From 98fc09c9c93e7bd6054508d413d17670645e7be8 Mon Sep 17 00:00:00 2001
From: wangxiao65 <287608437@qq.com>
Date: Fri, 7 May 2021 11:52:22 +0800
Subject: [PATCH] fix CVE-2021-28168

---
 CVE-2021-28168.patch | 126 +++++++++++++++++++++++++++++++++++++++++++
 jersey.spec | 12 ++---
 2 files changed, 132 insertions(+), 6 deletions(-)
 create mode 100644 CVE-2021-28168.patch

diff --git a/CVE-2021-28168.patch b/CVE-2021-28168.patch
new file mode 100644
index 0000000..eb19ede
--- /dev/null
+++ b/CVE-2021-28168.patch
@@ -0,0 +1,126 @@
+From f3cadb38dcc5b20e515706fae68dce533ad6c737 Mon Sep 17 00:00:00 2001
+From: Maxim Nesen <24524084+senivam@users.noreply.github.com>
+Date: Thu, 4 Mar 2021 11:36:50 +0100
+Subject: [PATCH] switching to NIO tmp file creation approach (#4712)
+
+Signed-off-by: Maxim Nesen
+---
+ .../jersey/message/internal/Utils.java | 26 +++++++++--
+ .../jersey/message/internal/UtilsTest.java | 45 +++++++++++++++++++
+ .../src/test/resources/surefire.policy | 4 +-
+ 3 files changed, 70 insertions(+), 5 deletions(-)
+ create mode 100644 core-common/src/test/java/org/glassfish/jersey/message/internal/UtilsTest.java
+
+diff --git a/core-common/src/main/java/org/glassfish/jersey/message/internal/Utils.java b/core-common/src/main/java/org/glassfish/jersey/message/internal/Utils.java
+index c4f035ee10..dcae919502 100644
+--- a/core-common/src/main/java/org/glassfish/jersey/message/internal/Utils.java
++++ b/core-common/src/main/java/org/glassfish/jersey/message/internal/Utils.java
+@@ -18,6 +18,10 @@
+ 
+ import java.io.File;
+ import java.io.IOException;
++import java.nio.file.Files;
++import java.security.AccessController;
++import java.security.PrivilegedAction;
++import java.util.concurrent.atomic.AtomicReference;
+ 
+ /**
+ * Utility class.
+@@ -46,9 +50,23 @@ static void throwIllegalArgumentExceptionIfNull(final Object toCheck, final Stri
+ * @throws IOException if a file could not be created.
+ */
+ public static File createTempFile() throws IOException {
+- final File file = File.createTempFile("rep", "tmp");
+- // Make sure the file is deleted when JVM is shutdown at last.
+- file.deleteOnExit();
++ final AtomicReference exceptionReference = new AtomicReference<>();
++ final File file = AccessController.doPrivileged(new PrivilegedAction() {
++ public File run() {
++ File tempFile = null;
++ try {
++ tempFile = Files.createTempFile("rep", "tmp").toFile();
++ // Make sure the file is deleted when JVM is shutdown at last.
++ tempFile.deleteOnExit();
++ } catch (IOException e) {
++ exceptionReference.set(e);
++ }
++ return tempFile;
++ }
++ });
++ if (exceptionReference.get() != null) {
++ throw exceptionReference.get();
++ }
+ return file;
+ }
+ 
+diff --git a/core-common/src/test/java/org/glassfish/jersey/message/internal/UtilsTest.java b/core-common/src/test/java/org/glassfish/jersey/message/internal/UtilsTest.java
+new file mode 100644
+index 0000000000..e6baf4c404
+--- /dev/null
++++ b/core-common/src/test/java/org/glassfish/jersey/message/internal/UtilsTest.java
+@@ -0,0 +1,45 @@
++/*
++ * Copyright (c) 2021 Oracle and/or its affiliates. All rights reserved.
++ *
++ * This program and the accompanying materials are made available under the
++ * terms of the Eclipse Public License v. 2.0, which is available at
++ * http://www.eclipse.org/legal/epl-2.0.
++ *
++ * This Source Code may also be made available under the following Secondary
++ * Licenses when the conditions for such availability set forth in the
++ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
++ * version 2 with the GNU Classpath Exception, which is available at
++ * https://www.gnu.org/software/classpath/license.html.
++ *
++ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
++ */
++
++package org.glassfish.jersey.message.internal;
++
++import org.junit.Assert;
++import org.junit.Test;
++
++import java.io.BufferedOutputStream;
++import java.io.ByteArrayInputStream;
++import java.io.File;
++import java.io.FileOutputStream;
++import java.io.IOException;
++import java.io.OutputStream;
++
++public class UtilsTest {
++
++ @Test
++ public void createTempFile() throws IOException {
++ final File file = Utils.createTempFile();
++ final OutputStream stream = new BufferedOutputStream(new FileOutputStream(file));
++
++ try {
++ final ByteArrayInputStream entityStream = new ByteArrayInputStream("Test stream byte input".getBytes());
++ ReaderWriter.writeTo(entityStream, stream);
++ } finally {
++ stream.close();
++ }
++ Assert.assertTrue(file.exists());
++ }
++
++}
+diff --git a/core-common/src/test/resources/surefire.policy b/core-common/src/test/resources/surefire.policy
+index 77fa02af3b..27602ae4c0 100644
+--- a/core-common/src/test/resources/surefire.policy
++++ b/core-common/src/test/resources/surefire.policy
+@@ -30,6 +30,7 @@ grant codebase "file:${project.build.directory}/test-classes/-" {
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+ permission java.lang.RuntimePermission "modifyThread";
+ permission java.util.PropertyPermission "*", "write";
++ permission java.io.FilePermission "${java.io.tmpdir}/-", "read,write,delete";
+ permission java.lang.RuntimePermission "getClassLoader";
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.misc.*";
+@@ -43,6 +44,7 @@ grant codebase "file:${project.build.directory}/classes/-" {
+ permission java.lang.RuntimePermission "modifyThread";
+ permission java.util.PropertyPermission "*", "read";
+ permission java.io.FilePermission "<>", "read";
++ permission java.io.FilePermission "${java.io.tmpdir}/-",
"read,write,delete";
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.misc.*";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
diff --git a/jersey.spec b/jersey.spec
index 24227e7..50a77af 100644
--- a/jersey.spec
+++ b/jersey.spec
@@ -1,7 +1,7 @@
 %bcond_with jp_minimal
 Name: jersey
 Version: 2.28
-Release: 1
+Release: 2
 Summary: JAX-RS (JSR 311) production quality Reference Implementation
 License: (EPL-2.0 or GPLv2 with exceptions) and ASL 2.0
 URL: https://github.com/eclipse-ee4j/jersey
@@ -11,6 +11,7 @@ Patch0: jersey-2.17-mvc-jsp-servlet31.patch
 Patch1: 0001-Patch-out-dependency-on-JMockit.patch
 Patch2: 0002-Port-to-glassfish-jsonp-1.0.patch
 Patch3: 0003-Port-to-hibernate-validation-5.x.patch
+Patch4: CVE-2021-28168.patch
 BuildRequires: maven-local mvn(com.fasterxml.jackson.core:jackson-annotations)
 BuildRequires: mvn(com.fasterxml.jackson.core:jackson-databind)
 BuildRequires: mvn(com.fasterxml.jackson.module:jackson-module-jaxb-annotations)
@@ -65,11 +66,7 @@ Summary: Javadoc for %{name}
 This package contains javadoc for %{name}.
 
 %prep
-%setup -q -n %{name}-%{version}
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
+%autosetup -p1 -n %{name}-%{version}
 find . -name "*.jar" -print -delete
 find . -name "*.class" -print -delete
 cp -p %{SOURCE1} .
@@ -210,5 +207,8 @@ sed -i -e 's/javax\.activation\.\*;/javax.activation.*;resolution:=optional;/' c
 %license LICENSE.md NOTICE.md LICENSE-2.0.txt
 
 %changelog
+* Fri May 7 2021 wangxiao - 2.28-2
+- Fix CVE-2021-28168
+
 * Tue Aug 25 2020 Shaoqiang Kang - 2.28-1
 - Package init
-- 
Gitee
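Review bot: The UtilsTest added inside CVE-2021-28168.patch asserts only `file.exists()`, which the pre-fix `File.createTempFile` also satisfies; the reason for moving to NIO temp-file creation — `Files.createTempFile` creates the file owner-only (rw-------) on POSIX, whereas `File.createTempFile` leaves the mode to the process umask — is never verified, so a regression back to the old API would not fail the build. Where the default file system reports the "posix" attribute view, the test could add `Assert.assertEquals(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE), Files.getPosixFilePermissions(file.toPath()));` (with the matching `java.nio.file.attribute.PosixFilePermission` and `java.util.EnumSet` imports). As rendered here, `final AtomicReference exceptionReference` and `new PrivilegedAction()` appear as raw types, against which `throw exceptionReference.get()` would not compile; the type arguments (and the `"<>"` FilePermission target in the policy hunk) were most likely lost to HTML extraction, but the CVE-2021-28168.patch shipped in the package should be confirmed to carry them, since `%autosetup -p1` will abort the build on a malformed or non-applying patch. `public File run()` in the anonymous class should also carry `@Override`, and the test's `getBytes()` should name `StandardCharsets.UTF_8` rather than rely on the platform charset.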