[Git][java-team/libcommons-compress-java][master] 6 commits: Add patch for CVE-2019-12402 (Debian: #939610)

Tony Mancill gitlab at salsa.debian.org
Sun Sep 15 19:04:27 BST 2019



Tony Mancill pushed to branch master at Debian Java Maintainers / libcommons-compress-java


Commits:
b0f86e26 by tony mancill at 2019-09-15T17:47:30Z
Add patch for CVE-2019-12402 (Debian: #939610)

- - - - -
5c7fdaef by tony mancill at 2019-09-15T17:47:30Z
Refresh whitespace in debian/patches

- - - - -
f37bc768 by tony mancill at 2019-09-15T17:48:30Z
Bump Standards-Version to 4.4.0

- - - - -
8d7ffad6 by tony mancill at 2019-09-15T17:56:57Z
update whitespace in debian/control

- - - - -
7230b0ac by tony mancill at 2019-09-15T17:56:57Z
Use debhelper 12

- - - - -
99a2abb0 by tony mancill at 2019-09-15T17:57:40Z
prepare changelog for upload to unstable

- - - - -


8 changed files:

- debian/changelog
- debian/compat
- debian/control
- + debian/patches/CVE-2019-12402-939610.patch
- debian/patches/disable-brotli.patch
- debian/patches/disable-osgi-tests.patch
- debian/patches/disable-zstd.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,13 @@
+libcommons-compress-java (1.18-3) unstable; urgency=medium
+
+  * Team upload.
+  * Add patch for CVE-2019-12402 (Debian: #939610)
+  * Refresh whitespace in debian/patches
+  * Bump Standards-Version to 4.4.0
+  * Use debhelper 12
+
+ -- tony mancill <tmancill at debian.org>  Sun, 15 Sep 2019 10:45:24 -0700
+
 libcommons-compress-java (1.18-2) unstable; urgency=medium
 
   * Team upload.
@@ -172,7 +182,7 @@ libcommons-compress-java (1.5-1~exp1) experimental; urgency=low
 libcommons-compress-java (1.4.1-2) unstable; urgency=low
 
   * Team upload.
-  
+
   [ Miguel Landaeta ]
   * Promote dependency on libxz-java from Suggests to Depends.
     (Closes: #680874)


=====================================
debian/compat
=====================================
@@ -1 +1 @@
-11
+12


=====================================
debian/control
=====================================
@@ -7,7 +7,7 @@ Uploaders:
  Jakub Adam <jakub.adam at ktknet.cz>,
  Emmanuel Bourg <ebourg at apache.org>
 Build-Depends:
- debhelper (>= 11),
+ debhelper (>= 12),
  default-jdk,
  javahelper,
  junit4,
@@ -17,7 +17,7 @@ Build-Depends:
  libmaven-javadoc-plugin-java,
  libxz-java (>= 1.5),
  maven-debian-helper
-Standards-Version: 4.3.0
+Standards-Version: 4.4.0
 Vcs-Git: https://salsa.debian.org/java-team/libcommons-compress-java.git
 Vcs-Browser: https://salsa.debian.org/java-team/libcommons-compress-java
 Homepage: https://commons.apache.org/proper/commons-compress/


=====================================
debian/patches/CVE-2019-12402-939610.patch
=====================================
@@ -0,0 +1,127 @@
+Description: addresses CVE-2019-12402 (Debian: #939610)
+From: Stefan Bodewig <bodewig at apache.org>
+Date: Fri, 23 Aug 2019 14:12:05 +0000 (+0200)
+Subject: unit tests for encoding logic
+X-Git-Tag: 1.19-RC1~6
+X-Git-Url: https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commitdiff_plain;h=4ad5d80a6272e007f64a6ac66829ca189a8093b9;hp=16a0c84e84b93cc8c107b7ff3080bd11317ab581
+
+unit tests for encoding logic
+---
+
+diff --git a/src/main/java/org/apache/commons/compress/archivers/zip/NioZipEncoding.java b/src/main/java/org/apache/commons/compress/archivers/zip/NioZipEncoding.java
+index 0a7581a..4ce9c20 100644
+--- a/src/main/java/org/apache/commons/compress/archivers/zip/NioZipEncoding.java
++++ b/src/main/java/org/apache/commons/compress/archivers/zip/NioZipEncoding.java
+@@ -112,6 +112,9 @@ class NioZipEncoding implements ZipEncoding, CharsetAccessor {
+             } else if (res.isOverflow()) {
+                 int increment = estimateIncrementalEncodingSize(enc, cb.remaining());
+                 out = ZipEncodingHelper.growBufferBy(out, increment);
++
++            } else if (res.isUnderflow() || res.isError()) {
++                break;
+             }
+         }
+         // tell the encoder we are done
+diff --git a/src/test/java/org/apache/commons/compress/archivers/zip/NioZipEncodingTest.java b/src/test/java/org/apache/commons/compress/archivers/zip/NioZipEncodingTest.java
+new file mode 100644
+index 0000000..a04730c
+--- /dev/null
++++ b/src/test/java/org/apache/commons/compress/archivers/zip/NioZipEncodingTest.java
+@@ -0,0 +1,97 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one
++ * or more contributor license agreements.  See the NOTICE file
++ * distributed with this work for additional information
++ * regarding copyright ownership.  The ASF licenses this file
++ * to you under the Apache License, Version 2.0 (the
++ * "License"); you may not use this file except in compliance
++ * with the License.  You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing,
++ * software distributed under the License is distributed on an
++ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
++ * KIND, either express or implied.  See the License for the
++ * specific language governing permissions and limitations
++ * under the License.
++ */
++
++package org.apache.commons.compress.archivers.zip;
++
++import java.nio.ByteBuffer;
++import java.nio.charset.StandardCharsets;
++import java.util.Arrays;
++
++import org.junit.Assert;
++import org.junit.Test;
++
++public class NioZipEncodingTest {
++
++    private static final String UMLAUTS = "\u00e4\u00f6\u00fc";
++
++    @Test
++    public void umlautToUTF16BE() {
++        NioZipEncoding e = new NioZipEncoding(StandardCharsets.UTF_16BE, false);
++        ByteBuffer bb = e.encode(UMLAUTS);
++        final int off = bb.arrayOffset();
++        byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++        Assert.assertArrayEquals(UMLAUTS.getBytes(StandardCharsets.UTF_16BE), result);
++    }
++
++    @Test
++    public void umlautToUTF8() {
++        NioZipEncoding e = new NioZipEncoding(StandardCharsets.UTF_8, true);
++        ByteBuffer bb = e.encode("\u00e4\u00f6\u00fc");
++        final int off = bb.arrayOffset();
++        byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++        Assert.assertArrayEquals(UMLAUTS.getBytes(StandardCharsets.UTF_8), result);
++    }
++
++    @Test
++    public void umlautToISO88591() {
++        NioZipEncoding e = new NioZipEncoding(StandardCharsets.ISO_8859_1, true);
++        ByteBuffer bb = e.encode("\u00e4\u00f6\u00fc");
++        final int off = bb.arrayOffset();
++        byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++        Assert.assertArrayEquals(UMLAUTS.getBytes(StandardCharsets.ISO_8859_1), result);
++    }
++
++    @Test
++    public void unmappableUmlauts() {
++        NioZipEncoding e = new NioZipEncoding(StandardCharsets.US_ASCII, false);
++        ByteBuffer bb = e.encode("\u00e4\u00f6\u00fc");
++        final int off = bb.arrayOffset();
++        byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++        Assert.assertEquals("%U00E4%U00F6%U00FC", new String(result, StandardCharsets.US_ASCII));
++    }
++
++    private static final String RAINBOW_EMOJI = "\ud83c\udf08";
++
++    @Test
++    public void unmappableRainbowEmoji() {
++        NioZipEncoding e = new NioZipEncoding(StandardCharsets.US_ASCII, false);
++        ByteBuffer bb = e.encode(RAINBOW_EMOJI);
++        final int off = bb.arrayOffset();
++        byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++        Assert.assertEquals("%UD83C%UDF08", new String(result, StandardCharsets.US_ASCII));
++    }
++
++    @Test
++    public void rainbowEmojiToSurrogatePairUTF16() {
++        NioZipEncoding e = new NioZipEncoding(StandardCharsets.UTF_16BE, false);
++        ByteBuffer bb = e.encode(RAINBOW_EMOJI);
++        final int off = bb.arrayOffset();
++        byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++        Assert.assertArrayEquals(RAINBOW_EMOJI.getBytes(StandardCharsets.UTF_16BE), result);
++    }
++
++    @Test
++    public void partialSurrogatePair() {
++        NioZipEncoding e = new NioZipEncoding(StandardCharsets.US_ASCII, false);
++        ByteBuffer bb = e.encode("\ud83c");
++        final int off = bb.arrayOffset();
++        byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++        Assert.assertEquals(0, result.length);
++    }
++}
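Review bot: The DEP-3 header does not say which part of the embedded upstream commit is the security fix: `Description:` claims the patch addresses CVE-2019-12402 while the upstream `Subject:` reads "unit tests for encoding logic", so a reader cannot tell from the header that the three added lines in NioZipEncoding.java — the `} else if (res.isUnderflow() || res.isError()) { break; }` arm — are what stops the encoding loop, with the new NioZipEncodingTest class only pinning the behaviour. I would add `Bug-Debian: https://bugs.debian.org/939610` and `Origin: upstream, <the X-Git-Url already in the header>` and extend `Description:` with one sentence naming the `break` as the loop-termination fix. The enclosing `encode` loop in NioZipEncoding begins and ends outside this hunk, so whether an earlier arm already handles the `isError()` case cannot be confirmed here; the `partialSurrogatePair` test documents that a lone high surrogate now encodes to zero bytes rather than failing, which silently shortens an entry name and is worth one sentence in the description so the next maintainer does not read it as an accidental truncation.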


=====================================
debian/patches/disable-brotli.patch
=====================================
@@ -1,6 +1,6 @@
 --- a/pom.xml
 +++ b/pom.xml
-@@ -314,6 +314,17 @@
+@@ -331,6 +331,17 @@
      </pluginManagement>
      <plugins>
        <plugin>


=====================================
debian/patches/disable-osgi-tests.patch
=====================================
@@ -1,6 +1,6 @@
 --- a/pom.xml
 +++ b/pom.xml
-@@ -323,6 +323,7 @@
+@@ -340,6 +340,7 @@
            <testExcludes>
              <testExclude>**/brotli/**</testExclude>
              <testExclude>**/zstandard/**</testExclude>


=====================================
debian/patches/disable-zstd.patch
=====================================
@@ -1,6 +1,6 @@
 --- a/pom.xml
 +++ b/pom.xml
-@@ -318,9 +318,11 @@
+@@ -335,9 +335,11 @@
          <configuration>
            <excludes>
              <exclude>**/brotli/**</exclude>


=====================================
debian/patches/series
=====================================
@@ -1,3 +1,4 @@
 disable-brotli.patch
 disable-zstd.patch
 disable-osgi-tests.patch
+CVE-2019-12402-939610.patch


