From 5444c5d5ce9f079c8daa35a6c9fbac3a5e3e9690 Mon Sep 17 00:00:00 2001
From: wangxiao65 <287608437@qq.com>
Date: Fri, 29 Jan 2021 09:18:21 +0800
Subject: [PATCH] fix CVE-2016-9606
(cherry picked from commit dcd01b0295f926794ef953a1bfcddb27c95e7e67)
---
 CVE-2016-9606.patch | 59 +++++++++++++++++++++++++++++++++++++++++++++
 resteasy.spec | 7 +++++-
 2 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2016-9606.patch
diff --git a/CVE-2016-9606.patch b/CVE-2016-9606.patch
new file mode 100644
index 0000000..ea751e7
--- /dev/null
+++ b/CVE-2016-9606.patch
@@ -0,0 +1,59 @@
+From 7ae52d2322169295a18570892d7596af69d41545 Mon Sep 17 00:00:00 2001
+From: Petr Jurak
+Date: Tue, 28 Feb 2017 15:45:58 +0100
+Subject: [PATCH] [RESTEASY-1618] Yaml unmarshalling vulnerable to RCE
+
+---
+ .../org/jboss/resteasy/resteasy1223/TestResteasy1223.java | 3 ++-
+ .../resources/META-INF/services/javax.ws.rs.ext.Providers | 1 +
+ .../jboss/resteasy/test/providers/yaml/TestYamlProvider.java | 4 ++--
+ 3 files changed, 5 insertions(+), 3 deletions(-)
+ rename jaxrs/{providers/yaml/src/main => arquillian/RESTEASY-1223-WF8/src/test}/resources/META-INF/services/javax.ws.rs.ext.Providers (98%)
+
+diff --git a/jaxrs/arquillian/RESTEASY-1223-WF8/src/test/java/org/jboss/resteasy/resteasy1223/TestResteasy1223.java b/jaxrs/arquillian/RESTEASY-1223-WF8/src/test/java/org/jboss/resteasy/resteasy1223/TestResteasy1223.java
+index 301ddd6535..b6805d30bf 100644
+--- a/jaxrs/arquillian/RESTEASY-1223-WF8/src/test/java/org/jboss/resteasy/resteasy1223/TestResteasy1223.java
++++ b/jaxrs/arquillian/RESTEASY-1223-WF8/src/test/java/org/jboss/resteasy/resteasy1223/TestResteasy1223.java
+@@ -31,7 +31,8 @@
+ public static Archive createTestArchive() {
+ WebArchive war = ShrinkWrap.create(WebArchive.class, "resteasy1223.war")
+ .addClasses(TestApplication.class, YamlResource.class, MyNestedObject.class, MyObject.class)
+- .addAsWebInfResource("web.xml").addAsManifestResource("MANIFEST.MF");
++ .addAsWebInfResource("web.xml").addAsManifestResource("MANIFEST.MF")
++ .addAsResource("META-INF/services/javax.ws.rs.ext.Providers");
+ return war;
+ }
+
+diff --git a/jaxrs/providers/yaml/src/main/resources/META-INF/services/javax.ws.rs.ext.Providers b/jaxrs/arquillian/RESTEASY-1223-WF8/src/test/resources/META-INF/services/javax.ws.rs.ext.Providers
+similarity index 98%
+rename from jaxrs/providers/yaml/src/main/resources/META-INF/services/javax.ws.rs.ext.Providers
+rename to jaxrs/arquillian/RESTEASY-1223-WF8/src/test/resources/META-INF/services/javax.ws.rs.ext.Providers
+index 9a6782a638..c854fd6d9a 100644
+--- a/jaxrs/providers/yaml/src/main/resources/META-INF/services/javax.ws.rs.ext.Providers
++++ b/jaxrs/arquillian/RESTEASY-1223-WF8/src/test/resources/META-INF/services/javax.ws.rs.ext.Providers
+@@ -1 +1,2 @@
+ org.jboss.resteasy.plugins.providers.YamlProvider
++
+diff --git a/jaxrs/providers/yaml/src/test/java/org/jboss/resteasy/test/providers/yaml/TestYamlProvider.java b/jaxrs/providers/yaml/src/test/java/org/jboss/resteasy/test/providers/yaml/TestYamlProvider.java
+index 05be1b26c6..5cf75aacf8 100644
+--- a/jaxrs/providers/yaml/src/test/java/org/jboss/resteasy/test/providers/yaml/TestYamlProvider.java
++++ b/jaxrs/providers/yaml/src/test/java/org/jboss/resteasy/test/providers/yaml/TestYamlProvider.java
+@@ -3,6 +3,7 @@
+ import junit.framework.Assert;
+ import org.jboss.resteasy.client.ClientRequest;
+ import org.jboss.resteasy.client.ClientResponse;
++import org.jboss.resteasy.plugins.providers.YamlProvider;
+ import org.jboss.resteasy.test.BaseResourceTest;
+ import org.junit.Before;
+ import org.junit.Test;
+@@ -19,9 +20,8 @@
+
+ @Before
+ public void setUp() {
+-
+ addPerRequestResource(YamlResource.class);
+-
++ getProviderFactory().registerProvider(YamlProvider.class);
+ }
+
+ @Test
diff --git a/resteasy.spec b/resteasy.spec
index 52a4178..81d0dba 100644
--- a/resteasy.spec
+++ b/resteasy.spec
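Review bot: `YamlProvider` itself is not hardened by the patch added here; the only production-side change visible is the rename of `META-INF/services/javax.ws.rs.ext.Providers` out of `jaxrs/providers/yaml/src/main/resources`, which stops the provider from being auto-registered. An application that registers it explicitly, as the updated `setUp()` does with `getProviderFactory().registerProvider(YamlProvider.class)`, presumably still gets the original unmarshalling of request bodies. The changelog entry should say so, for example `- fix CVE-2016-9606: YamlProvider is no longer registered by default; enable it only for trusted YAML input`. This is also a behaviour change for dependants that relied on auto-registration, which a bare "fix CVE-2016-9606" line does not convey.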
@@ -2,13 +2,14 @@ %global namedversion %{version}%{namedreltag} Name: resteasy Version: 3.0.19 -Release: 1 +Release: 2 Summary: Framework for RESTful Web services and Java applications License: ASL 2.0 and CDDL URL: https://github.com/resteasy/Resteasy/ Source0: https://github.com/resteasy/Resteasy/archive/%{namedversion}/%{name}-%{namedversion}.tar.gz Patch0: resteasy-3.0.19-Mime4j-0.7.2-support.patch Patch1: resteasy-3.0.19-port-resteasy-netty-to-netty-3.10.6.patch +Patch2: CVE-2016-9606.patch BuildArch: noarch BuildRequires: maven-local mvn(com.beust:jcommander) mvn(com.fasterxml:classmate) BuildRequires: mvn(com.fasterxml.jackson.core:jackson-annotations) @@ -194,6 +195,7 @@ Summary: Test modules for %{name} find -name '*.jar' -print -delete %patch0 -p1 %patch1 -p1 +%patch2 -p1 %pom_disable_module resteasy-spring jaxrs %pom_disable_module fastinfoset jaxrs/providers %pom_disable_module examples jaxrs @@ -328,5 +330,8 @@ done %license jaxrs/License.html %changelog +* Fri Jan 29 2021 wangxiao - 3.0.19-2 +- fix CVE-2016-9606 + * Wed Oct 28 2020 baizhonggui - 3.0.19-1 - package init -- Gitee
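Review bot: Nothing in `%prep` confirms that `%patch2 -p1` actually removed the service file, and the whole security effect of Patch2 rests on its git-style `rename from`/`rename to` section being honoured. If the patch tool in the build root treated that section as an in-place edit, `jaxrs/providers/yaml/src/main/resources/META-INF/services/javax.ws.rs.ext.Providers` would stay in the packaged jar and the build would still succeed with the provider auto-registered. A guard directly after `%patch2 -p1`, such as `test ! -e jaxrs/providers/yaml/src/main/resources/META-INF/services/javax.ws.rs.ext.Providers`, would turn that silent regression into a build failure.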