From 7f9e3ef54b27149d5137ede7f287d8d291118928 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Mon, 27 May 2024 14:41:26 +0800
Subject: [PATCH] Fix CVE-2019-10174

(cherry picked from commit b9f2292789fe88215197f18bdb7aa62680b4e228)
---
 CVE-2019-10174-pre.patch | 166 ++++++++++++++++++++++++++++++++
 CVE-2019-10174.patch     | 203 +++++++++++++++++++++++++++++++++++++++
 infinispan.spec          |   9 +-
 3 files changed, 377 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2019-10174-pre.patch
 create mode 100644 CVE-2019-10174.patch

diff --git a/CVE-2019-10174-pre.patch b/CVE-2019-10174-pre.patch
new file mode 100644
index 0000000..9a94f4e
--- /dev/null
+++ b/CVE-2019-10174-pre.patch
@@ -0,0 +1,166 @@
+From b317b7e70de2621fb25806b611126bcaf8793beb Mon Sep 17 00:00:00 2001
+From: Lin Gao <lgao@redhat.com>
+Date: Thu, 2 Mar 2017 10:17:25 +0800
+Subject: [PATCH] [ISPN-7535] Cache creation requires specific permissions when
+ using security manager
+
+Move Util.getClassLoaders() and ReflectionUtil.invokeAccessibly() to doPrivileged() when security manager is enabled
+---
+ .../commons/util/ReflectionUtil.java          | 13 +---
+ .../commons/util/SecurityActions.java         | 63 +++++++++++++++++++
+ .../org/infinispan/commons/util/Util.java     | 30 ++-------
+ 3 files changed, 68 insertions(+), 38 deletions(-)
+
+diff --git a/commons/src/main/java/org/infinispan/commons/util/ReflectionUtil.java b/commons/src/main/java/org/infinispan/commons/util/ReflectionUtil.java
+index df9526d83af0..9b70e1430c6f 100644
+--- a/commons/src/main/java/org/infinispan/commons/util/ReflectionUtil.java
++++ b/commons/src/main/java/org/infinispan/commons/util/ReflectionUtil.java
+@@ -6,7 +6,6 @@
+ 
+ import java.lang.annotation.Annotation;
+ import java.lang.reflect.Field;
+-import java.lang.reflect.InvocationTargetException;
+ import java.lang.reflect.Method;
+ import java.util.ArrayList;
+ import java.util.Arrays;
+@@ -163,17 +162,7 @@ private static Field findFieldRecursively(Class<?> c, String fieldName) {
+     * @param parameters parameters
+     */
+    public static Object invokeAccessibly(Object instance, Method method, Object[] parameters) {
+-      try {
+-         method.setAccessible(true);
+-         return method.invoke(instance, parameters);
+-      } catch (InvocationTargetException e) {
+-         Throwable cause = e.getCause() != null ? e.getCause() : e;
+-         throw new CacheException("Unable to invoke method " + method + " on object of type " + (instance == null ? "null" : instance.getClass().getSimpleName()) +
+-                                        (parameters != null ? " with parameters " + Arrays.asList(parameters) : ""), cause);
+-      } catch (Exception e) {
+-         throw new CacheException("Unable to invoke method " + method + " on object of type " + (instance == null ? "null" : instance.getClass().getSimpleName()) +
+-               (parameters != null ? " with parameters " + Arrays.asList(parameters) : ""), e);
+-      }
++      return SecurityActions.invokeAccessibly(instance, method, parameters);
+    }
+ 
+    public static Method findGetterForField(Class<?> c, String fieldName) {
+diff --git a/commons/src/main/java/org/infinispan/commons/util/SecurityActions.java b/commons/src/main/java/org/infinispan/commons/util/SecurityActions.java
+index 91e58fbecd21..72d721349181 100644
+--- a/commons/src/main/java/org/infinispan/commons/util/SecurityActions.java
++++ b/commons/src/main/java/org/infinispan/commons/util/SecurityActions.java
+@@ -1,7 +1,12 @@
+ package org.infinispan.commons.util;
+ 
++import java.lang.reflect.InvocationTargetException;
++import java.lang.reflect.Method;
+ import java.security.AccessController;
+ import java.security.PrivilegedAction;
++import java.util.Arrays;
++
++import org.infinispan.commons.CacheException;
+ 
+ /**
+  * Privileged actions for the package
+@@ -70,4 +75,62 @@ static String getProperty(String name) {
+ 
+       return SysProps.PRIVILEGED.getProperty(name);
+    }
++
++   private static <T> T doPrivileged(PrivilegedAction<T> action) {
++      if (System.getSecurityManager() != null) {
++         return AccessController.doPrivileged(action);
++      } else {
++         return action.run();
++      }
++   }
++
++   static Object invokeAccessibly(Object instance, Method method, Object[] parameters) {
++       return doPrivileged((PrivilegedAction<Object>) () -> {
++          try {
++             method.setAccessible(true);
++             return method.invoke(instance, parameters);
++          } catch (InvocationTargetException e) {
