!22 [sync] PR-20: Rebuild for fix log4j1.x cves

From: @openeuler-sync-bot 
Reviewed-by: @wangchong1995924 
Signed-off-by: @wangchong1995924

CVE-2021-36373-CVE-2021-36374.patch

@@ -0,0 +1,122 @@
+From 6594a2d66f7f060dafcbbf094dd60676db19a842 Mon Sep 17 00:00:00 2001
+From: Stefan Bodewig <bodewig@apache.org>
+Date: Sat, 10 Jul 2021 11:10:12 +0200
+Subject: [PATCH] port some fixes from Commons Compress
+
+---
+ .../org/apache/tools/tar/TarInputStream.java  |  7 +++++--
+ .../org/apache/tools/zip/AsiExtraField.java   | 12 +++++++----
+ src/main/org/apache/tools/zip/ZipFile.java    | 20 ++++++++++++++++++-
+ 3 files changed, 32 insertions(+), 7 deletions(-)
+
+diff --git a/src/main/org/apache/tools/tar/TarInputStream.java b/src/main/org/apache/tools/tar/TarInputStream.java
+index 0477d5c..71e4cc0 100644
+--- a/src/main/org/apache/tools/tar/TarInputStream.java
++++ b/src/main/org/apache/tools/tar/TarInputStream.java
+@@ -436,11 +436,13 @@ public class TarInputStream extends FilterInputStream {
+                             String keyword = coll.toString("UTF-8");
+                             // Get rest of entry
+                             final int restLen = len - read;
+-                            byte[] rest = new byte[restLen];
++                            ByteArrayOutputStream bos = new ByteArrayOutputStream();
+                             int got = 0;
+                             while (got < restLen && (ch = i.read()) != -1) {
+-                                rest[got++] = (byte) ch;
++                                bos.write((byte) ch);
++                                got++;
+                             }
++                            bos.close();
+                             if (got != restLen) {
+                                 throw new IOException("Failed to read "
+                                                       + "Paxheader. Expected "
+@@ -448,6 +450,7 @@ public class TarInputStream extends FilterInputStream {
+                                                       + " bytes, read "
+                                                       + got);
+                             }
++                            byte[] rest = bos.toByteArray();
+                             // Drop trailing NL
+                             String value = new String(rest, 0,
+                                                       restLen - 1, StandardCharsets.UTF_8);
+diff --git a/src/main/org/apache/tools/zip/AsiExtraField.java b/src/main/org/apache/tools/zip/AsiExtraField.java
+index 8afddb5..fdd81c6 100644
+--- a/src/main/org/apache/tools/zip/AsiExtraField.java
++++ b/src/main/org/apache/tools/zip/AsiExtraField.java
+@@ -307,14 +307,18 @@ public class AsiExtraField implements ZipExtraField, UnixStat, Cloneable {
+ 
+         int newMode = ZipShort.getValue(tmp, 0);
+         // CheckStyle:MagicNumber OFF
+-        byte[] linkArray = new byte[(int) ZipLong.getValue(tmp, 2)];
++        final int linkArrayLength = (int) ZipLong.getValue(tmp, 2);
++        if (linkArrayLength < 0 || linkArrayLength > tmp.length - 10) {
++            throw new ZipException("Bad symbolic link name length " + linkArrayLength
++                + " in ASI extra field");
++        }
+         uid = ZipShort.getValue(tmp, 6);
+         gid = ZipShort.getValue(tmp, 8);
+-
+-        if (linkArray.length == 0) {
++        if (linkArrayLength == 0) {
+             link = "";
+         } else {
+-            System.arraycopy(tmp, 10, linkArray, 0, linkArray.length);
++            final byte[] linkArray = new byte[linkArrayLength];
++            System.arraycopy(tmp, 10, linkArray, 0, linkArrayLength);
+             link = new String(linkArray); // Uses default charset - see class Javadoc
+         }
+         // CheckStyle:MagicNumber ON
+diff --git a/src/main/org/apache/tools/zip/ZipFile.java b/src/main/org/apache/tools/zip/ZipFile.java
+index dfb6bcf..8806ae7 100644
+--- a/src/main/org/apache/tools/zip/ZipFile.java
++++ b/src/main/org/apache/tools/zip/ZipFile.java
+@@ -541,6 +541,9 @@ public class ZipFile implements Closeable {
+         ze.setExternalAttributes(ZipLong.getValue(CFH_BUF, off));
+         off += WORD;
+ 
++        if (archive.length() - archive.getFilePointer() < fileNameLen) {
++            throw new EOFException();
++        }
+         final byte[] fileName = new byte[fileNameLen];
+         archive.readFully(fileName);
+         ze.setName(entryEncoding.decode(fileName), fileName);
+@@ -550,12 +553,18 @@ public class ZipFile implements Closeable {
+         // data offset will be filled later
+         entries.add(ze);
+ 
++        if (archive.length() - archive.getFilePointer() < extraLen) {
++            throw new EOFException();
++        }
+         final byte[] cdExtraData = new byte[extraLen];
+         archive.readFully(cdExtraData);
+         ze.setCentralDirectoryExtra(cdExtraData);
+ 
+         setSizesAndOffsetFromZip64Extra(ze, offset, diskStart);
+ 
++        if (archive.length() - archive.getFilePointer() < commentLen) {
++            throw new EOFException();
++        }
+         final byte[] comment = new byte[commentLen];
+         archive.readFully(comment);
+         ze.setComment(entryEncoding.decode(comment));
+@@ -881,9 +890,18 @@ public class ZipFile implements Closeable {
+                 }
+                 lenToSkip -= skipped;
+             }
++            if (archive.length() - archive.getFilePointer() < extraFieldLen) {
++                throw new EOFException();
++            }
+             final byte[] localExtraData = new byte[extraFieldLen];
+             archive.readFully(localExtraData);
+-            ze.setExtra(localExtraData);
++            try {
++                ze.setExtra(localExtraData);
++            } catch (RuntimeException ex) {
++                final ZipException z = new ZipException("Invalid extra data in entry " + ze.getName());
++                z.initCause(ex);
++                throw z;
++            }
+             offsetEntry.dataOffset = offset + LFH_OFFSET_FOR_FILENAME_LENGTH
+                 + SHORT + SHORT + fileNameLen + extraFieldLen;
+ 
+-- 
+2.27.0
+

