File _service:obs_scm:CVE-2022-46337.patch of Package derby
Origin: https://svn.apache.org/viewvc?view=revision&revision=1905586 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056755 Forwarded: not-needed -- --- a/java/engine/org/apache/derby/impl/jdbc/authentication/LDAPAuthenticationSchemeImpl.java +++ b/java/engine/org/apache/derby/impl/jdbc/authentication/LDAPAuthenticationSchemeImpl.java @@ -191,6 +191,54 @@ /** + * Given an LDAP search string, returns the string with certain characters + * escaped according to RFC 2254 guidelines. Cribbed from org.apache.catalina.realm.JNDIRealm. + * + * The character mapping is as follows: + * char -> Replacement + * --------------------------- + * * -> \2a + * ( -> \28 + * ) -> \29 + * \ -> \5c + * \0 -> \00 + * + * @param inString string to escape according to RFC 2254 guidelines + * + * @return String the escaped/encoded result + */ + protected String doFilterEscaping(String inString) { + if (inString == null) { + return null; + } + StringBuilder buf = new StringBuilder(inString.length()); + for (int i = 0; i < inString.length(); i++) { + char c = inString.charAt(i); + switch (c) { + case '\\': + buf.append("\\5c"); + break; + case '*': + buf.append("\\2a"); + break; + case '(': + buf.append("\\28"); + break; + case ')': + buf.append("\\29"); + break; + case '\0': + buf.append("\\00"); + break; + default: + buf.append(c); + break; + } + } + return buf.toString(); + } + + /** * Call new InitialDirContext in a privilege block * @param env environment used to create the initial DirContext. Null indicates an empty environment. * @return an initial DirContext using the supplied environment. @@ -411,7 +459,10 @@ private String getDNFromUID(String uid) throws javax.naming.NamingException { - // + // Escape the uid as a defense against LDAP injection. See DERBY-7147. + uid = doFilterEscaping(uid); + + // // We bind to the LDAP server here // Note that this bind might be anonymous (if anonymous searches // are allowed in the LDAP server, or authenticated if we were 
--- /dev/null +++ b/tools/release/notices/tomcat.txt 
@@ -0,0 +1,72 @@ +Derby uses the org.apache.catalina.realm.JNDIRealm.doFilterEscaping() +routine from the Apache Tomcat project. The following notice covers +the Tomcat sources: + +Apache Tomcat +Copyright 1999-2022 The Apache Software Foundation + +This product includes software developed at +The Apache Software Foundation (https://www.apache.org/). + +This software contains code derived from netty-native +developed by the Netty project +(https://netty.io, https://github.com/netty/netty-tcnative/) +and from finagle-native developed at Twitter +(https://github.com/twitter/finagle). + +This software contains code derived from jgroups-kubernetes +developed by the JGroups project (http://www.jgroups.org/). + +The Windows Installer is built with the Nullsoft +Scriptable Install System (NSIS), which is +open source software. The original software and +related information is available at +http://nsis.sourceforge.net. + +Java compilation software for JSP pages is provided by the Eclipse +JDT Core Batch Compiler component, which is open source software. +The original software and related information is available at +https://www.eclipse.org/jdt/core/. + +org.apache.tomcat.util.json.JSONParser.jj is a public domain javacc grammar +for JSON written by Robert Fischer. +https://github.com/RobertFischer/json-parser + +For portions of the Tomcat JNI OpenSSL API and the OpenSSL JSSE integration +The org.apache.tomcat.jni and the org.apache.tomcat.net.openssl packages +are derivative work originating from the Netty project and the finagle-native +project developed at Twitter +* Copyright 2014 The Netty Project +* Copyright 2014 Twitter + +For portions of the Tomcat cloud support +The org.apache.catalina.tribes.membership.cloud package contains derivative +work originating from the jgroups project. +https://github.com/jgroups-extras/jgroups-kubernetes +Copyright 2002-2018 Red Hat Inc. 
+ +The original XML Schemas for Java EE Deployment Descriptors: + - javaee_5.xsd + - javaee_web_services_1_2.xsd + - javaee_web_services_client_1_2.xsd + - javaee_6.xsd + - javaee_web_services_1_3.xsd + - javaee_web_services_client_1_3.xsd + - jsp_2_2.xsd + - web-app_3_0.xsd + - web-common_3_0.xsd + - web-fragment_3_0.xsd + - javaee_7.xsd + - javaee_web_services_1_4.xsd + - javaee_web_services_client_1_4.xsd + - jsp_2_3.xsd + - web-app_3_1.xsd + - web-common_3_1.xsd + - web-fragment_3_1.xsd + - javaee_8.xsd + - web-app_4_0.xsd + - web-common_4_0.xsd + - web-fragment_4_0.xsd + +may be obtained from: +http://www.oracle.com/webfolder/technetwork/jsc/xml/ns/javaee/index.html --- a/build.xml +++ b/build.xml @@ -2022,6 +2022,7 @@ <antcall target="appendnotice"><param name="sourcefile" value="felix.txt"/></antcall> <antcall target="appendnotice"><param name="sourcefile" value="lucene.txt"/></antcall> <antcall target="appendnotice"><param name="sourcefile" value="simpleJson.txt"/></antcall> + <antcall target="appendnotice"><param name="sourcefile" value="tomcat.txt"/></antcall> <antcall target="checkinfile"> <param name="checkinComment" value="Check in NOTICE as part of building a release."/>
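Review bot: The escape table in doFilterEscaping (first hunk of LDAPAuthenticationSchemeImpl.java) covers exactly the five filter metacharacters that RFC 2254, and its successor RFC 4515, require: `*`, `(`, `)`, `\` and NUL, so a substituted value can no longer change the structure of a search filter; the Javadoc could cite RFC 4515 since RFC 2254 is obsoleted. What the Javadoc should also say is that this is filter-assertion escaping only and not the encoding for a value placed into a distinguished name (RFC 4514 uses different rules), so the method must not be read as a general "sanitize for LDAP" routine. Because the routine is now security-relevant, a small unit test pinning the mappings, for example asserting that doFilterEscaping("a*(b)\\") returns "a\\2a\\28b\\29\\5c" and that null is passed through, would be worth adding alongside it.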
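Review bot: Reassigning the parameter in getDNFromUID (`uid = doFilterEscaping(uid);`, second hunk of LDAPAuthenticationSchemeImpl.java) works, but it hides from later readers of the method that the value is now encoded; a separate local such as `String escapedUid = doFilterEscaping(uid);` used only where the search filter is built makes the two forms distinct and avoids the escaped form leaking into logging or comparisons meant for the raw uid. The comment rightly points at DERBY-7147; it would help to extend it with the rule that the escaped value is valid only inside the search filter, since the method name getDNFromUID suggests the uid may also end up in DN material, where RFC 4514 escaping is the one that applies.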
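Review bot: The new tools/release/notices/tomcat.txt carries Tomcat's entire NOTICE, including attributions for netty-native, finagle-native, jgroups-kubernetes, NSIS, the Eclipse JDT batch compiler, the JSON javacc grammar and the Java EE XML schemas, none of which Derby takes with this patch; the hunk's own opening paragraph states that only the JNDIRealm.doFilterEscaping() routine is used. Trimming the file to that opening paragraph plus the lines "Apache Tomcat / Copyright 1999-2022 The Apache Software Foundation / This product includes software developed at The Apache Software Foundation" would keep the aggregated NOTICE that build.xml appends accurate and avoid attributing third-party components Derby does not ship.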