Changes of Revision 3
_service:tar_scm:logback.spec
Changed
@@ -1,12 +1,13 @@
Name: logback
Version: 1.2.8
-Release: 2
+Release: 3
Summary: A Java logging library
License: LGPLv2 or EPL-1.0
URL: http://logback.qos.ch/
Source0: https://github.com/qos-ch/logback/archive/v_%{version}.tar.gz
-Patch0001: logback-1.2.8-jetty.patch
+Patch0001: logback-1.2.8-jetty.patch
+Patch0002: CVE-2023-6378-and-CVE-2023-6481.patch
BuildRequires: java-devel >= 1:1.6.0 maven-local mvn(javax.mail:mail)
BuildRequires: mvn(javax.servlet:javax.servlet-api) mvn(junit:junit) mvn(log4j:log4j:1.2.17)
@@ -122,6 +123,9 @@
%files help -f .mfiles-javadoc
%changelog
+* Tue Dec 12 2023 wangkai <13474090681@163.com> - 1.2.8-3
+- Fix CVE-2023-6378,CVE-2023-6481
+
* Mon Aug 8 2022 Chenyx <chenyixiong3@huawei.com> - 1.2.8-2
- License compliance rectification
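Review bot: `Patch0002:` is declared in the preamble, but the hunk shows no matching application step (a `%patch2 -p1` or an `%autosetup -p1`), and `%prep` lies outside this hunk, so confirm the patch is actually applied at build time — a declared-but-unapplied patch leaves the package advertising a CVE fix it does not carry. The changelog entry claims both CVE-2023-6378 and CVE-2023-6481, whereas the Subject line of the added patch file names only CVE-2023-6378; verify that the patch content covers both before keeping that wording. The `Patch0001:` line is removed and re-added with identical visible text, which looks like a whitespace-only change and could be dropped to keep the security update minimal.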
_service:tar_scm:CVE-2023-6378-and-CVE-2023-6481.patch
Added
@@ -0,0 +1,456 @@ +From bb095154be011267b64e37a1d401546e7cc2b7c3 Mon Sep 17 00:00:00 2001 +From: Ceki Gulcu <ceki@qos.ch> +Date: Fri, 1 Dec 2023 15:12:22 +0100 +Subject: PATCH fix CVE-2023-6378 + +Signed-off-by: Ceki Gulcu <ceki@qos.ch> +--- + .../logback/classic/spi/LoggingEventVO.java | 7 ++ + .../src/test/input/issue/logback-1754.xml | 30 +++++++ + .../issue/logback_1754/LogbackTest.java | 78 +++++++++++++++++++ + .../core/net/HardenedObjectInputStream.java | 55 ++++++++++++- + .../ch/qos/logback/core/util/EnvUtil.java | 39 ++++++---- + .../net/HardenedObjectInputStreamTest.java | 49 +++++++++++- + .../rolling/ScaffoldingForRollingTests.java | 2 +- + .../ch/qos/logback/core/util/EnvUtilTest.java | 34 ++++++++ + 8 files changed, 275 insertions(+), 19 deletions(-) + create mode 100644 logback-classic/src/test/input/issue/logback-1754.xml + create mode 100644 logback-classic/src/test/java/ch/qos/logback/classic/issue/logback_1754/LogbackTest.java + create mode 100644 logback-core/src/test/java/ch/qos/logback/core/util/EnvUtilTest.java + +diff --git a/logback-classic/src/main/java/ch/qos/logback/classic/spi/LoggingEventVO.java b/logback-classic/src/main/java/ch/qos/logback/classic/spi/LoggingEventVO.java +index e21350b2cc..ea2c6ac128 100644 +--- a/logback-classic/src/main/java/ch/qos/logback/classic/spi/LoggingEventVO.java ++++ b/logback-classic/src/main/java/ch/qos/logback/classic/spi/LoggingEventVO.java +@@ -14,6 +14,7 @@ + package ch.qos.logback.classic.spi; + + import java.io.IOException; ++import java.io.InvalidObjectException; + import java.io.ObjectInputStream; + import java.io.ObjectOutputStream; + import java.io.Serializable; +@@ -38,6 +39,7 @@ public class LoggingEventVO implements ILoggingEvent, Serializable { + + private static final int NULL_ARGUMENT_ARRAY = -1; + private static final String NULL_ARGUMENT_ARRAY_ELEMENT = "NULL_ARGUMENT_ARRAY_ELEMENT"; ++ private static final int ARGUMENT_ARRAY_DESERIALIZATION_LIMIT = 128; + + private String threadName; 
+ private String loggerName; +@@ -181,6 +183,11 @@ private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundE + level = Level.toLevel(levelInt); + + int argArrayLen = in.readInt(); ++ // Prevent DOS attacks via large or negative arrays ++ if (argArrayLen < NULL_ARGUMENT_ARRAY || argArrayLen > ARGUMENT_ARRAY_DESERIALIZATION_LIMIT) { ++ throw new InvalidObjectException("Argument array length is invalid: " + argArrayLen); ++ } ++ + if (argArrayLen != NULL_ARGUMENT_ARRAY) { + argumentArray = new StringargArrayLen; + for (int i = 0; i < argArrayLen; i++) { +diff --git a/logback-classic/src/test/input/issue/logback-1754.xml b/logback-classic/src/test/input/issue/logback-1754.xml +new file mode 100644 +index 0000000000..ab41185a34 +--- /dev/null ++++ b/logback-classic/src/test/input/issue/logback-1754.xml +@@ -0,0 +1,30 @@ ++<?xml version="1.0" encoding="UTF-8"?> ++<!-- ++ ~ Logback: the reliable, generic, fast and flexible logging framework. ++ ~ Copyright (C) 1999-2023, QOS.ch. All rights reserved. ++ ~ ++ ~ This program and the accompanying materials are dual-licensed under ++ ~ either the terms of the Eclipse Public License v1.0 as published by ++ ~ the Eclipse Foundation ++ ~ ++ ~ or (per the licensee's choosing) ++ ~ ++ ~ under the terms of the GNU Lesser General Public License version 2.1 ++ ~ as published by the Free Software Foundation. 
++ --> ++ ++<configuration debug="true"> ++ <appender name="GENERAL" class="ch.qos.logback.core.rolling.RollingFileAppender"> ++ <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> ++ <fileNamePattern>${logback_1754_targetDirectory}/test-%d{yyyy-MM-dd}.log</fileNamePattern> ++ <maxHistory>120</maxHistory> ++ </rollingPolicy> ++ <encoder> ++ <pattern>%date{HH:mm:ss.SSS} %level %logger{0} %thread %class{3}:%line : %msg%n</pattern> ++ </encoder> ++ <prudent>true</prudent> ++ </appender> ++ <root level="debug"> ++ <appender-ref ref="GENERAL" /> ++ </root> ++</configuration> +\ No newline at end of file +diff --git a/logback-classic/src/test/java/ch/qos/logback/classic/issue/logback_1754/LogbackTest.java b/logback-classic/src/test/java/ch/qos/logback/classic/issue/logback_1754/LogbackTest.java +new file mode 100644 +index 0000000000..3001c00a66 +--- /dev/null ++++ b/logback-classic/src/test/java/ch/qos/logback/classic/issue/logback_1754/LogbackTest.java +@@ -0,0 +1,78 @@ ++/* ++ * Logback: the reliable, generic, fast and flexible logging framework. ++ * Copyright (C) 1999-2023, QOS.ch. All rights reserved. ++ * ++ * This program and the accompanying materials are dual-licensed under ++ * either the terms of the Eclipse Public License v1.0 as published by ++ * the Eclipse Foundation ++ * ++ * or (per the licensee's choosing) ++ * ++ * under the terms of the GNU Lesser General Public License version 2.1 ++ * as published by the Free Software Foundation. 
++ */ ++ ++package ch.qos.logback.classic.issue.logback_1754; ++ ++import ch.qos.logback.classic.ClassicConstants; ++import ch.qos.logback.classic.ClassicTestConstants; ++import ch.qos.logback.core.testUtil.RandomUtil; ++import org.slf4j.Logger; ++import org.slf4j.LoggerFactory; ++ ++import java.util.ArrayList; ++import java.util.List; ++import java.util.concurrent.CountDownLatch; ++ ++import static ch.qos.logback.classic.util.ContextInitializer.CONFIG_FILE_PROPERTY; ++ ++public class LogbackTest { ++ ++ private static final int THREADS = 16; ++ ++ private void runTest() { ++ ++ int diff = RandomUtil.getPositiveInt(); ++ //System.setProperty("logback.statusListenerClass", "sysout"); ++ System.setProperty(CONFIG_FILE_PROPERTY, ClassicTestConstants.INPUT_PREFIX+"issue/logback-1754.xml"); ++ System.setProperty("logback_1754_targetDirectory", ClassicTestConstants.OUTPUT_DIR_PREFIX+"safeWrite_"+diff); ++ ++ CountDownLatch latch = new CountDownLatch(THREADS); ++ List<Thread> threads = new ArrayList<Thread>(THREADS); ++ for (int i = 0; i < THREADS; i++) { ++ LoggerThread thread = new LoggerThread(latch, "message from thread " + i); ++ thread.start(); ++ threads.add(thread); ++ } ++ for (Thread thread : threads) { ++ try { ++ thread.join(); ++ } catch (InterruptedException e) { ++ Thread.currentThread().interrupt(); ++ throw new RuntimeException(e); ++ } ++ } ++ } ++ ++ public static void main(String... 
args) { ++ new LogbackTest().runTest(); ++ } ++ ++ private static final class LoggerThread extends Thread { ++ private static final Logger LOG = LoggerFactory.getLogger(LoggerThread.class); ++ private final CountDownLatch latch; ++ private final String message; ++ ++ LoggerThread(CountDownLatch latch, String message) { ++ setDaemon(false); ++ this.latch = latch; ++ this.message = message; ++ } ++ ++ @Override ++ public void run() { ++ latch.countDown(); ++ LOG.info(message); ++ } ++ } ++} +diff --git a/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java b/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java +index d1b7301ea4..0674aaf3ea 100755 +--- a/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java ++++ b/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java +@@ -1,10 +1,27 @@ ++/** ++ * Logback: the reliable, generic, fast and flexible logging framework. ++ * Copyright (C) 1999-2023, QOS.ch. All rights reserved. ++ * ++ * This program and the accompanying materials are dual-licensed under ++ * either the terms of the Eclipse Public License v1.0 as published by ++ * the Eclipse Foundation ++ * ++ * or (per the licensee's choosing) ++ * ++ * under the terms of the GNU Lesser General Public License version 2.1 ++ * as published by the Free Software Foundation. ++ */ + package ch.qos.logback.core.net; + ++import ch.qos.logback.core.util.EnvUtil; ++ + import java.io.IOException; + import java.io.InputStream; + import java.io.InvalidClassException; + import java.io.ObjectInputStream;
_service
Changed
@@ -2,7 +2,7 @@
<service name="tar_scm">
<param name="url">git@gitee.com:src-openeuler/logback.git</param>
<param name="scm">git</param>
- <param name="revision">openEuler-23.09</param>
+ <param name="revision">master</param>
<param name="exclude">*</param>
<param name="extract">*</param>
</service>
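Review bot: Changing the `revision` parameter from `openEuler-23.09` to `master` leaves the source fetch unpinned: every service run pulls whatever is at the branch head, so the tarball that gets built is no longer tied to a specific commit and the CVE fix in this revision cannot be reproduced or audited from the service file alone. For a security update prefer a fixed tag or commit, e.g. `<param name="revision">[PINNED_TAG_OR_COMMIT]</param>`, or record in the changelog why the tracking branch had to move.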
_service:tar_scm:logback.yaml
Added
@@ -0,0 +1,4 @@
+version_control: github
+src_repo: qos-ch/logback/
+tag_prefix: ^v_
+separator: .
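Review bot: `src_repo: qos-ch/logback/` carries a trailing slash that none of the other values have; if the tool consuming this file joins it into a URL or compares it to the GitHub owner/repo string, the slash may yield a double slash or a mismatch, so presumably `src_repo: qos-ch/logback` is intended — confirm against the consumer. `tag_prefix: ^v_` is consistent with the `v_%{version}.tar.gz` Source0 in the spec, so the tag matching itself looks right.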