!22 [sync] PR-20: Fix CVE-2022-41853

From: @openeuler-sync-bot Reviewed-by: @cherry530 Signed-off-by: @cherry530
Fix CVE-2022-41853
2023-12-07 09:22:56 +00:00 · 2023-12-07 16:39:55 +08:00 · 2022-11-23 07:19:33 +00:00 · 2022-11-23 15:06:21 +08:00 · 2021-06-16 07:01:27 +00:00 · 2021-06-16 14:48:49 +08:00
6 changed files with 95 additions and 21 deletions
--- a/0002-Build-cmdline-classes.patch
+++ b/0002-Build-cmdline-classes.patch
@ -1,17 +1,17 @@
-From 4db4a99c17d5c058dbe8f33a3b4cc7f0cd5fb9b6 Mon Sep 17 00:00:00 2001
+From bd384fb37738ac7c7bbc99585b3cdcd82fb984a5 Mon Sep 17 00:00:00 2001
-From: Michael Simacek <msimacek@redhat.com>
+From: maminjie <maminjie1@huawei.com>
-Date: Thu, 30 Nov 2017 19:53:15 +0200
+Date: Mon, 7 Jun 2021 12:46:38 +0800
-Subject: [PATCH 2/2] Build cmdline classes
+Subject: [PATCH] Build cmdline classes
 ---
 build/build.xml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
 diff --git a/build/build.xml b/build/build.xml
-index 054db25..2a70d2b 100644
+index d5fbd2b..59882f2 100644
 --- a/build/build.xml
 +++ b/build/build.xml
-@@ -443,7 +443,7 @@ examples:
+@@ -442,7 +442,7 @@ examples:
     </target>
     <!-- compiles the cmdline classes -->
@ -20,14 +20,14 @@ index 054db25..2a70d2b 100644
             depends="-prepare, -update-switch-branch,
                      -conditionalize-sqlfile-scanner, -sqlfile-scanner">
       <javac srcdir="${swsrc}"
-@@ -601,7 +601,6 @@ examples:
+@@ -689,7 +689,6 @@ examples:
-          </manifest>
+          <exclude name="org/hsqldb/util/Zaurus*"/>
-          <exclude name="org/hsqldb/jmx/**"/>
+          <exclude name="org/hsqldb/test/*.class"/>
-          <exclude name="org/hsqldb/util/**"/>
+          <exclude name="org/hsqldb/sample/*.class"/>
 -         <exclude name="org/hsqldb/cmdline/**"/>
          <exclude name="org/hsqldb/test/**"/>
          <exclude name="org/hsqldb/sample/**"/>
       </jar>
     </target>
 -- 
-2.14.3
+2.23.0
--- a/CVE-2022-41853.patch
+++ b/CVE-2022-41853.patch
@ -0,0 +1,61 @@
 From: Markus Koschany <apo@debian.org>
 Date: Wed, 7 Dec 2022 13:00:46 +0100
 Subject: CVE-2022-41853
 Bug-Debian: https://bugs.debian.org/1023573
 Origin: https://sourceforge.net/p/hsqldb/svn/6614/
 ---
 src/org/hsqldb/persist/HsqlDatabaseProperties.java | 18 +++++++-----------
 1 file changed, 7 insertions(+), 11 deletions(-)
 diff --git a/src/org/hsqldb/persist/HsqlDatabaseProperties.java b/src/org/hsqldb/persist/HsqlDatabaseProperties.java
 index bc03e82..bee0ea6 100644
 --- a/src/org/hsqldb/persist/HsqlDatabaseProperties.java
 +++ b/src/org/hsqldb/persist/HsqlDatabaseProperties.java
@@ -51,28 +51,28 @@ import org.hsqldb.lib.StringUtil;
  */
 public class HsqlDatabaseProperties extends HsqlProperties {
 -    private static final String hsqldb_method_class_names =
 +    public static final String hsqldb_method_class_names =
         "hsqldb.method_class_names";
     public static final String textdb_allow_full_path =
         "textdb.allow_full_path";
 -    private static HashSet accessibleJavaMethodNames;
 +    public static String methodClassNames;
 +    private static final HashSet accessibleJavaMethodNames = new HashSet();
     private static boolean allowFullPath;
     static {
         try {
 -            String prop = System.getProperty(hsqldb_method_class_names);
 +            methodClassNames = System.getProperty(hsqldb_method_class_names);
 -            if (prop != null) {
 -                accessibleJavaMethodNames = new HashSet();
 +            if (methodClassNames != null) {
 -                String[] names = StringUtil.split(prop, ";");
 +                String[] names = StringUtil.split(methodClassNames, ";");
                 for (int i = 0; i < names.length; i++) {
                     accessibleJavaMethodNames.add(names[i]);
                 }
             }
 -            prop = System.getProperty(textdb_allow_full_path);
 +            String prop = System.getProperty(textdb_allow_full_path);
             if (prop != null) {
                 if (Boolean.valueOf(prop)) {
@@ -97,10 +97,6 @@ public class HsqlDatabaseProperties extends HsqlProperties {
