Markus Koschany pushed to branch master at Debian Java Maintainers / bcel
Commits: c4137129 by Markus Koschany at 2022-10-18T01:10:34+02:00 Add CVE-2022-34169.patch - - - - - 49bb6e38 by Markus Koschany at 2022-10-18T01:10:50+02:00 Declare compliance with Debian Policy 4.6.1. - - - - - 41383843 by Markus Koschany at 2022-10-18T01:13:24+02:00 Update changelog - - - - - 4 changed files: - debian/changelog - debian/control - + debian/patches/CVE-2022-34169.patch - debian/patches/series Changes: ===================================== debian/changelog ===================================== @@ -1,3 +1,15 @@ +bcel (6.5.0-2) unstable; urgency=high + + * Team upload. + * Fix CVE-2022-34169: + The Apache Xalan Java XSLT library is vulnerable to an integer truncation + issue when processing malicious XSLT stylesheets. This can be used to + corrupt Java class files generated by the internal XSLTC compiler and + execute arbitrary Java bytecode. (Closes: #1015860) + * Declare compliance with Debian Policy 4.6.1. + + -- Markus Koschany <[email protected]> Tue, 18 Oct 2022 01:11:06 +0200 + bcel (6.5.0-1) unstable; urgency=medium * Team upload. ===================================== debian/control ===================================== @@ -12,7 +12,7 @@ Build-Depends: libmaven-javadoc-plugin-java, junit4, maven-debian-helper (>= 2.1~) -Standards-Version: 4.5.0 +Standards-Version: 4.6.1 Vcs-Git: https://salsa.debian.org/java-team/bcel.git Vcs-Browser: https://salsa.debian.org/java-team/bcel Homepage: http://commons.apache.org/bcel/ ===================================== debian/patches/CVE-2022-34169.patch ===================================== @@ -0,0 +1,65 @@ +From: Markus Koschany <[email protected]> +Date: Tue, 18 Oct 2022 01:07:03 +0200 +Subject: CVE-2022-34169 + +Bug-Debian: https://bugs.debian.org/1015860 +Origin: https://github.com/apache/commons-bcel/commit/f3267cbcc900f80851d561bdd16b239d936947f5 +--- + src/main/java/org/apache/bcel/classfile/ConstantPool.java | 11 +++++++++-- + src/main/java/org/apache/bcel/generic/ConstantPoolGen.java | 11 ++++++++++- + 2 files changed, 19 insertions(+), 3 deletions(-) + +diff --git a/src/main/java/org/apache/bcel/classfile/ConstantPool.java b/src/main/java/org/apache/bcel/classfile/ConstantPool.java +index c2926c0..b417777 100644 +--- a/src/main/java/org/apache/bcel/classfile/ConstantPool.java ++++ b/src/main/java/org/apache/bcel/classfile/ConstantPool.java +@@ -218,8 +218,15 @@ public class ConstantPool implements Cloneable, Node { + * @throws IOException + */ + public void dump( final DataOutputStream file ) throws IOException { +- file.writeShort(constantPool.length); +- for (int i = 1; i < constantPool.length; i++) { ++ /* ++ * Constants over the size of the constant pool shall not be written out. ++ * This is a redundant measure as the ConstantPoolGen should have already ++ * reported an error back in the situation. ++ */ ++ final int size = Math.min(constantPool.length, Const.MAX_CP_ENTRIES); ++ ++ file.writeShort(size); ++ for (int i = 1; i < size; i++) { + if (constantPool[i] != null) { + constantPool[i].dump(file); + } +diff --git a/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java b/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java +index 5a09e0d..ce78354 100644 +--- a/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java ++++ b/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java +@@ -95,7 +95,7 @@ public class ConstantPoolGen { + public ConstantPoolGen(final Constant[] cs) { + final StringBuilder sb = new StringBuilder(DEFAULT_BUFFER_SIZE); + +- size = Math.max(DEFAULT_BUFFER_SIZE, cs.length + 64); ++ size = Math.min(Math.max(DEFAULT_BUFFER_SIZE, cs.length + 64), Const.MAX_CP_ENTRIES + 1); + constants = new Constant[size]; + + System.arraycopy(cs, 0, constants, 0, cs.length); +@@ -224,9 +224,18 @@ public class ConstantPoolGen { + /** Resize internal array of constants. + */ + protected void adjustSize() { ++ // 3 extra spaces are needed as some entries may take 3 slots ++ if (index + 3 >= Const.MAX_CP_ENTRIES + 1) { ++ throw new IllegalStateException("The number of constants " + (index + 3) ++ + " is over the size of the constant pool: " ++ + Const.MAX_CP_ENTRIES); ++ } ++ + if (index + 3 >= size) { + final Constant[] cs = constants; + size *= 2; ++ // the constant array shall not exceed the size of the constant pool ++ size = Math.min(size, Const.MAX_CP_ENTRIES + 1); + constants = new Constant[size]; + System.arraycopy(cs, 0, constants, 0, index); + } ===================================== debian/patches/series ===================================== @@ -1 +1,2 @@ 01-disable-BCEL-336-test.patch +CVE-2022-34169.patch View it on GitLab: https://salsa.debian.org/java-team/bcel/-/compare/f584338f618b8188970e6a0c3ee58df2c0ba975d...41383843d9360af9f28afbcab258a659da88587e -- View it on GitLab: https://salsa.debian.org/java-team/bcel/-/compare/f584338f618b8188970e6a0c3ee58df2c0ba975d...41383843d9360af9f28afbcab258a659da88587e You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ pkg-java-commits mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-commits