Document-why-we-are-actually-removing-the-file-before-writing.patch

@@ -0,0 +1,23 @@
+From f7159e8a084a3fcb76b933d393df1fc855d74d78 Mon Sep 17 00:00:00 2001
+From: Stefan Bodewig <bodewig@apache.org>
+Date: Tue, 28 Jul 2020 21:51:01 +0200
+Subject: [PATCH] document why we are actually removing the file before writing
+
+---
+ .../org/apache/tools/ant/types/resources/FileResource.java     | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/main/org/apache/tools/ant/types/resources/FileResource.java b/src/main/org/apache/tools/ant/types/resources/FileResource.java
+index d8d604c0f8..17ed7cc463 100644
+--- a/src/main/org/apache/tools/ant/types/resources/FileResource.java
++++ b/src/main/org/apache/tools/ant/types/resources/FileResource.java
+@@ -255,7 +255,8 @@ public OutputStream getAppendOutputStream() throws IOException {
+     private OutputStream getOutputStream(boolean append) throws IOException {
+         File f = getNotNullFile();
+         if (f.exists()) {
+-            if (f.isFile() && !append) {
++            if (Files.isSymbolicLink(f.toPath()) && f.isFile() && !append) {
++                // https://bz.apache.org/bugzilla/show_bug.cgi?id=624
+                 f.delete();
+             }
+         } else {

