Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package bcel5_3 for openSUSE:Factory checked in at 2022-11-12 17:41:28 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/bcel5_3 (Old) and /work/SRC/openSUSE:Factory/.bcel5_3.new.1597 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "bcel5_3" Sat Nov 12 17:41:28 2022 rev:14 rq:1035319 version:5.3 Changes: --------
--- /work/SRC/openSUSE:Factory/bcel5_3/bcel5_3.changes 2018-07-07 21:59:10.807258176 +0200
+++ /work/SRC/openSUSE:Factory/.bcel5_3.new.1597/bcel5_3.changes 2022-11-12 17:41:50.586408723 +0100
@@ -1,0 +2,8 @@
+Thu Nov 10 11:02:08 UTC 2022 - Pedro Monreal <pmonr...@suse.com>
+
+- Security fix: [bsc#1205125, CVE-2022-42920]
+ * Apache Commons BCEL prior to 6.6.0 allows producing
+ arbitrary bytecode via out-of-bounds writing
+ * Add bcel-CVE-2022-42920.patch
+
+-------------------------------------------------------------------
New: ---- bcel-CVE-2022-42920.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ bcel5_3.spec ++++++
--- /var/tmp/diff_new_pack.ucREhH/_old 2022-11-12 17:41:50.934410795 +0100
+++ /var/tmp/diff_new_pack.ucREhH/_new 2022-11-12 17:41:50.938410819 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package bcel5_3
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
@@ -23,12 +23,14 @@ Summary: Byte Code Engineering Library License: Apache-2.0 Group: Development/Libraries/Java -Url: http://jakarta.apache.org/bcel/ +URL: http://jakarta.apache.org/bcel/ # svn co -r417157 http://svn.apache.org/repos/asf/jakarta/bcel/trunk bcel Source0: http://www.apache.org/dist/jakarta/bcel/source/bcel.tar.bz2 # from bcel package Source1000: build.xml Source1001: manifest.txt +#PATCH-FIX-UPSTREAM bsc#1205125 CVE-2022-42920 Out-of-bounds writing issue +Patch0: bcel-CVE-2022-42920.patch BuildRequires: ant BuildRequires: fdupes BuildRequires: java-devel >= 1.8 @@ -74,7 +76,8 @@ being the Xalan XSLT processor at Apache. %prep -%setup -q -n bcel +%autosetup -p1 -n bcel + chmod -x NOTICE.txt cp %{SOURCE1000} %{SOURCE1001} . @@ -101,7 +104,8 @@ %fdupes %{buildroot}%{_javadocdir} %files -%doc LICENSE.txt NOTICE.txt README.txt RELEASE-NOTES.txt TODO.JustIce +%license LICENSE.txt +%doc NOTICE.txt README.txt RELEASE-NOTES.txt TODO.JustIce %{_javadir}/* %files javadoc ++++++ bcel-CVE-2022-42920.patch ++++++ >From f3267cbcc900f80851d561bdd16b239d936947f5 Mon Sep 17 00:00:00 2001 
From: Richard Atkins <rjatkins...@gmail.com>
Date: Wed, 21 Sep 2022 23:18:58 +1000
Subject: [PATCH] BCEL-363 Enforce MAX_CP_ENTRIES in ConstantPoolGen and ConstantPool.dump (#147)
* BCEL-363 Enforce MAX_CP_ENTRIES in ConstantPoolGen and ConstantPool.dump
* BCEL-363 Add test coverage for enforced size limit
* BCEL-363 Throw IllegalStateException instead of RuntimeException
* BCEL-363 Use final
---
 .../org/apache/bcel/classfile/ConstantPool.java | 11 +++++++++--
 .../org/apache/bcel/generic/ConstantPoolGen.java | 11 ++++++++++-
 .../bcel/classfile/ConstantPoolTestCase.java | 15 +++++++++++++++
 3 files changed, 34 insertions(+), 3 deletions(-)
Index: bcel/src/main/java/org/apache/bcel/classfile/ConstantPool.java
===================================================================
--- bcel.orig/src/main/java/org/apache/bcel/classfile/ConstantPool.java
+++ bcel/src/main/java/org/apache/bcel/classfile/ConstantPool.java
@@ -198,10 +198,17 @@ public class ConstantPool implements Clo
 * @throws IOException
 */
 public void dump( DataOutputStream file ) throws IOException {
- file.writeShort(constant_pool_count);
- for (int i = 1; i < constant_pool_count; i++) {
- if (constant_pool[i] != null) {
- constant_pool[i].dump(file);
+ /*
+ * Constants over the size of the constant pool shall not be written out.
+ * This is a redundant measure as the ConstantPoolGen should have already
+ * reported an error back in the situation.
+ */
+ final int size = Math.min(constant_pool.length, Constants.MAX_CP_ENTRIES);
+
+ file.writeShort(size);
+ for (int i = 1; i < size; i++) {
+ if (constant_pool[i] != null) {
+ constant_pool[i].dump(file);
 }
 }
 }
Index: bcel/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java
===================================================================
--- bcel.orig/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java
+++ bcel/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java
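Review bot: dump() now truncates silently: when `constant_pool.length` exceeds `Constants.MAX_CP_ENTRIES`, the entries past the cap are dropped and a smaller count is written with no error, so a reference elsewhere in the class file to a dropped index would dangle. The added comment itself calls this a redundant measure, so failing loudly is the safer behaviour, e.g. `if (constant_pool.length > Constants.MAX_CP_ENTRIES) throw new IllegalStateException("constant pool too large: " + constant_pool.length);` before the `writeShort`. The count is also now read from `constant_pool.length` rather than the `constant_pool_count` field, so a null `constant_pool` would raise NullPointerException where the old loop was skipped for a zero count; whether the field can be null depends on code outside the hunk.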
@@ -50,14 +50,16 @@ import org.apache.bcel.classfile.Constan
 */
 public class ConstantPoolGen implements java.io.Serializable {
- protected int size = 1024; // Inital size, sufficient in most cases
- protected Constant[] constants = new Constant[size];
- protected int index = 1; // First entry (0) used by JVM
+ private static final int DEFAULT_BUFFER_SIZE = 256;
 private static final String METHODREF_DELIM = ":";
 private static final String IMETHODREF_DELIM = "#";
 private static final String FIELDREF_DELIM = "&";
 private static final String NAT_DELIM = "%";
+ protected int size = DEFAULT_BUFFER_SIZE;
+ protected Constant[] constants = new Constant[size];
+ protected int index = 1; // First entry (0) used by JVM
+
 private static class Index implements java.io.Serializable {
 int index;
@@ -75,6 +76,8 @@ public class ConstantPoolGen implements
 * @param cs array of given constants, new ones will be appended
 */
 public ConstantPoolGen(Constant[] cs) {
+
+ size = Math.min(Math.max(DEFAULT_BUFFER_SIZE, cs.length + 64), Constants.MAX_CP_ENTRIES + 1);
 if (cs.length > size) {
 size = cs.length;
 constants = new Constant[size];
@@ -156,9 +159,18 @@ public class ConstantPoolGen implements
 /** Resize internal array of constants.
 */
 protected void adjustSize() {
+ // 3 extra spaces are needed as some entries may take 3 slots
+ if (index + 3 >= Constants.MAX_CP_ENTRIES + 1) {
+ throw new IllegalStateException("The number of constants " + (index + 3)
+ + " is over the size of the constant pool: "
+ + Constants.MAX_CP_ENTRIES);
+ }
+
+ if (index + 3 >= size) {
 Constant[] cs = constants;
 size *= 2;
+ // the constant array shall not exceed the size of the constant pool
+ size = Math.min(size, Constants.MAX_CP_ENTRIES + 1);
 constants = new Constant[size];
 System.arraycopy(cs, 0, constants, 0, index);
 }
Index: bcel/src/test/java/org/apache/bcel/ConstantPoolTestCase.java
===================================================================
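Review bot: The constructor hunk changes `size` without reallocating `constants`, so the two can disagree. `constants` is still created by the field initializer with `DEFAULT_BUFFER_SIZE` (256) slots, and the retained `if (cs.length > size)` can only be true once `cs.length` exceeds `Constants.MAX_CP_ENTRIES + 1`, at which point `size = cs.length` defeats the cap. For any `cs.length` from 193 up to the cap, `size` is larger than the real array, so a copy of `cs` into `constants`, or an append guarded by `index + 3 >= size`, can overrun the 256-slot array and throw ArrayIndexOutOfBoundsException (the rest of the constructor is outside the hunk, so the copy is inferred). Allocate unconditionally after computing the size with `constants = new Constant[size];`, and replace the old `if` with an explicit rejection of `cs.length > Constants.MAX_CP_ENTRIES + 1`.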
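Review bot: The limit check added to `adjustSize()` only protects the pool if every method that stores into `constants` calls `adjustSize()` first. Those callers are outside the hunk and should be confirmed, since one that skips the call would bypass the check. The Javadoc should record the new failure mode, e.g. `@throws IllegalStateException if fewer than three slots remain below Constants.MAX_CP_ENTRIES`. The message also prints `index + 3` as "the number of constants", which overstates the real count by three; printing `index` would be clearer when this surfaces in a log.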
--- /dev/null
+++ bcel/src/test/java/org/apache/bcel/ConstantPoolTestCase.java
@@ -0,0 +1,64 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.bcel.classfile;
+
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+import org.apache.bcel.AbstractTestCase;
+import org.apache.bcel.Const;
+import org.apache.bcel.generic.ConstantPoolGen;
+import org.apache.bcel.generic.InstructionHandle;
+import org.apache.bcel.generic.InstructionList;
+import org.apache.bcel.generic.MethodGen;
+import org.junit.jupiter.api.Test;
+public class ConstantPoolTestCase extends AbstractTestCase {
+ private InstructionHandle[] getInstructionHandles(final JavaClass clazz, final ConstantPoolGen cp, final Method method) {
+ final MethodGen methodGen = new MethodGen(method, clazz.getClassName(), cp);
+ final InstructionList instructionList = methodGen.getInstructionList();
+ return instructionList.getInstructionHandles();
+ }
+ @Test
+ public void testConstantToString() throws ClassNotFoundException {
+ final JavaClass clazz = getTestClass(PACKAGE_BASE_NAME + ".data.SimpleClassWithDefaultConstructor");
+ final ConstantPoolGen cp = new ConstantPoolGen(clazz.getConstantPool());
+ final Method[] methods = clazz.getMethods();
+ for
(final Method method : methods) {
+ if (method.getName().equals("<init>")) {
+ for (final InstructionHandle instructionHandle : getInstructionHandles(clazz, cp, method)) {
+ final String string = instructionHandle.getInstruction().toString(cp.getConstantPool());
+ assertNotNull(string);
+ // TODO Need real assertions.
+ // System.out.println(string);
+ }
+ }
+ }
+ }
+
+ @Test
+ public void testTooManyConstants() throws ClassNotFoundException {
+ final JavaClass clazz = getTestClass(PACKAGE_BASE_NAME + ".data.SimpleClassWithDefaultConstructor");
+ final ConstantPoolGen cp = new ConstantPoolGen(clazz.getConstantPool());
+
+ int i = cp.getSize();
+ while (i < Constants.MAX_CP_ENTRIES - 1) {
+ cp.addLong(i);
+ i = cp.getSize(); // i += 2
+ }
+ assertThrows(IllegalStateException.class, () -> cp.addLong(0));
+ }
+}
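Review bot: This test does not look compilable as written, so the fix appears to ship without an executed regression test. It uses `Constants.MAX_CP_ENTRIES` but imports `org.apache.bcel.Const`, and it depends on JUnit 5 (`org.junit.jupiter`), for which the spec hunks shown add no build requirement. The file is also placed under `org/apache/bcel/` while declaring `package org.apache.bcel.classfile`. If the package build does not compile `src/test` (not visible here), either drop the file from the backport or adapt it, starting with `import org.apache.bcel.Constants;`, and run it at least once against the patched classes.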