Hello community,

here is the log from the commit of package jakarta-commons-fileupload for 
openSUSE:Factory checked in at 2013-10-24 14:08:25
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/jakarta-commons-fileupload (Old)
 and      /work/SRC/openSUSE:Factory/.jakarta-commons-fileupload.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "jakarta-commons-fileupload"

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/jakarta-commons-fileupload/jakarta-commons-fileupload.changes
    2013-09-11 13:38:57.000000000 +0200
+++ 
/work/SRC/openSUSE:Factory/.jakarta-commons-fileupload.new/jakarta-commons-fileupload.changes
       2013-10-24 14:08:26.000000000 +0200
@@ -1,0 +2,12 @@
+Fri Oct 18 11:50:53 UTC 2013 - [email protected]
+
+- remove gcj part and deprecated macros 
+
+-------------------------------------------------------------------
+Thu Oct 17 08:32:35 UTC 2013 - [email protected]
+
+- fix bnc#846174/CVE-2013-2186: null byte injection flaw
+  http://svn.apache.org/viewvc?view=revision&revision=1507048
+  * jakarta-commons-fileupload-CVE-2013-2186.patch
+
+-------------------------------------------------------------------

New:
----
  jakarta-commons-fileupload-CVE-2013-2186.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ jakarta-commons-fileupload.spec ++++++
--- /var/tmp/diff_new_pack.QkhCkt/_old  2013-10-24 14:08:27.000000000 +0200
+++ /var/tmp/diff_new_pack.QkhCkt/_new  2013-10-24 14:08:27.000000000 +0200
@@ -17,10 +17,8 @@
 # icecream 0
 
 
-%define gcj_support 
%{?_with_gcj_support:1}%{!?_with_gcj_support:%{?_without_gcj_support:0}%{!?_without_gcj_support:%{?_gcj_support:%{_gcj_support}}%{!?_gcj_support:0}}}
 %define base_name fileupload
 %define short_name commons-%{base_name}
-%define section free
 
 Name:           jakarta-commons-fileupload
 Version:        1.1.1
@@ -32,10 +30,11 @@
 Source0:        
http://www.apache.org/dist/jakarta/commons/fileupload/source/commons-fileupload-1.1.1-src.tar.gz
 Patch0:         %{name}-build_xml.patch
 Patch1:         %{name}-%{version}-servletapi5.patch
+#PATCH-FIX-UPSTREAM: bnc#846174
+#DiskFileItem.java part of 
http://svn.apache.org/viewvc?view=revision&revision=1507048
+Patch2:         jakarta-commons-fileupload-CVE-2013-2186.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-%if ! %{gcj_support}
 BuildArch:      noarch
-%endif
 BuildRequires:  ant
 BuildRequires:  ant-junit
 BuildRequires:  jakarta-commons-io
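Review bot: The tag on the new Patch2 does not follow the openSUSE patch-comment convention, which names the patch file and its references on one line, e.g. `# PATCH-FIX-UPSTREAM jakarta-commons-fileupload-CVE-2013-2186.patch bnc#846174 CVE-2013-2186 -- DiskFileItem.java part of svn r1507048`. As written the comment omits the CVE id, so anyone auditing the spec for CVE-2013-2186 has to go to the changelog to find it. The comment above Patch2 appears wrapped across two lines here, which may be the mail client rather than the spec; I can't tell from this view.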
@@ -47,15 +46,11 @@
 BuildRequires:  java-devel
 BuildRequires:  unzip
 %endif
-%if %{gcj_support}
-BuildRequires:  java-gcj-compat-devel
-Requires(post):         java-gcj-compat
-Requires(postun):       java-gcj-compat
-%endif
 Requires:       javapackages-tools
 Requires:       servletapi5
-Provides:       %{short_name}
-Obsoletes:      %{short_name}
+# FIXME: correct on update of fileuploads
+Provides:       %{short_name} = 1.1.2
+Obsoletes:      %{short_name} <= 1.1.1
 
 %description
 The javax.servlet package lacks support for RFC 1867, HTML file upload.
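Review bot: `Provides: %{short_name} = 1.1.2` advertises a version higher than the package's own `Version: 1.1.1`, so a dependency on `commons-fileupload >= 1.1.2` would be satisfied by a build that does not contain that release. The FIXME acknowledges the drift, but the hard-coded numbers will silently persist past the next version bump; tying both to the macro avoids that: `Provides: %{short_name} = %{version}` and `Obsoletes: %{short_name} < %{version}`. If 1.1.2 was chosen deliberately to supersede an existing package of that name, that reasoning belongs in the comment rather than a bare FIXME.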
@@ -87,6 +82,7 @@
 %setup -q -n %{short_name}-%{version}
 %patch0 -b .build.xml
 %patch1 -p0 -b .servletapi5
+%patch2 -p0
 # -----------------------------------------------------------------------------
 
 %build
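Review bot: `%patch2 -p0` is applied without the `-b` backup suffix that %patch0 and %patch1 use on the lines above, so the CVE fix is the one patch whose pre-patch originals are not kept in the build tree. For consistency with its siblings use `%patch2 -p0 -b .CVE-2013-2186`. Minor, but it keeps the three patch lines uniform and makes the applied change easy to inspect in the build directory.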
@@ -96,7 +92,6 @@
     -Dbuild.sysclasspath=only \
     -Dfinal.name=%{name}-%{version} \
     -Dservletapi.javadoc=%{_javadocdir}/servletapi5 \
-    -Dant.build.javac.source=1.4 -Dant.build.javac.target=1.4 \
     dist
 # -----------------------------------------------------------------------------
 
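Review bot: Dropping `-Dant.build.javac.source=1.4 -Dant.build.javac.target=1.4` is a functional build change that the changelog entry ("remove gcj part and deprecated macros") does not mention. It is presumably required because the backported DiskFileItem check uses `String.contains` and `String.format`, both Java 5 APIs, so the build would fail with a 1.4 source level; I can't confirm that from the spec alone. A comment on the ant invocation, `# CVE-2013-2186 backport uses Java 5 APIs; do not pin javac source/target to 1.4`, would record that dependency for the next update.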
@@ -120,37 +115,13 @@
 # javadoc
 %{__mkdir} -p $RPM_BUILD_ROOT%{_javadocdir}/%{name}
 %{__cp} -pr dist/docs/api/* $RPM_BUILD_ROOT%{_javadocdir}/%{name}
-%if %{gcj_support}
-%{_bindir}/aot-compile-rpm
-%endif
-
-%clean
-%{__rm} -rf $RPM_BUILD_ROOT
-# -----------------------------------------------------------------------------
-%if %{gcj_support}
-
-%post
-if [ -x %{_bindir}/rebuild-gcj-db ]; then
-        %{_bindir}/rebuild-gcj-db
-fi
-%endif
-%if %{gcj_support}
 
-%postun
-if [ -x %{_bindir}/rebuild-gcj-db ]; then
-        %{_bindir}/rebuild-gcj-db
-fi
-%endif
 # -----------------------------------------------------------------------------
 
 %files
 %defattr(0644,root,root,0755)
 %doc LICENSE.txt NOTICE.txt RELEASE-NOTES.txt
 %{_javadir}/*
-%if %{gcj_support}
-%attr(-,root,root) %dir %{_libdir}/gcj/%{name}
-%attr(-,root,root) %{_libdir}/gcj/%{name}/%{name}-%{version}.jar.*
-%endif
 
 %files javadoc
 %defattr(0644,root,root,0755)

++++++ jakarta-commons-fileupload-CVE-2013-2186.patch ++++++
Index: src/java/org/apache/commons/fileupload/disk/DiskFileItem.java
===================================================================
--- src/java/org/apache/commons/fileupload/disk/DiskFileItem.java.orig
+++ src/java/org/apache/commons/fileupload/disk/DiskFileItem.java
@@ -674,6 +674,26 @@ public class DiskFileItem
         // read values
         in.defaultReadObject();
 
+        /* One expected use of serialization is to migrate HTTP sessions
+         * containing a DiskFileItem between JVMs. Particularly if the JVMs are
+         * on different machines It is possible that the repository location is
+         * not valid so validate it.
+         */
+        if (repository != null) {
+            if (repository.isDirectory()) {
+                // Check path for nulls
+                if (repository.getPath().contains("\0")) {
+                    throw new IOException(java.lang.String.format(
+                            "The repository [%s] contains a null character",
+                            repository.getPath()));
+                }
+            } else {
+                throw new IOException(java.lang.String.format(
+                        "The repository [%s] is not a directory",
+                        repository.getAbsolutePath()));
+            }
+        }
+
         OutputStream output = getOutputStream();
         if (cachedContent != null) {
             output.write(cachedContent);
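Review bot: The null-character check on `repository.getPath()` only runs inside the `isDirectory()` branch, and on JDKs that treat a path containing `\0` as invalid `isDirectory()` returns false for such a path, so the deserialized object would be rejected by the "is not a directory" branch and the dedicated check would be unreachable there. Testing `repository.getPath().contains("\0")` first and then `if (!repository.isDirectory())` makes the rejection independent of `File` semantics and yields the more specific message; since this mirrors upstream r1507048, keeping it as-is is a defensible backport-fidelity choice and the object is rejected either way. The method being patched (a `readObject`, judging by `in.defaultReadObject()`) starts and ends outside the hunk; the validation correctly precedes the `getOutputStream()` call that would otherwise act on the deserialized repository path. `java.lang.String.format` is written fully qualified here while the DiskFileUpload hunk of the same patch adds a static import for it.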
Index: src/java/org/apache/commons/fileupload/DiskFileUpload.java
===================================================================
--- src/java/org/apache/commons/fileupload/DiskFileUpload.java.orig
+++ src/java/org/apache/commons/fileupload/DiskFileUpload.java
@@ -19,6 +19,8 @@ import java.io.File;
 import java.util.List;
 import javax.servlet.http.HttpServletRequest;
 
+import static java.lang.String.format;
+
 /**
  * <p>High level API for processing file uploads.</p>
  *
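Review bot: The added `import static java.lang.String.format;` has no visible use in this hunk, and the spec's patch comment states that only the DiskFileItem.java part of r1507048 was backported, so unless the rest of DiskFileUpload.java already calls `format(...)` this is an unused import left over from trimming the upstream diff. If it is unused, drop this file from the patch; if it is used, the DiskFileItem hunk should use the same static import instead of the fully qualified `java.lang.String.format` so the two files of one patch read consistently. The import block and class header continue outside the hunk, so I can't verify usage from here.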