[Git][java-team/derby][master] 3 commits: Add patch for CVE-2022-46337 (Closes: #1056755)

Tony Mancill (@tmancill) gitlab at salsa.debian.org
Sun Nov 26 05:38:11 GMT 2023



Tony Mancill pushed to branch master at Debian Java Maintainers / derby


Commits:
49c33ccb by tony mancill at 2023-11-25T20:11:01-08:00
Add patch for CVE-2022-46337 (Closes: #1056755)

- - - - -
d03031ea by tony mancill at 2023-11-25T21:28:27-08:00
Update lintian-overrides for derby source package

- - - - -
890648ca by tony mancill at 2023-11-25T21:28:27-08:00
Prepare changelog for upload

- - - - -


4 changed files:

- debian/changelog
- + debian/patches/06-CVE-2022-46337.patch
- debian/patches/series
- debian/source/lintian-overrides


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,11 @@
+derby (10.14.2.0-3) unstable; urgency=medium
+
+  * Team upload.
+  * Add patch for CVE-2022-46337 (Closes: #1056755)
+  * Update lintian-overrides for derby source package
+
+ -- tony mancill <tmancill at debian.org>  Sat, 25 Nov 2023 21:25:10 -0800
+
 derby (10.14.2.0-2) unstable; urgency=medium
 
   * Team upload
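Review bot: the changelog line for the CVE patch could also name the upstream reference the patch itself cites (the Origin revision and DERBY-7147 from the code comment), so someone reading only the changelog can locate the fix without opening debian/patches. Minor style point: "Team upload." in the new entry ends with a period while the previous entry's "Team upload" does not; pick one form.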


=====================================
debian/patches/06-CVE-2022-46337.patch
=====================================
@@ -0,0 +1,159 @@
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1905586
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056755
+Forwarded: not-needed
+
+--
+--- a/java/engine/org/apache/derby/impl/jdbc/authentication/LDAPAuthenticationSchemeImpl.java
++++ b/java/engine/org/apache/derby/impl/jdbc/authentication/LDAPAuthenticationSchemeImpl.java
+@@ -191,6 +191,54 @@
+ 	
+ 
+     /**
++     * Given an LDAP search string, returns the string with certain characters
++     * escaped according to RFC 2254 guidelines. Cribbed from org.apache.catalina.realm.JNDIRealm.
++     *
++     * The character mapping is as follows:
++     *     char ->  Replacement
++     *    ---------------------------
++     *     *  -> \2a
++     *     (  -> \28
++     *     )  -> \29
++     *     \  -> \5c
++     *     \0 -> \00
++     *
++     * @param inString string to escape according to RFC 2254 guidelines
++     *
++     * @return String the escaped/encoded result
++     */
++    protected String doFilterEscaping(String inString) {
++        if (inString == null) {
++            return null;
++        }
++        StringBuilder buf = new StringBuilder(inString.length());
++        for (int i = 0; i < inString.length(); i++) {
++            char c = inString.charAt(i);
++            switch (c) {
++                case '\\':
++                    buf.append("\\5c");
++                    break;
++                case '*':
++                    buf.append("\\2a");
++                    break;
++                case '(':
++                    buf.append("\\28");
++                    break;
++                case ')':
++                    buf.append("\\29");
++                    break;
++                case '\0':
++                    buf.append("\\00");
++                    break;
++                default:
++                    buf.append(c);
++                    break;
++            }
++        }
++        return buf.toString();
++    }
++
++    /**
+      * Call new InitialDirContext in a privilege block
+      * @param env environment used to create the initial DirContext. Null indicates an empty environment.
+      * @return an initial DirContext using the supplied environment. 
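Review bot: no test accompanies doFilterEscaping; since the method is protected, a small unit test asserting that `doFilterEscaping("a*b(c)\\d")` returns `a\2ab\28c\29\5cd` and that a null input returns null would pin down the RFC 2254 mapping listed in the Javadoc. Because the per-character switch always turns an input backslash into `\5c`, callers must pass the raw uid and never an already-escaped value; a sentence in the Javadoc saying so would prevent accidental double escaping. The Javadoc table lists `\0` while the code matches the NUL char `'\0'`, which is consistent, but writing "NUL (\0)" in the table would make that explicit.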
+@@ -411,7 +459,10 @@
+ 	private String getDNFromUID(String uid)
+ 		throws javax.naming.NamingException
+ 	{
+-		//
++            // Escape the uid as a defense against LDAP injection. See DERBY-7147.
++            uid = doFilterEscaping(uid);
++
++                //
+ 		// We bind to the LDAP server here
+ 		// Note that this bind might be anonymous (if anonymous searches
+ 		// are allowed in the LDAP server, or authenticated if we were
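Review bot: the inserted lines use space indentation (`+            // Escape the uid as a defense against LDAP injection. See DERBY-7147.`) while the surrounding body of getDNFromUID is tab-indented, and the re-added comment opener (`+                //`) is indented differently from the `//` line it replaces; matching the file's tabs keeps the diff minimal and avoids a spurious change to an unchanged comment. On substance, escaping the uid before the bind means the escaped form is what reaches the search filter, which is the intent; it would be worth confirming in review that uid is used only as a filter value in this method, since RFC 2254 filter escaping is not the same as DN escaping.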
+--- /dev/null
++++ b/tools/release/notices/tomcat.txt
+@@ -0,0 +1,72 @@
++Derby uses the org.apache.catalina.realm.JNDIRealm.doFilterEscaping()
++routine from the Apache Tomcat project. The following notice covers
++the Tomcat sources:
++
++Apache Tomcat
++Copyright 1999-2022 The Apache Software Foundation
++
++This product includes software developed at
++The Apache Software Foundation (https://www.apache.org/).
++
++This software contains code derived from netty-native
++developed by the Netty project
++(https://netty.io, https://github.com/netty/netty-tcnative/)
++and from finagle-native developed at Twitter
++(https://github.com/twitter/finagle).
++
++This software contains code derived from jgroups-kubernetes
++developed by the JGroups project (http://www.jgroups.org/).
++
++The Windows Installer is built with the Nullsoft
++Scriptable Install System (NSIS), which is
++open source software.  The original software and
++related information is available at
++http://nsis.sourceforge.net.
++
++Java compilation software for JSP pages is provided by the Eclipse
++JDT Core Batch Compiler component, which is open source software.
++The original software and related information is available at
++https://www.eclipse.org/jdt/core/.
++
++org.apache.tomcat.util.json.JSONParser.jj is a public domain javacc grammar
++for JSON written by Robert Fischer.
++https://github.com/RobertFischer/json-parser
++
++For portions of the Tomcat JNI OpenSSL API and the OpenSSL JSSE integration
++The org.apache.tomcat.jni and the org.apache.tomcat.net.openssl packages
++are derivative work originating from the Netty project and the finagle-native
++project developed at Twitter
++* Copyright 2014 The Netty Project
++* Copyright 2014 Twitter
++
++For portions of the Tomcat cloud support
++The org.apache.catalina.tribes.membership.cloud package contains derivative
++work originating from the jgroups project.
++https://github.com/jgroups-extras/jgroups-kubernetes
++Copyright 2002-2018 Red Hat Inc.
++
++The original XML Schemas for Java EE Deployment Descriptors:
++ - javaee_5.xsd
++ - javaee_web_services_1_2.xsd
++ - javaee_web_services_client_1_2.xsd
++ - javaee_6.xsd
++ - javaee_web_services_1_3.xsd
++ - javaee_web_services_client_1_3.xsd
++ - jsp_2_2.xsd
++ - web-app_3_0.xsd
++ - web-common_3_0.xsd
++ - web-fragment_3_0.xsd
++ - javaee_7.xsd
++ - javaee_web_services_1_4.xsd
++ - javaee_web_services_client_1_4.xsd
++ - jsp_2_3.xsd
++ - web-app_3_1.xsd
++ - web-common_3_1.xsd
++ - web-fragment_3_1.xsd
++ - javaee_8.xsd
++ - web-app_4_0.xsd
++ - web-common_4_0.xsd
++ - web-fragment_4_0.xsd
++
++may be obtained from:
++http://www.oracle.com/webfolder/technetwork/jsc/xml/ns/javaee/index.html
+--- a/build.xml
++++ b/build.xml
+@@ -2022,6 +2022,7 @@
+      <antcall target="appendnotice"><param name="sourcefile" value="felix.txt"/></antcall>
+      <antcall target="appendnotice"><param name="sourcefile" value="lucene.txt"/></antcall>
+      <antcall target="appendnotice"><param name="sourcefile" value="simpleJson.txt"/></antcall>
++     <antcall target="appendnotice"><param name="sourcefile" value="tomcat.txt"/></antcall>
+      
+       <antcall target="checkinfile">
+          <param name="checkinComment" value="Check in NOTICE as part of building a release."/>
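Review bot: debian/copyright is not among the four changed files, yet the patch brings in code derived from org.apache.catalina.realm.JNDIRealm together with a Tomcat NOTICE; check whether the Debian copyright file needs an entry for the Tomcat-derived doFilterEscaping method. The build.xml addition of tomcat.txt matches the new notices file and, given "Forwarded: not-needed", is correctly carried as part of the upstream change rather than a Debian-only tweak.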


=====================================
debian/patches/series
=====================================
@@ -3,3 +3,4 @@
 03-offline-package-list.patch
 04-java10-compatibility.patch
 json-simple-3.patch
+06-CVE-2022-46337.patch
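Review bot: the visible sequence is 03, 04, json-simple-3 and then 06, so 05 is skipped; if the gap is unintentional, naming the new patch 05-CVE-2022-46337.patch keeps the numbering contiguous, otherwise it is fine to leave as is.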


=====================================
debian/source/lintian-overrides
=====================================
@@ -1 +1,3 @@
 derby source: source-contains-prebuilt-java-object java/testing/*
+# source contains long lines
+derby source: source-is-missing [java/demo/nserverdemo/readme.html]



View it on GitLab: https://salsa.debian.org/java-team/derby/-/compare/83378a9957e98bbe9e3ba66c71988c4a04073bc5...890648caa826dffd50dafdfd6d96f46a5f04e40e
