[AUTO-CHERRYPICK] Patch javapackages-bootstrap for CVE-2021-36373 [Medium], CVE-2021-36374 [Medium] - branch main (#12666)

Co-authored-by: kgodara912 <kshigodara@outlook.com>

Author: CBL-Mariner-Bot

SPECS/javapackages-bootstrap/CVE-2021-36373.patch

@@ -0,0 +1,122 @@
+From 1fa58fb3a05631cb019340ff429de2c85a214b29 Mon Sep 17 00:00:00 2001
+From: Stefan Bodewig <bodewig@apache.org>
+Date: Sat, 10 Jul 2021 11:10:12 +0200
+Subject: [PATCH] port some fixes from Commons Compress
+
+---
+ .../org/apache/tools/tar/TarInputStream.java  |  7 +++++--
+ .../org/apache/tools/zip/AsiExtraField.java   | 12 +++++++----
+ src/main/org/apache/tools/zip/ZipFile.java    | 20 ++++++++++++++++++-
+ 3 files changed, 32 insertions(+), 7 deletions(-)
+
+diff --git a/src/main/org/apache/tools/tar/TarInputStream.java b/src/main/org/apache/tools/tar/TarInputStream.java
+index 0477d5c..71e4cc0 100644
+--- a/src/main/org/apache/tools/tar/TarInputStream.java
++++ b/src/main/org/apache/tools/tar/TarInputStream.java
+@@ -436,11 +436,13 @@ public class TarInputStream extends FilterInputStream {
+                             String keyword = coll.toString("UTF-8");
+                             // Get rest of entry
+                             final int restLen = len - read;
+-                            byte[] rest = new byte[restLen];
++                            ByteArrayOutputStream bos = new ByteArrayOutputStream();
+                             int got = 0;
+                             while (got < restLen && (ch = i.read()) != -1) {
+-                                rest[got++] = (byte) ch;
++                                bos.write((byte) ch);
++                                got++;
+                             }
++                            bos.close();
+                             if (got != restLen) {
+                                 throw new IOException("Failed to read "
+                                                       + "Paxheader. Expected "
+@@ -448,6 +450,7 @@ public class TarInputStream extends FilterInputStream {
+                                                       + " bytes, read "
+                                                       + got);
+                             }
++                            byte[] rest = bos.toByteArray();
+                             // Drop trailing NL
+                             String value = new String(rest, 0,
+                                                       restLen - 1, StandardCharsets.UTF_8);
+diff --git a/src/main/org/apache/tools/zip/AsiExtraField.java b/src/main/org/apache/tools/zip/AsiExtraField.java
+index 8afddb5..fdd81c6 100644
+--- a/src/main/org/apache/tools/zip/AsiExtraField.java
++++ b/src/main/org/apache/tools/zip/AsiExtraField.java
+@@ -307,14 +307,18 @@ public class AsiExtraField implements ZipExtraField, UnixStat, Cloneable {
+ 
+         int newMode = ZipShort.getValue(tmp, 0);
+         // CheckStyle:MagicNumber OFF
+-        byte[] linkArray = new byte[(int) ZipLong.getValue(tmp, 2)];
++        final int linkArrayLength = (int) ZipLong.getValue(tmp, 2);
++        if (linkArrayLength < 0 || linkArrayLength > tmp.length - 10) {
++            throw new ZipException("Bad symbolic link name length " + linkArrayLength
++                + " in ASI extra field");
++        }
+         uid = ZipShort.getValue(tmp, 6);
+         gid = ZipShort.getValue(tmp, 8);
+-
+-        if (linkArray.length == 0) {
++        if (linkArrayLength == 0) {
+             link = "";
+         } else {
+-            System.arraycopy(tmp, 10, linkArray, 0, linkArray.length);
++            final byte[] linkArray = new byte[linkArrayLength];
++            System.arraycopy(tmp, 10, linkArray, 0, linkArrayLength);
+             link = new String(linkArray); // Uses default charset - see class Javadoc
+         }
+         // CheckStyle:MagicNumber ON
+diff --git a/src/main/org/apache/tools/zip/ZipFile.java b/src/main/org/apache/tools/zip/ZipFile.java
+index dfb6bcf..8806ae7 100644
+--- a/src/main/org/apache/tools/zip/ZipFile.java
++++ b/src/main/org/apache/tools/zip/ZipFile.java
+@@ -541,6 +541,9 @@ public class ZipFile implements Closeable {
+         ze.setExternalAttributes(ZipLong.getValue(CFH_BUF, off));
+         off += WORD;
+ 
++        if (archive.length() - archive.getFilePointer() < fileNameLen) {
++            throw new EOFException();
++        }
+         final byte[] fileName = new byte[fileNameLen];
+         archive.readFully(fileName);
+         ze.setName(entryEncoding.decode(fileName), fileName);
+@@ -550,12 +553,18 @@ public class ZipFile implements Closeable {
+         // data offset will be filled later
+         entries.add(ze);
+ 
++        if (archive.length() - archive.getFilePointer() < extraLen) {
++            throw new EOFException();
++        }
+         final byte[] cdExtraData = new byte[extraLen];
+         archive.readFully(cdExtraData);
+         ze.setCentralDirectoryExtra(cdExtraData);
+ 
+         setSizesAndOffsetFromZip64Extra(ze, offset, diskStart);
+ 
++        if (archive.length() - archive.getFilePointer() < commentLen) {
++            throw new EOFException();
++        }
+         final byte[] comment = new byte[commentLen];
+         archive.readFully(comment);
+         ze.setComment(entryEncoding.decode(comment));
+@@ -881,9 +890,18 @@ public class ZipFile implements Closeable {
+                 }
+                 lenToSkip -= skipped;
+             }
++            if (archive.length() - archive.getFilePointer() < extraFieldLen) {
++                throw new EOFException();
++            }
+             final byte[] localExtraData = new byte[extraFieldLen];
+             archive.readFully(localExtraData);
+-            ze.setExtra(localExtraData);
++            try {
++                ze.setExtra(localExtraData);
++            } catch (RuntimeException ex) {
++                final ZipException z = new ZipException("Invalid extra data in entry " + ze.getName());
++                z.initCause(ex);
++                throw z;
++            }
+             offsetEntry.dataOffset = offset + LFH_OFFSET_FOR_FILENAME_LENGTH
+                 + SHORT + SHORT + fileNameLen + extraFieldLen;
+ 
+-- 
+2.34.1
+

