[Git][java-team/bcel][master] 3 commits: Add CVE-2022-34169.patch

Markus Koschany (@apo) gitlab at salsa.debian.org
Tue Oct 18 00:17:47 BST 2022



Markus Koschany pushed to branch master at Debian Java Maintainers / bcel


Commits:
c4137129 by Markus Koschany at 2022-10-18T01:10:34+02:00
Add CVE-2022-34169.patch

- - - - -
49bb6e38 by Markus Koschany at 2022-10-18T01:10:50+02:00
Declare compliance with Debian Policy 4.6.1.

- - - - -
41383843 by Markus Koschany at 2022-10-18T01:13:24+02:00
Update changelog

- - - - -


4 changed files:

- debian/changelog
- debian/control
- + debian/patches/CVE-2022-34169.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,15 @@
+bcel (6.5.0-2) unstable; urgency=high
+
+  * Team upload.
+  * Fix CVE-2022-34169:
+    The Apache Xalan Java XSLT library is vulnerable to an integer truncation
+    issue when processing malicious XSLT stylesheets. This can be used to
+    corrupt Java class files generated by the internal XSLTC compiler and
+    execute arbitrary Java bytecode. (Closes: #1015860)
+  * Declare compliance with Debian Policy 4.6.1.
+
+ -- Markus Koschany <apo at debian.org>  Tue, 18 Oct 2022 01:11:06 +0200
+
 bcel (6.5.0-1) unstable; urgency=medium
 
   * Team upload.


=====================================
debian/control
=====================================
@@ -12,7 +12,7 @@ Build-Depends:
  libmaven-javadoc-plugin-java,
  junit4,
  maven-debian-helper (>= 2.1~)
-Standards-Version: 4.5.0
+Standards-Version: 4.6.1
 Vcs-Git: https://salsa.debian.org/java-team/bcel.git
 Vcs-Browser: https://salsa.debian.org/java-team/bcel
 Homepage: http://commons.apache.org/bcel/


=====================================
debian/patches/CVE-2022-34169.patch
=====================================
@@ -0,0 +1,65 @@
+From: Markus Koschany <apo at debian.org>
+Date: Tue, 18 Oct 2022 01:07:03 +0200
+Subject: CVE-2022-34169
+
+Bug-Debian: https://bugs.debian.org/1015860
+Origin: https://github.com/apache/commons-bcel/commit/f3267cbcc900f80851d561bdd16b239d936947f5
+---
+ src/main/java/org/apache/bcel/classfile/ConstantPool.java  | 11 +++++++++--
+ src/main/java/org/apache/bcel/generic/ConstantPoolGen.java | 11 ++++++++++-
+ 2 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/src/main/java/org/apache/bcel/classfile/ConstantPool.java b/src/main/java/org/apache/bcel/classfile/ConstantPool.java
+index c2926c0..b417777 100644
+--- a/src/main/java/org/apache/bcel/classfile/ConstantPool.java
++++ b/src/main/java/org/apache/bcel/classfile/ConstantPool.java
+@@ -218,8 +218,15 @@ public class ConstantPool implements Cloneable, Node {
+      * @throws IOException
+      */
+     public void dump( final DataOutputStream file ) throws IOException {
+-        file.writeShort(constantPool.length);
+-        for (int i = 1; i < constantPool.length; i++) {
++        /*
++         * Constants over the size of the constant pool shall not be written out.
++         * This is a redundant measure as the ConstantPoolGen should have already
++         * reported an error back in the situation.
++        */
++        final int size = Math.min(constantPool.length, Const.MAX_CP_ENTRIES);
++
++        file.writeShort(size);
++        for (int i = 1; i < size; i++) {
+             if (constantPool[i] != null) {
+                 constantPool[i].dump(file);
+             }
+diff --git a/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java b/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java
+index 5a09e0d..ce78354 100644
+--- a/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java
++++ b/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java
+@@ -95,7 +95,7 @@ public class ConstantPoolGen {
+     public ConstantPoolGen(final Constant[] cs) {
+         final StringBuilder sb = new StringBuilder(DEFAULT_BUFFER_SIZE);
+ 
+-        size = Math.max(DEFAULT_BUFFER_SIZE, cs.length + 64);
++        size = Math.min(Math.max(DEFAULT_BUFFER_SIZE, cs.length + 64), Const.MAX_CP_ENTRIES + 1);
+         constants = new Constant[size];
+ 
+         System.arraycopy(cs, 0, constants, 0, cs.length);
+@@ -224,9 +224,18 @@ public class ConstantPoolGen {
+     /** Resize internal array of constants.
+      */
+     protected void adjustSize() {
++        // 3 extra spaces are needed as some entries may take 3 slots
++        if (index + 3 >= Const.MAX_CP_ENTRIES + 1) {
++            throw new IllegalStateException("The number of constants " + (index + 3)
++                    + " is over the size of the constant pool: "
++                    + Const.MAX_CP_ENTRIES);
++        }
++
+         if (index + 3 >= size) {
+             final Constant[] cs = constants;
+             size *= 2;
++            // the constant array shall not exceed the size of the constant pool
++            size = Math.min(size, Const.MAX_CP_ENTRIES + 1);
+             constants = new Constant[size];
+             System.arraycopy(cs, 0, constants, 0, index);
+         }
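Review bot: In the `ConstantPoolGen(final Constant[] cs)` hunk, capping `size` at `Const.MAX_CP_ENTRIES + 1` does not reject an oversized `cs`: an array longer than the cap reaches `System.arraycopy` with a destination that is too short and fails with a bare IndexOutOfBoundsException, and one that exactly fills the capped array appears to be accepted here and only stopped later by `adjustSize()` or clipped in `ConstantPool.dump()`. A guard before the allocation would fail early with the same message style as `adjustSize()`, e.g. `if (cs.length > Const.MAX_CP_ENTRIES) { throw new IllegalStateException("The number of constants " + cs.length + " is over the size of the constant pool: " + Const.MAX_CP_ENTRIES); }`; the exact bound should be confirmed against how `index` is set from `cs.length` below the hunk. Related: the new comment in `dump()` calls the clamp redundant, which presumably holds only for pools built through ConstantPoolGen, so a `ConstantPool` constructed directly from an oversized array would still be written out silently truncated; throwing there instead of truncating would be the stricter choice. All three method bodies continue outside their hunks.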


=====================================
debian/patches/series
=====================================
@@ -1 +1,2 @@
 01-disable-BCEL-336-test.patch
+CVE-2022-34169.patch



View it on GitLab: https://salsa.debian.org/java-team/bcel/-/compare/f584338f618b8188970e6a0c3ee58df2c0ba975d...41383843d9360af9f28afbcab258a659da88587e
