diff --git a/.gitignore b/.gitignore
index d204f60..ace4ecc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@
 /3.0.17.Final.tar.gz
 /resteasy-3.0.19.Final.tar.gz
 /resteasy-3.0.26.Final.tar.gz
+Resteasy-3.0.26.Final
diff --git a/0001-RESTEASY-2559-Improper-validation-of-response-header.patch b/0001-RESTEASY-2559-Improper-validation-of-response-header.patch
new file mode 100644
index 0000000..9048abd
--- /dev/null
+++ b/0001-RESTEASY-2559-Improper-validation-of-response-header.patch
@@ -0,0 +1,47 @@
+From f58a22382e31c0c4b92e519fa84f701a606981ac Mon Sep 17 00:00:00 2001
+From: Bartosz Spyrko-Smietanko
+Date: Thu, 16 Apr 2020 14:01:17 +0100
+Subject: [PATCH] [RESTEASY-2559] Improper validation of response header in
+ MediaTypeHeaderDelegate.java class
+
+---
+ .../plugins/delegates/MediaTypeHeaderDelegate.java | 1 +
+ .../test/mediatype/MediaTypeHeaderTest.java | 14 ++++++++++++++
+ 2 files changed, 15 insertions(+)
+ create mode 100644 testsuite/unit-tests/src/test/java/org/jboss/resteasy/test/mediatype/MediaTypeHeaderTest.java
+
+diff --git a/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/delegates/MediaTypeHeaderDelegate.java b/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/delegates/MediaTypeHeaderDelegate.java
+index db0b4d588..b31d4376e 100755
+--- a/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/delegates/MediaTypeHeaderDelegate.java
++++ b/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/delegates/MediaTypeHeaderDelegate.java
+@@ -89,6 +89,7 @@ public class MediaTypeHeaderDelegate implements RuntimeDelegate.HeaderDelegate
+ case '[':
+ case ']':
+ case '=':
++ case '\n':
+ return false;
+ default:
+ break;
+diff --git a/testsuite/unit-tests/src/test/java/org/jboss/resteasy/test/mediatype/MediaTypeHeaderTest.java b/testsuite/unit-tests/src/test/java/org/jboss/resteasy/test/mediatype/MediaTypeHeaderTest.java
+new file mode 100644
+index 000000000..e46f018f7
+--- /dev/null
++++ b/testsuite/unit-tests/src/test/java/org/jboss/resteasy/test/mediatype/MediaTypeHeaderTest.java
+@@ -0,0 +1,14 @@
++package org.jboss.resteasy.test.mediatype;
++
++import org.jboss.resteasy.plugins.delegates.MediaTypeHeaderDelegate;
++import org.junit.Test;
++
++public class MediaTypeHeaderTest {
++
++ @Test(expected = IllegalArgumentException.class)
++ public void testNewLineInHeaderValueIsRejected() {
++ MediaTypeHeaderDelegate delegate = new MediaTypeHeaderDelegate();
++
++ delegate.fromString("foo/bar\n");
++ }
++}
+--
+2.26.2
+
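Review bot: The new `case '\n':` rejects a bare line feed, but nothing in the visible switch rejects a carriage return, and response-splitting payloads are normally CRLF, so a value such as `"foo/bar\r"` may still pass validation unless `'\r'` is handled by a case outside this hunk. The enclosing validation method starts and ends outside the hunk, so that cannot be confirmed here; if no such case exists, add `case '\r':` directly beside the new line. The added test pins only `"foo/bar\n"`; a second `@Test(expected = IllegalArgumentException.class)` method that calls `delegate.fromString("foo/bar\r\n")`, plus a positive check that `"foo/bar"` still parses, would make the fix's boundary explicit. That `fromString` surfaces the `return false` as an `IllegalArgumentException` is inferred from the test rather than shown in the hunk.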
diff --git a/resteasy.spec b/resteasy.spec
index 1653258..979dc2f 100644
--- a/resteasy.spec
+++ b/resteasy.spec
@@ -3,11 +3,12 @@
 Name: resteasy
 Version: 3.0.26
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: Framework for RESTful Web services and Java applications
 License: ASL 2.0 and CDDL
 URL: http://resteasy.jboss.org/
 Source0: https://github.com/resteasy/Resteasy/archive/%{namedversion}/%{name}-%{namedversion}.tar.gz
+Patch1: 0001-RESTEASY-2559-Improper-validation-of-response-header.patch
 BuildArch: noarch
@@ -101,6 +102,7 @@ Summary: Client for %{name}
 %prep
 %setup -q -n Resteasy-%{namedversion}
+%patch1 -p1
 %pom_disable_module arquillian
 %pom_disable_module eagledns
@@ -209,6 +211,10 @@ find -name '*.jar' -print -delete
 %license License.html
 %changelog
+* Mon Nov 30 2020 Alexander Scheel - 3.0.26-6
+- CVE-2020-1695: Improper validation of response header in MediaTypeHeaderDelegate.java class Resolves: rh-bz#1845547
 * Wed Jul 29 2020 Fedora Release Engineering - 3.0.26-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
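Review bot: The new `Patch1:` line carries no reference to the CVE or bug it fixes, so the link between the patch file and CVE-2020-1695 lives only in `%changelog`, and the patch's own Subject names just RESTEASY-2559. A comment above the line such as `# CVE-2020-1695 / rh-bz#1845547: backport of upstream f58a2238 (RESTEASY-2559)` keeps the provenance visible to anyone reading the patch list without the changelog. The `%patch1 -p1` application and the Release bump look consistent with the patch's `a/`/`b/` path prefixes.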