SPECS/javapackages-bootstrap/CVE-2021-36374.nopatch

@@ -0,0 +1 @@
+# Addressed as part of CVE-2021-36373.patch

SPECS/javapackages-bootstrap/javapackages-bootstrap.spec

@@ -13,7 +13,7 @@
 
 Name:           javapackages-bootstrap
 Version:        1.5.0
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        A means of bootstrapping Java Packages Tools
 # For detailed info see the file javapackages-bootstrap-PACKAGE-LICENSING
 License:        ASL 2.0 and ASL 1.1 and (ASL 2.0 or EPL-2.0) and (EPL-2.0 or GPLv2 with exceptions) and MIT and (BSD with advertising) and BSD-3-Clause and EPL-1.0 and EPL-2.0 and CDDL-1.0 and xpp and CC0 and Public Domain
@@ -140,6 +140,7 @@ Patch0:         0001-Bind-to-OpenJDK-11-for-runtime.patch
 Patch1:         0001-Remove-usage-of-ArchiveStreamFactory.patch
 Patch2:         CVE-2023-37460.patch
 Patch3:         Internal-Java-API.patch
+Patch4:         CVE-2021-36373.patch
 
 Provides:       bundled(ant) = 1.10.9
 Provides:       bundled(apache-parent) = 23
@@ -300,6 +301,10 @@ pushd "downstream/plexus-archiver"
 %patch2 -p1 
 popd
 
+pushd "downstream/ant"
+%patch4 -p1
+popd
+
 # remove guava.xml from javapackage-bootstrap 1.5.0
 # import guava.xml 32.1.3 from Fedora 40
 # edit version from guava.properties
@@ -384,6 +389,9 @@ sed -i 's|/usr/lib/jvm/java-11-openjdk|%{java_home}|' %{buildroot}%{launchersPat
 %doc AUTHORS
 
 %changelog
+* Wed Feb 26 2025 Kshitiz Godara <kgodara@microsoft.com> - 1.5.0-6
+- Patch CVE-2021-36373 and CVE-2021-36374.
+
 * Fri Mar 22 2024 Riken Maharjan <rmaharjan@microsoft.com> - 1.5.0-5
 - Update Guava to fix CVE-2023-2976 using Fedora 40 (License: MIT).