Fallback-to-a-separate-owner-only-tempdir-if-possible.patch

@@ -0,0 +1,170 @@
+From 87ac51d3c22bcf7cfd0dc07cb0bd04a496e0d428 Mon Sep 17 00:00:00 2001
+From: Stefan Bodewig <bodewig@apache.org>
+Date: Sat, 4 Jul 2020 18:03:13 +0200
+Subject: [PATCH] fallback to a separate owner-only tempdir if possible
+
+---
+ src/main/org/apache/tools/ant/MagicNames.java | 10 +++
+ .../org/apache/tools/ant/util/FileUtils.java  | 36 +++++++++--
+ .../apache/tools/ant/util/FileUtilsTest.java  | 64 +++++++++++++++++++
+ 3 files changed, 105 insertions(+), 5 deletions(-)
+
+diff --git a/src/main/org/apache/tools/ant/MagicNames.java b/src/main/org/apache/tools/ant/MagicNames.java
+index 5cf2fa8fa3..8ced505789 100644
+--- a/src/main/org/apache/tools/ant/MagicNames.java
++++ b/src/main/org/apache/tools/ant/MagicNames.java
+@@ -337,5 +337,15 @@ private MagicNames() {
+      * @since Ant 1.10.8
+      */
+     public static final String TMPDIR = "ant.tmpdir";
++
++    /**
++     * Magic property that will be set to override java.io.tmpdir
++     * system property as the location for Ant's default temporary
++     * directory if a temp file is created and {@link #TMPDIR} is not
++     * set.
++     * Value: {@value}
++     * @since Ant 1.10.9
++     */
++    public static final String AUTO_TMPDIR = "ant.auto.tmpdir";
+ }
+ 
+diff --git a/src/main/org/apache/tools/ant/util/FileUtils.java b/src/main/org/apache/tools/ant/util/FileUtils.java
+index 46671848c9..d835438fe7 100644
+--- a/src/main/org/apache/tools/ant/util/FileUtils.java
++++ b/src/main/org/apache/tools/ant/util/FileUtils.java
+@@ -110,6 +110,11 @@
+             PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ,
+                 PosixFilePermission.OWNER_WRITE))
+         };
++    private static final FileAttribute[] TMPDIR_ATTRIBUTES =
++        new FileAttribute[] {
++            PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ,
++                PosixFilePermission.OWNER_WRITE, PosixFilePermission.OWNER_EXECUTE))
++        };
+     private static final FileAttribute[] NO_TMPFILE_ATTRIBUTES = new FileAttribute[0];
+ 
+     /**
+@@ -991,14 +996,35 @@ public File createTempFile(String prefix, String suffix, File parentDir,
+     public File createTempFile(final Project project, String prefix, String suffix,
+             final File parentDir, final boolean deleteOnExit, final boolean createFile) {
+         File result;
+-        final String parent;
++        String p = null;
+         if (parentDir != null) {
+-            parent = parentDir.getPath();
++            p = parentDir.getPath();
+         } else if (project != null && project.getProperty(MagicNames.TMPDIR) != null) {
+-            parent = project.getProperty(MagicNames.TMPDIR);
+-        } else {
+-            parent = System.getProperty("java.io.tmpdir");
++            p = project.getProperty(MagicNames.TMPDIR);
++        } else if (project != null && deleteOnExit) {
++            if (project.getProperty(MagicNames.AUTO_TMPDIR) != null) {
++                p = project.getProperty(MagicNames.AUTO_TMPDIR);
++            } else {
++                final Path systemTempDirPath =
++                    new File(System.getProperty("java.io.tmpdir")).toPath();
++                final PosixFileAttributeView systemTempDirPosixAttributes =
++                    Files.getFileAttributeView(systemTempDirPath, PosixFileAttributeView.class);
++                if (systemTempDirPosixAttributes != null) {
++                    // no reason to create an extra temp dir if we cannot set permissions
++                    try {
++                        final File projectTempDir = Files.createTempDirectory(systemTempDirPath,
++                            "ant", TMPDIR_ATTRIBUTES)
++                            .toFile();
++                        projectTempDir.deleteOnExit();
++                        p = projectTempDir.getAbsolutePath();
++                        project.setProperty(MagicNames.AUTO_TMPDIR, p);
++                    } catch (IOException ex) {
++                        // silently fall back to system temp directory
++                    }
++                }
++            }
+         }
++        final String parent = p != null ? p : System.getProperty("java.io.tmpdir");
+         if (prefix == null) {
+             prefix = NULL_PLACEHOLDER;
+         }
+diff --git a/src/tests/junit/org/apache/tools/ant/util/FileUtilsTest.java b/src/tests/junit/org/apache/tools/ant/util/FileUtilsTest.java
+index da46520038..d5448a6ac6 100644
+--- a/src/tests/junit/org/apache/tools/ant/util/FileUtilsTest.java
++++ b/src/tests/junit/org/apache/tools/ant/util/FileUtilsTest.java
+@@ -50,6 +50,8 @@
+ import static org.junit.Assert.assertEquals;
+ import static org.junit.Assert.assertFalse;
+ import static org.junit.Assert.assertNotEquals;
++import static org.junit.Assert.assertNotNull;
++import static org.junit.Assert.assertNull;
+ import static org.junit.Assert.assertThat;
+ import static org.junit.Assert.assertTrue;
+ import static org.junit.Assume.assumeFalse;
+@@ -450,6 +452,68 @@ public void testCreateTempFile() throws IOException {
+                 tmp2.getAbsolutePath()));
+     }
+ 
++    @Test
++    public void createTempFileUsesAntTmpDirIfSetAndDeleteOnExitIsTrue() throws IOException {
++        final Project project = new Project();
++        final File projectTmpDir = folder.newFolder("subdir");
++        project.setProperty("ant.tmpdir", projectTmpDir.getAbsolutePath());
++        final File tmpFile = getFileUtils().createTempFile(project, null, null, null, true, true);
++        assertTrue(tmpFile + " must be child of " + projectTmpDir,
++                   tmpFile.getAbsolutePath().startsWith(projectTmpDir.getAbsolutePath()));
++    }
++
++    @Test
++    public void createTempFileUsesAntTmpDirIfSetAndDeleteOnExitIsFalse() throws IOException {
++        final Project project = new Project();
++        final File projectTmpDir = folder.newFolder("subdir");
++        project.setProperty("ant.tmpdir", projectTmpDir.getAbsolutePath());
++        final File tmpFile = getFileUtils().createTempFile(project, null, null, null, false, true);
++        assertTrue(tmpFile + " must be child of " + projectTmpDir,
++                   tmpFile.getAbsolutePath().startsWith(projectTmpDir.getAbsolutePath()));
++    }
++
++    @Test
++    public void createTempFileCreatesAutoTmpDirIfDeleteOnExitIsTrueOnUnix() throws IOException {
++        assumeFalse("Test doesn't run on DOS", Os.isFamily("dos"));
++        final Project project = new Project();
++        final File tmpFile = getFileUtils().createTempFile(project, null, null, null, true, true);
++        final String autoTempDir = project.getProperty("ant.auto.tmpdir");
++        assertNotNull(autoTempDir);
++        assertTrue(tmpFile + " must be child of " + autoTempDir,
++                   tmpFile.getAbsolutePath().startsWith(autoTempDir));
++    }
++
++    @Test
++    public void createTempFileDoesntCreateAutoTmpDirIfDeleteOnExitIsFalse() throws IOException {
++        final Project project = new Project();
++        final File tmpFile = getFileUtils().createTempFile(project, null, null, null, false, true);
++        assertNull(project.getProperty("ant.auto.tmpdir"));
++    }
++
++    @Test
++    public void createTempFileReusesAutoTmpDirIfDeleteOnExitIsTrueOnUnix() throws IOException {
++        assumeFalse("Test doesn't run on DOS", Os.isFamily("dos"));
++        final Project project = new Project();
++        final File tmpFile = getFileUtils().createTempFile(project, null, null, null, true, true);
++        final String autoTempDir = project.getProperty("ant.auto.tmpdir");
++        assertNotNull(autoTempDir);
++        final File tmpFile2 = getFileUtils().createTempFile(project, null, null, null, true, true);
++        assertTrue(tmpFile2 + " must be child of " + autoTempDir,
++                   tmpFile2.getAbsolutePath().startsWith(autoTempDir));
++    }
++
++    @Test
++    public void createTempFileDoesntReusesAutoTmpDirIfDeleteOnExitIsFalse() throws IOException {
++        assumeFalse("Test doesn't run on DOS", Os.isFamily("dos"));
++        final Project project = new Project();
++        final File tmpFile = getFileUtils().createTempFile(project, null, null, null, true, true);
++        final String autoTempDir = project.getProperty("ant.auto.tmpdir");
++        assertNotNull(autoTempDir);
++        final File tmpFile2 = getFileUtils().createTempFile(project, null, null, null, false, true);
++        assertFalse(tmpFile2 + " must not be child of " + autoTempDir,
++                    tmpFile2.getAbsolutePath().startsWith(autoTempDir));
++    }
++
+     /**
+      * Test contentEquals
+      */