      */
     public static boolean supportsJavaMethod(String name) {
 -        if (accessibleJavaMethodNames == null) {
 -            return true;
 -        }
 -
         if (name.startsWith("java.lang.Math.")) {
             return true;
         }
--- a/hsqldb-2.4.0.tar.gz
+++ b/hsqldb-2.4.0.tar.gz
--- a/hsqldb-2.4.0.zip
+++ b/hsqldb-2.4.0.zip
--- a/hsqldb.spec
+++ b/hsqldb.spec
@ -1,11 +1,11 @@
 Name:                hsqldb
 Version:             2.4.0
-Release:             1
+Release:             5
 Epoch:               1
 Summary:             HyperSQL Database Engine
 License:             BSD
-URL:                 http://hsqldb.sourceforge.net/
+URL:                 https://github.com/ryenus/hsqldb
-Source0:             http://downloads.sourceforge.net/hsqldb/hsqldb-%{version}.zip
+Source0:             https://github.com/ryenus/hsqldb/archive/%{version}/hsqldb-%{version}.tar.gz
 Source1:             %{name}.cfg
 Source2:             %{name}-server.properties
 Source3:             %{name}-webserver.properties
@ -17,9 +17,12 @@ Source8:             %{name}-post
 Source9:             %{name}-stop
 Patch0:              0001-Fix-javadoc-build.patch
 Patch1:              0002-Build-cmdline-classes.patch
 # https://sourceforge.net/p/hsqldb/svn/6614/
 Patch2:              CVE-2022-41853.patch
 BuildRequires:       ant javapackages-local systemd-units glassfish-servlet-api
 Requires:            %{name}-lib = %{epoch}:%{version}-%{release} glassfish-servlet-api
 Requires:            javapackages-tools
 Requires(pre):       shadow-utils
 Requires(post):      systemd-units
 Requires(preun):     systemd-units
@ -69,9 +72,7 @@ Requires:            %{name} = %{epoch}:%{version}-%{release}
 Demonstrations and samples for %{name}.
 %prep
-%setup -q -n %{name}-%{version}/%{name}
+%autosetup -n %{name}-%{version} -p1
 %patch0 -p1
 %patch1 -p1
 find . -name "*.sh" -exec chmod 755 \{\} \;
 for dir in `find . -name _notes`; do rm -rf $dir; done
 find . -name "*.jar" -exec rm -f {} \;
@ -159,5 +160,17 @@ popd
 %files demo
 %changelog
 * Thu Dec 07 2023 yaoxin <yao_xin001@hoperun.com> - 1:2.4.0-5
 - Fix CVE-2022-41853
 * Wed Nov 23 2022 yaoxin <yaoxin30@h-partners.com> - 1:2.4.0-4
 - Modify invalid Source
 * Wed Jun 16 2021 lingsheng <lingsheng@huawei.com> - 2.4.0-3
 - Add dependency javapackages-tools required by hsqldb service
 * Mon Jun 07 2021 maminjie <maminjie1@huawei.com> - 2.4.0-2
 - Fix 0002-Build-cmdline-classes.patch
 * Tue Aug 4 2020 leiju <leiju4@huawei.com> - 2.4.0-1
 - Package init
--- a/hsqldb.yaml
+++ b/hsqldb.yaml
@ -1,4 +1,4 @@
-version_control: svn
+version_control: github
-src_repo: https://svn.code.sf.net/p/hsqldb/svn/
+src_repo: ryenus/hsqldb
 tag_prefix: "^"
 seperator: "."
Author	SHA1	Message	Date
openeuler-ci-bot	6629a1ce03	!22 [sync] PR-20: Fix CVE-2022-41853 From: @openeuler-sync-bot Reviewed-by: @cherry530 Signed-off-by: @cherry530	2023-12-07 09:22:56 +00:00
starlet-dx	de78bc3f4f	Fix CVE-2022-41853 (cherry picked from commit 0d23d3bd3815334677954222c59d6fa3532dd666)	2023-12-07 16:39:55 +08:00
openeuler-ci-bot	f6578d71ab	!13 Modify invalid Source From: @starlet-dx Reviewed-by: @caodongxia Signed-off-by: @caodongxia	2022-11-23 07:19:33 +00:00
starlet-dx	d8424f1b0f	Modify invalid Source	2022-11-23 15:06:21 +08:00
openeuler-ci-bot	a77e820b77	!6 Add dependency javapackages-tools required by hsqldb service From: @ultra_planet Reviewed-by: @small_leek,@si-gui,@wangchong1995924 Signed-off-by: @wangchong1995924	2021-06-16 07:01:27 +00:00
lingsheng	ec9ef80081	Add dependency javapackages-tools required by hsqldb service	2021-06-16 14:48:49 +08:00
openeuler-ci-bot	43ea906390	!2 Fix 0002-Build-cmdline-classes.patch From: @maminjie Reviewed-by: @wang_yue111,@wangchong1995924 Signed-off-by: @wangchong1995924	2021-06-07 14:29:59 +08:00
maminjie	f8717675b4	Fix 0002-Build-cmdline-classes.patch	2021-06-07 13:14:04 +08:00
openeuler-ci-bot	8887fa7332	!1 Package init Merge pull request !1 from 雷炬/master	2020-08-31 19:12:20 +08:00
lei_ju	d09bea89c2	Modify spec file	2020-08-31 16:20:28 +08:00