diff --git a/CVE-2021-20289.patch b/CVE-2021-20289.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f19dcc93474c1781e13001ea2dfa660ecfac98f0
--- /dev/null
+++ b/CVE-2021-20289.patch
@@ -0,0 +1,121 @@
+From 8dbcc5d69b2c077b1174e8cedac20956903e101b Mon Sep 17 00:00:00 2001
+From: lingsheng
+Date: Wed, 21 Apr 2021 11:41:47 +0800
+Subject: [PATCH] [RESTEASY-2843] Do not add the target type to the thrown
+ exception. Instead log it as a debug message.
+
+Fix CVE-2021-20289, backport from https://github.com/resteasy/Resteasy/commit/358777a
+
+---
+ .../core/StringParameterInjector.java | 19 +++++++++++++------
+ .../resteasy_jaxrs/i18n/LogMessages.java | 4 ++++
+ .../resteasy_jaxrs/i18n/Messages.java | 4 ++--
+ 3 files changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java
+index e50ba88..b7178f6 100755
+--- a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java
++++ b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java
+@@ -1,6 +1,7 @@
+ package org.jboss.resteasy.core;
+
+ import org.jboss.resteasy.annotations.StringParameterUnmarshallerBinder;
++import org.jboss.resteasy.resteasy_jaxrs.i18n.LogMessages;
+ import org.jboss.resteasy.resteasy_jaxrs.i18n.Messages;
+ import org.jboss.resteasy.spi.ResteasyProviderFactory;
+ import org.jboss.resteasy.spi.StringConverter;
+@@ -296,7 +297,8 @@ public class StringParameterInjector
+ }
+ catch (Exception e)
+ {
+- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), e);
++ LogMessages.LOGGER.unableToExtractParameter(e, getParamSignature(), strVal, target);
++ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), e);
+ }
+ if (paramConverter != null)
+ {
+@@ -322,11 +324,13 @@ public class StringParameterInjector
+ }
+ catch (InstantiationException e)
+ {
+- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), e);
++ LogMessages.LOGGER.unableToExtractParameter(e, getParamSignature(), strVal, target);
++ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), e);
+ }
+ catch (IllegalAccessException e)
+ {
+- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), e);
++ LogMessages.LOGGER.unableToExtractParameter(e, getParamSignature(), strVal, target);
++ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), e);
+ }
+ catch (InvocationTargetException e)
+ {
+@@ -335,7 +339,8 @@ public class StringParameterInjector
+ {
+ throw ((WebApplicationException)targetException);
+ }
+- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), targetException);
++ LogMessages.LOGGER.unableToExtractParameter(targetException, getParamSignature(), strVal, target);
++ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), targetException);
+ }
+ }
+ else if (valueOf != null)
+@@ -346,7 +351,8 @@ public class StringParameterInjector
+ }
+ catch (IllegalAccessException e)
+ {
+- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), e);
++ LogMessages.LOGGER.unableToExtractParameter(e, getParamSignature(), strVal, target);
++ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), e);
+ }
+ catch (InvocationTargetException e)
+ {
+@@ -355,7 +361,8 @@ public class StringParameterInjector
+ {
+ throw ((WebApplicationException)targetException);
+ }
+- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), targetException);
++ LogMessages.LOGGER.unableToExtractParameter(targetException, getParamSignature(), strVal, target);
++ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), targetException);
+ }
+ }
+ return null;
+diff --git a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/LogMessages.java b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/LogMessages.java
+index a1c82da..265e632 100644
+--- a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/LogMessages.java
++++ b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/LogMessages.java
+@@ -1,5 +1,6 @@
+ package org.jboss.resteasy.resteasy_jaxrs.i18n;
+
++import java.lang.reflect.AccessibleObject;
+ import java.net.URL;
+
+ import javax.ws.rs.core.MediaType;
+@@ -209,6 +210,9 @@ public interface LogMessages extends BasicLogger
+ @Message(id = BASE + 335, value = "Unable to retrieve config: enableSecureProcessingFeature defaults to true")
+ void unableToRetrieveConfigSecure();
+
++ @LogMessage(level = Level.DEBUG)
++ @Message("Unable to extract parameter from http request: %s value is '%s' for %s")
++ void unableToExtractParameter(@Cause Throwable cause, String paramSignature, String strVal, AccessibleObject target);
+
+ ///////////////////////////////////////////////////////////////////////////////////////////////////////////
+ // TRACE //
+diff --git a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/Messages.java b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/Messages.java
+index 8a3ca94..472fa30 100644
+--- a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/Messages.java
++++ b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/Messages.java
+@@ -549,8 +549,8 @@ public interface Messages
+ @Message(id = BASE + 865, value = "Unable to determine base class from Type")
+ String unableToDetermineBaseClass();
+
+- @Message(id = BASE + 870, value = "Unable to extract parameter from http request: {0} value is '{1}' for {2}", format=Format.MESSAGE_FORMAT)
+- String unableToExtractParameter(String paramSignature, String strVal, AccessibleObject target);
++ @Message(id = BASE + 870, value = "Unable to extract parameter from http request: %s value is '%s'")
++ String unableToExtractParameter(String paramSignature, String strVal);
+
+ @Message(id = BASE + 875, value = "Unable to find a constructor that takes a String param or a valueOf() or fromString() method for {0} on {1} for basetype: {2}", format=Format.MESSAGE_FORMAT)
+ String unableToFindConstructor(String paramSignature, AccessibleObject target, String className);
+--
+2.23.0
+
diff --git a/resteasy.spec b/resteasy.spec
index 81d0dba1b87cdb455c682344e7dd112382ff45ca..beb47ba26847c7e0a809d95a92a8a4e71426760c 100644
--- a/resteasy.spec
+++ b/resteasy.spec
@@ -2,7 +2,7 @@
 %global namedversion %{version}%{namedreltag}
 Name: resteasy
 Version: 3.0.19
-Release: 2
+Release: 3
 Summary: Framework for RESTful Web services and Java applications
 License: ASL 2.0 and CDDL
 URL: https://github.com/resteasy/Resteasy/
@@ -10,6 +10,7 @@ Source0: https://github.com/resteasy/Resteasy/archive/%{namedversion
 Patch0: resteasy-3.0.19-Mime4j-0.7.2-support.patch
 Patch1: resteasy-3.0.19-port-resteasy-netty-to-netty-3.10.6.patch
 Patch2: CVE-2016-9606.patch
+Patch3: CVE-2021-20289.patch
 BuildArch: noarch
 BuildRequires: maven-local mvn(com.beust:jcommander) mvn(com.fasterxml:classmate)
 BuildRequires: mvn(com.fasterxml.jackson.core:jackson-annotations)
@@ -196,6 +197,7 @@ find -name '*.jar' -print -delete
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 %pom_disable_module resteasy-spring jaxrs
 %pom_disable_module fastinfoset jaxrs/providers
 %pom_disable_module examples jaxrs
@@ -330,6 +332,9 @@ done
 %license jaxrs/License.html
 %changelog
+* Thu Apr 22 2021 lingsheng - 3.0.19-3
+- fix CVE-2021-20289
+
 * Fri Jan 29 2021 wangxiao - 3.0.19-2
 - fix CVE-2016-9606
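Review bot: The new `LogMessages.unableToExtractParameter` entry in the backported patch is declared without an `id`, unlike the neighbouring `unableToRetrieveConfigSecure` at `BASE + 335`, so the debug line that now carries the target type is emitted without a RESTEASY message code; giving it one, e.g. `@Message(id = BASE + <next free id>, value = "Unable to extract parameter from http request: %s value is '%s' for %s")`, keeps the interface consistent and gives operators a stable token to search for when diagnosing parameter-conversion failures. The same logger-then-throw pair is repeated at six catch sites in StringParameterInjector (the hunks at 296, 322, 335, 346 and 355), and a small private helper taking the cause would remove the duplication, though the enclosing methods start and end outside those hunks. The client-facing message still reflects `strVal`, the raw request value; that is unchanged by this backport and is not the disclosure the CVE addresses, but it is worth confirming that echoing it back is intended, and that the DEBUG log line now holding both the value and the reflective target is acceptable for the deployment's log handling. The `java.lang.reflect.AccessibleObject` import in Messages.java remains in use by `unableToFindConstructor`, so no unused import is introduced by dropping the parameter.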