rpms/hsqldb/F-7 hsqldb-1.8.0-backport.patch, NONE, 1.1 hsqldb-1.8.0-standard-server.properties, 1.1, 1.2 hsqldb-1.8.0-standard.cfg, 1.1, 1.2 hsqldb.spec, 1.34, 1.35

Jon Prindiville (jprindiv) fedora-extras-commits at redhat.com
Tue Dec 4 20:09:40 UTC 2007


Author: jprindiv

Update of /cvs/pkgs/rpms/hsqldb/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv15971

Modified Files:
	hsqldb-1.8.0-standard-server.properties 
	hsqldb-1.8.0-standard.cfg hsqldb.spec 
Added Files:
	hsqldb-1.8.0-backport.patch 
Log Message:
Backport patch, addressing CVE-2007-4576
Resolves: #303551


hsqldb-1.8.0-backport.patch:

--- NEW FILE hsqldb-1.8.0-backport.patch ---
--- hsqldb/src/org/hsqldb/persist/HsqlDatabaseProperties.java.orig	2007-10-19 13:25:36.000000000 -0400
+++ hsqldb/src/org/hsqldb/persist/HsqlDatabaseProperties.java	2007-10-23 14:54:25.000000000 -0400
@@ -44,6 +44,7 @@ import org.hsqldb.lib.Set;
 import org.hsqldb.lib.SimpleLog;
 import org.hsqldb.lib.java.JavaSystem;
 import org.hsqldb.store.ValuePool;
+import org.hsqldb.lib.StringUtil;
 
 /**
  * Manages a .properties file for a database.
@@ -53,6 +54,53 @@ import org.hsqldb.store.ValuePool;
  * @since 1.7.0
  */
 public class HsqlDatabaseProperties extends HsqlProperties {
+    private static String hsqldb_method_class_names =
+        "hsqldb.method_class_names";
+    private static HashSet accessibleJavaMethodNames;
+
+    static {
+        try {
+            String prop = System.getProperty(hsqldb_method_class_names);
+
+            if (prop != null) {
+                accessibleJavaMethodNames = new HashSet();
+
+                String[] names = StringUtil.split(prop, ";");
+
+                for (int i = 0; i < names.length; i++) {
+                    accessibleJavaMethodNames.add(names[i]);
+                }
+            }
+        } catch (Exception e) {}
+    }
+
+    /**
+     * If the system property "hsqldb.method_class_names" is not set, then
+     * static methods of all available Java classes can be accessed as functions
+     * in HSQLDB. If the property is set, then only the list of semicolon
+     * seperated method names becomes accessible. An empty property value means
+     * no class is accessible.<p>
+     *
+     * All methods of org.hsqldb.Library are always accessible.
+     *
+     *
+     */
+    public static boolean supportsJavaMethod(String name) {
+
+        if (name.startsWith("org.hsqldb.Library")) {
+            return true;
+        }
+
+        if (accessibleJavaMethodNames == null) {
+            return true;
+        }
+
+        if (accessibleJavaMethodNames.contains(name)) {
+            return true;
+        }
+
+        return false;
+    }
 
     // column number mappings
     public static final int indexName         = 0;
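Review bot: The static initializer at lines 43–57 fails open: if reading or splitting the property throws, the exception is swallowed by `catch (Exception e) {}` and `accessibleJavaMethodNames` stays null, which `supportsJavaMethod` then treats as "every class is accessible". An allow-list that guards code execution should fail closed, e.g. assign `accessibleJavaMethodNames = new HashSet();` in the catch block (an empty set denies everything) and report the failure instead of discarding it. The `name.startsWith("org.hsqldb.Library")` exemption is a bare prefix match, so any class on the classpath whose name starts with that string (for instance `org.hsqldb.LibraryX`) would be exempt too; `name.startsWith("org.hsqldb.Library.")` limits it to that one class. Note also that with the property unset the default is still allow-everything, so the protection relies on the packaging's JVM arguments rather than on the code itself.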
--- hsqldb/src/org/hsqldb/Database.java.orig	2007-10-19 13:24:32.000000000 -0400
+++ hsqldb/src/org/hsqldb/Database.java	2007-10-23 14:55:07.000000000 -0400
@@ -473,12 +473,19 @@ public class Database {
      *  the given method alias. If there is no Java method, then returns the
      *  alias itself.
      */
-    String getJavaName(String s) {
+    String getJavaName(String name) throws HsqlException {
 
-        String alias = (String) hAlias.get(s);
+        String target = (String) hAlias.get(name);
 
-        return (alias == null) ? s
-                               : alias;
+        if (target == null) {
+            target = name;
+        }
+
+        if (HsqlDatabaseProperties.supportsJavaMethod(target)) {
+            return target;
+        }
+
+        throw Trace.error(Trace.ACCESS_IS_DENIED, target);
     }
 
     /**
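Review bot: The Javadoc above `getJavaName` (it begins before this hunk) still describes the method as simply returning the alias or the name itself and does not mention the new failure mode; add `@throws HsqlException with ACCESS_IS_DENIED when the resolved target is not permitted by the hsqldb.method_class_names allow-list`. Because the check is applied to `target` after the `hAlias` lookup, an alias pointing at a non-listed class is correctly rejected, which is the right place for it. It is worth confirming that every path that resolves a Java method for SQL goes through `getJavaName`; any resolution that bypasses it would remain unfiltered, and that cannot be judged from this hunk alone.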


Index: hsqldb-1.8.0-standard-server.properties
===================================================================
RCS file: /cvs/pkgs/rpms/hsqldb/F-7/hsqldb-1.8.0-standard-server.properties,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- hsqldb-1.8.0-standard-server.properties	10 Oct 2007 18:32:52 -0000	1.1
+++ hsqldb-1.8.0-standard-server.properties	4 Dec 2007 20:09:07 -0000	1.2
@@ -9,3 +9,13 @@
 
 server.port         9001
 server.no_system_exit         true
+
+# Until the following setting is changed, the HSQLDB service will not accept
+# remote connections. Failing to set a value for server.address at all will
+# result in the service binding itself to 0.0.0.0 and accepting remote
+# connections.
+#
+# IT IS STRONGLY ADVISED that before doing this you alter the password of
+# the default account (username "sa"). By default, no password is required
+# to connect to HSQLDB with the "sa" account.
+server.address      localhost
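Review bot: The added comment only covers remote exposure; binding to `localhost` does not restrict which local users can reach port 9001, so with the default empty password every local account on the host still gets an unauthenticated session as `sa`. Add a sentence such as `# Binding to localhost blocks remote hosts only; any local user can still connect as "sa" until its password is set.` The statement that an unset server.address binds to 0.0.0.0 is not demonstrated by anything in this commit and presumably reflects upstream's documented default, so it is worth pointing readers at the HSQLDB documentation for it.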


Index: hsqldb-1.8.0-standard.cfg
===================================================================
RCS file: /cvs/pkgs/rpms/hsqldb/F-7/hsqldb-1.8.0-standard.cfg,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- hsqldb-1.8.0-standard.cfg	10 Oct 2007 18:32:52 -0000	1.1
+++ hsqldb-1.8.0-standard.cfg	4 Dec 2007 20:09:07 -0000	1.2
@@ -84,6 +84,12 @@
 # In particular, you will want to add classpath elements to give access of
 # all of your store procedures (store procedures are documented in the 
 # HSQLDB User Guide in the SQL Syntax chapter.
+#
+# N.B.!
+# If you're adding files to the classpath in order to be able to call them
+# from SQL queries, you will be unable to access them unless you adjust the
+# value of the system property hsqldb.method_class_names. Please see the
+# comments on SERVER_JVMARGS, at the end of this file.
 # SERVER_ADDL_CLASSPATH=/home/blaine/storedprocs.jar:/usr/dev/dbutil/classes
 
 # For TLS encryption for your Server, set these two variables.
@@ -104,4 +110,19 @@
 
 # Any JVM args for the server.
 # For multiple args, put quotes around entire value.
-#SERVER_JVMARGS=-Xmx512m
+#
+# N.B.!
+# The default value of SERVER_JVMARGS sets the system property 
+# hsqldb.method_class_names to be empty. This is in order to lessen the
+# security risk posed by HSQLDB allowing Java method calls in SQL statements.
+# The implications of changing this value (as explained by the authors of
+# HSQLDB) are as follows:
+#     If [it] is not set, then static methods of all available Java classes
+#     can be accessed as functions in HSQLDB. If the property is set, then
+#     only the list of semicolon seperated method names becomes accessible.
+#     An empty property value means no class is accessible.
+# Regardless of the value of hsqldb.method_class_names, methods in
+# org.hsqldb.Library will be accessible.
+# Before making changes to the value below, please be advised of the possible
+# dangers involved in allowing SQL queries to contain Java method calls.
+SERVER_JVMARGS=-Dhsqldb.method_class_names=\"\"
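Review bot: `SERVER_JVMARGS=-Dhsqldb.method_class_names=\"\"` keeps the escaped quote characters in the variable's value when this file is sourced, so unless the start script re-evaluates the value (not visible here) the JVM receives the two-character string `""` as the property value rather than an empty string; the result is still deny-all, since no method is named `""`, but the comment's claim that the property is set "to be empty" is then not literally true. The plain form `SERVER_JVMARGS=-Dhsqldb.method_class_names=` is unambiguous under either interpretation. The quoted upstream text also carries the typo "seperated", and since the list entries are fully qualified method names (the name passed to the check is the resolved Java method, not a class) despite the property being called method_class_names, administrators would benefit from a comment such as `# Entries are fully-qualified static method names, separated by semicolons; see the HSQLDB User Guide for the exact form.`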


Index: hsqldb.spec
===================================================================
RCS file: /cvs/pkgs/rpms/hsqldb/F-7/hsqldb.spec,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- hsqldb.spec	16 Oct 2007 21:55:29 -0000	1.34
+++ hsqldb.spec	4 Dec 2007 20:09:07 -0000	1.35
@@ -52,6 +52,7 @@
 Patch0:     %{name}-1.8.0-scripts.patch
 Patch1:     hsqldb-tmp.patch
 Patch2:     %{name}-1.8.0-specify-su-shell.patch
+Patch3:     %{name}-1.8.0-backport.patch
 Requires:	servletapi5
 Requires(post):   /bin/rm,/bin/ln
 Requires(post):   servletapi5
@@ -133,6 +134,7 @@
 %patch0
 %patch1 -p1
 %patch2
+%patch3 -p1
 
 %build
 export CLASSPATH=$(build-classpath \
@@ -269,6 +271,10 @@
 %{_datadir}/%{name}
 
 %changelog
+* Tue Dec 04 2007 Jon Prindiville <jprindiv at redhat.com> 1.8.0.8-1jpp.5
+ - Backport patch, addressing CVE-2007-4576
+ - Resolves: #303551
+
 * Tue Oct 16 2007 Deepak Bhole <dbhole at redhat.com> 1.8.0.8-1jpp.4
 - Rebuild
 



