[
https://issues.apache.org/jira/browse/KARAF-7303?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jean-Baptiste Onofré updated KARAF-7303:
----------------------------------------
Affects Version/s: 4.2.6
> overrides.properties explicit version range is compared against wrong version
> -----------------------------------------------------------------------------
>
> Key: KARAF-7303
> URL: https://issues.apache.org/jira/browse/KARAF-7303
> Project: Karaf
> Issue Type: Bug
> Components: karaf
> Affects Versions: 4.1.6, 4.2.6, 4.3.3
> Reporter: Robert Schulte
> Assignee: Jean-Baptiste Onofré
> Priority: Major
>
> h2. Context
> I encountered this issue when I tried to hotfix a dated Karaf w.r.t. the
> log4shell vulnerabilities. I have tested the following behavior on 4.1.6. After
> reviewing the source code, I believe this issue still exists on master.
> h2. Steps to Reproduce
> * Place
> [pax-logging-api|https://mvnrepository.com/artifact/org.ops4j.pax.logging/pax-logging-api/1.11.12]
> in system directory (or make sure that Karaf can download from Maven
> Central)
> * Create etc/overrides.properties with contents:
> mvn:org.ops4j.pax.logging/pax-logging-api/1.11.12;range=[1.10.0,1.11.0)
> * do a clean start of Karaf
> * On Karaf shell, inspect the output of: list -t 0 | grep "Pax Logging - API"
> h2. Expected Results
> pax-logging-api 1.11.12 should be active
> {noformat}
> 6 | Active | 8 | 1.10.1 | OPS4J Pax Logging - API
> 51 | Active | 8 | 1.11.12 | OPS4J Pax Logging - API
> {noformat}
> Note: Since Karaf 4.1.6 ships pax-logging-api 1.10.1 by default, the range
> spec [1.10.0,1.11.0) should trigger the override.
> h2. Actual Results
> Only the stock version of pax-logging-api is active:
> {noformat}
> 6 | Active | 8 | 1.10.1 | OPS4J Pax Logging - API
> {noformat}
> Changing etc/overrides.properties contents to
> {noformat}
> mvn:org.ops4j.pax.logging/pax-logging-api/1.11.12;range=[1.11.12,1.11.13)
> {noformat}
> followed by a clean start will result in the expected version (1.11.12) being
> active.
> h2. Conjecture
> In [Overrides
> L141|https://github.com/apache/karaf/blob/karaf-4.3.5/features/core/src/main/java/org/apache/karaf/features/internal/service/Overrides.java#L141]
> {code:java}
> return range.contains(getVersion(override)) &&
> getVersion(resource).compareTo(getVersion(override)) < 0;
> {code}
> range.contains should be checked against {{resource}} and not {{override}}
> version. This issue is hidden by a second error in the code that creates the
> implicit version range (which makes it work for implicit range, as both
> errors cancel out in this case). See [Overrides
> L133-L138|https://github.com/apache/karaf/blob/karaf-4.3.5/features/core/src/main/java/org/apache/karaf/features/internal/service/Overrides.java#L133-L138]
> {code:java}
> if (explicitRange == null) {
> // default to micro version compatibility
> Version v1 = getVersion(resource);
> Version v2 = new Version(v1.getMajor(), v1.getMinor() + 1, 0);
> range = new VersionRange(false, v1, v2, true);
> }
> {code}
> The implicit range must be created based on {{override}}'s version and
> not the version of {{resource}}.
> h2. Further Considerations
> This cannot (should not) be fixed, or otherwise existing overrides.properties
> that rely on the buggy behavior would stop working. A solution could be to add an
> alternative range spec that works as intended. For example:
> {noformat}
> mvn:org.ops4j.pax.logging/pax-logging-api/1.11.12;overrideVersions=[1.10.0,1.11.0)
> {noformat}
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
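The explicit-range check quoted in the Conjecture, modelled as an added Python example (not Karaf's code): a minimal OSGi-style Version and VersionRange parser, the comparison as reported (range tested against the override's version) beside the reporter's proposed form (range tested against the resource's version), run on the versions from the reproduction steps. The class and function names are this example's own, not Karaf's.

```python
# Added example, not Karaf's code: a model of the explicit-range branch of
# Overrides.shouldOverride as quoted in KARAF-7303.
import re


class Version:
    """OSGi-style major.minor.micro version (qualifier ignored for brevity)."""

    def __init__(self, text):
        parts = (text.strip().split(".") + ["0", "0"])[:3]
        self.major, self.minor, self.micro = (int(p) for p in parts)

    def key(self):
        return (self.major, self.minor, self.micro)

    def __eq__(self, other):
        return self.key() == other.key()

    def __lt__(self, other):
        return self.key() < other.key()

    def __repr__(self):
        return "%d.%d.%d" % self.key()


class VersionRange:
    """Parses an OSGi range such as '[1.10.0,1.11.0)'; '[' and ']' are inclusive."""

    _RX = re.compile(r"^([\[(])([^,]+),([^\])]+)([\])])$")

    def __init__(self, spec):
        m = self._RX.match(spec.strip())
        if not m:
            raise ValueError("unsupported range spec: %r" % spec)
        self.floor, self.ceiling = Version(m.group(2)), Version(m.group(3))
        self.open_floor, self.open_ceiling = m.group(1) == "(", m.group(4) == ")"

    def contains(self, v):
        if v < self.floor or (self.open_floor and v == self.floor):
            return False
        return v < self.ceiling or (not self.open_ceiling and v == self.ceiling)


def should_override_reported(resource, override, explicit_range):
    """Check as quoted in the issue: the range is tested against the override."""
    return VersionRange(explicit_range).contains(override) and resource < override


def should_override_proposed(resource, override, explicit_range):
    """Reporter's proposal: the range is tested against the resource instead."""
    return VersionRange(explicit_range).contains(resource) and resource < override


if __name__ == "__main__":
    stock, hotfix = Version("1.10.1"), Version("1.11.12")  # versions from the issue
    for spec in ("[1.10.0,1.11.0)", "[1.11.12,1.11.13)"):
        print(spec, "reported:", should_override_reported(stock, hotfix, spec),
              "proposed:", should_override_proposed(stock, hotfix, spec))
```

Running it shows the reproduction: `[1.10.0,1.11.0)` only triggers the override under the proposed check, while the `[1.11.12,1.11.13)` workaround only triggers it under the reported one, which is why the issue's Further Considerations call for a new spec rather than a silent change.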