Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package velocity for openSUSE:Factory checked in at 2021-03-15 10:54:30 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/velocity (Old) and /work/SRC/openSUSE:Factory/.velocity.new.2401 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "velocity"
Mon Mar 15 10:54:30 2021 rev:24 rq:878595 version:1.7
Changes:
--------
--- /work/SRC/openSUSE:Factory/velocity/velocity.changes 2019-10-04 11:22:27.752938688 +0200
+++ /work/SRC/openSUSE:Factory/.velocity.new.2401/velocity.changes 2021-03-15 10:54:32.077184083 +0100
@@ -1,0 +2,8 @@
+Fri Mar 12 08:18:50 UTC 2021 - Fridrich Strba <[email protected]>
+
+- Added patch:
+ * velocity-1.7-CVE-2020-13936.patch
+ + Backport fixes for bsc#1183360, CVE-2020-13936: arbitrary
+ code execution when attacker is able to modify templates
+
+-------------------------------------------------------------------
New:
----
velocity-1.7-CVE-2020-13936.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ velocity.spec ++++++
--- /var/tmp/diff_new_pack.SDt5n3/_old 2021-03-15 10:54:32.605184894 +0100
+++ /var/tmp/diff_new_pack.SDt5n3/_new 2021-03-15 10:54:32.605184894 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package velocity
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -26,6 +26,7 @@
 Source0: http://www.apache.org/dist/velocity/engine/%{version}/%{name}-%{version}.tar.gz
 Source1: %{name}-%{version}.pom
 Patch0: velocity-build_xml.patch
+Patch1: velocity-1.7-CVE-2020-13936.patch
 BuildRequires: ant >= 1.6.5
 BuildRequires: ant-junit
 BuildRequires: antlr
@@ -161,6 +162,7 @@
 mv $j $j.no
 done
 %patch0 -b .sav0
+%patch1 -p1
 cp %{SOURCE1} pom.xml
++++++ velocity-1.7-CVE-2020-13936.patch ++++++
--- a/src/java/org/apache/velocity/runtime/defaults/velocity.properties
+++ b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
@@ -245,15 +245,15 @@
 # accessed.
 # ----------------------------------------------------------------------------
+# Prohibit reflection
 introspector.restrict.packages = java.lang.reflect
-# The two most dangerous classes
+# ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl
-introspector.restrict.classes = java.lang.Class
-introspector.restrict.classes = java.lang.ClassLoader
-
-# Restrict these for extra safety
+# Restrict these system classes. Note that anything in this list is matched exactly.
+# (Subclasses must be explicitly named to be included).
+introspector.restrict.classes = java.lang.Class
 introspector.restrict.classes = java.lang.Compiler
 introspector.restrict.classes = java.lang.InheritableThreadLocal
 introspector.restrict.classes = java.lang.Package
@@ -262,8 +262,15 @@
 introspector.restrict.classes = java.lang.RuntimePermission
 introspector.restrict.classes = java.lang.SecurityManager
 introspector.restrict.classes = java.lang.System
-introspector.restrict.classes = java.lang.Thread
 introspector.restrict.classes = java.lang.ThreadGroup
 introspector.restrict.classes = java.lang.ThreadLocal
+# Restrict instance managers for common servlet containers (Tomcat, JBoss, Jetty)
+
+introspector.restrict.classes = org.apache.catalina.core.DefaultInstanceManager
+introspector.restrict.classes = org.apache.tomcat.SimpleInstanceManager
+introspector.restrict.classes = org.wildfly.extension.undertow.deployment.UndertowJSPInstanceManager
+introspector.restrict.classes = org.eclipse.jetty.util.DecoratedObjectFactory
+
+
--- a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
+++ b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
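Review bot: The new container-specific entries (DefaultInstanceManager, SimpleInstanceManager, UndertowJSPInstanceManager, DecoratedObjectFactory) are, by the hunk's own comment, matched exactly, so this deny-list covers only the containers and class names written here and not subclasses or other containers' equivalents; the comment above them should say that plainly, e.g. `# Best-effort deny-list for known containers; other containers or subclasses are not covered and must be added per deployment.`. The removed `java.lang.ClassLoader` and `java.lang.Thread` entries are now enforced in SecureIntrospectorImpl as the new comment states, but it is worth adding there that this only takes effect when the secure introspector is the one configured — which uberspector is active by default cannot be confirmed from this hunk. The two trailing empty `+` lines at the end of the second hunk add nothing and can be dropped.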
@@ -122,6 +122,15 @@
 }
 /**
+ * Always disallow ClassLoader, Thread and subclasses
+ */
+ if (ClassLoader.class.isAssignableFrom(clazz) ||
+ Thread.class.isAssignableFrom(clazz))
+ {
+ return false;
+ }
+
+ /**
 * check the classname (minus any array info)
 * whether it matches disallowed classes or packages
 */
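Review bot: The new unconditional ClassLoader/Thread rejection is not reflected in the enclosing method's Javadoc, which, like the method's start and end, lies outside this hunk; readers of the docs will still assume the check is entirely driven by `introspector.restrict.classes`. A sentence such as `Classes assignable to ClassLoader or Thread are always rejected, independent of the configured restrict lists.` should be added there. The inserted comment opens with a Javadoc `/**` inside the method body; a plain `/*` or `//` is the conventional form, although it does match the existing comment on the following lines. Whether `clazz` has already been unwrapped from its array component type at this point cannot be seen in the hunk; if the guard runs before that unwrap, array types would not be caught by `isAssignableFrom`, so the ordering is worth confirming.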