++             Throwable cause = e.getCause() != null ? e.getCause() : e;
++             throw new CacheException("Unable to invoke method " + method + " on object of type " + (instance == null ? "null" : instance.getClass().getSimpleName()) +
++                                            (parameters != null ? " with parameters " + Arrays.asList(parameters) : ""), cause);
++          } catch (Exception e) {
++             throw new CacheException("Unable to invoke method " + method + " on object of type " + (instance == null ? "null" : instance.getClass().getSimpleName()) +
++                   (parameters != null ? " with parameters " + Arrays.asList(parameters) : ""), e);
++          }
++       });
++   }
++
++   static ClassLoader[] getClassLoaders(ClassLoader appClassLoader) {
++      return doPrivileged((PrivilegedAction<ClassLoader[]>) () -> {
++         return new ClassLoader[] { appClassLoader,   // User defined classes
++               Util.class.getClassLoader(),           // Infinispan classes (not always on TCCL [modular env])
++               ClassLoader.getSystemClassLoader(),    // Used when load time instrumentation is in effect
++               Thread.currentThread().getContextClassLoader() //Used by jboss-as stuff
++         };
++      });
++   }
++
++   private static ClassLoader getOSGiClassLoader() {
++       // Make loading class optional
++       try {
++           Class<?> osgiClassLoader = Class.forName("org.infinispan.commons.util.OsgiClassLoader");
++           return (ClassLoader) osgiClassLoader.getMethod("getInstance", null).invoke(null);
++       } catch (ClassNotFoundException e) {
++           // fall back option - it can't hurt if we scan ctx class loader 2 times.
++           return Thread.currentThread().getContextClassLoader();
++       } catch (Exception e) {
++           throw new RuntimeException("Unable to call getInstance on OsgiClassLoader", e);
++       }
++   }
++
++   static ClassLoader[] getOSGIContextClassLoaders(ClassLoader appClassLoader) {
++      return doPrivileged((PrivilegedAction<ClassLoader[]>) () -> {
++         return new ClassLoader[] { appClassLoader,   // User defined classes
++               getOSGiClassLoader(), // OSGi bundle context needs to be on top of TCCL, system CL, etc.
++               Util.class.getClassLoader(),           // Infinispan classes (not always on TCCL [modular env])
++               ClassLoader.getSystemClassLoader(),    // Used when load time instrumentation is in effect
++               Thread.currentThread().getContextClassLoader() //Used by jboss-as stuff
++         };
++      });
++   }
+ }
+diff --git a/commons/src/main/java/org/infinispan/commons/util/Util.java b/commons/src/main/java/org/infinispan/commons/util/Util.java
+index 97078494be4b..3febe48e4fd5 100644
+--- a/commons/src/main/java/org/infinispan/commons/util/Util.java
++++ b/commons/src/main/java/org/infinispan/commons/util/Util.java
+@@ -115,33 +115,11 @@ public static boolean isOSGiContext() {
+ 
+    public static ClassLoader[] getClassLoaders(ClassLoader appClassLoader) {
+       if (isOSGiContext()) {
+-         return new ClassLoader[] { appClassLoader,   // User defined classes
+-               getOSGiClassLoader(), // OSGi bundle context needs to be on top of TCCL, system CL, etc.
+-               Util.class.getClassLoader(),           // Infinispan classes (not always on TCCL [modular env])
+-               ClassLoader.getSystemClassLoader(),    // Used when load time instrumentation is in effect
+-               Thread.currentThread().getContextClassLoader() //Used by jboss-as stuff
+-         };
++         return SecurityActions.getOSGIContextClassLoaders(appClassLoader);
+       } else {
+-         return new ClassLoader[] { appClassLoader,   // User defined classes
+-               Util.class.getClassLoader(),           // Infinispan classes (not always on TCCL [modular env])
+-               ClassLoader.getSystemClassLoader(),    // Used when load time instrumentation is in effect
+-               Thread.currentThread().getContextClassLoader() //Used by jboss-as stuff
+-         };
+-      }
+-   }
+-
+-    private static ClassLoader getOSGiClassLoader() {
+-        // Make loading class optional
+-        try {
+-            Class<?> osgiClassLoader = Class.forName("org.infinispan.commons.util.OsgiClassLoader");
+-            return (ClassLoader) osgiClassLoader.getMethod("getInstance", null).invoke(null);
+-        } catch (ClassNotFoundException e) {
+-            // fall back option - it can't hurt if we scan ctx class loader 2 times.
