
No commits in common. 'c9' and 'c10-beta' have entirely different histories.
c9 ... c10-beta

@ -1 +1 @@
28802d52408952747671b95539bdda9b842cd25f SOURCES/bcel-6.4.1-src.tar.gz
68867f5a6374d920b61450447d82a76f6d8b7e65 SOURCES/bcel-6.8.1-src.tar.gz

2
.gitignore vendored

@ -1 +1 @@
SOURCES/bcel-6.4.1-src.tar.gz
SOURCES/bcel-6.8.1-src.tar.gz

@ -1,71 +0,0 @@
From 3a4e355796891149adfd9228633f179015293dbd Mon Sep 17 00:00:00 2001
From: Richard Atkins <rjatkins359@gmail.com>
Date: Wed, 21 Sep 2022 23:18:58 +1000
Subject: [PATCH] CVE-2022-42920
---
.../org/apache/bcel/classfile/ConstantPool.java | 15 +++++++++++----
.../org/apache/bcel/generic/ConstantPoolGen.java | 11 ++++++++++-
2 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/src/main/java/org/apache/bcel/classfile/ConstantPool.java b/src/main/java/org/apache/bcel/classfile/ConstantPool.java
index f2c946a1..77ab0da4 100644
--- a/src/main/java/org/apache/bcel/classfile/ConstantPool.java
+++ b/src/main/java/org/apache/bcel/classfile/ConstantPool.java
@@ -218,10 +218,17 @@ public class ConstantPool implements Cloneable, Node {
* @throws IOException
*/
public void dump( final DataOutputStream file ) throws IOException {
- file.writeShort(constant_pool.length);
- for (int i = 1; i < constant_pool.length; i++) {
- if (constant_pool[i] != null) {
- constant_pool[i].dump(file);
+ /*
+ * Constants over the size of the constant pool shall not be written out.
+ * This is a redundant measure as the ConstantPoolGen should have already
+ * reported an error back in the situation.
+ */
+ final int size = Math.min(constant_pool.length, Const.MAX_CP_ENTRIES);
+
+ file.writeShort(size);
+ for (int i = 1; i < size; i++) {
+ if (constant_pool[i] != null) {
+ constant_pool[i].dump(file);
}
}
}
diff --git a/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java b/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java
index fd0af47e..d3189ba4 100644
--- a/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java
+++ b/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java
@@ -95,7 +95,7 @@ public class ConstantPoolGen {
public ConstantPoolGen(final Constant[] cs) {
final StringBuilder sb = new StringBuilder(DEFAULT_BUFFER_SIZE);
- size = Math.max(DEFAULT_BUFFER_SIZE, cs.length + 64);
+ size = Math.min(Math.max(DEFAULT_BUFFER_SIZE, cs.length + 64), Const.MAX_CP_ENTRIES + 1);
constants = new Constant[size];
System.arraycopy(cs, 0, constants, 0, cs.length);
@@ -224,9 +224,18 @@ public class ConstantPoolGen {
/** Resize internal array of constants.
*/
protected void adjustSize() {
+ // 3 extra spaces are needed as some entries may take 3 slots
+ if (index + 3 >= Const.MAX_CP_ENTRIES + 1) {
+ throw new IllegalStateException("The number of constants " + (index + 3)
+ + " is over the size of the constant pool: "
+ + Const.MAX_CP_ENTRIES);
+ }
+
if (index + 3 >= size) {
final Constant[] cs = constants;
size *= 2;
+ // the constant array shall not exceed the size of the constant pool
+ size = Math.min(size, Const.MAX_CP_ENTRIES + 1);
constants = new Constant[size];
System.arraycopy(cs, 0, constants, 0, index);
}
--
2.38.1

@ -1,17 +1,18 @@
Name: bcel
Version: 6.4.1
Release: 11%{?dist}
Version: 6.8.1
Release: 3%{?dist}
Summary: Byte Code Engineering Library
License: ASL 2.0
License: Apache-2.0
URL: http://commons.apache.org/proper/commons-bcel/
BuildArch: noarch
ExclusiveArch: %{java_arches} noarch
Source0: http://archive.apache.org/dist/commons/bcel/source/bcel-%{version}-src.tar.gz
Patch1: 0001-CVE-2022-42920.patch
BuildRequires: maven-local
BuildRequires: mvn(org.apache.commons:commons-lang3)
BuildRequires: mvn(org.apache.commons:commons-parent:pom:)
BuildRequires: mvn(org.apache.felix:maven-bundle-plugin)
%description
The Byte Code Engineering Library (formerly known as JavaClass) is
@ -37,9 +38,10 @@ This package provides %{summary}.
%prep
%setup -q -n %{name}-%{version}-src
%patch -P 1 -p1
%pom_remove_plugin :maven-source-plugin
%pom_remove_plugin :spotbugs-maven-plugin
%pom_remove_plugin :jacoco-maven-plugin
%mvn_alias : bcel: apache:
%mvn_file : %{name}
@ -58,26 +60,60 @@ This package provides %{summary}.
%license LICENSE.txt NOTICE.txt
%changelog
* Thu Nov 21 2024 Marián Konček <mkoncek@redhat.com> - 6.4.1-11
- Fix patch usage
* Thu Aug 01 2024 Troy Dawson <tdawson@redhat.com> - 6.8.1-3
- Bump release for Aug 2024 java mass rebuild
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 6.8.1-2
- Bump release for June 2024 mass rebuild
* Thu Feb 01 2024 Mikolaj Izdebski <mizdebsk@redhat.com> - 6.8.1-1
- Update to upstream version 6.8.1
* Tue Jan 23 2024 Fedora Release Engineering <releng@fedoraproject.org> - 6.8.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 6.8.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Mon Dec 11 2023 Marian Koncek <mkoncek@redhat.com> - 6.8.0-1
- Update to upstream version 6.8.0
* Fri Sep 01 2023 Mikolaj Izdebski <mizdebsk@redhat.com> - 6.7.0-3
- Convert License tag to SPDX format
* Fri Aug 18 2023 Mikolaj Izdebski <mizdebsk@redhat.com> - 6.7.0-2
- Add missing build-requires
* Tue Nov 19 2024 Marián Konček <mkoncek@redhat.com> - 6.4.1-10
- Rebuild with regenerated Requires on Java
* Fri Aug 18 2023 Mikolaj Izdebski <mizdebsk@redhat.com> - 6.7.0-1
- Update to upstream version 6.7.0
* Thu Dec 01 2022 Mikolaj Izdebski <mizdebsk@redhat.com> - 6.4.1-9
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 6.5.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 6.5.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Thu Dec 01 2022 Mikolaj Izdebski <mizdebsk@redhat.com> - 6.5.0-3
- Fix arbitrary bytecode produced via out-of-bounds writing
- Resolves: CVE-2022-42920
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 6.4.1-8
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 6.5.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Mon Jun 28 2021 Mikolaj Izdebski <mizdebsk@redhat.com> - 6.4.1-7
- Remove dependency on jna
- Resolves: rhbz#1976996
* Sun Apr 24 2022 Mikolaj Izdebski <mizdebsk@redhat.com> - 6.5.0-1
- Update to upstream version 6.5.0
* Sat Feb 05 2022 Jiri Vanek <jvanek@redhat.com> - 6.4.1-9
- Rebuilt for java-17-openjdk as system jdk
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 0:6.4.1-6
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 6.4.1-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 6.4.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Mon Jun 28 2021 Mikolaj Izdebski <mizdebsk@redhat.com> - 6.4.1-6
- Remove dependency on jna
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0:6.4.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
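Review bot: Nothing on the new side of the spec records why the CVE-2022-42920 fix no longer needs to be carried. `Patch1: 0001-CVE-2022-42920.patch` and `%patch -P 1 -p1` appear to be dropped together with the patch file, and the most recent changelog entry that mentions the CVE is 6.5.0-3. Before relying on the rebase, confirm that the 6.8.1 tarball contains the `Const.MAX_CP_ENTRIES` bounds in `ConstantPool.dump` and `ConstantPoolGen.adjustSize` that the deleted patch added; upstream is understood to have shipped that fix from 6.6.0, but this page does not show it. I would record the result in the changelog, for example `- Drop 0001-CVE-2022-42920.patch, fix is included in the upstream sources`, so that a later audit of this package does not read the removal as a regression.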
