From 2fd40fa1a7af1f3c1a90ef9a5b13e162d426b976 Mon Sep 17 00:00:00 2001
From: lingsheng
Date: Thu, 22 Apr 2021 16:46:51 +0800
Subject: [PATCH] fix CVE-2021-20289
---
 CVE-2021-20289.patch | 121 +++++++++++++++++++++++++++++++++++++++++++
 resteasy.spec | 7 ++-
 2 files changed, 127 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2021-20289.patch
diff --git a/CVE-2021-20289.patch b/CVE-2021-20289.patch
new file mode 100644
index 0000000..f19dcc9
--- /dev/null
+++ b/CVE-2021-20289.patch
@@ -0,0 +1,121 @@
+From 8dbcc5d69b2c077b1174e8cedac20956903e101b Mon Sep 17 00:00:00 2001
+From: lingsheng
+Date: Wed, 21 Apr 2021 11:41:47 +0800
+Subject: [PATCH] [RESTEASY-2843] Do not add the target type to the thrown
+ exception. Instead log it as a debug message.
+
+Fix CVE-2021-20289, backport from https://github.com/resteasy/Resteasy/commit/358777a
+
+---
+ .../core/StringParameterInjector.java | 19 +++++++++++++------
+ .../resteasy_jaxrs/i18n/LogMessages.java | 4 ++++
+ .../resteasy_jaxrs/i18n/Messages.java | 4 ++--
+ 3 files changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java
+index e50ba88..b7178f6 100755
+--- a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java
++++ b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java
+@@ -1,6 +1,7 @@
+ package org.jboss.resteasy.core;
+
+ import org.jboss.resteasy.annotations.StringParameterUnmarshallerBinder;
++import org.jboss.resteasy.resteasy_jaxrs.i18n.LogMessages;
+ import org.jboss.resteasy.resteasy_jaxrs.i18n.Messages;
+ import org.jboss.resteasy.spi.ResteasyProviderFactory;
+ import org.jboss.resteasy.spi.StringConverter;
+@@ -296,7 +297,8 @@ public class StringParameterInjector
+ }
+ catch (Exception e)
+ {
+- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), e);
++ LogMessages.LOGGER.unableToExtractParameter(e, getParamSignature(), strVal, target);
++ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), e);
+ }
+ if (paramConverter != null)
+ {
+@@ -322,11 +324,13 @@ public class StringParameterInjector
+ }
+ catch (InstantiationException e)
+ {
+- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), e);
++ LogMessages.LOGGER.unableToExtractParameter(e, getParamSignature(), strVal, target);
++ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), e);
+ }
+ catch (IllegalAccessException e)
+ {
+- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), e);
++ LogMessages.LOGGER.unableToExtractParameter(e, getParamSignature(), strVal, target);
++ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), e);
+ }
+ catch (InvocationTargetException e)
+ {
+@@ -335,7 +339,8 @@ public class StringParameterInjector
+ {
+ throw ((WebApplicationException)targetException);
+ }
+- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), targetException);
++ LogMessages.LOGGER.unableToExtractParameter(targetException, getParamSignature(), strVal, target);
++ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), targetException);
+ }
+ }
+ else if (valueOf != null)
+@@ -346,7 +351,8 @@ public class StringParameterInjector
+ }
+ catch (IllegalAccessException e)
+ {
+- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), e);
++ LogMessages.LOGGER.unableToExtractParameter(e, getParamSignature(), strVal, target);
++ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), e);
+ }
+ catch (InvocationTargetException e)
+ {
+@@ -355,7 +361,8 @@ public class StringParameterInjector
+ {
+ throw ((WebApplicationException)targetException);
+ }
+- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), targetException);
++ LogMessages.LOGGER.unableToExtractParameter(targetException, getParamSignature(), strVal, target);
++ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), targetException);
+ }
+ }
+ return null;
+diff --git a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/LogMessages.java b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/LogMessages.java
+index a1c82da..265e632 100644
+--- a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/LogMessages.java
++++ b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/LogMessages.java
+@@ -1,5 +1,6 @@
+ package org.jboss.resteasy.resteasy_jaxrs.i18n;
+
++import java.lang.reflect.AccessibleObject;
+ import java.net.URL;
+
+ import javax.ws.rs.core.MediaType;
+@@ -209,6 +210,9 @@ public interface LogMessages extends BasicLogger
+ @Message(id = BASE + 335, value = "Unable to retrieve config: enableSecureProcessingFeature defaults to true")
+ void unableToRetrieveConfigSecure();
+
++ @LogMessage(level = Level.DEBUG)
++ @Message("Unable to extract parameter from http request: %s value is '%s' for %s")
++ void unableToExtractParameter(@Cause Throwable cause, String paramSignature, String strVal, AccessibleObject target);
+
+ ///////////////////////////////////////////////////////////////////////////////////////////////////////////
+ // TRACE //
+diff --git a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/Messages.java b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/Messages.java
+index 8a3ca94..472fa30 100644
+--- a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/Messages.java
++++ b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/Messages.java
+@@ -549,8 +549,8 @@ public interface Messages
+ @Message(id = BASE + 865, value = "Unable to determine base class from Type")
+ String unableToDetermineBaseClass();
+
+- @Message(id = BASE + 870, value = "Unable to extract parameter from http request: {0} value is '{1}' for {2}", format=Format.MESSAGE_FORMAT)
+- String unableToExtractParameter(String paramSignature, String strVal, AccessibleObject target);
++ @Message(id = BASE + 870, value = "Unable to extract parameter from http request: %s value is '%s'")
++ String unableToExtractParameter(String paramSignature, String strVal);
+
+ @Message(id = BASE + 875, value = "Unable to find a constructor that takes a String param or a valueOf() or fromString() method for {0} on {1} for basetype: {2}", format=Format.MESSAGE_FORMAT)
+ String unableToFindConstructor(String paramSignature, AccessibleObject target, String className);
+--
+2.23.0
+
diff --git a/resteasy.spec b/resteasy.spec
index 81d0dba..beb47ba 100644
--- a/resteasy.spec
+++ b/resteasy.spec
@@ -2,7 +2,7 @@
 %global namedversion %{version}%{namedreltag}
 Name: resteasy
 Version: 3.0.19
-Release: 2
+Release: 3
 Summary: Framework for RESTful Web services and Java applications
 License: ASL 2.0 and CDDL
 URL: https://github.com/resteasy/Resteasy/
@@ -10,6 +10,7 @@ Source0: https://github.com/resteasy/Resteasy/archive/%{namedversion
 Patch0: resteasy-3.0.19-Mime4j-0.7.2-support.patch
 Patch1: resteasy-3.0.19-port-resteasy-netty-to-netty-3.10.6.patch
 Patch2: CVE-2016-9606.patch
+Patch3: CVE-2021-20289.patch
 BuildArch: noarch
 BuildRequires: maven-local mvn(com.beust:jcommander) mvn(com.fasterxml:classmate)
 BuildRequires: mvn(com.fasterxml.jackson.core:jackson-annotations)
@@ -196,6 +197,7 @@ find -name '*.jar' -print -delete
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 %pom_disable_module resteasy-spring jaxrs
 %pom_disable_module fastinfoset jaxrs/providers
 %pom_disable_module examples jaxrs
@@ -330,6 +332,9 @@ done
 %license jaxrs/License.html
 %changelog
+* Thu Apr 22 2021 lingsheng - 3.0.19-3
+- fix CVE-2021-20289
+
 * Fri Jan 29 2021 wangxiao - 3.0.19-2
 - fix CVE-2016-9606
--
Gitee
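Review bot: The client-facing message built at each of the six `throwProcessingException` call sites in StringParameterInjector still embeds the raw request value `strVal` verbatim and unbounded, so the backport stops disclosing the reflection target but keeps echoing untrusted input into the exception text; whether that text reaches the HTTP response body depends on `throwProcessingException` and the installed exception mapper, both outside this hunk. A bounded copy taken once per catch block, e.g. `String shown = strVal.length() > 128 ? strVal.substring(0, 128) + "..." : strVal;` and passed to both the DEBUG log and the message, would cap what is echoed to the caller and written to logs without losing diagnostic value. The new `LogMessages.unableToExtractParameter` entry is also declared without an `id`, unlike the neighbouring `BASE + 335` entry in the same hunk, so its log line carries no RESTEASY message code to correlate against; `@Message(id = BASE + <next free id>, value = ...)` would match the file's convention. Note too that the same throwable is recorded as `@Cause` on the DEBUG line and rethrown as the cause of the processing exception, so the stack trace is emitted twice when DEBUG is enabled. Every catch block touched here belongs to a method that starts and ends outside the hunk.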