+-            return Thread.currentThread().getContextClassLoader();
+-        } catch (Exception e) {
+-            throw new RuntimeException("Unable to call getInstance on OsgiClassLoader", e);
+-        }
+-    }
++         return SecurityActions.getClassLoaders(appClassLoader);
++      }
++   }
+ 
+    /**
+     * <p>
diff --git a/CVE-2019-10174.patch b/CVE-2019-10174.patch
new file mode 100644
index 0000000..3b6848d
--- /dev/null
+++ b/CVE-2019-10174.patch
@@ -0,0 +1,203 @@
+From 5dbb05cfaca01a1a66732b82a0f5ba615ccbd214 Mon Sep 17 00:00:00 2001
+From: Dan Berindei <dan@infinispan.org>
+Date: Thu, 13 Jun 2019 12:11:52 +0300
+Subject: [PATCH] ISPN-9600 ReflectionUtil.invokeAccessibly should not be
+ public
+
+(cherry picked from commit 7bdc2822ccf79127a488130239c49a5e944e3ca2)
+
+Conflicts:
+	commons/src/main/java/org/infinispan/commons/util/ReflectionUtil.java
+	commons/src/main/java/org/infinispan/commons/util/SecurityActions.java
+	core/src/main/java/org/infinispan/distribution/group/impl/GroupManagerImpl.java
+	core/src/main/java/org/infinispan/factories/impl/BasicComponentRegistryImpl.java
+	core/src/test/java/org/infinispan/test/TestingUtil.java
+---
+ .../commons/util/ReflectionUtil.java          | 17 ++++++++++++---
+ .../commons/util/SecurityActions.java         | 21 -------------------
+ .../distribution/group/GroupManagerImpl.java  | 12 ++++++-----
+ .../factories/AbstractComponentRegistry.java  | 16 +++++++-------
+ .../infinispan/factories/SecurityActions.java |  8 +++++++
+ 5 files changed, 37 insertions(+), 37 deletions(-)
+
+diff --git a/commons/src/main/java/org/infinispan/commons/util/ReflectionUtil.java b/commons/src/main/java/org/infinispan/commons/util/ReflectionUtil.java
+index 9b70e1430c6f..49ff83ac4dbe 100644
+--- a/commons/src/main/java/org/infinispan/commons/util/ReflectionUtil.java
++++ b/commons/src/main/java/org/infinispan/commons/util/ReflectionUtil.java
+@@ -6,6 +6,7 @@
+ 
+ import java.lang.annotation.Annotation;
+ import java.lang.reflect.Field;
++import java.lang.reflect.InvocationTargetException;
+ import java.lang.reflect.Method;
+ import java.util.ArrayList;
+ import java.util.Arrays;
+@@ -161,8 +162,19 @@ private static Field findFieldRecursively(Class<?> c, String fieldName) {
+     * @param method     method to execute
+     * @param parameters parameters
+     */
+-   public static Object invokeAccessibly(Object instance, Method method, Object[] parameters) {
+-      return SecurityActions.invokeAccessibly(instance, method, parameters);
++   public static Object invokeMethod(Object instance, Method method, Object[] parameters) {
++      try {
++         return method.invoke(instance, parameters);
++      } catch (InvocationTargetException e) {
++         Throwable cause = e.getCause() != null ? e.getCause() : e;
++         throw new CacheException("Unable to invoke method " + method + " on object of type " + (instance == null ? "null" : instance
++                 .getClass().getSimpleName()) +
++                 (parameters != null ? " with parameters " + Arrays.asList(parameters) : ""), cause);
++      } catch (Exception e) {
++         throw new CacheException("Unable to invoke method " + method + " on object of type " + (instance == null ? "null" : instance
++                 .getClass().getSimpleName()) +
++                 (parameters != null ? " with parameters " + Arrays.asList(parameters) : ""), e);
++      }
+    }
+ 
+    public static Method findGetterForField(Class<?> c, String fieldName) {
+@@ -260,7 +272,6 @@ public static Object getValue(Object instance, String fieldName) {
+     * @param ann   annotation to search for.  Must be a class-level annotation.