ant.spec

@@ -3,15 +3,19 @@
 
 Name:           ant
 Summary:        A Java-based build tool
-Version:        1.10.5
-Release:        7
+Version:        1.10.8
+Release:        5
 Epoch:          0
 License:        ASL 2.0
 URL:            https://ant.apache.org/
-Source0:        https://archive.apache.org/dist/ant/source/apache-ant-1.10.5-src.tar.bz2
+Source0:        https://archive.apache.org/dist/ant/source/apache-ant-%{version}-src.tar.bz2
 Source2:        apache-ant-1.8.ant.conf
+# Patch 0-1 are used for repair CVE-2020-11979 
+Patch0:         Fallback-to-a-separate-owner-only-tempdir-if-possible.patch 
+Patch1:         Document-why-we-are-actually-removing-the-file-before-writing.patch
+Patch2:         CVE-2021-36373-CVE-2021-36374.patch
 
-BuildRequires:  javapackages-local java-devel >= 1:1.8.0 ant >= 1.10.2
+BuildRequires:  javapackages-local java-1.8.0-devel ant >= 1.10.2
 BuildRequires:  ant-junit xmlto mvn(antlr:antlr) mvn(bcel:bcel)
 BuildRequires:  mvn(bsf:bsf) mvn(com.jcraft:jsch) mvn(commons-logging:commons-logging-api)
 BuildRequires:  mvn(commons-net:commons-net) mvn(javax.mail:mail) mvn(jdepend:jdepend)
@@ -20,7 +24,7 @@ BuildRequires:  mvn(oro:oro) mvn(regexp:regexp) mvn(xalan:xalan)
 BuildRequires:  mvn(xml-resolver:xml-resolver) mvn(org.hamcrest:hamcrest-core)
 BuildRequires:  mvn(org.hamcrest:hamcrest-library) junit5
 
