Fix CVE-2023-36617 by patching plexus-archiver (#5996)

SPECS/javapackages-bootstrap/CVE-2023-37460.patch

@@ -0,0 +1,60 @@
+From ac60706ff2e9c4241f792b5f2fea6d1197b6dc70 Mon Sep 17 00:00:00 2001
+From: Saul Paredes <saulparedes@microsoft.com>
+Date: Fri, 11 Aug 2023 12:00:58 -0700
+Subject: [PATCH] Avoid override target symlink by standard file in
+ AbstractUnArchiver
+
+---
+ .../plexus/archiver/AbstractUnArchiver.java        | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/src/main/java/org/codehaus/plexus/archiver/AbstractUnArchiver.java b/src/main/java/org/codehaus/plexus/archiver/AbstractUnArchiver.java
+index 41f6c8c..f40aab9 100644
+--- a/src/main/java/org/codehaus/plexus/archiver/AbstractUnArchiver.java
++++ b/src/main/java/org/codehaus/plexus/archiver/AbstractUnArchiver.java
+@@ -21,7 +21,6 @@
+ import java.io.FileOutputStream;
+ import java.io.IOException;
+ import java.io.InputStream;
+-import java.io.OutputStream;
+ import java.util.ArrayList;
+ import java.util.Date;
+ import java.util.List;
+@@ -32,8 +31,9 @@
+ import org.codehaus.plexus.components.io.resources.PlexusIoResource;
+ import org.codehaus.plexus.logging.AbstractLogEnabled;
+ import org.codehaus.plexus.util.FileUtils;
+-import org.codehaus.plexus.util.IOUtil;
+ import org.codehaus.plexus.util.StringUtils;
++import static java.nio.file.StandardCopyOption.REPLACE_EXISTING;
++import java.nio.file.Files;
+ 
+ // TODO there should really be constructors which take the source file.
+ 
+@@ -336,6 +336,11 @@ protected void extractFile( final File srcF, final File dir, final InputStream c
+         String canonicalDirPath = dir.getCanonicalPath();
+         String canonicalDestPath = f.getCanonicalPath();
+ 
++        // don't allow override target symlink by standard file
++        if (StringUtils.isEmpty(symlinkDestination) && Files.isSymbolicLink(f.getCanonicalFile().toPath())) {
++            throw new ArchiverException("Entry is outside of the target directory (" + entryName + ")");
++        }
++
+         if ( !canonicalDestPath.startsWith( canonicalDirPath ) )
+         {
+             throw new ArchiverException( "Entry is outside of the target directory (" + entryName + ")" );
+@@ -365,10 +370,7 @@ else if ( isDirectory )
+             }
+             else
+             {
+-                try ( OutputStream out = new FileOutputStream( f ) )
+-                {
+-                    IOUtil.copy( compressedInputStream, out );
+-                }
++                Files.copy(compressedInputStream, f.toPath(), REPLACE_EXISTING);
+             }
+ 
+             f.setLastModified( entryDate.getTime() );
+-- 
+2.25.1
+

SPECS/javapackages-bootstrap/javapackages-bootstrap.spec

@@ -13,7 +13,7 @@
 
 Name:           javapackages-bootstrap
 Version:        1.5.0
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        A means of bootstrapping Java Packages Tools
 # For detailed info see the file javapackages-bootstrap-PACKAGE-LICENSING
 License:        ASL 2.0 and ASL 1.1 and (ASL 2.0 or EPL-2.0) and (EPL-2.0 or GPLv2 with exceptions) and MIT and (BSD with advertising) and BSD-3-Clause and EPL-1.0 and EPL-2.0 and CDDL-1.0 and xpp and CC0 and Public Domain
@@ -137,6 +137,7 @@ Source1108:     xz-java.tar.xz
 
 Patch0:         0001-Bind-to-OpenJDK-11-for-runtime.patch
 Patch1:         0001-Remove-usage-of-ArchiveStreamFactory.patch
+Patch2:         CVE-2023-37460.patch
 
 Provides:       bundled(ant) = 1.10.9
 Provides:       bundled(apache-parent) = 23
@@ -292,6 +293,10 @@ pushd "downstream/commons-compress"
 %patch1 -p1 
 popd
 
+pushd "downstream/plexus-archiver"
+%patch2 -p1 
+popd
+
 for patch_path in patches/*/*
 do
   package_name="$(echo ${patch_path} | cut -f2 -d/)"
@@ -359,6 +364,9 @@ sed -i 's|/usr/lib/jvm/java-11-openjdk|%{java_home}|' %{buildroot}%{launchersPat
 %doc AUTHORS
 
 %changelog
+* Fri Aug 11 2023 Saul Paredes <saulparedes@microsoft.com> - 1.5.0-4
+- Patch plexus-archiver to fix CVE-2023-37460
+
 * Wed Apr 05 2023 Riken Maharjan <rmaharjan@microsoft.com> - 1.5.0-3
 - Update commons-compress to 1.21