+     * @return the annotation instance, or null
+     */
+-   @SuppressWarnings("unchecked")
+    public static <T extends Annotation> T getAnnotation(Class<?> clazz, Class<T> ann) {
+       while (true) {
+          // first check class
+diff --git a/commons/src/main/java/org/infinispan/commons/util/SecurityActions.java b/commons/src/main/java/org/infinispan/commons/util/SecurityActions.java
+index 72d721349181..6ca2151e0bae 100644
+--- a/commons/src/main/java/org/infinispan/commons/util/SecurityActions.java
++++ b/commons/src/main/java/org/infinispan/commons/util/SecurityActions.java
+@@ -1,12 +1,7 @@
+ package org.infinispan.commons.util;
+ 
+-import java.lang.reflect.InvocationTargetException;
+-import java.lang.reflect.Method;
+ import java.security.AccessController;
+ import java.security.PrivilegedAction;
+-import java.util.Arrays;
+-
+-import org.infinispan.commons.CacheException;
+ 
+ /**
+  * Privileged actions for the package
+@@ -84,22 +79,6 @@ private static <T> T doPrivileged(PrivilegedAction<T> action) {
+       }
+    }
+ 
+-   static Object invokeAccessibly(Object instance, Method method, Object[] parameters) {
+-       return doPrivileged((PrivilegedAction<Object>) () -> {
+-          try {
+-             method.setAccessible(true);
+-             return method.invoke(instance, parameters);
+-          } catch (InvocationTargetException e) {
+-             Throwable cause = e.getCause() != null ? e.getCause() : e;
+-             throw new CacheException("Unable to invoke method " + method + " on object of type " + (instance == null ? "null" : instance.getClass().getSimpleName()) +
+-                                            (parameters != null ? " with parameters " + Arrays.asList(parameters) : ""), cause);
+-          } catch (Exception e) {
+-             throw new CacheException("Unable to invoke method " + method + " on object of type " + (instance == null ? "null" : instance.getClass().getSimpleName()) +
+-                   (parameters != null ? " with parameters " + Arrays.asList(parameters) : ""), e);
+-          }
+-       });
+-   }
+-
+    static ClassLoader[] getClassLoaders(ClassLoader appClassLoader) {
+       return doPrivileged((PrivilegedAction<ClassLoader[]>) () -> {
+          return new ClassLoader[] { appClassLoader,   // User defined classes
+diff --git a/core/src/main/java/org/infinispan/distribution/group/GroupManagerImpl.java b/core/src/main/java/org/infinispan/distribution/group/GroupManagerImpl.java
+index 566c8a7746f5..369537aa7319 100644
+--- a/core/src/main/java/org/infinispan/distribution/group/GroupManagerImpl.java
++++ b/core/src/main/java/org/infinispan/distribution/group/GroupManagerImpl.java
+@@ -1,6 +1,6 @@
+ package org.infinispan.distribution.group;
+ 
+-import static org.infinispan.commons.util.ReflectionUtil.invokeAccessibly;
++import static org.infinispan.commons.util.ReflectionUtil.invokeMethod;
+ 
+ import org.infinispan.commons.util.CollectionFactory;
+ import org.infinispan.commons.util.ReflectionUtil;
+@@ -50,13 +50,15 @@ public GroupMetadataImpl(Method method) {
+ 
+         @Override
+         public String getGroup(Object instance) {
+-            Object object;
+             if (System.getSecurityManager() == null) {
+-                object = invokeAccessibly(instance, method, Util.EMPTY_OBJECT_ARRAY);
++                method.setAccessible(true);
+             } else {
+-                object = AccessController.doPrivileged((PrivilegedAction<Object>) () -> invokeAccessibly(instance, method, Util.EMPTY_OBJECT_ARRAY));
++                AccessController.doPrivileged((PrivilegedAction<List<Method>>) () -> {
++                    method.setAccessible(true);
++                    return null;
++                });
+             }
+-            return String.class.cast(object);
++            return String.class.cast(invokeMethod(instance, method, Util.EMPTY_OBJECT_ARRAY));
+         }
+         
+     }
+diff --git a/core/src/main/java/org/infinispan/factories/AbstractComponentRegistry.java b/core/src/main/java/org/infinispan/factories/AbstractComponentRegistry.java
+index 468dd4b266b2..367ae6709343 100644
+--- a/core/src/main/java/org/infinispan/factories/AbstractComponentRegistry.java
++++ b/core/src/main/java/org/infinispan/factories/AbstractComponentRegistry.java
+@@ -21,7 +21,6 @@
+ import java.lang.reflect.InvocationTargetException;
+ import java.lang.reflect.Method;
+ import java.security.AccessController;
+-import java.security.PrivilegedAction;
+ import java.security.PrivilegedExceptionAction;
+ import java.util.ArrayList;
+ import java.util.Arrays;
+@@ -35,8 +34,6 @@
+ import java.util.concurrent.ConcurrentMap;
+ import java.util.concurrent.TimeUnit;
+ 
+-import static org.infinispan.commons.util.ReflectionUtil.invokeAccessibly;
+-
+ /**
+  * A registry where components which have been created are stored.  Components are stored as singletons, registered
+  * under a specific name.
