ * Declare compliance with Debian Policy 4.1.3.
+ * Remove Michael Koch from Uploaders because he is not active anymore.
+ (Closes: #654127)
+ * Use only Build-Depends field.
+ * Fix CVE-2017-1000487: Shell command injection vulnerability.
+ * Change homepage address to Git repository at github.com.
+ * Update watch file because codehaus.org is obsolete.
+ Use the same one as plexus-utils2.
- -- Emmanuel Bourg <ebourg at apache.org> Wed, 23 Oct 2013 12:25:00 +0200
+ -- Markus Koschany <apo at debian.org> Tue, 09 Jan 2018 20:59:32 +0100
plexus-utils (1:1.5.15-4) unstable; urgency=low
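Review bot: The line `Fix CVE-2017-1000487: Shell command injection vulnerability.` should say where the problem was, e.g. that Commandline.execute() handed the command to `/bin/sh -c` with incomplete quoting, so readers of the changelog can judge their exposure. More importantly, the 2013 lines being dropped recorded `Removed debian/orig-tar.sh and use the tarball from Github directly`, yet this revision adds debian/orig-tar.sh back (see the Added: list at the top) pointing at svn.codehaus.org, which the new entry itself calls obsolete; either drop the script or add a changelog line explaining why it returns. urgency=high is appropriate for a security upload.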
@@ -40,8 +42,8 @@
* Add the Maven POM to the package,
* Add a Build-Depends-Indep dependency on maven-repo-helper
* Use mh_installpom and mh_installjar to install the POM and the jar to the
- Maven repository
- * Remove the dependency on default-java and java2-runtime as this is a
+ Maven repository
+ * Remove the dependency on default-java and java2-runtime as this is a
library
-- Ludovic Claude <ludovic.claude at laposte.net> Thu, 02 Jul 2009 14:41:15 +0000
Modified: trunk/plexus-utils/debian/compat
===================================================================
--- trunk/plexus-utils/debian/compat 2018-01-04 00:30:56 UTC (rev 19309)
+++ trunk/plexus-utils/debian/compat 2018-01-09 20:42:28 UTC (rev 19310)
@@ -1 +1 @@
-9
+10
Modified: trunk/plexus-utils/debian/control
===================================================================
--- trunk/plexus-utils/debian/control 2018-01-04 00:30:56 UTC (rev 19309)
+++ trunk/plexus-utils/debian/control 2018-01-09 20:42:28 UTC (rev 19310)
@@ -2,18 +2,30 @@
Section: java
Priority: optional
Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
-Uploaders: Torsten Werner <twerner at debian.org>, Ludovic Claude <ludovic.claude at laposte.net>
-Build-Depends-Indep: libplexus-interpolation-java, libxalan2-java, maven-repo-helper
-Build-Depends: ant, cdbs (>= 0.4.5.3), debhelper (>= 9), default-jdk
-Standards-Version: 3.9.4
+Uploaders:
+ Torsten Werner <twerner at debian.org>,
+ Ludovic Claude <ludovic.claude at laposte.net>
+Build-Depends:
+ ant,
+ cdbs (>= 0.4.5.3),
+ debhelper (>= 10),
+ default-jdk,
+ libplexus-interpolation-java,
+ libxalan2-java,
+ maven-repo-helper
+Standards-Version: 4.1.3
+Homepage: https://github.com/codehaus-plexus/plexus-utils/
Vcs-Svn: svn://anonscm.debian.org/pkg-java/trunk/plexus-utils
-Vcs-Browser: http://anonscm.debian.org/viewvc/pkg-java/trunk/plexus-utils
-Homepage: http://plexus.codehaus.org
+Vcs-Browser: https://anonscm.debian.org/viewvc/pkg-java/trunk/plexus-utils
Package: libplexus-utils-java
Architecture: all
-Depends: libplexus-interpolation-java, libxalan2-java, ${misc:Depends}
-Suggests: libplexus-utils-java-doc
+Depends:
+ libplexus-interpolation-java,
+ libxalan2-java,
+ ${misc:Depends}
+Suggests:
+ libplexus-utils-java-doc
Description: utilities for the Plexus framework
The Plexus project provides a full software stack for creating and executing
software projects. Based on the Plexus container, the applications can
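Review bot: `Vcs-Browser` moves to https but `Vcs-Svn` stays on the unencrypted `svn://` scheme; if anonscm offers an https checkout URL, switch both for consistency. The rest is fine: `debhelper (>= 10)` matches the new compat level, and folding Build-Depends-Indep into Build-Depends is harmless for an `Architecture: all` package.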
@@ -36,8 +48,11 @@
Package: libplexus-utils-java-doc
Architecture: all
Section: doc
-Depends: default-jdk-doc, ${misc:Depends}
-Suggests: libplexus-utils-java
+Depends:
+ default-jdk-doc,
+ ${misc:Depends}
+Suggests:
+ libplexus-utils-java
Description: API Documentation for plexus-utils
The Plexus project provides a full software stack for creating and executing
software projects. Based on the Plexus container, the applications can
Modified: trunk/plexus-utils/debian/copyright
===================================================================
--- trunk/plexus-utils/debian/copyright 2018-01-04 00:30:56 UTC (rev 19309)
+++ trunk/plexus-utils/debian/copyright 2018-01-09 20:42:28 UTC (rev 19310)
@@ -1,9 +1,9 @@
This package was debianized by Trygve Laugstøl <trygvis at codehaus.org> on
Tue, 19 Aug 2005 00:26:30 +0100.
-libplex-utils was downloaded from http://plexus.codehaus.org/
+The source for plexus-utils can be found at https://github.com/codehaus-plexus/plexus-utils/
-Upstream Authors:
+Upstream Authors:
Javolution
ThoughtWorks, Inc
The Apache Software Foundation
@@ -44,33 +44,33 @@
Copyright (c) 2002 Extreme! Lab, Indiana University. All rights reserved.
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
are met:
- 1. Redistributions of source code must retain the above copyright notice,
+ 1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in
the documentation and/or other materials provided with the distribution.
- 3. The end-user documentation included with the redistribution, if any,
+ 3. The end-user documentation included with the redistribution, if any,
must include the following acknowledgment:
- "This product includes software developed by the Indiana University
+ "This product includes software developed by the Indiana University
Extreme! Lab (http://www.extreme.indiana.edu/)."
- Alternately, this acknowledgment may appear in the software itself,
+ Alternately, this acknowledgment may appear in the software itself,
if and wherever such third-party acknowledgments normally appear.
- 4. The names "Indiana Univeristy" and "Indiana Univeristy Extreme! Lab"
- must not be used to endorse or promote products derived from this
- software without prior written permission. For written permission,
+ 4. The names "Indiana Univeristy" and "Indiana Univeristy Extreme! Lab"
+ must not be used to endorse or promote products derived from this
+ software without prior written permission. For written permission,
please contact http://www.extreme.indiana.edu/.
- 5. Products derived from this software may not use "Indiana Univeristy"
- name nor may "Indiana Univeristy" appear in their name, without prior
+ 5. Products derived from this software may not use "Indiana Univeristy"
+ name nor may "Indiana Univeristy" appear in their name, without prior
written permission of the Indiana University.
THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED
@@ -99,17 +99,17 @@
and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
- ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
- ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
+
/********************************************************************************
* CruiseControl, a Continuous Integration Toolkit
* Copyright (c) 2001-2003, ThoughtWorks, Inc.
Added: trunk/plexus-utils/debian/orig-tar.sh
===================================================================
--- trunk/plexus-utils/debian/orig-tar.sh (rev 0)
+++ trunk/plexus-utils/debian/orig-tar.sh 2018-01-09 20:42:28 UTC (rev 19310)
@@ -0,0 +1,16 @@
+#!/bin/sh -e
+
+TAR=../libplexus-utils_$2.orig.tar.gz
+DIR=plexus-utils-$2
+TAG=plexus-utils-$2
+
+svn export http://svn.codehaus.org/plexus/plexus-utils/tags/$TAG $DIR
+tar -c -z -f $TAR $DIR
+rm -rf $DIR ../$TAG
+
+# move to directory 'tarballs'
+if [ -r .svn/deb-layout ]; then
+ . .svn/deb-layout
+ mv $TAR $origDir
+ echo "moved $TAR to $origDir"
+fi
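Review bot: The tarball name on the `TAR=` line does not match the source package: the source is `plexus-utils` (see the changelog stanza), so dpkg-source expects `../plexus-utils_$2.orig.tar.gz`, not `../libplexus-utils_$2.orig.tar.gz`. Beyond that, the script fetches from `http://svn.codehaus.org` over plain HTTP with no checksum or signature verification, while the changelog in this same revision says codehaus.org is obsolete and debian/watch now points at GitHub. Suggest dropping the script and relying on uscan; if it is kept, quote `$TAR` and `$DIR` in the `tar` and `rm` lines and explain what `../$TAG` in `rm -rf $DIR ../$TAG` is meant to remove, since `$DIR` and `$TAG` hold the same value.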
Property changes on: trunk/plexus-utils/debian/orig-tar.sh
___________________________________________________________________
Added: svn:executable
+ *
Added: trunk/plexus-utils/debian/patches/CVE-2017-1000487.patch
===================================================================
--- trunk/plexus-utils/debian/patches/CVE-2017-1000487.patch (rev 0)
+++ trunk/plexus-utils/debian/patches/CVE-2017-1000487.patch 2018-01-09 20:42:28 UTC (rev 19310)
@@ -0,0 +1,524 @@
+From: Markus Koschany <apo at debian.org>
+Date: Tue, 9 Jan 2018 20:45:31 +0100
+Subject: CVE-2017-1000487
+
+Bug-Upstream: https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31522
+Origin: https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41
+---
+ .../org/codehaus/plexus/util/cli/Commandline.java | 38 +++++++++++---
+ .../plexus/util/cli/shell/BourneShell.java | 60 +++++++---------------
+ .../org/codehaus/plexus/util/cli/shell/Shell.java | 35 ++++++++++---
+ .../codehaus/plexus/util/cli/CommandlineTest.java | 37 +++++++------
+ .../plexus/util/cli/shell/BourneShellTest.java | 17 +++---
+ 5 files changed, 106 insertions(+), 81 deletions(-)
+
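Review bot: The DEP-3 header lacks a Description: `Subject: CVE-2017-1000487` names the issue but not the fix. Add a line or two stating what changes, e.g. `Description: Commandline.execute() no longer routes the command through /bin/sh -c, and BourneShell now quotes every item unconditionally with single quotes`, so the patch is understandable without the upstream commit. `Bug-Upstream` points at a Snyk advisory rather than an upstream issue; `Origin` already identifies the upstream commit, which is the link that matters. If a Debian bug exists for this CVE, add `Bug-Debian:` with its number.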
+diff --git a/src/main/java/org/codehaus/plexus/util/cli/Commandline.java b/src/main/java/org/codehaus/plexus/util/cli/Commandline.java
+index 5e0d5af..7346c7e 100644
+--- a/src/main/java/org/codehaus/plexus/util/cli/Commandline.java
++++ b/src/main/java/org/codehaus/plexus/util/cli/Commandline.java
+@@ -139,6 +139,8 @@ public class Commandline
+ * Create a new command line object.
+ * Shell is autodetected from operating system
+ *
++ * Shell usage is only desirable when generating code for remote execution.
++ *
+ * @param toProcess
+ */
+ public Commandline( String toProcess, Shell shell )
+@@ -167,6 +169,8 @@ public class Commandline
+ /**
+ * Create a new command line object.
+ * Shell is autodetected from operating system
++ *
++ * Shell usage is only desirable when generating code for remote execution.
+ */
+ public Commandline( Shell shell )
+ {
+@@ -174,8 +178,7 @@ public class Commandline
+ }
+
+ /**
+- * Create a new command line object.
+- * Shell is autodetected from operating system
++ * Create a new command line object, given a command following POSIX sh quoting rules
+ *
+ * @param toProcess
+ */
+@@ -203,7 +206,6 @@ public class Commandline
+
+ /**
+ * Create a new command line object.
+- * Shell is autodetected from operating system
+ */
+ public Commandline()
+ {
+@@ -253,7 +255,7 @@ public class Commandline
+ {
+ if ( realPos == -1 )
+ {
+- realPos = ( getExecutable() == null ? 0 : 1 );
++ realPos = ( getLiteralExecutable() == null ? 0 : 1 );
+ for ( int i = 0; i < position; i++ )
+ {
+ Arg arg = (Arg) arguments.elementAt( i );
+@@ -404,6 +406,21 @@ public class Commandline
+ this.executable = executable;
+ }
+
++ /**
++ * @return Executable to be run, as a literal string (no shell quoting/munging)
++ */
++ public String getLiteralExecutable()
++ {
++ return executable;
++ }
++
++ /**
++ * Return an executable name, quoted for shell use.
++ *
++ * Shell usage is only desirable when generating code for remote execution.
++ *
++ * @return Executable to be run, quoted for shell interpretation
++ */
+ public String getExecutable()
+ {
+ String exec = shell.getExecutable();
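Review bot: `getExecutable()` changes meaning for a public method: it now returns the executable quoted for the shell, while the unquoted value moves to the new `getLiteralExecutable()`. Any reverse dependency compiled against 1.5.15 that calls `getExecutable()` to log, compare or reuse the program name will start seeing a single-quoted string. The javadoc in this hunk says so, but the Debian changelog should mention the API behaviour change, and the build reverse-dependencies deserve a test rebuild before upload.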
+@@ -483,7 +500,7 @@ public class Commandline
+ public String[] getCommandline()
+ {
+ final String[] args = getArguments();
+- String executable = getExecutable();
++ String executable = getLiteralExecutable();
+
+ if ( executable == null )
+ {
+@@ -497,6 +514,8 @@ public class Commandline
+
+ /**
+ * Returns the shell, executable and all defined arguments.
++ *
++ * Shell usage is only desirable when generating code for remote execution.
+ */
+ public String[] getShellCommandline()
+ {
+@@ -633,7 +652,7 @@ public class Commandline
+ {
+ if ( workingDir == null )
+ {
+- process = Runtime.getRuntime().exec( getShellCommandline(), environment );
++ process = Runtime.getRuntime().exec( getCommandline(), environment, workingDir );
+ }
+ else
+ {
+@@ -648,7 +667,7 @@ public class Commandline
+ + "\" does not specify a directory." );
+ }
+
+- process = Runtime.getRuntime().exec( getShellCommandline(), environment, workingDir );
++ process = Runtime.getRuntime().exec( getCommandline(), environment, workingDir );
+ }
+ }
+ catch ( IOException ex )
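Review bot: Both branches of the `workingDir == null` test now issue the identical call `Runtime.getRuntime().exec( getCommandline(), environment, workingDir )`, so the if/else can be collapsed to a single call after the directory check; only the "does not specify a directory" validation in the else branch still needs to stay conditional.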
+@@ -669,7 +688,7 @@ public class Commandline
+ shell.setWorkingDirectory( workingDir );
+ }
+
+- if ( shell.getExecutable() == null )
++ if ( shell.getOriginalExecutable() == null )
+ {
+ shell.setExecutable( executable );
+ }
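Review bot: `shell.getOriginalExecutable()` is called here but not added anywhere in this patch, and the same goes for the calls in Shell.java further down. The upstream commit was written against a newer tree; confirm that `Shell.getOriginalExecutable()` already exists in 1.5.15, otherwise the package will fail to compile once the patch is applied.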
+@@ -684,6 +703,8 @@ public class Commandline
+ /**
+ * Allows to set the shell to be used in this command line.
+ *
++ * Shell usage is only desirable when generating code for remote execution.
++ *
+ * @param shell
+ * @since 1.2
+ */
+@@ -695,6 +716,7 @@ public class Commandline
+ /**
+ * Get the shell to be used in this command line.
+ *
++ * Shell usage is only desirable when generating code for remote execution.
+ * @since 1.2
+ */
+ public Shell getShell()
+diff --git a/src/main/java/org/codehaus/plexus/util/cli/shell/BourneShell.java b/src/main/java/org/codehaus/plexus/util/cli/shell/BourneShell.java
+index afde64f..325ba0e 100644
+--- a/src/main/java/org/codehaus/plexus/util/cli/shell/BourneShell.java
++++ b/src/main/java/org/codehaus/plexus/util/cli/shell/BourneShell.java
+@@ -17,7 +17,6 @@ package org.codehaus.plexus.util.cli.shell;
+ */
+
+ import org.codehaus.plexus.util.Os;
+-import org.codehaus.plexus.util.StringUtils;
+
+ import java.util.ArrayList;
+ import java.util.List;
+@@ -29,34 +28,18 @@ import java.util.List;
+ public class BourneShell
+ extends Shell
+ {
+- private static final char[] BASH_QUOTING_TRIGGER_CHARS = {
+- ' ',
+- '$',
+- ';',
+- '&',
+- '|',
+- '<',
+- '>',
+- '*',
+- '?',
+- '(',
+- ')',
+- '[',
+- ']',
+- '{',
+- '}',
+- '`' };
+
+ public BourneShell()
+ {
+- this( false );
++ this(false);
+ }
+
+ public BourneShell( boolean isLoginShell )
+ {
++ setUnconditionalQuoting( true );
+ setShellCommand( "/bin/sh" );
+ setArgumentQuoteDelimiter( '\'' );
+- setExecutableQuoteDelimiter( '\"' );
++ setExecutableQuoteDelimiter( '\'' );
+ setSingleQuotedArgumentEscaped( true );
+ setSingleQuotedExecutableEscaped( false );
+ setQuotedExecutableEnabled( true );
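Review bot: The removal of `BASH_QUOTING_TRIGGER_CHARS` is the important part of this hunk and deserves a comment next to `setUnconditionalQuoting( true )`. Quoting only when one of the listed characters appeared meant that any metacharacter missing from the list was passed to the shell verbatim, and the previous executable delimiter `'\"'` on the removed line does not stop `$` or backtick expansion inside it. Quoting every item unconditionally in single quotes is the standard POSIX-safe approach. Nit: `this(false);` drops the `this( false );` spacing used everywhere else in the file.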
+@@ -75,7 +58,7 @@ public class BourneShell
+ return super.getExecutable();
+ }
+
+- return unifyQuotes( super.getExecutable());
++ return quoteOneItem( super.getOriginalExecutable(), true );
+ }
+
+ public List getShellArgsList()
+@@ -125,46 +108,41 @@ public class BourneShell
+ StringBuffer sb = new StringBuffer();
+ sb.append( "cd " );
+
+- sb.append( unifyQuotes( dir ) );
++ sb.append( quoteOneItem( dir, false ) );
+ sb.append( " && " );
+
+ return sb.toString();
+ }
+
+- protected char[] getQuotingTriggerChars()
+- {
+- return BASH_QUOTING_TRIGGER_CHARS;
+- }
+-
+ /**
+ * <p>Unify quotes in a path for the Bourne Shell.</p>
+ *
+ * <pre>
+- * BourneShell.unifyQuotes(null) = null
+- * BourneShell.unifyQuotes("") = (empty)
+- * BourneShell.unifyQuotes("/test/quotedpath'abc") = /test/quotedpath\'abc
+- * BourneShell.unifyQuotes("/test/quoted path'abc") = "/test/quoted path'abc"
+- * BourneShell.unifyQuotes("/test/quotedpath\"abc") = "/test/quotedpath\"abc"
+- * BourneShell.unifyQuotes("/test/quoted path\"abc") = "/test/quoted path\"abc"
+- * BourneShell.unifyQuotes("/test/quotedpath\"'abc") = "/test/quotedpath\"'abc"
+- * BourneShell.unifyQuotes("/test/quoted path\"'abc") = "/test/quoted path\"'abc"
++ * BourneShell.quoteOneItem(null) = null
++ * BourneShell.quoteOneItem("") = ''
++ * BourneShell.quoteOneItem("/test/quotedpath'abc") = '/test/quotedpath'"'"'abc'
++ * BourneShell.quoteOneItem("/test/quoted path'abc") = '/test/quoted pat'"'"'habc'
++ * BourneShell.quoteOneItem("/test/quotedpath\"abc") = '/test/quotedpath"abc'
++ * BourneShell.quoteOneItem("/test/quoted path\"abc") = '/test/quoted path"abc'
++ * BourneShell.quoteOneItem("/test/quotedpath\"'abc") = '/test/quotedpath"'"'"'abc'
++ * BourneShell.quoteOneItem("/test/quoted path\"'abc") = '/test/quoted path"'"'"'abc'
+ * </pre>
+ *
+ * @param path not null path.
+ * @return the path unified correctly for the Bourne shell.
+ */
+- protected static String unifyQuotes( String path )
++ protected String quoteOneItem( String path, boolean isExecutable )
+ {
+ if ( path == null )
+ {
+ return null;
+ }
+
+- if ( path.indexOf( " " ) == -1 && path.indexOf( "'" ) != -1 && path.indexOf( "\"" ) == -1 )
+- {
+- return StringUtils.escape( path );
+- }
++ StringBuilder sb = new StringBuilder();
++ sb.append( "'" );
++ sb.append( path.replace( "'", "'\"'\"'" ) );
++ sb.append( "'" );
+
+- return StringUtils.quoteAndEscape( path, '\"', BASH_QUOTING_TRIGGER_CHARS );
++ return sb.toString();
+ }
+ }
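Review bot: The javadoc example for `"/test/quoted path'abc"` is wrong: the expected output should be `'/test/quoted path'"'"'abc'`, but the split is written as `pat'"'"'habc`. The method description still says "Unify quotes in a path" and documents only `path`, while the override now takes `isExecutable` and ignores it (the base class uses it to choose the delimiter); document that or note in the javadoc that BourneShell quotes both the same way. The implementation itself is the right idiom: everything between single quotes is literal to a POSIX shell, and the only character that cannot appear is the single quote, which `'\"'\"'` handles by closing the quoted string, emitting a double-quoted `'` and reopening it. Also worth keeping as documented: `null` still yields `null`, and `""` now yields `''` rather than an empty string, which is what an empty argument needs.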
+diff --git a/src/main/java/org/codehaus/plexus/util/cli/shell/Shell.java b/src/main/java/org/codehaus/plexus/util/cli/shell/Shell.java
+index f51f6ad..7041e28 100644
+--- a/src/main/java/org/codehaus/plexus/util/cli/shell/Shell.java
++++ b/src/main/java/org/codehaus/plexus/util/cli/shell/Shell.java
+@@ -48,6 +48,8 @@ public class Shell
+
+ private boolean quotedArgumentsEnabled = true;
+
++ private boolean unconditionallyQuote = false;
++
+ private String executable;
+
+ private String workingDir;
+@@ -66,6 +68,16 @@ public class Shell
+
+ private char exeQuoteDelimiter = '\"';
+
++ /**
++ * Toggle unconditional quoting
++ *
++ * @param unconditionallyQuote
++ */
++ public void setUnconditionalQuoting(boolean unconditionallyQuote)
++ {
++ this.unconditionallyQuote = unconditionallyQuote;
++ }
++
+ /**
+ * Set the command to execute the shell (eg. COMMAND.COM, /bin/bash,...)
+ *
+@@ -98,6 +110,19 @@ public class Shell
+ this.shellArgs.addAll( Arrays.asList( shellArgs ) );
+ }
+
++ protected String quoteOneItem(String inputString, boolean isExecutable)
++ {
++ char[] escapeChars = getEscapeChars( isSingleQuotedExecutableEscaped(), isDoubleQuotedExecutableEscaped() );
++ return StringUtils.quoteAndEscape(
++ inputString,
++ isExecutable ? getExecutableQuoteDelimiter() : getArgumentQuoteDelimiter(),
++ escapeChars,
++ getQuotingTriggerChars(),
++ '\\',
++ unconditionallyQuote
++ );
++ }
++
+ /**
+ * Get the shell arguments
+ *
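Review bot: `unconditionallyQuote` defaults to `false` and only BourneShell sets it in this patch, so every other Shell subclass (CmdShell is exercised in the tests below) keeps the trigger-character behaviour through `getQuotingTriggerChars()`; that is consistent with the CVE being about `/bin/sh`, but it should be stated in the patch description so nobody assumes the Windows shells are covered. Nit: there is a setter but no `isUnconditionalQuoting()` getter, unlike the other boolean properties in this class. The six-argument `StringUtils.quoteAndEscape` overload was already used by the `getCommandLine` code that later hunks replace, so no new dependency on a newer StringUtils is introduced.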
+@@ -142,9 +167,7 @@ public class Shell
+
+ if ( isQuotedExecutableEnabled() )
+ {
+- char[] escapeChars = getEscapeChars( isSingleQuotedExecutableEscaped(), isDoubleQuotedExecutableEscaped() );
+-
+- sb.append( StringUtils.quoteAndEscape( getExecutable(), getExecutableQuoteDelimiter(), escapeChars, getQuotingTriggerChars(), '\\', false ) );
++ sb.append( quoteOneItem( getOriginalExecutable(), true ) );
+ }
+ else
+ {
+@@ -160,9 +183,7 @@ public class Shell
+
+ if ( isQuotedArgumentsEnabled() )
+ {
+- char[] escapeChars = getEscapeChars( isSingleQuotedExecutableEscaped(), isDoubleQuotedExecutableEscaped() );
+-
+- sb.append( StringUtils.quoteAndEscape( arguments[i], getArgumentQuoteDelimiter(), escapeChars, getQuotingTriggerChars(), '\\', false ) );
++ sb.append( quoteOneItem( arguments[i], false ) );
+ }
+ else
+ {
+@@ -267,7 +288,7 @@ public class Shell
+ commandLine.addAll( getShellArgsList() );
+ }
+
+- commandLine.addAll( getCommandLine( getExecutable(), arguments ) );
++ commandLine.addAll( getCommandLine( getOriginalExecutable(), arguments ) );
+
+ return commandLine;
+
+diff --git a/src/test/java/org/codehaus/plexus/util/cli/CommandlineTest.java b/src/test/java/org/codehaus/plexus/util/cli/CommandlineTest.java
+index b22814b..42bbb7f 100644
+--- a/src/test/java/org/codehaus/plexus/util/cli/CommandlineTest.java
++++ b/src/test/java/org/codehaus/plexus/util/cli/CommandlineTest.java
+@@ -16,6 +16,7 @@ package org.codehaus.plexus.util.cli;
+ * limitations under the License.
+ */
+
++import junit.framework.TestCase;
+ import org.codehaus.plexus.util.IOUtil;
+ import org.codehaus.plexus.util.Os;
+ import org.codehaus.plexus.util.StringUtils;
+@@ -23,15 +24,7 @@ import org.codehaus.plexus.util.cli.shell.BourneShell;
+ import org.codehaus.plexus.util.cli.shell.CmdShell;
+ import org.codehaus.plexus.util.cli.shell.Shell;
+
+-import java.io.File;
+-import java.io.FileWriter;
+-import java.io.IOException;
+-import java.io.InputStreamReader;
+-import java.io.Reader;
+-import java.io.StringWriter;
+-import java.io.Writer;
+-
+-import junit.framework.TestCase;
++import java.io.*;
+
+ public class CommandlineTest
+ extends TestCase
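Review bot: Replacing the seven explicit `java.io` imports with `import java.io.*;` and moving `junit.framework.TestCase` is unrelated churn for a security backport; keeping the original import block would make the patch smaller and easier to rebase. There is no functional difference.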
+@@ -252,7 +245,7 @@ public class CommandlineTest
+
+ assertEquals( "/bin/sh", shellCommandline[0] );
+ assertEquals( "-c", shellCommandline[1] );
+- String expectedShellCmd = "/bin/echo \'hello world\'";
++ String expectedShellCmd = "'/bin/echo' 'hello world'";
+ if ( Os.isFamily( Os.FAMILY_WINDOWS ) )
+ {
+ expectedShellCmd = "\\bin\\echo \'hello world\'";
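Review bot: The Windows branch keeps the unquoted executable `\bin\echo 'hello world'`, while the same branch in the working-directory test below is updated to `'\bin\echo' 'hello world'`. With a BourneShell the executable is now always single-quoted regardless of platform, so this expectation (and the identical one in the later test of this file) looks like it would fail on Windows; update it to match or add a comment explaining the difference.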
+@@ -282,12 +275,12 @@ public class CommandlineTest
+
+ assertEquals( "/bin/sh", shellCommandline[0] );
+ assertEquals( "-c", shellCommandline[1] );
+- String expectedShellCmd = "cd \"" + root.getAbsolutePath()
+- + "path with spaces\" && /bin/echo \'hello world\'";
++ String expectedShellCmd = "cd '" + root.getAbsolutePath()
++ + "path with spaces' && '/bin/echo' 'hello world'";
+ if ( Os.isFamily( Os.FAMILY_WINDOWS ) )
+ {
+- expectedShellCmd = "cd \"" + root.getAbsolutePath()
+- + "path with spaces\" && \\bin\\echo \'hello world\'";
++ expectedShellCmd = "cd '" + root.getAbsolutePath()
++ + "path with spaces' && '\\bin\\echo' 'hello world'";
+ }
+ assertEquals( expectedShellCmd, shellCommandline[2] );
+ }
+@@ -311,7 +304,7 @@ public class CommandlineTest
+
+ assertEquals( "/bin/sh", shellCommandline[0] );
+ assertEquals( "-c", shellCommandline[1] );
+- String expectedShellCmd = "/bin/echo \'hello world\'";
++ String expectedShellCmd = "'/bin/echo' ''\"'\"'hello world'\"'\"''";
+ if ( Os.isFamily( Os.FAMILY_WINDOWS ) )
+ {
+ expectedShellCmd = "\\bin\\echo \'hello world\'";
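Review bot: This expectation documents a behaviour change that the changelog should spell out: the argument here is the string `'hello world'` including its quotes, and it now reaches the program with those quotes intact (the shell sees `''"'"'hello world'"'"''`, where the leading and trailing `''` are empty strings it concatenates away), whereas before the quotes were handed to `/bin/sh` and stripped. Callers that pre-quoted their own arguments will see different results. The Windows branch directly above keeps the old unquoted form, same remark as for the earlier test.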
+@@ -341,7 +334,7 @@ public class CommandlineTest
+ }
+ else
+ {
+- assertEquals( "/usr/bin a b", shellCommandline[2] );
++ assertEquals( "'/usr/bin' 'a' 'b'", shellCommandline[2] );
+ }
+ }
+
+@@ -387,6 +380,18 @@ public class CommandlineTest
+ createAndCallScript( dir, "echo Quoted" );
+ }
+
++ /**
++ * Test an executable with shell-expandable content in its path.
++ *
++ * @throws Exception
++ */
++ public void testPathWithShellExpansionStrings()
++ throws Exception
++ {
++ File dir = new File( System.getProperty( "basedir" ), "target/test/dollar$test" );
++ createAndCallScript( dir, "echo Quoted" );
++ }
++
+ /**
+ * Test an executable with a single quotation mark <code>\"</code> in its path only for non Windows box.
+ *
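Review bot: `testPathWithShellExpansionStrings` is the regression test for the delimiter change and its javadoc should say which expansion it targets: the directory name `dollar$test` contains `$`, which the old double-quote delimiter did not protect against. Naming that in the comment makes the test's purpose clear to the next person who touches BourneShell.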
+diff --git a/src/test/java/org/codehaus/plexus/util/cli/shell/BourneShellTest.java b/src/test/java/org/codehaus/plexus/util/cli/shell/BourneShellTest.java
+index 807bff5..f1645b6 100644
+--- a/src/test/java/org/codehaus/plexus/util/cli/shell/BourneShellTest.java
++++ b/src/test/java/org/codehaus/plexus/util/cli/shell/BourneShellTest.java
+@@ -16,14 +16,13 @@ package org.codehaus.plexus.util.cli.shell;
+ * limitations under the License.
+ */
+
++import junit.framework.TestCase;
+ import org.codehaus.plexus.util.StringUtils;
+ import org.codehaus.plexus.util.cli.Commandline;
+
+ import java.util.Arrays;
+ import java.util.List;
+
+-import junit.framework.TestCase;
+-
+ public class BourneShellTest
+ extends TestCase
+ {
+@@ -42,7 +41,7 @@ public class BourneShellTest
+
+ String executable = StringUtils.join( sh.getShellCommandLine( new String[]{} ).iterator(), " " );
+
+- assertEquals( "/bin/sh -c cd /usr/local/bin && chmod", executable );
++ assertEquals( "/bin/sh -c cd '/usr/local/bin' && 'chmod'", executable );
+ }
+
+ public void testQuoteWorkingDirectoryAndExecutable_WDPathWithSingleQuotes()
+@@ -54,7 +53,7 @@ public class BourneShellTest
+
+ String executable = StringUtils.join( sh.getShellCommandLine( new String[]{} ).iterator(), " " );
+
+- assertEquals( "/bin/sh -c cd \"/usr/local/\'something else\'\" && chmod", executable );
++ assertEquals( "/bin/sh -c cd '/usr/local/'\"'\"'something else'\"'\"'' && 'chmod'", executable );
+ }
+
+ public void testQuoteWorkingDirectoryAndExecutable_WDPathWithSingleQuotes_BackslashFileSep()
+@@ -66,7 +65,7 @@ public class BourneShellTest
+
+ String executable = StringUtils.join( sh.getShellCommandLine( new String[]{} ).iterator(), " " );
+
+- assertEquals( "/bin/sh -c cd \"\\usr\\local\\\'something else\'\" && chmod", executable );
++ assertEquals( "/bin/sh -c cd '\\usr\\local\\\'\"'\"'something else'\"'\"'' && 'chmod'", executable );
+ }
+
+ public void testPreserveSingleQuotesOnArgument()
+@@ -82,7 +81,7 @@ public class BourneShellTest
+
+ String cli = StringUtils.join( shellCommandLine.iterator(), " " );
+ System.out.println( cli );
+- assertTrue( cli.endsWith( args[0] ) );
++ assertTrue( cli.endsWith("''\"'\"'some arg with spaces'\"'\"''"));
+ }
+
+ public void testAddSingleQuotesOnArgumentWithSpaces()
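Review bot: `testPreserveSingleQuotesOnArgument` no longer tests what its name says: the assertion changed from `cli.endsWith( args[0] )` to checking the re-escaped form `''"'"'some arg with spaces'"'"''`, i.e. the single quotes in the argument are now escaped as literal characters rather than preserved as shell syntax. Rename the test or add a comment, otherwise the name contradicts the assertion.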
+@@ -130,7 +129,7 @@ public class BourneShellTest
+
+ assertEquals( "/bin/sh", lines[0] );
+ assertEquals( "-c", lines[1] );
+- assertEquals( "chmod --password ';password'", lines[2] );
++ assertEquals( "'chmod' '--password' ';password'", lines[2] );
+
+ commandline = new Commandline( newShell() );
+ commandline.setExecutable( "chmod" );
+@@ -142,7 +141,7 @@ public class BourneShellTest
+
+ assertEquals( "/bin/sh", lines[0] );
+ assertEquals( "-c", lines[1] );
+- assertEquals( "chmod --password ';password'", lines[2] );
++ assertEquals( "'chmod' '--password' ';password'", lines[2] );
+
+ commandline = new Commandline( new CmdShell() );
+ commandline.getShell().setQuotedArgumentsEnabled( true );
+@@ -190,7 +189,7 @@ public class BourneShellTest
+
+ assertEquals( "/bin/sh", lines[0] );
+ assertEquals( "-c", lines[1] );
+- assertEquals( "chmod ' ' '|' '&&' '||' ';' ';;' '&' '()' '<' '<<' '>' '>>' '*' '?' '[' ']' '{' '}' '`'",
++ assertEquals( "'chmod' ' ' '|' '&&' '||' ';' ';;' '&' '()' '<' '<<' '>' '>>' '*' '?' '[' ']' '{' '}' '`'",
+ lines[2] );
+
+ }
Added: trunk/plexus-utils/debian/patches/series
===================================================================
--- trunk/plexus-utils/debian/patches/series (rev 0)
+++ trunk/plexus-utils/debian/patches/series 2018-01-09 20:42:28 UTC (rev 19310)
@@ -0,0 +1 @@
+CVE-2017-1000487.patch
Modified: trunk/plexus-utils/debian/rules
===================================================================
--- trunk/plexus-utils/debian/rules 2018-01-04 00:30:56 UTC (rev 19309)
+++ trunk/plexus-utils/debian/rules 2018-01-09 20:42:28 UTC (rev 19310)
@@ -24,6 +24,5 @@
dh_install -plibplexus-utils-java-doc $(API_DOCS) usr/share/doc/libplexus-utils-java
clean::
- mh_clean
-rm -rf debian/tmp
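Review bot: Only `mh_clean` is removed from `clean::`; the hunk header's 6-to-5 line count and the `-rm -rf debian/tmp` line, where the leading `-` is make's ignore-errors prefix, confirm that. Since the package still installs with mh_installpom/mh_installjar according to the changelog, check that a second `debian/rules clean` after a build leaves no maven-repo-helper working files behind; if that cleanup is handled elsewhere, a short comment would save the next maintainer the same question.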
Modified: trunk/plexus-utils/debian/watch
===================================================================
--- trunk/plexus-utils/debian/watch 2018-01-04 00:30:56 UTC (rev 19309)
+++ trunk/plexus-utils/debian/watch 2018-01-09 20:42:28 UTC (rev 19310)
@@ -1,2 +1,4 @@
version=3
-https://github.com/sonatype/plexus-utils/releases .*/plexus-utils-(.*).tar.gz
+opts="uversionmangle=s/-(alpha|beta)-/~$1/" \
+ https://github.com/codehaus-plexus/plexus-utils/tags .*/plexus-utils-(\d.*).tar.gz
+
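Review bot: The last line of the hunk adds a trailing empty line to debian/watch; drop it. The rest is fine: `(\d.*)` anchors the version to a digit so tags that do not continue with a number after the `plexus-utils-` prefix are skipped, and `uversionmangle=s/-(alpha|beta)-/~$1/` sorts pre-releases before the final version. With uscan working against the GitHub tags page, the `debian/orig-tar.sh` added in this same revision is redundant.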