rpms/hsqldb/devel hsqldb-1.8.0-backport.patch, NONE, 1.1 hsqldb-1.8.0-standard-server.properties, 1.1, 1.2 hsqldb-1.8.0-standard.cfg, 1.1, 1.2 hsqldb.spec, 1.36, 1.37
Jon Prindiville (jprindiv)
fedora-extras-commits at redhat.com
Tue Dec 4 22:29:14 UTC 2007
Author: jprindiv
Update of /cvs/pkgs/rpms/hsqldb/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv31203
Modified Files:
hsqldb-1.8.0-standard-server.properties
hsqldb-1.8.0-standard.cfg hsqldb.spec
Added Files:
hsqldb-1.8.0-backport.patch
Log Message:
Backport patch, addressing CVE-2007-4576
hsqldb-1.8.0-backport.patch:
--- NEW FILE hsqldb-1.8.0-backport.patch ---
--- hsqldb/src/org/hsqldb/persist/HsqlDatabaseProperties.java.orig 2007-10-19 13:25:36.000000000 -0400
+++ hsqldb/src/org/hsqldb/persist/HsqlDatabaseProperties.java 2007-10-23 14:54:25.000000000 -0400
@@ -44,6 +44,7 @@ import org.hsqldb.lib.Set;
import org.hsqldb.lib.SimpleLog;
import org.hsqldb.lib.java.JavaSystem;
import org.hsqldb.store.ValuePool;
+import org.hsqldb.lib.StringUtil;
/**
* Manages a .properties file for a database.
@@ -53,6 +54,53 @@ import org.hsqldb.store.ValuePool;
* @since 1.7.0
*/
public class HsqlDatabaseProperties extends HsqlProperties {
+ private static String hsqldb_method_class_names =
+ "hsqldb.method_class_names";
+ private static HashSet accessibleJavaMethodNames;
+
+ static {
+ try {
+ String prop = System.getProperty(hsqldb_method_class_names);
+
+ if (prop != null) {
+ accessibleJavaMethodNames = new HashSet();
+
+ String[] names = StringUtil.split(prop, ";");
+
+ for (int i = 0; i < names.length; i++) {
+ accessibleJavaMethodNames.add(names[i]);
+ }
+ }
+ } catch (Exception e) {}
+ }
+
+ /**
+ * If the system property "hsqldb.method_class_names" is not set, then
+ * static methods of all available Java classes can be accessed as functions
+ * in HSQLDB. If the property is set, then only the list of semicolon
+ * seperated method names becomes accessible. An empty property value means
+ * no class is accessible.<p>
+ *
+ * All methods of org.hsqldb.Library are always accessible.
+ *
+ *
+ */
+ public static boolean supportsJavaMethod(String name) {
+
+ if (name.startsWith("org.hsqldb.Library")) {
+ return true;
+ }
+
+ if (accessibleJavaMethodNames == null) {
+ return true;
+ }
+
+ if (accessibleJavaMethodNames.contains(name)) {
+ return true;
+ }
+
+ return false;
+ }
// column number mappings
public static final int indexName = 0;
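Review bot: The whitelist fails open when its static initializer throws: `catch (Exception e) {}` leaves `accessibleJavaMethodNames` null, and `supportsJavaMethod` treats null as "every class is accessible", so e.g. a SecurityException from `System.getProperty` under a SecurityManager would silently grant unrestricted static-method access even though the property was set. Set the list to empty in the catch (`accessibleJavaMethodNames = new HashSet();`) so an initialization failure denies rather than allows, and consider logging it via the already-imported SimpleLog instead of swallowing it. Separately, `name.startsWith("org.hsqldb.Library")` is a bare prefix match and would also admit any class whose name merely begins with that string; `name.startsWith("org.hsqldb.Library.")` with the trailing dot limits the exemption to methods of that one class. Whether such a class exists in the shipped jar cannot be told from here, but a whitelist check should not depend on it.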
--- hsqldb/src/org/hsqldb/Database.java.orig 2007-10-19 13:24:32.000000000 -0400
+++ hsqldb/src/org/hsqldb/Database.java 2007-10-23 14:55:07.000000000 -0400
@@ -473,12 +473,19 @@ public class Database {
* the given method alias. If there is no Java method, then returns the
* alias itself.
*/
- String getJavaName(String s) {
+ String getJavaName(String name) throws HsqlException {
- String alias = (String) hAlias.get(s);
+ String target = (String) hAlias.get(name);
- return (alias == null) ? s
- : alias;
+ if (target == null) {
+ target = name;
+ }
+
+ if (HsqlDatabaseProperties.supportsJavaMethod(target)) {
+ return target;
+ }
+
+ throw Trace.error(Trace.ACCESS_IS_DENIED, target);
}
/**
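Review bot: The javadoc for getJavaName (it begins above the hunk) still describes the old contract, returning the alias target or the name itself, and says nothing about the new failure path; add `@throws HsqlException (Trace.ACCESS_IS_DENIED) if the resolved method is not permitted by hsqldb.method_class_names`. It is also worth stating there that the check is applied to the resolved `target` rather than the alias the caller supplied, so an alias cannot be used to reach a non-whitelisted method; that is what the new code does and it is the property a reader auditing the CVE-2007-4576 fix will look for. Whether every path that invokes a Java method from SQL goes through getJavaName cannot be confirmed from this hunk.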
Index: hsqldb-1.8.0-standard-server.properties
===================================================================
RCS file: /cvs/pkgs/rpms/hsqldb/devel/hsqldb-1.8.0-standard-server.properties,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- hsqldb-1.8.0-standard-server.properties 31 Aug 2007 14:43:58 -0000 1.1
+++ hsqldb-1.8.0-standard-server.properties 4 Dec 2007 22:28:42 -0000 1.2
@@ -9,3 +9,13 @@
server.port 9001
server.no_system_exit true
+
+# Until the following setting is changed, the HSQLDB service will not accept
+# remote connections. Failing to set a value for server.address at all will
+# result in the service binding itself to 0.0.0.0 and accepting remote
+# connections.
+#
+# IT IS STRONGLY ADVISED that before doing this you alter the password of
+# the default account (username "sa"). By default, no password is required
+# to connect to HSQLDB with the "sa" account.
+server.address localhost
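Review bot: The added comment presents the localhost bind as the safeguard, but the passwordless `sa` account stays reachable by every local user on the host regardless of `server.address`, and with Java method calls enabled that is code execution as the service user. I would make the password advice unconditional rather than tied to opening the port, e.g. `# Set a password for the default "sa" account (none by default) BEFORE starting the server; binding to localhost only keeps remote hosts out, not other local users.` The existing wording "before doing this" reads as if the empty password were acceptable while the bind is local-only.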
Index: hsqldb-1.8.0-standard.cfg
===================================================================
RCS file: /cvs/pkgs/rpms/hsqldb/devel/hsqldb-1.8.0-standard.cfg,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- hsqldb-1.8.0-standard.cfg 31 Aug 2007 14:43:58 -0000 1.1
+++ hsqldb-1.8.0-standard.cfg 4 Dec 2007 22:28:42 -0000 1.2
@@ -84,6 +84,12 @@
# In particular, you will want to add classpath elements to give access of
# all of your store procedures (store procedures are documented in the
# HSQLDB User Guide in the SQL Syntax chapter.
+#
+# N.B.!
+# If you're adding files to the classpath in order to be able to call them
+# from SQL queries, you will be unable to access them unless you adjust the
+# value of the system property hsqldb.method_class_names. Please see the
+# comments on SERVER_JVMARGS, at the end of this file.
# SERVER_ADDL_CLASSPATH=/home/blaine/storedprocs.jar:/usr/dev/dbutil/classes
# For TLS encryption for your Server, set these two variables.
@@ -104,4 +110,19 @@
# Any JVM args for the server.
# For multiple args, put quotes around entire value.
-#SERVER_JVMARGS=-Xmx512m
+#
+# N.B.!
+# The default value of SERVER_JVMARGS sets the system property
+# hsqldb.method_class_names to be empty. This is in order to lessen the
+# security risk posed by HSQLDB allowing Java method calls in SQL statements.
+# The implications of changing this value (as explained by the authors of
+# HSQLDB) are as follows:
+# If [it] is not set, then static methods of all available Java classes
+# can be accessed as functions in HSQLDB. If the property is set, then
+# only the list of semicolon seperated method names becomes accessible.
+# An empty property value means no class is accessible.
+# Regardless of the value of hsqldb.method_class_names, methods in
+# org.hsqldb.Library will be accessible.
+# Before making changes to the value below, please be advised of the possible
+# dangers involved in allowing SQL queries to contain Java method calls.
+SERVER_JVMARGS=-Dhsqldb.method_class_names=\"\"
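Review bot: The escaped quotes in `SERVER_JVMARGS=-Dhsqldb.method_class_names=\"\"` make the property's effective value depend on how the init script expands the variable: after plain word splitting the JVM receives the two literal quote characters as the value, and only an `eval` reduces it to the empty string the comment above describes. With the backport's exact-match whitelist both outcomes deny every class (no real method name is `""`), so this is not exploitable, but it is fragile and will confuse anyone extending the list. `SERVER_JVMARGS=-Dhsqldb.method_class_names=` yields an empty property value without relying on the expansion path. The comment should also note that a system property only governs the JVM launched from this file; an application embedding hsqldb in-process presumably has to set it itself.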
Index: hsqldb.spec
===================================================================
RCS file: /cvs/pkgs/rpms/hsqldb/devel/hsqldb.spec,v
retrieving revision 1.36
retrieving revision 1.37
diff -u -r1.36 -r1.37
--- hsqldb.spec 16 Oct 2007 21:57:13 -0000 1.36
+++ hsqldb.spec 4 Dec 2007 22:28:42 -0000 1.37
@@ -38,7 +38,7 @@
Name: hsqldb
Version: 1.8.0.8
-Release: 1jpp.4%{?dist}
+Release: 1jpp.5%{?dist}
Epoch: 1
Summary: Hsqldb Database Engine
License: BSD Style
@@ -52,6 +52,7 @@
Patch0: %{name}-1.8.0-scripts.patch
Patch1: hsqldb-tmp.patch
Patch2: %{name}-1.8.0-specify-su-shell.patch
+Patch3: %{name}-1.8.0-backport.patch
Requires: servletapi5
Requires(post): /bin/rm,/bin/ln
Requires(post): servletapi5
@@ -133,6 +134,7 @@
%patch0
%patch1 -p1
%patch2
+%patch3 -p1
%build
export CLASSPATH=$(build-classpath \
@@ -269,6 +271,9 @@
%{_datadir}/%{name}
%changelog
+* Tue Dec 04 2007 Jon Prindiville <jprindiv at redhat.com> 1.8.0.8-1jpp.5
+- Backport patch, addressing CVE-2007-4576
+
* Tue Oct 16 2007 Deepak Bhole <dbhole at redhat.com> 1.8.0.8-1jpp.4
- Rebuild