From a06d46759a7a0099ec863c16892ba315d3d50327 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Thu, 7 Dec 2023 16:12:27 +0800
Subject: [PATCH] Fix CVE-2022-41853

---
 CVE-2022-41853.patch | 61 ++++++++++++++++++++++++++++++++++++++++++++
 hsqldb.spec | 11 +++++---
 2 files changed, 68 insertions(+), 4 deletions(-)
 create mode 100644 CVE-2022-41853.patch

diff --git a/CVE-2022-41853.patch b/CVE-2022-41853.patch
new file mode 100644
index 0000000..da8591b
--- /dev/null
+++ b/CVE-2022-41853.patch
@@ -0,0 +1,61 @@
+From: Markus Koschany
+Date: Wed, 7 Dec 2022 13:00:46 +0100
+Subject: CVE-2022-41853
+
+Bug-Debian: https://bugs.debian.org/1023573
+Origin: https://sourceforge.net/p/hsqldb/svn/6614/
+---
+ src/org/hsqldb/persist/HsqlDatabaseProperties.java | 18 +++++++-----------
+ 1 file changed, 7 insertions(+), 11 deletions(-)
+
+diff --git a/src/org/hsqldb/persist/HsqlDatabaseProperties.java b/src/org/hsqldb/persist/HsqlDatabaseProperties.java
+index bc03e82..bee0ea6 100644
+--- a/src/org/hsqldb/persist/HsqlDatabaseProperties.java
++++ b/src/org/hsqldb/persist/HsqlDatabaseProperties.java
+@@ -51,28 +51,28 @@ import org.hsqldb.lib.StringUtil;
+ */
+ public class HsqlDatabaseProperties extends HsqlProperties {
+
+- private static final String hsqldb_method_class_names =
++ public static final String hsqldb_method_class_names =
+ "hsqldb.method_class_names";
+ public static final String textdb_allow_full_path =
+ "textdb.allow_full_path";
+- private static HashSet accessibleJavaMethodNames;
++ public static String methodClassNames;
++ private static final HashSet accessibleJavaMethodNames = new HashSet();
+ private static boolean allowFullPath;
+
+ static {
+ try {
+- String prop = System.getProperty(hsqldb_method_class_names);
++ methodClassNames = System.getProperty(hsqldb_method_class_names);
+
+- if (prop != null) {
+- accessibleJavaMethodNames = new HashSet();
++ if (methodClassNames != null) {
+
+- String[] names = StringUtil.split(prop, ";");
++ String[] names = StringUtil.split(methodClassNames, ";");
+
+ for (int i = 0; i < names.length; i++) {
+ accessibleJavaMethodNames.add(names[i]);
+ }
+ }
+
+- prop = System.getProperty(textdb_allow_full_path);
++ String prop = System.getProperty(textdb_allow_full_path);
+
+ if (prop != null) {
+ if (Boolean.valueOf(prop)) {
+@@ -97,10 +97,6 @@ public class HsqlDatabaseProperties extends HsqlProperties {
+ */
+ public static boolean supportsJavaMethod(String name) {
+
+- if (accessibleJavaMethodNames == null) {
+- return true;
+- }
+-
+ if (name.startsWith("java.lang.Math.")) {
+ return true;
+ }
diff --git a/hsqldb.spec b/hsqldb.spec
index 697844e..c4a6ef5 100644
--- a/hsqldb.spec
+++ b/hsqldb.spec
@@ -1,6 +1,6 @@
 Name: hsqldb
 Version: 2.4.0
-Release: 2
+Release: 3
 Epoch: 1
 Summary: HyperSQL Database Engine
 License: BSD
@@ -17,6 +17,8 @@ Source8: %{name}-post
 Source9: %{name}-stop
 Patch0: 0001-Fix-javadoc-build.patch
 Patch1: 0002-Build-cmdline-classes.patch
+# https://sourceforge.net/p/hsqldb/svn/6614/
+Patch2: CVE-2022-41853.patch
 BuildRequires: ant javapackages-local systemd-units glassfish-servlet-api
 Requires: %{name}-lib = %{epoch}:%{version}-%{release} glassfish-servlet-api
@@ -69,9 +71,7 @@ Requires: %{name} = %{epoch}:%{version}-%{release}
 Demonstrations and samples for %{name}.
 %prep
-%setup -q -n %{name}-%{version}
-%patch0 -p1
-%patch1 -p1
+%autosetup -n %{name}-%{version} -p1
 find . -name "*.sh" -exec chmod 755 \{\} \;
 for dir in `find . -name _notes`; do rm -rf $dir; done
 find . -name "*.jar" -exec rm -f {} \;
@@ -159,6 +159,9 @@ popd
 %files demo
 %changelog
+* Thu Dec 07 2023 yaoxin - 1:2.4.0-3
+- Fix CVE-2022-41853
+
 * Mon Jun 07 2021 maminjie - 2.4.0-2
 - Fix 0002-Build-cmdline-classes.patch
-- Gitee
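Review bot: In the embedded patch, `methodClassNames` becomes a writable `public static String`, so any class loaded in the same JVM can reassign it after class initialisation; the allow-list that `supportsJavaMethod` enforces lives in the private final `accessibleJavaMethodNames` set, which is filled only once in the static block, so a later write cannot widen what is accepted, but it lets the recorded value drift from the set actually enforced. Unless other code in upstream r6614 assigns the field (not visible here), `private static final String methodClassNames` would keep the exposure to what the fix needs, or at least a comment such as `// Informational only; the enforced allow-list is accessibleJavaMethodNames` should mark that the field is not the source of truth. The second embedded hunk also changes the default: with `hsqldb.method_class_names` unset the set is now empty and every method outside `java.lang.Math.` is refused where the removed null check previously allowed everything, which is the intended hardening, but the spec's changelog entry says only `Fix CVE-2022-41853`, so a line telling deployments that rely on Java routines to set that system property would avoid a surprise on upgrade. The body of `supportsJavaMethod` continues past the end of the hunk.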