[AUTO-CHERRYPICK] Patch javapackages-bootstrap for CVE-2024-25710 [HIGH] - branch 3.0-dev (#13986)

Co-authored-by: Sudipta Pandit <sudpandit@microsoft.com>
Co-authored-by: Pawel Winogrodzki <pawelwi@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>

Author: 4 people

SPECS/javapackages-bootstrap/CVE-2024-25710.patch

@@ -0,0 +1,52 @@
+From 74d2bf8a7f2ad282ebd0055c0f41ed2e6d1f5ea5 Mon Sep 17 00:00:00 2001
+From: Sudipta Pandit <sudpandit@microsoft.com>
+Date: Fri, 16 May 2025 17:10:24 +0530
+Subject: [PATCH] Backport patch for CVE-2024-25710
+
+Upstream Reference: https://github.com/apache/commons-compress/commit/8a9a5847c04ae39a1d45b365f8bb82022466067d
+---
+ .../commons/compress/archivers/dump/DumpArchiveUtil.java    | 6 ++++++
+ .../commons/compress/archivers/dump/TapeInputStream.java    | 3 +++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/src/main/java/org/apache/commons/compress/archivers/dump/DumpArchiveUtil.java b/src/main/java/org/apache/commons/compress/archivers/dump/DumpArchiveUtil.java
+index 80cd93588..0484d329b 100644
+--- a/src/main/java/org/apache/commons/compress/archivers/dump/DumpArchiveUtil.java
++++ b/src/main/java/org/apache/commons/compress/archivers/dump/DumpArchiveUtil.java
+@@ -83,6 +83,9 @@ public static final long convert64(final byte[] buffer, final int offset) {
+      */
+     static String decode(final ZipEncoding encoding, final byte[] b, final int offset, final int len)
+         throws IOException {
++        if (offset > offset + len) {
++            throw new IOException("Invalid offset/length combination");
++        }
+         return encoding.decode(Arrays.copyOfRange(b, offset, offset + len));
+     }
+ 
+@@ -103,6 +106,9 @@ public static final int getIno(final byte[] buffer) {
+      * @return Whether the buffer contains a tape segment header.
+      */
+     public static final boolean verify(final byte[] buffer) {
++        if (buffer == null) {
++            return false;
++        }
+         // verify magic. for now only accept NFS_MAGIC.
+         final int magic = convert32(buffer, 24);
+ 
+diff --git a/src/main/java/org/apache/commons/compress/archivers/dump/TapeInputStream.java b/src/main/java/org/apache/commons/compress/archivers/dump/TapeInputStream.java
+index 08d23f7f3..85735a189 100644
+--- a/src/main/java/org/apache/commons/compress/archivers/dump/TapeInputStream.java
++++ b/src/main/java/org/apache/commons/compress/archivers/dump/TapeInputStream.java
+@@ -311,6 +311,9 @@ public void resetBlockSize(final int recsPerBlock, final boolean isCompressed)
+                 + " records found, must be at least 1");
+         }
+         blockSize = RECORD_SIZE * recsPerBlock;
++        if (blockSize < 1) {
++            throw new IOException("Block size cannot be less than or equal to 0: " + blockSize);
++        }
+ 
+         // save first block in case we need it again
+         final byte[] oldBuffer = blockBuffer;
+-- 
+2.34.1
+

SPECS/javapackages-bootstrap/javapackages-bootstrap.spec

@@ -19,7 +19,7 @@
 
 Name:           javapackages-bootstrap
 Version:        1.14.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        A means of bootstrapping Java Packages Tools
 # For detailed info see the file javapackages-bootstrap-PACKAGE-LICENSING
 License:        ASL 2.0 and ASL 1.1 and (ASL 2.0 or EPL-2.0) and (EPL-2.0 or GPLv2 with exceptions) and MIT and (BSD with advertising) and BSD-3-Clause and EPL-1.0 and EPL-2.0 and CDDL-1.0 and xpp and CC0 and Public Domain
@@ -154,6 +154,8 @@ Source1118:     xmvn-jpb-4.2.0.tar.xz
 Source1119:     xmvn-generator-1.2.1.tar.xz
 Source1120:     xz-java-1.9.tar.xz
 
+Patch0:       CVE-2024-25710.patch
+
 Provides:     bundled(ant) = 1.10.14
 Provides:     bundled(aopalliance) = 1.0
 Provides:     bundled(apache-pom) = 30
@@ -316,6 +318,10 @@ do
   tar -xf "${source}"
 done
 
+pushd "downstream/commons-compress"
+%patch -P 0 -p1
+popd
+
 for patch_path in patches/*/*
 do
   package_name="$(echo ${patch_path} | cut -f2 -d/)"
@@ -402,6 +408,9 @@ sed -i s/_xmvngen_/_jpbgen_/ %{buildroot}%{_fileattrsdir}/jpbgen.attr
 %doc AUTHORS
 
 %changelog
+* Fri May 16 2025 Sudipta Pandit <sudpandit@microsoft.com> - 1.14.0-3
+- Add backported patch for CVE-2024-25710
+
 * Thu Mar 21 2024 Riken Maharjan <rmaharjan@microsoft.com> - 1.14.0-2
 - Change JAVA_HOME for xmvn to be msopenjdk location.
 - Upgrade to 1.14.0 - azl 3.0