+@@ -245,11 +242,7 @@ private void invokeInjectionMethod(Object o, ComponentMetadata.InjectMetadata in
+             boolean nameIsFQCN = !injectMetadata.isParameterNameSet(i);
+             params[i] = getOrCreateComponent(dependencies[i], name, nameIsFQCN);
+          }
+-         if (System.getSecurityManager() == null) {
+-            invokeAccessibly(o, injectMetadata.getMethod(), params);
+-         } else {
+-            AccessController.doPrivileged((PrivilegedAction<Object>) () -> invokeAccessibly(o, injectMetadata.getMethod(), params));
+-         }
++         invokeAccessibly(o, injectMetadata.getMethod(), params);
+       }
+    }
+ 
+@@ -465,6 +458,13 @@ public void rewire() {
+       }
+    }
+ 
++   private static Object invokeAccessibly(Object instance, Method method, Object[] parameters) {
++      return SecurityActions.doPrivileged(() -> {
++         method.setAccessible(true);
++         return ReflectionUtil.invokeMethod(instance, method, parameters);
++      });
++   }
++
+    /**
+     * Scans each registered component for lifecycle methods, and adds them to the appropriate lists, and then sorts them
+     * by priority.
+diff --git a/core/src/main/java/org/infinispan/factories/SecurityActions.java b/core/src/main/java/org/infinispan/factories/SecurityActions.java
+index 43f12152fe53..9a4ab8f1bc97 100644
+--- a/core/src/main/java/org/infinispan/factories/SecurityActions.java
++++ b/core/src/main/java/org/infinispan/factories/SecurityActions.java
+@@ -21,6 +21,14 @@
+ final class SecurityActions {
+    private static final Log log = LogFactory.getLog(SecurityActions.class);
+ 
++    static <T> T doPrivileged(PrivilegedAction<T> action) {
++      if (System.getSecurityManager() != null) {
++         return AccessController.doPrivileged(action);
++      } else {
++         return action.run();
++      }
++   }
++
+    private static Field findFieldRecursively(Class<?> c, String fieldName) {
+       Field f = null;
+       try {
diff --git a/infinispan.spec b/infinispan.spec
index 9d88abc..9f64010 100644
--- a/infinispan.spec
+++ b/infinispan.spec
@@ -1,6 +1,6 @@
 Name:          infinispan
 Version:       8.2.4
-Release:       12
+Release:       13
 Summary:       Data grid platform
 License:       ASL 2.0 and LGPLv2+ and Public Domain
 URL:           http://infinispan.org/
@@ -12,6 +12,10 @@ Patch1:        implement-abstract-functions-extended-from-class-Directory.patch
 Patch2:        CVE-2016-0750.patch
 Patch3:        CVE-2017-15089-1.patch
 Patch4:        CVE-2017-15089-2.patch
+# https://github.com/infinispan/infinispan/commit/b317b7e70de2621fb25806b611126bcaf8793beb
+Patch5:        CVE-2019-10174-pre.patch
+# https://github.com/infinispan/infinispan/commit/5dbb05cfaca01a1a66732b82a0f5ba615ccbd214
+Patch6:        CVE-2019-10174.patch
 
 BuildRequires: maven-local mvn(com.clearspring.analytics:stream) mvn(com.mchange:c3p0)
 BuildRequires: mvn(commons-logging:commons-logging) mvn(commons-pool:commons-pool)
@@ -223,6 +227,9 @@ export JAVA_TOOL_OPTIONS="-Xmx4096m"
 %license LICENSE.txt
 
 %changelog
+* Mon May 27 2024 yaoxin <yao_xin001@hoperun.com> - 8.2.4-13
+- Fix CVE-2019-10174
+
 * Sat Apr 13 2024 Dingli Zhang <dingli@iscas.ac.cn> - 8.2.4-12
 - Add -Xmx4096m for riscv64
 
-- 
Gitee