Hello community,

here is the log from the commit of package mysql-connector-java for 
openSUSE:Factory checked in at 2017-05-06 18:24:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mysql-connector-java (Old)
 and      /work/SRC/openSUSE:Factory/.mysql-connector-java.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "mysql-connector-java"

Sat May  6 18:24:51 2017 rev:25 rq:492576 version:5.1.35

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/mysql-connector-java/mysql-connector-java.changes    
    2015-06-17 16:14:50.000000000 +0200
+++ 
/work/SRC/openSUSE:Factory/.mysql-connector-java.new/mysql-connector-java.changes
   2017-05-06 18:24:52.307693352 +0200
@@ -1,0 +2,9 @@
+Tue May  2 15:20:16 UTC 2017 - [email protected]
+
+- Fix for CVE-2017-3523 (bsc#1035697)
+  * Unexpected automatic deserialisation of Java objects
+  * Affected software: MySQL Connector/J
+  * Remote Code Execution Vulnerability
+- Added patch: mysql-connector-java-5.1.35-CVE-2017-3523.patch
+
+-------------------------------------------------------------------

New:
----
  mysql-connector-java-5.1.35-CVE-2017-3523.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ mysql-connector-java.spec ++++++
--- /var/tmp/diff_new_pack.Wpm0dx/_old  2017-05-06 18:24:53.163572582 +0200
+++ /var/tmp/diff_new_pack.Wpm0dx/_new  2017-05-06 18:24:53.171571454 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package mysql-connector-java
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -37,6 +37,9 @@
 Patch3:         mysql-connector-java-jdbc-4.1.patch
 # PATCH-FIX-UPSTREAM: do not lose classpath during tests build
 Patch4:         use-classpath-in-tests.patch
+# PATCH_FIX-UPSTREAM: CVE-2017-3523 Oracle MySQL <=5.1.40 Connector/J 
+# Remote Code Execution Vulnerability
+Patch5:         mysql-connector-java-5.1.35-CVE-2017-3523.patch
 BuildRequires:  ant
 BuildRequires:  ant-contrib
 BuildRequires:  apache-commons-logging
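Review bot: The tag on the added comment is spelled `PATCH_FIX-UPSTREAM`, while the entry directly above uses `PATCH-FIX-UPSTREAM`, so anything that greps the spec for the hyphenated tag will miss Patch5. I would write it as `# PATCH-FIX-UPSTREAM: CVE-2017-3523 Oracle MySQL <=5.1.40 Connector/J` and add the `bsc#1035697` reference from the changelog entry so the patch line can be traced back to the bug.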
@@ -74,6 +77,7 @@
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 
 # dup
 rm -f README

++++++ mysql-connector-java-5.1.35-CVE-2017-3523.patch ++++++
--- mysql-connector-java-5.1.35.orig/src/com/mysql/jdbc/ResultSetImpl.java
+++ mysql-connector-java-5.1.35/src/com/mysql/jdbc/ResultSetImpl.java
@@ -3436,27 +3436,26 @@ public class ResultSetImpl implements Re
                         byte[] data = getBytes(columnIndex);
                         Object obj = data;
 
-                        if ((data != null) && (data.length >= 2)) {
-                            if ((data[0] == -84) && (data[1] == -19)) {
-                                // Serialized object?
-                                try {
-                                    ByteArrayInputStream bytesIn = new 
ByteArrayInputStream(data);
-                                    ObjectInputStream objIn = new 
ObjectInputStream(bytesIn);
-                                    obj = objIn.readObject();
-                                    objIn.close();
-                                    bytesIn.close();
-                                } catch (ClassNotFoundException cnfe) {
-                                    throw SQLError.createSQLException(
-                                            
Messages.getString("ResultSet.Class_not_found___91") + cnfe.toString()
-                                                    + 
Messages.getString("ResultSet._while_reading_serialized_object_92"), 
getExceptionInterceptor());
-                                } catch (IOException ex) {
-                                    obj = data; // not serialized?
+                        if (this.connection.getAutoDeserialize()) {
+                           if ((data != null) && (data.length >= 2)) {
+                                if ((data[0] == -84) && (data[1] == -19)) {
+                                    // Serialized object?
+                                    try {
+                                        ByteArrayInputStream bytesIn = new 
ByteArrayInputStream(data);
+                                        ObjectInputStream objIn = new 
ObjectInputStream(bytesIn);
+                                        obj = objIn.readObject();
+                                        objIn.close();
+                                        bytesIn.close();
+                                    } catch (ClassNotFoundException cnfe) {
+                                        throw 
SQLError.createSQLException(Messages.getString("ResultSet.Class_not_found___91")
 + cnfe.toString()
+                                                + 
Messages.getString("ResultSet._while_reading_serialized_object_92"), 
getExceptionInterceptor());
+                                   } catch (IOException ex) {
+                                        obj = data; // not serialized?
+                                    }
                                 }
-                            }
-
-                            return obj.toString();
-                        }
-
+                               return obj.toString();
+                           }
+                       }
                         return extractStringFromNativeColumn(columnIndex, 
mysqlType);
                     }
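Review bot: With `getAutoDeserialize()` enabled, the inner `objIn.readObject()` still deserializes whatever bytes the server returned for the column, with no restriction on which classes may be instantiated, so the patch narrows the exposure to opt-in users rather than removing it. That is worth stating at the gate, e.g. `// Column bytes come from the server: only deserialize when autoDeserialize was explicitly enabled (CVE-2017-3523)`, and the property's default is not visible in this hunk, so it should be confirmed to be off. If other result-set paths in the driver call `readObject()` on column data they would need the same gate; only this one site appears in the patch. Several added lines (the `if ((data != null)` line, `} catch (IOException ex)`, and the final `return obj.toString();` with its closing braces) are indented one column off from their neighbours. The enclosing method begins and ends outside the hunk.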
 
