diff --git a/CVE-2020-26945.patch b/CVE-2020-26945.patch
new file mode 100644
index 0000000000000000000000000000000000000000..401d3c2987e1f265789018842f5735d47140a104
--- /dev/null
+++ b/CVE-2020-26945.patch
@@ -0,0 +1,117 @@
+From 9caf480e05c389548c9889362c2cb080d728b5d8 Mon Sep 17 00:00:00 2001
+From: Iwao AVE!
+Date: Sat, 3 Oct 2020 23:58:09 +0900
+Subject: [PATCH] Output warning when deserializing object stream with no
+ JEP-290 filter defined
+
+---
+ .../cache/decorators/SerializedCache.java | 2 +
+ .../loader/AbstractSerialStateHolder.java | 6 ++
+ .../apache/ibatis/io/SerialFilterChecker.java | 54 +++++++++++++++++++
+ 3 files changed, 61 insertions(+), 33 deletions(-)
+ create mode 100644 src/main/java/org/apache/ibatis/io/SerialFilterChecker.java
+
+diff --git a/src/main/java/org/apache/ibatis/cache/decorators/SerializedCache.java b/src/main/java/org/apache/ibatis/cache/decorators/SerializedCache.java
+index aeb3d09de7a..664b214aa65 100644
+--- a/src/main/java/org/apache/ibatis/cache/decorators/SerializedCache.java
++++ b/src/main/java/org/apache/ibatis/cache/decorators/SerializedCache.java
+@@ -28,6 +28,7 @@
+ import org.apache.ibatis.cache.Cache;
+ import org.apache.ibatis.cache.CacheException;
+ import org.apache.ibatis.io.Resources;
++import org.apache.ibatis.io.SerialFilterChecker;
+
+ /**
+ * @author Clinton Begin
+@@ -104,6 +105,7 @@ public boolean equals(Object obj) {
+ }
+
+ private Serializable deserialize(byte[] value) {
++ SerialFilterChecker.check();
+ Serializable result;
+ try {
+ ByteArrayInputStream bis = new ByteArrayInputStream(value);
+diff --git a/src/main/java/org/apache/ibatis/executor/loader/AbstractSerialStateHolder.java b/src/main/java/org/apache/ibatis/executor/loader/AbstractSerialStateHolder.java
+index f1edbaa146a..414fe5db391 100644
+--- a/src/main/java/org/apache/ibatis/executor/loader/AbstractSerialStateHolder.java
++++ b/src/main/java/org/apache/ibatis/executor/loader/AbstractSerialStateHolder.java
+@@ -31,6 +31,7 @@
+ import java.util.List;
+ import java.util.Map;
+
++import org.apache.ibatis.io.SerialFilterChecker;
+ import org.apache.ibatis.reflection.factory.ObjectFactory;
+
+ /**
+@@ -106,9 +107,11 @@ protected final Object readResolve() throws ObjectStreamException {
+ return this.userBean;
+ }
+
++ SerialFilterChecker.check();
++
+ /* First run */
+ try {
+ final ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(this.userBeanBytes));
+ this.userBean = in.readObject();
+ this.unloadedProperties = (Map) in.readObject();
+ this.objectFactory = (ObjectFactory) in.readObject();
+diff --git a/src/main/java/org/apache/ibatis/io/SerialFilterChecker.java b/src/main/java/org/apache/ibatis/io/SerialFilterChecker.java
+new file mode 100644
+index 00000000000..abacac68332
+--- /dev/null
++++ b/src/main/java/org/apache/ibatis/io/SerialFilterChecker.java
+@@ -0,0 +1,54 @@
++/**
++ * Copyright 2009-2020 the original author or authors.
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++package org.apache.ibatis.io;
++
++import java.security.Security;
++
++import org.apache.ibatis.logging.Log;
++import org.apache.ibatis.logging.LogFactory;
++
++public final class SerialFilterChecker {
++ private static final Log log = LogFactory.getLog(SerialFilterChecker.class);
++ /* Property key for the JEP-290 serialization filters */
++ private static final String JDK_SERIAL_FILTER = "jdk.serialFilter";
++ private static final boolean SERIAL_FILTER_MISSING;
++ private static boolean firstInvocation = true;
++
++ static {
++ Object serialFilter;
++ try {
++ Class objectFilterConfig = Class.forName("java.io.ObjectInputFilter$Config");
++ serialFilter = objectFilterConfig.getMethod("getSerialFilter").invoke(null);
++ } catch (ReflectiveOperationException e) {
++ // Java 1.8
++ serialFilter = System.getProperty(JDK_SERIAL_FILTER, Security.getProperty(JDK_SERIAL_FILTER));
++ }
++ SERIAL_FILTER_MISSING = serialFilter == null;
++ }
++
++ public static void check() {
++ if (firstInvocation && SERIAL_FILTER_MISSING) {
++ firstInvocation = false;
++ log.warn(
++ "As you are using functionality that deserializes object streams, it is recommended to define the JEP-290 serial filter. "
++ + "Please refer to https://docs.oracle.com/pls/topic/lookup?ctx=javase15&id=GUID-8296D8E8-2B93-4B9A-856E-0A65AF9B8C66");
++ }
++ }
++
++ private SerialFilterChecker() {
++ }
++}
diff --git a/mybatis.spec b/mybatis.spec
index 13434f1eb4946987eaff3480177331d933777e2d..7fe00f636e41dca73678bb2e8e014f174520ab69 100644
--- a/mybatis.spec
+++ b/mybatis.spec
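Review bot: `SerialFilterChecker.check()` inserted at the top of `SerializedCache.deserialize` and `AbstractSerialStateHolder.readResolve` only logs a one-time warning; the `readObject()` calls that follow still run with no filter when `jdk.serialFilter` is unset, so this backport is advisory and the package's actual mitigation for CVE-2020-26945 rests on the deployment configuring a process-wide filter, which the spec changelog should say. In the new `SerialFilterChecker`, `SERIAL_FILTER_MISSING` is decided once in the static initializer, so a filter installed afterwards via `ObjectInputFilter.Config.setSerialFilter` still triggers the warning and a per-stream filter is never seen; a comment such as `// evaluated once at class load; filters installed later are not detected` would make the limitation explicit. `firstInvocation` is a plain static written outside any synchronization, so concurrent first callers may each log, which is harmless but deserves `// benign race: the warning may be emitted more than once`. `Class objectFilterConfig` is a raw type and should be `Class<?> objectFilterConfig`. The embedded diffstat claims 33 deletions while every hunk is pure addition; `patch` and `git apply` ignore the trailer, but it suggests the upstream commit was trimmed for this backport and the dropped parts (presumably tests or docs) are not accounted for here.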
@@ -1,13 +1,14 @@
 %bcond_with test
 Name: mybatis
 Version: 3.2.8
-Release: 1
+Release: 2
 Summary: SQL Mapping Framework for Java
 License: Apache 2.0
 URL: https://github.com/mybatis/mybatis-3
 Source0: https://github.com/mybatis/mybatis-3/archive/%{name}-%{version}.tar.gz
 Patch0: %{name}-%{version}-commons-ognl.patch
 Patch1: mybatis-3.2.8-log4j2.6.patch
+Patch2: CVE-2020-26945.patch
 BuildRequires: maven-local mvn(cglib:cglib) mvn(commons-logging:commons-logging)
 BuildRequires: mvn(log4j:log4j:1.2.17) mvn(org.apache.commons:commons-ognl)
 BuildRequires: mvn(org.apache.felix:maven-bundle-plugin)
@@ -82,5 +83,8 @@ opts="-f"
 %license LICENSE NOTICE
 %changelog
+* Sat Jun 19 2021 lingsheng - 3.2.8-2
+- Fix CVE-2020-26945
+
 * Fri Jan 8 2021 chengzihan - 3.2.8-1
 - Package init
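Review bot: `Patch2: CVE-2020-26945.patch` is declared in the first hunk, but nothing visible applies it; whether `%prep` (outside both hunks) uses `%autosetup`/`%autopatch` or needs an explicit `%patch2 -p1` cannot be seen here and should be confirmed, because a declared-but-unapplied patch builds cleanly without the fix. The embedded patch carries `a/` and `b/` path prefixes, so it needs `-p1`, presumably like the existing Patch0 and Patch1. Its hunk contexts come from upstream in October 2020 while this package is 3.2.8, so the build log should be checked for fuzz or rejects in `SerializedCache.java` and `AbstractSerialStateHolder.java`. The changelog entry `- Fix CVE-2020-26945` would be clearer as `- Fix CVE-2020-26945: warn when deserializing without a JEP-290 filter`, since the patch adds a warning rather than a filter and operators still need to set `jdk.serialFilter`.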