Hello community,

here is the log from the commit of package jackson-databind for 
openSUSE:Factory checked in at 2019-10-31 18:13:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/jackson-databind (Old)
 and      /work/SRC/openSUSE:Factory/.jackson-databind.new.2990 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "jackson-databind"

Thu Oct 31 18:13:40 2019 rev:1 rq:734362 version:2.9.4

Changes:
--------
New Changes file:

--- /dev/null   2019-10-24 10:19:07.066239389 +0200
+++ /work/SRC/openSUSE:Factory/.jackson-databind.new.2990/jackson-databind.changes      2019-10-31 18:13:45.765917028 +0100
@@ -0,0 +1,4 @@
+-------------------------------------------------------------------
+Tue Oct  1 13:59:49 UTC 2019 - Fridrich Strba <[email protected]>
+
+- Initial packaging of jackson-databind 2.9.4

New:
----
  CVE-2018-7489.patch
  jackson-databind-2.9.4.tar.gz
  jackson-databind.changes
  jackson-databind.spec

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ jackson-databind.spec ++++++
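#
# spec file for package jackson-databind
#
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#


Name:           jackson-databind
Version:        2.9.4
Release:        0
Summary:        General data-binding package for Jackson (2.x)
License:        Apache-2.0 AND LGPL-2.1-or-later
URL:            https://github.com/FasterXML/jackson-databind/
Source0:        https://github.com/FasterXML/jackson-databind/archive/%{name}-%{version}.tar.gz
# Security fix for CVE-2018-7489 ([databind#1931]): SubTypeValidator rejects
# every polymorphic subtype under com.mchange.v2.c3p0. whose name ends in
# "DataSource" instead of blocklisting two individual c3p0 class names.
# Taken from https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2
Patch0:         CVE-2018-7489.patch
BuildRequires:  fdupes
BuildRequires:  maven-local
BuildRequires:  mvn(com.fasterxml.jackson.core:jackson-annotations) >= %{version}
BuildRequires:  mvn(com.fasterxml.jackson.core:jackson-core) >= %{version}
BuildRequires:  mvn(com.fasterxml.jackson:jackson-base:pom:) >= %{version}
BuildRequires:  mvn(com.google.code.maven-replacer-plugin:replacer)
# Stand-in for the JDK-internal BCEL copy that the prep section rewrites away
BuildRequires:  mvn(org.apache.bcel:bcel)
BuildRequires:  mvn(org.apache.felix:maven-bundle-plugin)
BuildArch:      noarch

%description
The general-purpose data-binding functionality and tree-model for Jackson Data
Processor. It builds on core streaming parser/generator package, and uses
Jackson Annotations for configuration.

%package javadoc
Summary:        Javadoc for %{name}

%description javadoc
This package contains API documentation for %{name}.

%prep
%setup -q -n %{name}-%{name}-%{version}

%patch0 -p1

# Remove plugins unnecessary for RPM builds
%pom_remove_plugin ":maven-enforcer-plugin"

cp -p src/main/resources/META-INF/LICENSE .
cp -p src/main/resources/META-INF/NOTICE .
# Drop CRLF line endings before the files are installed as license files
sed -i 's/\r//' LICENSE NOTICE

# The package com.sun.org.apache.bcel.internal.util is not present in latest OpenJDK
%pom_add_dep org.apache.bcel:bcel
# NOTE(review): this substitution is global and also rewrites the blocklist
# entry s.add("com.sun.org.apache.bcel.internal.util.ClassLoader") that is
# visible as context in CVE-2018-7489.patch, so SubTypeValidator ends up
# blocking org.apache.bcel.util.ClassLoader and no longer the JDK-internal
# class name. Unless SubTypeValidator.java references that package elsewhere,
# that is the only effect in the main source file; confirm it is intended, or
# restrict the sed to the test file.
sed -i 's/com\.sun\.org\.apache\.bcel\.internal\.util/org\.apache\.bcel\.util/g' \
  src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java \
  src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java

%{mvn_file} : %{name}

%build
# -f builds without running the test suite, so the IllegalTypesCheckTest
# patched above is not executed at build time
%{mvn_build} -f -- -Dsource=7

%install
%mvn_install
%fdupes -s %{buildroot}%{_javadocdir}

%files -f .mfiles
%doc README.md release-notes/*
%license LICENSE NOTICE

%files javadoc -f .mfiles-javadoc
%license LICENSE NOTICE

%changelog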
++++++ CVE-2018-7489.patch ++++++
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 164ab3454..bdd3b2f4e 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -19,7 +19,10 @@ import com.fasterxml.jackson.databind.JsonMappingException;
  */
 public class SubTypeValidator
 {
-    protected final static String PREFIX_STRING = "org.springframework.";
+    protected final static String PREFIX_SPRING = "org.springframework.";
+
+    protected final static String PREFIX_C3P0 = "com.mchange.v2.c3p0.";
+
     /**
      * Set of well-known "nasty classes", deserialization of which is considered dangerous
      * and should (and is) prevented by default.
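Review bot: Renaming the `protected` constant `PREFIX_STRING` to `PREFIX_SPRING` is a source-incompatible change for any subclass of SubTypeValidator that still references the old name, and the hunk provides no alias. If the rename is kept, carry `@Deprecated protected final static String PREFIX_STRING = PREFIX_SPRING;` for one release so such subclasses keep compiling. The two constants are also undocumented; `/** Package prefix of Spring types that are checked by superclass name below. */` and `/** Package prefix under which every class whose name ends in "DataSource" is rejected. */` would tell a maintainer why these prefixes are special. The class body continues outside the hunk.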
@@ -46,8 +49,9 @@ public class SubTypeValidator
         // [databind#1737]; 3rd party
 //s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
         s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
-        s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
-        s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
+
+// s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
+// s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
         // [databind#1855]: more 3rd party
         s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
         s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
@@ -86,8 +90,10 @@ public class SubTypeValidator
             // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling
             //    for some Spring framework types
             // 05-Jan-2017, tatu: ... also, only applies to classes, not interfaces
-            if (!raw.isInterface() && full.startsWith(PREFIX_STRING)) {
-                for (Class<?> cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()) {
+            if (raw.isInterface()) {
+                ;
+            } else if (full.startsWith(PREFIX_SPRING)) {
+                for (Class<?> cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()){
                     String name = cls.getSimpleName();
                     // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
                     if ("AbstractPointcutAdvisor".equals(name)
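Review bot: The new `if (raw.isInterface()) { ; }` branch is an empty statement standing in for an explanation, which linters flag and readers take for an accident; either nest the prefix checks under `if (!raw.isInterface()) { ... }` or replace the lone `;` with `// interfaces are exempt: the prefix checks below apply to classes only`, which is what the surrounding 05-Jan-2017 comment already says. The rewritten for-header on the added line also drops the space before the brace (`){`) that the removed line had; restore `) {` to match the rest of the file. The enclosing method begins and ends outside this hunk.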
@@ -96,6 +102,16 @@ public class SubTypeValidator
                         break main_check;
                     }
                 }
+            } else if (full.startsWith(PREFIX_C3P0)) {
+                // [databind#1737]; more 3rd party
+                // s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+                // s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
+                // [databind#1931]; more 3rd party
+                // com.mchange.v2.c3p0.ComboPooledDataSource
+                // com.mchange.v2.c3p0.debug.AfterCloseLoggingComboPooledDataSource 
+                if (full.endsWith("DataSource")) {
+                    break main_check;
+                }
             }
             return;
         } while (false);
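Review bot: The four commented-out lines inside the new `PREFIX_C3P0` branch (`// s.add(...)` calls and bare class names) read as disabled code rather than as rationale, and nothing states that `full.endsWith("DataSource")` is deliberately a suffix heuristic, so a class in that package with a different suffix is intentionally let through. A single comment such as `// [databind#1737]/[databind#1931]: c3p0 ships several DataSource implementations (JndiRefForwarding, WrapperConnectionPool, ComboPooled, debug.AfterCloseLoggingComboPooled); reject any class in the package whose name ends in "DataSource" instead of enumerating them` carries the same information and makes the design choice explicit. The enclosing method ends outside the hunk.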
