Changes of Revision 3
_service:tar_scm:logback.spec
Changed
@@ -1,12 +1,13 @@ Name: logback Version: 1.2.8 -Release: 2 +Release: 3 Summary: A Java logging library License: LGPLv2 or EPL-1.0 URL: http://logback.qos.ch/ Source0: https://github.com/qos-ch/logback/archive/v_%{version}.tar.gz -Patch0001: logback-1.2.8-jetty.patch +Patch0001: logback-1.2.8-jetty.patch +Patch0002: CVE-2023-6378-and-CVE-2023-6481.patch BuildRequires: java-devel >= 1:1.6.0 maven-local mvn(javax.mail:mail) BuildRequires: mvn(javax.servlet:javax.servlet-api) mvn(junit:junit) mvn(log4j:log4j:1.2.17) @@ -122,6 +123,9 @@ %files help -f .mfiles-javadoc %changelog +* Tue Dec 12 2023 wangkai <13474090681@163.com> - 1.2.8-3 +- Fix CVE-2023-6378,CVE-2023-6481 + * Mon Aug 8 2022 Chenyx <chenyixiong3@huawei.com> - 1.2.8-2 - License compliance rectification
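Review bot: Patch0002 is declared at the top of the spec, but the %prep section that has to apply it lies outside this hunk; confirm that %prep picks it up (for example `%autosetup -p1`, or an explicit `%patch -P2 -p1` if patches are listed individually), otherwise release 3 ships with the patch file present but the fix unapplied. The embedded patch's own subject line reads "fix CVE-2023-6378", while the changelog entry claims both CVE-2023-6378 and CVE-2023-6481, so it is worth verifying that the upstream change for CVE-2023-6481 is actually contained in that patch before the changelog asserts it. Minor wording: `- Fix CVE-2023-6378, CVE-2023-6481` with a space after the comma reads better.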
_service:tar_scm:CVE-2023-6378-and-CVE-2023-6481.patch
Added
@@ -0,0 +1,456 @@ +From bb095154be011267b64e37a1d401546e7cc2b7c3 Mon Sep 17 00:00:00 2001 +From: Ceki Gulcu <ceki@qos.ch> +Date: Fri, 1 Dec 2023 15:12:22 +0100 +Subject: PATCH fix CVE-2023-6378 + +Signed-off-by: Ceki Gulcu <ceki@qos.ch> +--- + .../logback/classic/spi/LoggingEventVO.java | 7 ++ + .../src/test/input/issue/logback-1754.xml | 30 +++++++ + .../issue/logback_1754/LogbackTest.java | 78 +++++++++++++++++++ + .../core/net/HardenedObjectInputStream.java | 55 ++++++++++++- + .../ch/qos/logback/core/util/EnvUtil.java | 39 ++++++---- + .../net/HardenedObjectInputStreamTest.java | 49 +++++++++++- + .../rolling/ScaffoldingForRollingTests.java | 2 +- + .../ch/qos/logback/core/util/EnvUtilTest.java | 34 ++++++++ + 8 files changed, 275 insertions(+), 19 deletions(-) + create mode 100644 logback-classic/src/test/input/issue/logback-1754.xml + create mode 100644 logback-classic/src/test/java/ch/qos/logback/classic/issue/logback_1754/LogbackTest.java + create mode 100644 logback-core/src/test/java/ch/qos/logback/core/util/EnvUtilTest.java + +diff --git a/logback-classic/src/main/java/ch/qos/logback/classic/spi/LoggingEventVO.java b/logback-classic/src/main/java/ch/qos/logback/classic/spi/LoggingEventVO.java +index e21350b2cc..ea2c6ac128 100644 +--- a/logback-classic/src/main/java/ch/qos/logback/classic/spi/LoggingEventVO.java ++++ b/logback-classic/src/main/java/ch/qos/logback/classic/spi/LoggingEventVO.java +@@ -14,6 +14,7 @@ + package ch.qos.logback.classic.spi; + + import java.io.IOException; ++import java.io.InvalidObjectException; + import java.io.ObjectInputStream; + import java.io.ObjectOutputStream; + import java.io.Serializable; +@@ -38,6 +39,7 @@ public class LoggingEventVO implements ILoggingEvent, Serializable { + + private static final int NULL_ARGUMENT_ARRAY = -1; + private static final String NULL_ARGUMENT_ARRAY_ELEMENT = "NULL_ARGUMENT_ARRAY_ELEMENT"; ++ private static final int ARGUMENT_ARRAY_DESERIALIZATION_LIMIT = 128; + + private String threadName; 
+ private String loggerName; +@@ -181,6 +183,11 @@ private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundE + level = Level.toLevel(levelInt); + + int argArrayLen = in.readInt(); ++ // Prevent DOS attacks via large or negative arrays ++ if (argArrayLen < NULL_ARGUMENT_ARRAY || argArrayLen > ARGUMENT_ARRAY_DESERIALIZATION_LIMIT) { ++ throw new InvalidObjectException("Argument array length is invalid: " + argArrayLen); ++ } ++ + if (argArrayLen != NULL_ARGUMENT_ARRAY) { + argumentArray = new StringargArrayLen; + for (int i = 0; i < argArrayLen; i++) { +diff --git a/logback-classic/src/test/input/issue/logback-1754.xml b/logback-classic/src/test/input/issue/logback-1754.xml +new file mode 100644 +index 0000000000..ab41185a34 +--- /dev/null ++++ b/logback-classic/src/test/input/issue/logback-1754.xml +@@ -0,0 +1,30 @@ ++<?xml version="1.0" encoding="UTF-8"?> ++<!-- ++ ~ Logback: the reliable, generic, fast and flexible logging framework. ++ ~ Copyright (C) 1999-2023, QOS.ch. All rights reserved. ++ ~ ++ ~ This program and the accompanying materials are dual-licensed under ++ ~ either the terms of the Eclipse Public License v1.0 as published by ++ ~ the Eclipse Foundation ++ ~ ++ ~ or (per the licensee's choosing) ++ ~ ++ ~ under the terms of the GNU Lesser General Public License version 2.1 ++ ~ as published by the Free Software Foundation. 
++ --> ++ ++<configuration debug="true"> ++ <appender name="GENERAL" class="ch.qos.logback.core.rolling.RollingFileAppender"> ++ <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> ++ <fileNamePattern>${logback_1754_targetDirectory}/test-%d{yyyy-MM-dd}.log</fileNamePattern> ++ <maxHistory>120</maxHistory> ++ </rollingPolicy> ++ <encoder> ++ <pattern>%date{HH:mm:ss.SSS} %level %logger{0} %thread %class{3}:%line : %msg%n</pattern> ++ </encoder> ++ <prudent>true</prudent> ++ </appender> ++ <root level="debug"> ++ <appender-ref ref="GENERAL" /> ++ </root> ++</configuration> +\ No newline at end of file +diff --git a/logback-classic/src/test/java/ch/qos/logback/classic/issue/logback_1754/LogbackTest.java b/logback-classic/src/test/java/ch/qos/logback/classic/issue/logback_1754/LogbackTest.java +new file mode 100644 +index 0000000000..3001c00a66 +--- /dev/null ++++ b/logback-classic/src/test/java/ch/qos/logback/classic/issue/logback_1754/LogbackTest.java +@@ -0,0 +1,78 @@ ++/* ++ * Logback: the reliable, generic, fast and flexible logging framework. ++ * Copyright (C) 1999-2023, QOS.ch. All rights reserved. ++ * ++ * This program and the accompanying materials are dual-licensed under ++ * either the terms of the Eclipse Public License v1.0 as published by ++ * the Eclipse Foundation ++ * ++ * or (per the licensee's choosing) ++ * ++ * under the terms of the GNU Lesser General Public License version 2.1 ++ * as published by the Free Software Foundation. 
++ */ ++ ++package ch.qos.logback.classic.issue.logback_1754; ++ ++import ch.qos.logback.classic.ClassicConstants; ++import ch.qos.logback.classic.ClassicTestConstants; ++import ch.qos.logback.core.testUtil.RandomUtil; ++import org.slf4j.Logger; ++import org.slf4j.LoggerFactory; ++ ++import java.util.ArrayList; ++import java.util.List; ++import java.util.concurrent.CountDownLatch; ++ ++import static ch.qos.logback.classic.util.ContextInitializer.CONFIG_FILE_PROPERTY; ++ ++public class LogbackTest { ++ ++ private static final int THREADS = 16; ++ ++ private void runTest() { ++ ++ int diff = RandomUtil.getPositiveInt(); ++ //System.setProperty("logback.statusListenerClass", "sysout"); ++ System.setProperty(CONFIG_FILE_PROPERTY, ClassicTestConstants.INPUT_PREFIX+"issue/logback-1754.xml"); ++ System.setProperty("logback_1754_targetDirectory", ClassicTestConstants.OUTPUT_DIR_PREFIX+"safeWrite_"+diff); ++ ++ CountDownLatch latch = new CountDownLatch(THREADS); ++ List<Thread> threads = new ArrayList<Thread>(THREADS); ++ for (int i = 0; i < THREADS; i++) { ++ LoggerThread thread = new LoggerThread(latch, "message from thread " + i); ++ thread.start(); ++ threads.add(thread); ++ } ++ for (Thread thread : threads) { ++ try { ++ thread.join(); ++ } catch (InterruptedException e) { ++ Thread.currentThread().interrupt(); ++ throw new RuntimeException(e); ++ } ++ } ++ } ++ ++ public static void main(String... 
args) { ++ new LogbackTest().runTest(); ++ } ++ ++ private static final class LoggerThread extends Thread { ++ private static final Logger LOG = LoggerFactory.getLogger(LoggerThread.class); ++ private final CountDownLatch latch; ++ private final String message; ++ ++ LoggerThread(CountDownLatch latch, String message) { ++ setDaemon(false); ++ this.latch = latch; ++ this.message = message; ++ } ++ ++ @Override ++ public void run() { ++ latch.countDown(); ++ LOG.info(message); ++ } ++ } ++} +diff --git a/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java b/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java +index d1b7301ea4..0674aaf3ea 100755 +--- a/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java ++++ b/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java +@@ -1,10 +1,27 @@ ++/** ++ * Logback: the reliable, generic, fast and flexible logging framework. ++ * Copyright (C) 1999-2023, QOS.ch. All rights reserved. ++ * ++ * This program and the accompanying materials are dual-licensed under ++ * either the terms of the Eclipse Public License v1.0 as published by ++ * the Eclipse Foundation ++ * ++ * or (per the licensee's choosing) ++ * ++ * under the terms of the GNU Lesser General Public License version 2.1 ++ * as published by the Free Software Foundation. 
++ */ + package ch.qos.logback.core.net; + ++import ch.qos.logback.core.util.EnvUtil; ++ + import java.io.IOException; + import java.io.InputStream; + import java.io.InvalidClassException; + import java.io.ObjectInputStream; + import java.io.ObjectStreamClass; ++import java.lang.reflect.InvocationTargetException; ++import java.lang.reflect.Method; + import java.util.ArrayList; + import java.util.List; + +@@ -22,10 +39,12 @@ public class HardenedObjectInputStream extends ObjectInputStream { + + final List<String> whitelistedClassNames; + final static String JAVA_PACKAGES = new String { "java.lang", "java.util" }; ++ final private static int DEPTH_LIMIT = 16; ++ final private static int ARRAY_LIMIT = 10000; + + public HardenedObjectInputStream(InputStream in, String whilelist) throws IOException { + super(in); +- ++ initObjectFilter(); + this.whitelistedClassNames = new ArrayList<String>(); + if (whilelist != null) { + for (int i = 0; i < whilelist.length; i++) { +@@ -36,11 +55,43 @@ public HardenedObjectInputStream(InputStream in, String whilelist) throws IOEx + + public HardenedObjectInputStream(InputStream in, List<String> whitelist) throws IOException { + super(in); +- ++ initObjectFilter(); + this.whitelistedClassNames = new ArrayList<String>(); + this.whitelistedClassNames.addAll(whitelist); + } + ++ private void initObjectFilter() { ++ ++ // invoke the following code by reflection ++ // this.setObjectInputFilter(ObjectInputFilter.Config.createFilter( ++ // "maxarray=" + ARRAY_LIMIT + ";maxdepth=" + DEPTH_LIMIT + ";" ++ // )); ++ if(EnvUtil.isJDK9OrHigher()) { ++ try { ++ ClassLoader classLoader = this.getClass().getClassLoader(); ++ ++ Class oifClass = classLoader.loadClass("java.io.ObjectInputFilter"); ++ Class oifConfigClass = classLoader.loadClass("java.io.ObjectInputFilter$Config"); ++ Method setObjectInputFilterMethod = this.getClass().getMethod("setObjectInputFilter", oifClass); ++ ++ Method createFilterMethod = oifConfigClass.getMethod("createFilter", 
String.class); ++ Object filter = createFilterMethod.invoke(null, "maxarray=" + ARRAY_LIMIT + ";maxdepth=" + DEPTH_LIMIT + ";"); ++ setObjectInputFilterMethod.invoke(this, filter); ++ } catch (ClassNotFoundException e) { ++ // this code should be unreachable ++ throw new RuntimeException("Failed to initialize object filter", e); ++ } catch (InvocationTargetException e) { ++ // this code should be unreachable ++ throw new RuntimeException("Failed to initialize object filter", e); ++ } catch (NoSuchMethodException e) { ++ // this code should be unreachable ++ throw new RuntimeException("Failed to initialize object filter", e); ++ } catch (IllegalAccessException e) { ++ // this code should be unreachable ++ throw new RuntimeException("Failed to initialize object filter", e); ++ } ++ } ++ } + @Override + protected Class<?> resolveClass(ObjectStreamClass anObjectStreamClass) throws IOException, ClassNotFoundException { + +diff --git a/logback-core/src/main/java/ch/qos/logback/core/util/EnvUtil.java b/logback-core/src/main/java/ch/qos/logback/core/util/EnvUtil.java +index c200a1c984..f3dcd0cfe3 100644 +--- a/logback-core/src/main/java/ch/qos/logback/core/util/EnvUtil.java ++++ b/logback-core/src/main/java/ch/qos/logback/core/util/EnvUtil.java +@@ -1,6 +1,6 @@ + /** + * Logback: the reliable, generic, fast and flexible logging framework. +- * Copyright (C) 1999-2015, QOS.ch. All rights reserved. ++ * Copyright (C) 1999-2023, QOS.ch. All rights reserved. + * + * This program and the accompanying materials are dual-licensed under + * either the terms of the Eclipse Public License v1.0 as published by +@@ -22,22 +22,27 @@ + public class EnvUtil { + + static private boolean isJDK_N_OrHigher(int n) { +- List<String> versionList = new ArrayList<String>(); +- // this code should work at least until JDK 10 (assuming n parameter is +- // always 6 or more) +- for (int i = 0; i < 5; i++) { +- versionList.add("1." 
+ (n + i)); +- } +- +- String javaVersion = System.getProperty("java.version"); +- if (javaVersion == null) { ++ String javaVersionStr = System.getProperty("java.version", ""); ++ if (javaVersionStr.isEmpty()) + return false; ++ ++ int version = getJDKVersion(javaVersionStr); ++ return version > 0 && n <= version; ++ } ++ ++ static public int getJDKVersion(String javaVersionStr) { ++ int version = 0; ++ ++ for (char ch : javaVersionStr.toCharArray()) { ++ if (Character.isDigit(ch)) { ++ version = (version * 10) + (ch - 48); ++ } else if (version == 1) { ++ version = 0; ++ } else { ++ break; ++ } + } +- for (String v : versionList) { +- if (javaVersion.startsWith(v)) +- return true; +- } +- return false; ++ return version; + } + + static public boolean isJDK5() { +@@ -52,6 +57,10 @@ static public boolean isJDK7OrHigher() { + return isJDK_N_OrHigher(7); + } + ++ static public boolean isJDK9OrHigher() { ++ return isJDK_N_OrHigher(9); ++ } ++ + static public boolean isJaninoAvailable() { + ClassLoader classLoader = EnvUtil.class.getClassLoader(); + try { +diff --git a/logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java b/logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java +index ff4ddc599f..36f7f11b59 100755 +--- a/logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java ++++ b/logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java +@@ -1,12 +1,17 @@ + package ch.qos.logback.core.net; + + import static org.junit.Assert.assertEquals; ++import static org.junit.Assert.fail; + + import java.io.ByteArrayInputStream; + import java.io.ByteArrayOutputStream; + import java.io.IOException; ++import java.io.InvalidClassException; + import java.io.ObjectOutputStream; ++import java.util.HashSet; ++import java.util.Set; + ++import ch.qos.logback.core.util.EnvUtil; + import org.junit.After; + import org.junit.Before; + import org.junit.Test; +@@ -54,5 +59,47 
@@ private void writeObject(ObjectOutputStream oos, Object o) throws IOException { + oos.flush(); + oos.close(); + } +- ++ ++ @Test ++ public void denialOfService() throws ClassNotFoundException, IOException { ++ ++ if(!EnvUtil.isJDK9OrHigher()) { ++ return; ++ } ++ ++ ByteArrayInputStream bis = new ByteArrayInputStream(payload()); ++ inputStream = new HardenedObjectInputStream(bis, whitelist); ++ try { ++ inputStream.readObject(); ++ fail("InvalidClassException expected"); ++ } catch(InvalidClassException e) { ++ } ++ finally { ++ inputStream.close(); ++ } ++ } ++ ++ private byte payload() throws IOException { ++ Set root = buildEvilHashset(); ++ writeObject(oos, root); ++ return bos.toByteArray(); ++ } ++ ++ private Set buildEvilHashset() { ++ Set root = new HashSet(); ++ Set s1 = root; ++ Set s2 = new HashSet(); ++ for (int i = 0; i < 100; i++) { ++ Set t1 = new HashSet(); ++ Set t2 = new HashSet(); ++ t1.add("foo"); // make it not equal to t2 ++ s1.add(t1); ++ s1.add(t2); ++ s2.add(t1); ++ s2.add(t2); ++ s1 = t1; ++ s2 = t2; ++ } ++ return root; ++ } + } +diff --git a/logback-core/src/test/java/ch/qos/logback/core/rolling/ScaffoldingForRollingTests.java b/logback-core/src/test/java/ch/qos/logback/core/rolling/ScaffoldingForRollingTests.java +index 57389be3f7..504b52adc2 100755 +--- a/logback-core/src/test/java/ch/qos/logback/core/rolling/ScaffoldingForRollingTests.java ++++ b/logback-core/src/test/java/ch/qos/logback/core/rolling/ScaffoldingForRollingTests.java +@@ -24,10 +24,10 @@ + + import java.io.File; + import java.io.IOException; +-import java.sql.Date; + import java.text.SimpleDateFormat; + import java.util.ArrayList; + import java.util.Calendar; ++import java.util.Date; + import java.util.Enumeration; + import java.util.List; + import java.util.concurrent.Future; +diff --git a/logback-core/src/test/java/ch/qos/logback/core/util/EnvUtilTest.java b/logback-core/src/test/java/ch/qos/logback/core/util/EnvUtilTest.java +new file mode 100644 +index 
0000000000..2ee4abd42e +--- /dev/null ++++ b/logback-core/src/test/java/ch/qos/logback/core/util/EnvUtilTest.java +@@ -0,0 +1,34 @@ ++/** ++ * Logback: the reliable, generic, fast and flexible logging framework. ++ * Copyright (C) 1999-2023, QOS.ch. All rights reserved. ++ * ++ * This program and the accompanying materials are dual-licensed under ++ * either the terms of the Eclipse Public License v1.0 as published by ++ * the Eclipse Foundation ++ * ++ * or (per the licensee's choosing) ++ * ++ * under the terms of the GNU Lesser General Public License version 2.1 ++ * as published by the Free Software Foundation. ++ */ ++package ch.qos.logback.core.util; ++ ++import org.junit.Test; ++ ++import static org.junit.Assert.assertEquals; ++ ++public class EnvUtilTest { ++ ++ ++ @Test ++ public void jdkVersion() { ++ assertEquals(4, EnvUtil.getJDKVersion("1.4.xx")); ++ assertEquals(5, EnvUtil.getJDKVersion("1.5")); ++ assertEquals(5, EnvUtil.getJDKVersion("1.5.xx")); ++ assertEquals(5, EnvUtil.getJDKVersion("1.5AA")); ++ assertEquals(9, EnvUtil.getJDKVersion("9EA")); ++ assertEquals(9, EnvUtil.getJDKVersion("9.0.1")); ++ assertEquals(18, EnvUtil.getJDKVersion("18.3+xx")); ++ assertEquals(21, EnvUtil.getJDKVersion("21.0.1")); ++ } ++}
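Review bot: In HardenedObjectInputStream.initObjectFilter the serialization filter is installed only when `EnvUtil.isJDK9OrHigher()` returns true, and that depends on parsing the `java.version` property, so an empty or unusually formatted version string (where `getJDKVersion` yields 0) leaves the stream without the maxarray/maxdepth filter on a JDK that does support `ObjectInputFilter`, and nothing reports that the protection was skipped. The reflective lookup already distinguishes the two cases on its own, since `classLoader.loadClass("java.io.ObjectInputFilter")` throws ClassNotFoundException on pre-9 JDKs, so the version gate could be dropped and that catch turned into the explicit fallback, `catch (ClassNotFoundException e) { /* pre-JDK 9: no ObjectInputFilter, array/depth limits are not enforced */ return; }`, instead of the current "this code should be unreachable" RuntimeException. The same silent fail-open shape appears in HardenedObjectInputStreamTest.denialOfService, which simply returns on older JDKs; an `assumeTrue(EnvUtil.isJDK9OrHigher())` would at least make the skipped coverage visible in the test report.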
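--- a/_service
+++ b/_service
@@ -2,7 +2,7 @@
 <service name="tar_scm">
 <param name="url">git@gitee.com:src-openeuler/logback.git</param>
 <param name="scm">git</param>
-<param name="revision">openEuler-23.09</param>
+<param name="revision">master</param>
 <param name="exclude">*</param>
 <param name="extract">*</param>
 </service>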
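Review bot: The revision parameter now points at `master` instead of the pinned `openEuler-23.09` branch, so every service run fetches whatever that branch head holds at build time and the checkout can no longer be reproduced or audited from the _service file alone. If the intent is to track the packaging repository's main branch, consider pinning a tag or commit hash, `<param name="revision">[commit-or-tag]</param>`, and bumping it deliberately with each release so a build maps to one known source state.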
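--- a/_service:tar_scm:logback.yaml
+++ b/_service:tar_scm:logback.yaml
@@ -0,0 +1,4 @@
+version_control: github
+src_repo: qos-ch/logback/
+tag_prefix: ^v_
+separator: .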