diff --git a/apache-commons-fileupload.spec b/apache-commons-fileupload.spec index 9303ca4f778487d58ed682f46779498c552e3442..673d626389264f4c1371966aeead76fdbe406f60 100644 --- a/apache-commons-fileupload.spec +++ b/apache-commons-fileupload.spec @@ -1,13 +1,14 @@ %bcond_without portlet Name: apache-commons-fileupload Version: 1.5 -Release: 1 +Release: 2 Summary: API to work with HTML file upload License: ASL 2.0 URL: http://commons.apache.org/fileupload/ BuildArch: noarch Source0: http://archive.apache.org/dist/commons/fileupload/source/commons-fileupload-%{version}-src.tar.gz +Patch1: backport-commons-io-upgrade-in-1.x-for-CVE-2024-47554.patch BuildRequires: maven-local mvn(commons-io:commons-io) mvn(javax.servlet:servlet-api) BuildRequires: mvn(junit:junit) mvn(org.apache.commons:commons-parent:pom:) %if %{with portlet} @@ -30,6 +31,7 @@ This package contains the API documentation for %{name}. %prep %setup -q -n commons-fileupload-%{version}-src +%patch1 -p1 sed -i 's/\r//' LICENSE.txt sed -i 's/\r//' NOTICE.txt %if %{with portlet} @@ -57,6 +59,9 @@ rm -r src/main/java/org/apache/commons/fileupload/portlet %license LICENSE.txt NOTICE.txt %changelog +* Thu Nov 07 2024 shaojiansong - 1.5-2 +- Backport commons-io upgrade in 1.x for CVE-2024-47554 + * Tue Apr 16 2024 Ge Wang - 1.5-1 - Update to version 1.5 diff --git a/backport-commons-io-upgrade-in-1.x-for-CVE-2024-47554.patch b/backport-commons-io-upgrade-in-1.x-for-CVE-2024-47554.patch new file mode 100644 index 0000000000000000000000000000000000000000..b9d927430c35f2e4304f97155030586f943c38f2 --- /dev/null +++ b/backport-commons-io-upgrade-in-1.x-for-CVE-2024-47554.patch 
@@ -0,0 +1,43 @@
+diff -Naru commons-fileupload-1.5-src/pom.xml commons-fileupload-1.5-src-update/pom.xml
+--- commons-fileupload-1.5-src/pom.xml 2022-12-31 00:12:53.000000000 +0800
++++ commons-fileupload-1.5-src-update/pom.xml 2024-11-07 17:06:12.934622218 +0800
+@@ -246,7 +246,7 @@
+
+ commons-io
+ commons-io
+- 2.11.0
++ 2.16.1
+
+
+
+diff -Naru commons-fileupload-1.5-src/src/changes/changes.xml commons-fileupload-1.5-src-update/src/changes/changes.xml
+--- commons-fileupload-1.5-src/src/changes/changes.xml 2022-12-31 00:12:53.000000000 +0800
++++ commons-fileupload-1.5-src-update/src/changes/changes.xml 2024-11-07 17:11:29.432023224 +0800
+@@ -44,6 +44,7 @@
+
+
+
++ Bump commons-io from 2.11.0 to 2.16.1.
+ Bump Commons IO to 2.11.0
+ DiskFileItem.write(File) had been changed to use FileUtils.moveFile internally, preventing an existing file as the target
+ Improve parsing speed
+diff -Naru commons-fileupload-1.5-src/src/test/java/org/apache/commons/fileupload/DiskFileItemSerializeTest.java commons-fileupload-1.5-src-update/src/test/java/org/apache/commons/fileupload/DiskFileItemSerializeTest.java
+--- commons-fileupload-1.5-src/src/test/java/org/apache/commons/fileupload/DiskFileItemSerializeTest.java 2022-12-31 00:12:53.000000000 +0800
++++ commons-fileupload-1.5-src-update/src/test/java/org/apache/commons/fileupload/DiskFileItemSerializeTest.java 2024-11-07 17:12:48.656104861 +0800
+@@ -29,6 +29,7 @@
+ import java.io.ObjectInputStream;
+ import java.io.ObjectOutputStream;
+ import java.io.OutputStream;
++import java.nio.file.InvalidPathException;
+
+ import org.apache.commons.fileupload.disk.DiskFileItemFactory;
+ import org.apache.commons.io.FileUtils;
+@@ -156,7 +157,7 @@
+ /**
+ * Test deserialization fails when repository contains a null character.
+ */
+- @Test(expected=IOException.class)
++ @Test(expected = InvalidPathException.class)
+ public void testInvalidRepositoryWithNullChar() throws Exception {
+ // Create the FileItem
+ byte[] testFieldValueBytes = createContentBytes(threshold);
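Review bot: The `commons-io` bump to `2.16.1` in the pom.xml part of this patch probably does not decide which commons-io is compiled against or installed. The spec still declares an unversioned `BuildRequires: mvn(commons-io:commons-io)`, and maven-local builds normally resolve dependencies to the system package rather than to the version written in the POM. If that holds here, the CVE-2024-47554 remediation rests entirely on the distribution's commons-io package, so I would state it explicitly with a versioned dependency on its own line, `BuildRequires: mvn(commons-io:commons-io) >= 2.16.1`, plus a matching `Requires:` so the runtime jar cannot be older. The changed expectation in `testInvalidRepositoryWithNullChar` (`InvalidPathException` instead of `IOException`) presumably fails against an older commons-io, which guards the build only if the test suite actually runs there. `InvalidPathException` is unchecked, so callers that handled the old `IOException` on deserialization are worth checking; the test method's body continues outside the hunk.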