[hawtjni] 01/02: Add CVE-2013-2035.patch
Markus Koschany
apo-guest at moszumanska.debian.org
Fri Jul 11 13:22:47 UTC 2014
This is an automated email from the git hooks/post-receive script.
apo-guest pushed a commit to branch wheezy-security
in repository hawtjni.
commit 4571d4b4e8530650e3d43c21e2cc016798f70d95
Author: Markus Koschany <apo at gambaru.de>
Date: Fri Jul 11 15:14:06 2014 +0200
Add CVE-2013-2035.patch
---
debian/patches/CVE-2013-2035.patch | 151 +++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 152 insertions(+)
diff --git a/debian/patches/CVE-2013-2035.patch b/debian/patches/CVE-2013-2035.patch
new file mode 100644
index 0000000..bd5b092
--- /dev/null
+++ b/debian/patches/CVE-2013-2035.patch
@@ -0,0 +1,151 @@
+From: Hiram Chirino <hiram at hiramchirino.com>
+Date: Fri, 11 Jul 2014 15:11:14 +0200
+Subject: CVE 2013-2035
+
+Bug: https://bugs.debian.org/708293
+Forwarded: https://github.com/fusesource/hawtjni/commit/92c266170ce98edc200c656bd034a237098b8aa5
+---
+ .../org/fusesource/hawtjni/runtime/Library.java | 80 ++++++++--------------
+ 1 file changed, 30 insertions(+), 50 deletions(-)
+
+diff --git a/hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java b/hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java
+index 28e15ea..0c3145d 100755
+--- a/hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java
++++ b/hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java
+@@ -9,13 +9,11 @@
+ *******************************************************************************/
+ package org.fusesource.hawtjni.runtime;
+
+-import java.io.File;
+-import java.io.FileOutputStream;
+-import java.io.IOException;
+-import java.io.InputStream;
++import java.io.*;
+ import java.net.MalformedURLException;
+ import java.net.URL;
+ import java.util.ArrayList;
++import java.util.Random;
+ import java.util.regex.Pattern;
+
+ /**
+@@ -205,15 +203,19 @@ public class Library {
+ URL resource = classLoader.getResource(resourcePath);
+ if( resource !=null ) {
+
+- String libName = name;
++ String libName = name + "-" + getBitModel();
+ if( version !=null) {
+ libName += "-" + version;
+ }
+-
++
++ String []libNameParts = map(libName).split("\\.");
++ String prefix = libNameParts[0]+"-";
++ String suffix = "."+libNameParts[1];
++
+ if( customPath!=null ) {
+ // Try to extract it to the custom path...
+- File target = file(customPath, map(libName));
+- if( extract(errors, resource, target) ) {
++ File target = extract(errors, resource, prefix, suffix, file(customPath));
++ if( target!=null ) {
+ if( load(errors, target) ) {
+ return true;
+ }
+@@ -222,8 +224,8 @@ public class Library {
+
+ // Fall back to extracting to the tmp dir
+ customPath = System.getProperty("java.io.tmpdir");
+- File target = file(customPath, map(libName));
+- if( extract(errors, resource, target) ) {
++ File target = extract(errors, resource, prefix, suffix, file(customPath));
++ if( target!=null ) {
+ if( load(errors, target) ) {
+ return true;
+ }
+@@ -257,67 +259,45 @@ public class Library {
+ return libName;
+ }
+
+- private boolean extract(ArrayList<String> errors, URL source, File target) {
+- FileOutputStream os = null;
+- InputStream is = null;
+- boolean extracting = false;
++ private File extract(ArrayList<String> errors, URL source, String prefix, String suffix, File directory) {
++ File target = null;
+ try {
+- if (!target.exists() || isStale(source, target) ) {
++ FileOutputStream os = null;
++ InputStream is = null;
++ try {
++ target = File.createTempFile(prefix, suffix, directory);
+ is = source.openStream();
+ if (is != null) {
+ byte[] buffer = new byte[4096];
+ os = new FileOutputStream(target);
+- extracting = true;
+ int read;
+ while ((read = is.read(buffer)) != -1) {
+ os.write(buffer, 0, read);
+ }
+- os.close();
+- is.close();
+ chmod("755", target);
+ }
++ target.deleteOnExit();
++ return target;
++ } finally {
++ close(os);
++ close(is);
+ }
+ } catch (Throwable e) {
+- try {
+- if (os != null)
+- os.close();
+- } catch (IOException e1) {
+- }
+- try {
+- if (is != null)
+- is.close();
+- } catch (IOException e1) {
+- }
+- if (extracting && target.exists())
++ if( target!=null ) {
+ target.delete();
++ }
+ errors.add(e.getMessage());
+- return false;
+ }
+- return true;
++ return null;
+ }
+
+- private boolean isStale(URL source, File target) {
+-
+- if( source.getProtocol().equals("jar") ) {
+- // unwrap the jar protocol...
++ static private void close(Closeable file) {
++ if(file!=null) {
+ try {
+- String parts[] = source.getFile().split(Pattern.quote("!"));
+- source = new URL(parts[0]);
+- } catch (MalformedURLException e) {
+- return false;
+- }
+- }
+-
+- File sourceFile=null;
+- if( source.getProtocol().equals("file") ) {
+- sourceFile = new File(source.getFile());
+- }
+- if( sourceFile!=null && sourceFile.exists() ) {
+- if( sourceFile.lastModified() > target.lastModified() ) {
+- return true;
++ file.close();
++ } catch (Exception ignore) {
+ }
+ }
+- return false;
+ }
+
+ private void chmod(String permision, File path) {
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..872d27b
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2013-2035.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/hawtjni.git
More information about the pkg-java-commits
mailing list