Robert Schulte created KARAF-7303:
-------------------------------------
Summary: overrides.properties explicit version range is compared
against wrong version
Key: KARAF-7303
URL: https://issues.apache.org/jira/browse/KARAF-7303
Project: Karaf
Issue Type: Bug
Components: karaf
Affects Versions: 4.3.3, 4.1.6
Reporter: Robert Schulte
h2. Context
I encountered this issue when I tried to hotfix a dated Karaf w.r.t. the
log4shell vulnerabilities. I have tested the following behavior on 4.1.6. After
reviewing the source code, I believe this issue still exists on master.
h2. Steps to Reproduce
* Place
[pax-logging-api|https://mvnrepository.com/artifact/org.ops4j.pax.logging/pax-logging-api/1.11.12]
in the system directory (or make sure that Karaf can download from Maven Central)
* Create etc/overrides.properties with contents:
{noformat}
mvn:org.ops4j.pax.logging/pax-logging-api/1.11.12;range=[1.10.0,1.11.0)
{noformat}
* Do a clean start of Karaf
* On the Karaf shell, inspect the output of: {{list -t 0 | grep "Pax Logging - API"}}
h2. Expected Results
pax-logging-api 1.11.12 should be active
{noformat}
6 | Active | 8 | 1.10.1 | OPS4J Pax Logging - API
51 | Active | 8 | 1.11.12 | OPS4J Pax Logging - API
{noformat}
Note: Since Karaf 4.1.6 ships pax-logging-api 1.10.1 by default, the range spec
[1.10.0,1.11.0) should trigger the override.
h2. Actual Results
Only the stock version of pax-logging-api is active:
{noformat}
6 | Active | 8 | 1.10.1 | OPS4J Pax Logging - API
{noformat}
Changing etc/overrides.properties contents to
{noformat}
mvn:org.ops4j.pax.logging/pax-logging-api/1.11.12;range=[1.11.12,1.11.13)
{noformat}
followed by a clean start will result in the expected version (1.11.12) being
active.
h2. Conjecture
In [Overrides L141|https://github.com/apache/karaf/blob/karaf-4.3.5/features/core/src/main/java/org/apache/karaf/features/internal/service/Overrides.java#L141]:
{code:java}
return range.contains(getVersion(override)) &&
getVersion(resource).compareTo(getVersion(override)) < 0;
{code}
{{range.contains}} should be checked against the {{resource}} version and not the
{{override}} version. This issue is hidden by a second error in the code that
creates the implicit version range (which makes it work for the implicit range,
as both errors cancel out in this case). See [Overrides L133-L138|https://github.com/apache/karaf/blob/karaf-4.3.5/features/core/src/main/java/org/apache/karaf/features/internal/service/Overrides.java#L133-L138]:
{code:java}
if (explicitRange == null) {
    // default to micro version compatibility
    Version v1 = getVersion(resource);
    Version v2 = new Version(v1.getMajor(), v1.getMinor() + 1, 0);
    range = new VersionRange(false, v1, v2, true);
}
{code}
The implicit range must be created based on {{override}}'s version and not the
version of {{resource}}.
h2. Further Considerations
This cannot (should not) be fixed directly, or otherwise existing
overrides.properties files that rely on the buggy behavior will stop working. A
solution could be to add an alternative range spec that works as intended. For
example:
{noformat}
mvn:org.ops4j.pax.logging/pax-logging-api/1.11.12;overrideVersions=[1.10.0,1.11.0)
{noformat}
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
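A small Python model of the check discussed in this report, added here as an illustration; it is neither part of the Jira issue nor Karaf's code base. It re-implements OSGi-style Version and VersionRange semantics in plain Python (assumed to match org.osgi.framework.Version ordering: major, minor and micro compared numerically, qualifier as a string), parses the overrides.properties clause syntax used above, and runs the check as quoted from Overrides.java (range.contains(override version)) beside the reporter's proposed check (range.contains(resource version)) against the stock pax-logging-api 1.10.1. Names such as should_override_as_shipped, should_override_proposed and evaluate are this example's own; the implicit-range half of the conjecture is deliberately not modelled.

```python
"""Model of the Overrides.shouldOverride() range check from KARAF-7303.

Added example, not Karaf code: re-implements OSGi-style Version and
VersionRange in plain Python so the shipped check and the proposed check
can be compared on the versions from the report.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import re


@dataclass(frozen=True, order=True)
class Version:
    """OSGi version major.minor.micro[.qualifier], compared field by field."""
    major: int
    minor: int
    micro: int
    qualifier: str = ""

    @classmethod
    def parse(cls, text: str) -> "Version":
        parts = text.strip().split(".", 3)
        nums = [int(p) for p in parts[:3]]
        nums += [0] * (3 - len(nums))            # "1.10" means 1.10.0
        qualifier = parts[3] if len(parts) == 4 else ""
        return cls(nums[0], nums[1], nums[2], qualifier)


_RANGE_RE = re.compile(r"^\s*([\[(])\s*([^,\s]+)\s*,\s*([^\])\s]+)\s*([\])])\s*$")


@dataclass(frozen=True)
class VersionRange:
    floor: Version
    ceiling: Optional[Version]        # None means unbounded above
    open_floor: bool
    open_ceiling: bool

    @classmethod
    def parse(cls, text: str) -> "VersionRange":
        m = _RANGE_RE.match(text)
        if m is None:
            # A bare version is the OSGi "at least" range [v, infinity)
            return cls(Version.parse(text), None, False, True)
        lo, floor, ceiling, hi = m.groups()
        return cls(Version.parse(floor), Version.parse(ceiling), lo == "(", hi == ")")

    def contains(self, v: Version) -> bool:
        if v < self.floor or (self.open_floor and v == self.floor):
            return False
        if self.ceiling is None:
            return True
        return v < self.ceiling or (not self.open_ceiling and v == self.ceiling)


def parse_override_clause(line: str) -> Tuple[str, Version, Dict[str, str]]:
    """Split one overrides.properties line, e.g.
    mvn:org.ops4j.pax.logging/pax-logging-api/1.11.12;range=[1.10.0,1.11.0)
    into (mvn URL, version taken from the URL, attribute map)."""
    url, *attrs = line.strip().split(";")
    attributes = {}
    for attr in attrs:
        key, _, value = attr.partition("=")
        attributes[key.strip()] = value.strip()
    coords = url[len("mvn:"):].split("/")   # groupId/artifactId/version[/type[/classifier]]
    return url, Version.parse(coords[2]), attributes


def implicit_range(v: Version) -> VersionRange:
    # What the quoted Overrides.java builds when no range= attribute is given:
    # [v, major.(minor+1).0), i.e. "micro version compatibility".
    return VersionRange(v, Version(v.major, v.minor + 1, 0), False, True)


def should_override_as_shipped(resource: Version, override: Version,
                               explicit_range: Optional[str]) -> bool:
    """Mirrors the Overrides.java lines quoted in the report: the implicit range
    is built from the resource version and membership is tested with the
    override's version."""
    rng = VersionRange.parse(explicit_range) if explicit_range else implicit_range(resource)
    return rng.contains(override) and resource < override


def should_override_proposed(resource: Version, override: Version,
                             explicit_range: str) -> bool:
    """The reporter's reading of an explicit range: it names the installed
    (resource) versions that the override replaces."""
    rng = VersionRange.parse(explicit_range)
    return rng.contains(resource) and resource < override


STOCK_PAX_LOGGING_API = Version.parse("1.10.1")   # shipped with Karaf 4.1.6 per the report


def evaluate(line: str, resource: Version = STOCK_PAX_LOGGING_API) -> Dict[str, Optional[bool]]:
    """Does this overrides.properties line replace `resource` under each check?
    'proposed' is None when the line has no explicit range."""
    _, override, attrs = parse_override_clause(line)
    rng = attrs.get("range")
    return {
        "shipped": should_override_as_shipped(resource, override, rng),
        "proposed": should_override_proposed(resource, override, rng) if rng else None,
    }


if __name__ == "__main__":
    for clause in (
        "mvn:org.ops4j.pax.logging/pax-logging-api/1.11.12;range=[1.10.0,1.11.0)",
        "mvn:org.ops4j.pax.logging/pax-logging-api/1.11.12;range=[1.11.12,1.11.13)",
        "mvn:org.ops4j.pax.logging/pax-logging-api/1.11.12",
    ):
        print(clause, evaluate(clause))
```

Running it reproduces the two observations in the report: with range=[1.10.0,1.11.0) the shipped check tests 1.11.12 against the range and finds nothing to replace, while the proposed check tests the installed 1.10.1 and replaces it; with range=[1.11.12,1.11.13) the shipped check matches. The same run also shows the compatibility point made under Further Considerations: under the proposed semantics that second, workaround range no longer matches 1.10.1, so files written against the current behavior would stop working.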