From 51bd2aa9f1dc9c7b7c4952cadf16b3f13f40709c Mon Sep 17 00:00:00 2001 From: Jochen Schmitt Date: Tue, 30 Apr 2013 17:04:24 +0200 Subject: [PATCH 1/4] fix broken changelog --- clojure.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/clojure.spec b/clojure.spec index e118882..6a680e2 100644 --- a/clojure.spec +++ b/clojure.spec @@ -84,6 +84,9 @@ rm -rf %{buildroot} %{_bindir}/%{name} %changelog +* Tue Apr 30 2013 Jochen Schmitt - 1:1.5.1-1 +- New upstream release. + * Sat Mar 2 2013 Jochen Schmitt - 1:1.5.0-1 - New upstream release From a825644ccee84c0b1951efb632416233669e04f8 Mon Sep 17 00:00:00 2001 From: Markku Korkeala Date: Thu, 2 Apr 2020 21:44:39 +0300 Subject: [PATCH 2/4] New upstream release. Replace add_maven_depmap macros with mvn_artifact and mvn_install --- .gitignore | 1 + clojure.spec | 30 +++++++++++------------------- sources | 2 +- 3 files changed, 13 insertions(+), 20 deletions(-) diff --git a/.gitignore b/.gitignore index f871958..e1f132a 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,4 @@ /clojure-clojure-1.5.0-RC1.zip /clojure-1.5.0.zip /clojure-1.5.1.zip +/clojure-1.8.0.zip diff --git a/clojure.spec b/clojure.spec index 6a680e2..96d234c 100644 --- a/clojure.spec +++ b/clojure.spec @@ -5,12 +5,12 @@ Name: clojure Epoch: 1 -Version: 1.5.1 +Version: 1.8.0 Release: 1%{?dist} Summary: A dynamic programming language that targets the Java Virtual Machine Group: Development/Languages -License: EPL +License: EPL-1.0 URL: http://clojure.org/ Source0: https://github.com/%{name}/%{name}/archive/%{name}-%{version}.zip @@ -23,6 +23,7 @@ BuildRequires: ant >= 1.6 BuildRequires: jpackage-utils >= 1.5 BuildRequires: objectweb-asm BuildRequires: java-devel >= 1:1.6.0 +BuildRequires: sonatype-oss-parent Requires: jpackage-utils Requires: java >= 1:1.6 
@@ -46,6 +47,8 @@ can avoid reflection. %build ant -Dmaven.test.skip=1 +%mvn_artifact pom.xml %{name}.jar + %install # jar - link to prefix'd jar so that java stuff knows where to look install -d -m 755 %{buildroot}%{_javadir} @@ -57,33 +60,22 @@ install -pm 644 pom.xml %{buildroot}%{_mavenpomdir}/JPP-%{name}.pom install -d -m 755 %{buildroot}%{_bindir} install -pm 755 %{SOURCE1} %{buildroot}%{_bindir}/%{name} -%if 0%{?add_maven_depmap:1} -%add_maven_depmap JPP-%{name}.pom %{name}.jar -%else -# some systems like RHEL do not have add_maven_depmap defined -# - probably don't need JPP/%{name} -- do we? -%add_to_maven_depmap %{groupId} %{artifactId} %{version} JPP %{name} -%endif +%mvn_install %clean rm -rf %{buildroot} -%if 0%{?rhel} -%post -%update_maven_depmap - -%postun -%update_maven_depmap -%endif - -%files +%files -f .mfiles %doc epl-v10.html changes.md readme.txt %{_mavenpomdir}/* -%{_mavendepmapfragdir}/* %{_javadir}/%{name}.jar %{_bindir}/%{name} %changelog +* Thu Apr 2 2020 Markku Korkeala - 1:1.8.0-1 +- New upstream release. +- Replace add_maven_depmap macros with mvn_artifact and mvn_install + * Tue Apr 30 2013 Jochen Schmitt - 1:1.5.1-1 - New upstream release. diff --git a/sources b/sources index a0c9c95..f59d194 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -f46d49e5d26f776e2971473d70cf416f clojure-1.5.1.zip +SHA512 (clojure-1.8.0.zip) = 36d95213f35ba182d8f3efb4753a50078a0f19a4ef9084c10c300ea075d11ba7d92dec51347afc5c23424800b9c75f9fcc363b23ead4f836ed193d8913ade0e4 From eef5e014bd744416186358dbfeff6fad90dcb1c4 Mon Sep 17 00:00:00 2001 From: Markku Korkeala Date: Sat, 27 Jan 2024 12:02:34 +0200 Subject: [PATCH 3/4] Add patch clj-2204 to mitigate CVE-2017-20189. --- clj-2204-disable-proxy-serialization.patch | 224 +++++++++++++++++++++ clj-2204.patch | 25 +++ clojure.spec | 11 +- 3 files changed, 259 insertions(+), 1 deletion(-) create mode 100644 clj-2204-disable-proxy-serialization.patch create mode 100644 clj-2204.patch 
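Review bot: In the `%files` hunk, `%files -f .mfiles` is added but the explicit `%{_mavenpomdir}/*` and `%{_javadir}/%{name}.jar` entries stay, and `%install` still copies `pom.xml` to `JPP-%{name}.pom` by hand before `%mvn_install`. If `.mfiles` already lists the jar and POM that `%mvn_install` places, those files end up listed twice or shipped under two names. I would drop the two explicit entries and the manual POM `install` line, keeping only `%doc` and `%{_bindir}/%{name}` next to `-f .mfiles`. The contents of `.mfiles` are not visible here, so check the built package's file list before removing anything.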
diff --git a/clj-2204-disable-proxy-serialization.patch b/clj-2204-disable-proxy-serialization.patch
new file mode 100644
index 0000000..5edbe4a
--- /dev/null
+++ b/clj-2204-disable-proxy-serialization.patch
@@ -0,0 +1,224 @@ +From c8d42afb5ec4fb5e2267aab3fb2d3af4a40df5d9 Mon Sep 17 00:00:00 2001 +From: Chouser +Date: Mon, 17 Jul 2017 23:04:41 -0400 +Subject: [PATCH] CLJ-2204 Disable serialization of proxy classes + +--- + src/clj/clojure/core_proxy.clj | 20 ++++++++++++++++++- + test/clojure/test_clojure/java_interop.clj | 31 +++++++++++++++++++++++++++++- + 2 files changed, 49 insertions(+), 2 deletions(-) + +diff --git a/src/clj/clojure/core_proxy.clj b/src/clj/clojure/core_proxy.clj +index 813c8bb..70d0528 100644 +--- a/src/clj/clojure/core_proxy.clj ++++ b/src/clj/clojure/core_proxy.clj +@@ -1,30 +1,31 @@ + ; Copyright (c) Rich Hickey. All rights reserved. + ; The use and distribution terms for this software are covered by the + ; Eclipse Public License 1.0 (http://opensource.org/licenses/eclipse-1.0.php) + ; which can be found in the file epl-v10.html at the root of this distribution. + ; By using this software in any fashion, you are agreeing to be bound by + ; the terms of this license. + ; You must not remove this notice, or any other, from this software. + + (in-ns 'clojure.core) + + ;;;;;;;;;;;;;;;;;;;;;;;;;;;; proxy ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + + (import + '(clojure.asm ClassWriter ClassVisitor Opcodes Type) + '(java.lang.reflect Modifier Constructor) ++ '(java.io Serializable NotSerializableException) + '(clojure.asm.commons Method GeneratorAdapter) + '(clojure.lang IProxy Reflector DynamicClassLoader IPersistentMap PersistentHashMap RT)) + + (defn method-sig [^java.lang.reflect.Method meth] + [(. meth (getName)) (seq (. meth (getParameterTypes))) (. meth getReturnType)]) + + (defn- most-specific [rtypes] + (or (some (fn [t] (when (every? #(isa? t %) rtypes) t)) rtypes) + (throw (Exception. "Incompatible return types")))) + + (defn- group-by-sig [coll] + "takes a collection of [msig meth] and returns a seq of maps from return-types to meths." 
+ (vals (reduce1 (fn [m [msig meth]] + (let [rtype (peek msig) + argsig (pop msig)] +@@ -32,31 +33,32 @@ + {} coll))) + + (defn proxy-name + {:tag String} + [^Class super interfaces] + (let [inames (into1 (sorted-set) (map #(.getName ^Class %) interfaces))] + (apply str (.replace (str *ns*) \- \_) ".proxy" + (interleave (repeat "$") + (concat + [(.getName super)] + (map #(subs % (inc (.lastIndexOf ^String % "."))) inames) + [(Integer/toHexString (hash inames))]))))) + + (defn- generate-proxy [^Class super interfaces] + (let [cv (new ClassWriter (. ClassWriter COMPUTE_MAXS)) +- cname (.replace (proxy-name super interfaces) \. \/) ;(str "clojure/lang/" (gensym "Proxy__")) ++ pname (proxy-name super interfaces) ++ cname (.replace pname \. \/) ;(str "clojure/lang/" (gensym "Proxy__")) + ctype (. Type (getObjectType cname)) + iname (fn [^Class c] (.. Type (getType c) (getInternalName))) + fmap "__clojureFnMap" + totype (fn [^Class c] (. Type (getType c))) + to-types (fn [cs] (if (pos? (count cs)) + (into-array (map totype cs)) + (make-array Type 0))) + super-type ^Type (totype super) + imap-type ^Type (totype IPersistentMap) + ifn-type (totype clojure.lang.IFn) + obj-type (totype Object) + sym-type (totype clojure.lang.Symbol) + rt-type (totype clojure.lang.RT) + ex-type (totype java.lang.UnsupportedOperationException) + gen-bridge +@@ -136,30 +138,46 @@ + ;add ctors matching/calling super's + (doseq [^Constructor ctor (. super (getDeclaredConstructors))] + (when-not (. Modifier (isPrivate (. ctor (getModifiers)))) + (let [ptypes (to-types (. ctor (getParameterTypes))) + m (new Method "" (. Type VOID_TYPE) ptypes) + gen (new GeneratorAdapter (. Opcodes ACC_PUBLIC) m nil nil cv)] + (. gen (visitCode)) + ;call super ctor + (. gen (loadThis)) + (. gen (dup)) + (. gen (loadArgs)) + (. gen (invokeConstructor super-type m)) + + (. gen (returnValue)) + (. gen (endMethod))))) ++ ;disable serialization ++ (when (some #(isa? % Serializable) (cons super interfaces)) ++ (let [m (. 
Method (getMethod "void writeObject(java.io.ObjectOutputStream)")) ++ gen (new GeneratorAdapter (. Opcodes ACC_PRIVATE) m nil nil cv)] ++ (. gen (visitCode)) ++ (. gen (loadThis)) ++ (. gen (loadArgs)) ++ (. gen (throwException (totype NotSerializableException) pname)) ++ (. gen (endMethod))) ++ (let [m (. Method (getMethod "void readObject(java.io.ObjectInputStream)")) ++ gen (new GeneratorAdapter (. Opcodes ACC_PRIVATE) m nil nil cv)] ++ (. gen (visitCode)) ++ (. gen (loadThis)) ++ (. gen (loadArgs)) ++ (. gen (throwException (totype NotSerializableException) pname)) ++ (. gen (endMethod)))) + ;add IProxy methods + (let [m (. Method (getMethod "void __initClojureFnMappings(clojure.lang.IPersistentMap)")) + gen (new GeneratorAdapter (. Opcodes ACC_PUBLIC) m nil nil cv)] + (. gen (visitCode)) + (. gen (loadThis)) + (. gen (loadArgs)) + (. gen (putField ctype fmap imap-type)) + + (. gen (returnValue)) + (. gen (endMethod))) + (let [m (. Method (getMethod "void __updateClojureFnMappings(clojure.lang.IPersistentMap)")) + gen (new GeneratorAdapter (. Opcodes ACC_PUBLIC) m nil nil cv)] + (. gen (visitCode)) + (. gen (loadThis)) + (. gen (dup)) +diff --git a/test/clojure/test_clojure/java_interop.clj b/test/clojure/test_clojure/java_interop.clj +index 86ba5ca..44b5c70 100644 +--- a/test/clojure/test_clojure/java_interop.clj ++++ b/test/clojure/test_clojure/java_interop.clj +@@ -1,28 +1,29 @@ + ; Copyright (c) Rich Hickey. All rights reserved. + ; The use and distribution terms for this software are covered by the + ; Eclipse Public License 1.0 (http://opensource.org/licenses/eclipse-1.0.php) + ; which can be found in the file epl-v10.html at the root of this distribution. + ; By using this software in any fashion, you are agreeing to be bound by + ; the terms of this license. + ; You must not remove this notice, or any other, from this software. 
+ + ; Author: Frantisek Sodomka + + + (ns clojure.test-clojure.java-interop +- (:use clojure.test)) ++ (:use clojure.test) ++ (:require [clojure.inspector])) + + ; http://clojure.org/java_interop + ; http://clojure.org/compilation + + + (deftest test-dot + ; (.instanceMember instance args*) + (are [x] (= x "FRED") + (.toUpperCase "fred") + (. "fred" toUpperCase) + (. "fred" (toUpperCase)) ) + + (are [x] (= x true) + (.startsWith "abcde" "ab") + (. "abcde" startsWith "ab") +@@ -159,30 +160,58 @@ + (testing "That the proxy functions can chain" + (are [x y] (= x y) + (-> (get-proxy-class Object) + construct-proxy + (init-proxy {}) + (update-proxy {"toString" (fn [_] "chain chain chain")}) + str) + "chain chain chain" + + (-> (proxy [Object] [] (toString [] "superfuzz bigmuff")) + (update-proxy {"toString" (fn [_] "chain chain chain")}) + str) + "chain chain chain"))) + + ++;; serialized-proxy can be regenerated using a modified version of ++;; Clojure with the proxy serialization prohibition disabled and the ++;; following code: ++#_(let [baos (java.io.ByteArrayOutputStream.) ] ++ (with-open [baos baos] ++ (.writeObject (java.io.ObjectOutputStream. baos) (clojure.inspector/list-model nil))) ++ (println (apply str (for [c (String. 
(.toByteArray baos) "ISO-8859-1")] ++ (if (<= 32 (int c) (int \z)) c (format "\\%03o" (int c))))))) ++(def serialized-proxy "\254\355\000\005sr\000Eclojure.inspector.proxy$javax.swing.table.AbstractTableModel$ff19274art\330\266_\010ME\002\000\001L\000\016__clojureFnMapt\000\035Lclojure/lang/IPersistentMap;xr\000$javax.swing.table.AbstractTableModelr\313\3538\256\001\377\276\002\000\001L\000\014listenerListt\000%Ljavax/swing/event/EventListenerList;xpsr\000#javax.swing.event.EventListenerList\2616\306\175\204\352\326D\003\000\000xppxsr\000\037clojure.lang.PersistentArrayMap\3437p\017\230\305\364\337\002\000\002L\000\005_metaq\000\176\000\001[\000\005arrayt\000\023[Ljava/lang/Object;xr\000\033clojure.lang.APersistentMap]\174/\003t r\173\002\000\002I\000\005_hashI\000\007_hasheqxp\000\000\000\000\000\000\000\000pur\000\023[Ljava.lang.Object;\220\316X\237\020s)l\002\000\000xp\000\000\000\006t\000\016getColumnCountsr\000%clojure.inspector$list_model$fn__8816H\252\320\325b\371!+\002\000\000xr\000\026clojure.lang.AFunction>\006p\234\236F\375\313\002\000\001L\000\021__methodImplCachet\000\036Lclojure/lang/MethodImplCache;xppt\000\013getRowCountsr\000%clojure.inspector$list_model$fn__8818-\037I\247\234/U\226\002\000\001L\000\005nrowst\000\022Ljava/lang/Object;xq\000\176\000\017ppt\000\012getValueAtsr\000%clojure.inspector$list_model$fn__8820\323\331\174ke\233\370\034\002\000\002L\000\011get_labelq\000\176\000\024L\000\011get_valueq\000\176\000\024xq\000\176\000\017ppp") ++ ++(deftest test-proxy-non-serializable ++ (testing "That proxy classes refuse serialization and deserialization" ++ ;; Serializable listed directly in interface list: ++ (is (thrown? java.io.NotSerializableException ++ (-> (java.io.ByteArrayOutputStream.) ++ (java.io.ObjectOutputStream.) ++ (.writeObject (proxy [Object java.io.Serializable] []))))) ++ ;; Serializable included via inheritence: ++ (is (thrown? java.io.NotSerializableException ++ (-> (java.io.ByteArrayOutputStream.) 
++ (java.io.ObjectOutputStream.) ++ (.writeObject (clojure.inspector/list-model nil))))) ++ ;; Deserialization also prohibited: ++ (is (thrown? java.io.NotSerializableException ++ (-> serialized-proxy (.getBytes "ISO-8859-1") ++ java.io.ByteArrayInputStream. java.io.ObjectInputStream. ++ .readObject))))) ++ + (deftest test-bases + (are [x y] (= x y) + (bases java.lang.Math) + (list java.lang.Object) + (bases java.util.Collection) + (list java.lang.Iterable) + (bases java.lang.Object) + nil + (bases java.lang.Comparable) + nil + (bases java.lang.Integer) + (list java.lang.Number java.lang.Comparable) )) + + (deftest test-supers + (are [x y] (= x y) +-- +2.9.3 + diff --git a/clj-2204.patch b/clj-2204.patch new file mode 100644 index 0000000..9a535f2 --- /dev/null +++ b/clj-2204.patch @@ -0,0 +1,25 @@ +From 3f5cf94eeac638a2993c98c786983918af5b8bbd Mon Sep 17 00:00:00 2001 +From: Alex Miller +Date: Wed, 12 Jul 2017 07:09:00 -0500 +Subject: [PATCH] CLJ-2204 Avoid AOT compilation of clojure.inspector which + creates classes susceptible to deserialization attacks + +--- + build.xml | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/build.xml b/build.xml +index 0762853..dc38628 100644 +--- a/build.xml ++++ b/build.xml +@@ -64,7 +64,6 @@ + + + +- + + + +-- +2.9.0 + diff --git a/clojure.spec b/clojure.spec index 96d234c..8ac6f57 100644 --- a/clojure.spec +++ b/clojure.spec @@ -6,7 +6,7 @@ Name: clojure Epoch: 1 Version: 1.8.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A dynamic programming language that targets the Java Virtual Machine Group: Development/Languages @@ -16,6 +16,10 @@ Source0: https://github.com/%{name}/%{name}/archive/%{name}-%{version}.zi Source1: clojure.sh +# Backport clj-2204, https://clojure.atlassian.net/browse/CLJ-2204 +Patch1: clj-2204-disable-proxy-serialization.patch +Patch2: clj-2204.patch + BuildArch: noarch BuildRequires: maven-local 
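Review bot: The new guard in `generate-proxy` emits only private `writeObject`/`readObject` stubs, and Java serialization does not consult those hooks for `java.io.Externalizable` types, which still satisfy the `(isa? % Serializable)` check but are written and read through `writeExternal`/`readExternal`. As far as this hunk shows, a proxy over an Externalizable superclass may therefore not be refused; a case for it next to `test-proxy-non-serializable` would settle the question either way. Separately, `(. gen (loadThis))` and `(. gen (loadArgs))` before `throwException` push values that are never used and can be dropped from both stubs. `generate-proxy` starts and ends outside the hunk.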
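Review bot: The comment above `Patch1`/`Patch2` names only the upstream ticket, while the CVE is mentioned in the changelog alone. Naming it where the patches are declared, e.g. `# Backport CLJ-2204 (CVE-2017-20189), https://clojure.atlassian.net/browse/CLJ-2204`, lets a later rebase see at a glance which patches are security fixes and must not be dropped until the packaged version contains them.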
@@ -43,6 +47,8 @@ can avoid reflection. %prep %setup -q -n %{archivename}-%{version} +%patch -P 1 -p1 +%patch -P 2 -p1 %build ant -Dmaven.test.skip=1 @@ -72,6 +78,9 @@ rm -rf %{buildroot} %{_bindir}/%{name} %changelog +* Sat Jan 27 2024 Markku Korkeala - 1:1.8.0-2 +- Add patch clj-2204 to mitigate CVE-2017-20189. + * Thu Apr 2 2020 Markku Korkeala - 1:1.8.0-1 - New upstream release. - Replace add_maven_depmap macros with mvn_artifact and mvn_install From b2a74e6e816c2dcf67c2a794accafb6bc052636b Mon Sep 17 00:00:00 2001 From: Markku Korkeala Date: Wed, 3 Apr 2024 11:49:43 +0300 Subject: [PATCH 4/4] Backport patch for clj-2839 to mitigate CVE-2024-22871. --- ...LJ-2839-Infinite-seq-class-hashCode-.patch | 125 ++++++++++++++++++ clojure.spec | 9 +- 2 files changed, 133 insertions(+), 1 deletion(-) create mode 100644 0001-Backport-patch-CLJ-2839-Infinite-seq-class-hashCode-.patch diff --git a/0001-Backport-patch-CLJ-2839-Infinite-seq-class-hashCode-.patch b/0001-Backport-patch-CLJ-2839-Infinite-seq-class-hashCode-.patch new file mode 100644 index 0000000..8b5e052 --- /dev/null +++ b/0001-Backport-patch-CLJ-2839-Infinite-seq-class-hashCode-.patch 
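Review bot: The regression tests carried by `Patch1` (`test-proxy-non-serializable`) never run in this build, because the `%build` line right below the new `%patch -P 1 -p1` / `%patch -P 2 -p1` still calls `ant -Dmaven.test.skip=1` and no `%check` section appears in these hunks. The patch was written in 2017 against a later tree, and its `serialized-proxy` test blob embeds class names from that tree, so nothing here confirms the backport behaves as intended on 1.8.0. I would add a `%check` that runs the project's ant test target, or at least run the two patched test namespaces once by hand and record the result in the commit message. The same applies to `%patch -P 3 -p1` in PATCH 4/4 and its `CLJ-2839` and `infinite-seq-hash` tests.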
@@ -0,0 +1,125 @@ +From 5ed84f26da3c6b4d88c5efa1cadc0df30baed5a7 Mon Sep 17 00:00:00 2001 +From: Markku Korkeala +Date: Tue, 2 Apr 2024 19:30:49 +0300 +Subject: [PATCH] Backport patch CLJ-2839 Infinite seq class hashCode() is + infinite loop + +--- + src/clj/clojure/core.clj | 3 ++- + src/jvm/clojure/lang/Cycle.java | 8 ++++++++ + src/jvm/clojure/lang/Iterate.java | 7 +++++++ + src/jvm/clojure/lang/Repeat.java | 12 ++++++++++++ + test/clojure/test_clojure/sequences.clj | 11 +++++++++++ + test/clojure/test_clojure/serialization.clj | 10 +++++++++- + 6 files changed, 49 insertions(+), 2 deletions(-) + +diff --git a/src/clj/clojure/core.clj b/src/clj/clojure/core.clj +index 32d04d8..6b858f3 100644 +--- a/src/clj/clojure/core.clj ++++ b/src/clj/clojure/core.clj +@@ -2902,7 +2902,8 @@ + [n x] (take n (repeat x))) + + (defn iterate +- "Returns a lazy sequence of x, (f x), (f (f x)) etc. f must be free of side-effects" ++ "Returns a lazy (infinite!) sequence of x, (f x), (f (f x)) etc. ++ f must be free of side-effects" + {:added "1.0" + :static true} + [f x] (clojure.lang.Iterate/create f x) ) +diff --git a/src/jvm/clojure/lang/Cycle.java b/src/jvm/clojure/lang/Cycle.java +index 3fae8af..8d8f21f 100644 +--- a/src/jvm/clojure/lang/Cycle.java ++++ b/src/jvm/clojure/lang/Cycle.java +@@ -91,4 +91,12 @@ public Object reduce(IFn f, Object start){ + s = all; + } + } ++public int hashCode(){ ++ throw new UnsupportedOperationException(); ++} ++ ++public int hasheq(){ ++ throw new UnsupportedOperationException(); ++} ++ + } +diff --git a/src/jvm/clojure/lang/Iterate.java b/src/jvm/clojure/lang/Iterate.java +index 2502383..973f396 100644 +--- a/src/jvm/clojure/lang/Iterate.java ++++ b/src/jvm/clojure/lang/Iterate.java +@@ -82,4 +82,11 @@ public Object reduce(IFn rf, Object start){ + v = f.invoke(v); + } + } ++public int hashCode(){ ++ throw new UnsupportedOperationException(); ++} ++ ++public int hasheq(){ ++ throw new UnsupportedOperationException(); ++} + } +diff --git 
a/src/jvm/clojure/lang/Repeat.java b/src/jvm/clojure/lang/Repeat.java +index 2e9de0e..62b36be 100644 +--- a/src/jvm/clojure/lang/Repeat.java ++++ b/src/jvm/clojure/lang/Repeat.java +@@ -94,5 +94,17 @@ public Object reduce(IFn f, Object start){ + return ret; + } + } ++public int hashCode(){ ++ if(count <= 0) ++ throw new UnsupportedOperationException(); ++ else ++ return super.hashCode(); ++} + ++public int hasheq(){ ++ if(count <= 0) ++ throw new UnsupportedOperationException(); ++ else ++ return super.hasheq(); ++} + } +diff --git a/test/clojure/test_clojure/sequences.clj b/test/clojure/test_clojure/sequences.clj +index e3adb27..420a834 100644 +--- a/test/clojure/test_clojure/sequences.clj ++++ b/test/clojure/test_clojure/sequences.clj +@@ -1343,3 +1343,14 @@ + (doseq [i (range 100)] + (is (= s1 (concat (subseq s2 < i) (subseq s2 >= i)))) + (is (= (reverse s1) (concat (rsubseq s2 >= i) (rsubseq s2 < i))))))) ++ ++(deftest infinite-seq-hash ++ (are [e] (thrown? Exception (.hashCode ^Object e)) ++ (iterate identity nil) ++ (cycle [1]) ++ (repeat 1)) ++ (are [e] (thrown? Exception (.hasheq ^clojure.lang.IHashEq e)) ++ (iterate identity nil) ++ (cycle [1]) ++ (repeat 1))) ++ +diff --git a/test/clojure/test_clojure/serialization.clj b/test/clojure/test_clojure/serialization.clj +index 60cd65c..3806a9e 100644 +--- a/test/clojure/test_clojure/serialization.clj ++++ b/test/clojure/test_clojure/serialization.clj +@@ -173,4 +173,12 @@ + + ;; stateful seqs + (enumeration-seq (java.util.Collections/enumeration (range 50))) +- (iterator-seq (.iterator (range 50))))) +\ No newline at end of file ++ (iterator-seq (.iterator (range 50))))) ++ ++;; necessary for CVE-2024-22871 ++(deftest CLJ-2839 ++ (are [e] (thrown? Exception (.hashCode ^Object (-> e serialize deserialize))) ++ (repeat 1) ++ (iterate identity nil) ++ (cycle [1]))) ++ +-- +2.44.0 + diff --git a/clojure.spec b/clojure.spec index 8ac6f57..613a434 100644 --- a/clojure.spec +++ b/clojure.spec 
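Review bot: All six added `hashCode()`/`hasheq()` methods in `Cycle`, `Iterate` and `Repeat` throw a bare `new UnsupportedOperationException()`, so a failure that surfaces from inside a map insert or a deserialization call gives no hint that an infinite sequence was hashed; a message such as `throw new UnsupportedOperationException("hashCode of an infinite sequence");` would make it diagnosable. In `Repeat`, `if(count <= 0)` presumably encodes the infinite case, and a one-line comment saying so would help, since the field's definition is outside the hunk. The change turns a hang into an unchecked exception, so code that deserializes untrusted data has to treat a `RuntimeException` from `readObject` as a rejected input rather than let it propagate. The class bodies start outside the hunks shown.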
@@ -6,7 +6,7 @@ Name: clojure Epoch: 1 Version: 1.8.0 -Release: 2%{?dist} +Release: 3%{?dist} Summary: A dynamic programming language that targets the Java Virtual Machine Group: Development/Languages @@ -19,6 +19,8 @@ Source1: clojure.sh # Backport clj-2204, https://clojure.atlassian.net/browse/CLJ-2204 Patch1: clj-2204-disable-proxy-serialization.patch Patch2: clj-2204.patch +# Backport clj-2839 https://clojure.atlassian.net/browse/CLJ-2839 +Patch3: 0001-Backport-patch-CLJ-2839-Infinite-seq-class-hashCode-.patch BuildArch: noarch @@ -49,6 +51,8 @@ can avoid reflection. %setup -q -n %{archivename}-%{version} %patch -P 1 -p1 %patch -P 2 -p1 +%patch -P 3 -p1 + %build ant -Dmaven.test.skip=1 @@ -78,6 +82,9 @@ rm -rf %{buildroot} %{_bindir}/%{name} %changelog +* Wed Apr 3 2024 Markku Korkeala - 1:1.8.0-3 +- Backport patch for clj-2839 to mitigate CVE-2024-22871. + * Sat Jan 27 2024 Markku Korkeala - 1:1.8.0-2 - Add patch clj-2204 to mitigate CVE-2017-20189.