-Recommends: java-devel >= 1:1.8.0
+Recommends: java-1.8.0-devel
 Requires:       %{name}-lib = %{epoch}:%{version}-%{release} javapackages-tools
 BuildArch:      noarch
 
@@ -128,6 +132,12 @@ Requires:       %{name} = %{epoch}:%{version}-%{release}
 %description apache-xalan2
 Optional apache xalan2 tasks for %{name}.
 
+%package imageio
+Summary:Optional imageio tasks for %{name}
+Requires:%{name} = %{epoch}:%{version}-%{release}
+
+%description imageio
+Optional imageio tasks for %{name}.
 
 %package javamail
 Summary:        Optional javamail tasks for %{name}
@@ -225,6 +235,8 @@ ln -sf LICENSE.utf8 LICENSE
 %pom_xpath_remove pom:optional src/etc/poms/%{name}-antlr/pom.xml
 %pom_xpath_inject 'target[@name="javadocs"]/javadoc/packageset' '<exclude name="**/junitlauncher"/>' build.xml
 
+%pom_change_dep -r com.sun.mail:jakarta.mail javax.mail:mail src/etc/poms/ant-javamail/pom.xml
+
 %build
 %{ant} jars test-jar
 %{ant} javadocs
@@ -274,6 +286,7 @@ echo "log4j12 %{name}/%{name}-apache-log4j" > %{buildroot}%{_sysconfdir}/%{name}
 echo "oro %{name}/%{name}-apache-oro" > %{buildroot}%{_sysconfdir}/%{name}.d/apache-oro
 echo "regexp %{name}/%{name}-apache-regexp" > %{buildroot}%{_sysconfdir}/%{name}.d/apache-regexp
 echo "xalan-j2 xalan-j2-serializer %{name}/%{name}-apache-xalan2" > %{buildroot}%{_sysconfdir}/%{name}.d/apache-xalan2
+echo "ant/ant-imageio" > $RPM_BUILD_ROOT%{_sysconfdir}/%{name}.d/imageio
 echo "javamail jaf %{name}/%{name}-javamail" > %{buildroot}%{_sysconfdir}/%{name}.d/javamail
 echo "jdepend %{name}/%{name}-jdepend" > %{buildroot}%{_sysconfdir}/%{name}.d/jdepend
 echo "jsch %{name}/%{name}-jsch" > %{buildroot}%{_sysconfdir}/%{name}.d/jsch
@@ -365,6 +378,10 @@ LC_ALL=en_US.utf8 %{ant} test
 %{ant_home}/lib/%{name}-apache-xalan2.jar
 %config(noreplace) %{_sysconfdir}/%{name}.d/apache-xalan2
 
+%files imageio -f .mfiles-imageio
+%{ant_home}/lib/%{name}-imageio.jar
+%config(noreplace) %{_sysconfdir}/%{name}.d/imageio
+
 %files javamail -f .mfiles-javamail
 %{ant_home}/lib/%{name}-javamail.jar
 %config(noreplace) %{_sysconfdir}/%{name}.d/javamail
@@ -409,6 +426,21 @@ LC_ALL=en_US.utf8 %{ant} test
 %{_javadocdir}/%{name}
 
 %changelog
+* Mon Feb 14 2022 wangkai <wangkai385@huawei.com> - 0:1.10.8-5
+- Rebuild for fix log4j1.x cves
+
+* Mon Jul 19 2021 yaoxin <yaoxin30@huawei.com> - 0:1.10.8-4
+- Fix CVE-2021-36373 CVE-2021-36374
+
+* Mon Nov 30 2020 huanghaitao <huanghaitao8@huawei.com> - 0:1.10.8-3
+- Fix CVE-2020-11979
+
+* Thu Oct 15 2020 lingsheng<lingsheng@huawei.com> - 0:1.10.8-2
+- Change buildrequire and require to java-1.8.0-devel
+
+* Wed Sep 9 2020 zhanghua<zhanghua40@huawei.com> - 0:1.10.8-1
+- update to 1.10.8
+
 * Sat Mar 14 2020 zhujunhao<zhujunhao5@huawei.com> - 0:1.10.5-7
 - Split ant pack into subpackets