From da8f2314bd0b6df70a4016918e4450d632c24aff Mon Sep 17 00:00:00 2001 From: Patrice Clement Date: Thu, 3 Sep 2015 15:52:55 +0000 Subject: [PATCH] dev-java/mojarra: Version bump. Fixes security bug 501280. Package-Manager: portage-2.2.18 Signed-off-by: Patrice Clement --- dev-java/mojarra/Manifest | 1 + .../files/mojarra-2.2.12-Util.java.patch | 25 ++++++++++ dev-java/mojarra/mojarra-2.2.12.ebuild | 46 +++++++++++++++++++ 3 files changed, 72 insertions(+) create mode 100644 dev-java/mojarra/files/mojarra-2.2.12-Util.java.patch create mode 100644 dev-java/mojarra/mojarra-2.2.12.ebuild diff --git a/dev-java/mojarra/Manifest b/dev-java/mojarra/Manifest index 9332e5af68bf..21cd8dd5945e 100644 --- a/dev-java/mojarra/Manifest +++ b/dev-java/mojarra/Manifest @@ -1,3 +1,4 @@ +DIST javax.faces-2.2.12-sources.jar 3105808 SHA256 503c0a1c6a270429798a6507d477ee2114f0de5204c64d5660a11796c498ab61 SHA512 b2bc2ce38d72af38a4b2fdb5aec790600ca41a5d7f6340bf6be671a901c9fe664d50d9d13f021694e85e0e145a2031e2d8b61dd6d6ccebb544f2512a91ff670a WHIRLPOOL 98a5473c8c7841cf5baae4b879d2b0a9e1b64d3666b820aa7c1aeece43d3689fc8b93766c280906f19dd23d3e13436c6514b533a3d810bdb96e88d4d78666a87 DIST javax.faces-2.2.9-sources.jar 3098257 SHA256 f3ba4bcafcdac5e92bd784574e3f0b35ff4b7c56d07dda628a8e0246d1a40b27 SHA512 a398c7edd483af59e59c52896dfd6fbf67948cb9778940bb5045c6c4ee2e0549e24ee321dcf7a8bdadbbec82c7e533840bc42669e79664fa864627744b6cc0e3 WHIRLPOOL 040768e9aba1575137e4a1ef7bbf587fea71ff46119066a0fe5b72a9c0a1da647fbef1a712952efa0d59d51ca346366eefc0f79b7912cc7d071d695a39edf48c DIST mojarra-1.2_15-b01-FCS-patch.bz2 4369 SHA256 c8495b51225201bf23033a01bb853abf1cc0a40214aa6a68c7dd1c30812e6cd1 SHA512 125e511b052d4c70314a069c47ce72b51e4dd9d1c6826def6c1a8c0bf72f6c711a9fb9f05065a5f1f46dce8462b701198f67d257b1f0aa683b494b31d90205ac WHIRLPOOL 62efb9f165d40be7ba94be04046867b342d2ba39f340443bceb3f8b421c9be2c8c312ea9e04d7c743e6440fe124bd8566fa383013a9654b7758f180f659234c4 DIST mojarra-1.2_15-b01-FCS-source.zip 5091287 SHA256 8678db1e93a2f605b696ae3a04e145bc14dd46409301ae230dc6ee4477ccb343 SHA512 6e8d8278aac36d3971bef523f8ec90a4959c0d6ec69642d5edd10379c2cdbe13242ad197475abda887b886f166b8c7ea762be5560a746f2426cec9c6a25c0144 WHIRLPOOL c5b2ab6a568468c2570d61d5cf8bc5f7147b403c9f7718c2ea32eda783605f48aa41c9f8a96cf48e13c10e5859061a527f40c003d7ff48a66571be6a69472559 diff --git a/dev-java/mojarra/files/mojarra-2.2.12-Util.java.patch b/dev-java/mojarra/files/mojarra-2.2.12-Util.java.patch new file mode 100644 index 000000000000..23033f652969 --- /dev/null +++ b/dev-java/mojarra/files/mojarra-2.2.12-Util.java.patch @@ -0,0 +1,25 @@ +--- src/com/sun/faces/util/Util.java.orig 2015-09-03 14:43:30.953486000 +0000 ++++ src/com/sun/faces/util/Util.java 2015-09-03 14:43:57.692486000 +0000 +@@ -354,13 +354,15 @@ + // as the same adapter in a standalone program works as one might expect. + // So, for now, if the classname starts with '[', then use Class.forName() + // to avoid CR 643419 and for all other cases, use ClassLoader.loadClass(). +- if (loader.getClass() == com.sun.faces.scripting.groovy.GroovyHelperImpl.MojarraGroovyClassLoader.class) { +- if (name.charAt(0) == '[') { +- return Class.forName(name, true, loader); +- } else { +- return loader.loadClass(name); +- } +- } ++ // ++ // Disable Groovy support. ++ // if (loader.getClass() == com.sun.faces.scripting.groovy.GroovyHelperImpl.MojarraGroovyClassLoader.class) { ++ // if (name.charAt(0) == '[') { ++ // return Class.forName(name, true, loader); ++ // } else { ++ // return loader.loadClass(name); ++ // } ++ // } + return Class.forName(name, true, loader); + } + diff --git a/dev-java/mojarra/mojarra-2.2.12.ebuild b/dev-java/mojarra/mojarra-2.2.12.ebuild new file mode 100644 index 000000000000..8a94ed405b29 --- /dev/null +++ b/dev-java/mojarra/mojarra-2.2.12.ebuild @@ -0,0 +1,46 @@ +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=5 + +inherit eutils java-pkg-2 java-pkg-simple + +DESCRIPTION="Project Mojarra - GlassFish's Implementation for JavaServer Faces API" +HOMEPAGE="https://javaserverfaces.dev.java.net/" +SRC_URI="https://maven.java.net/content/repositories/releases/org/glassfish/javax.faces/${PV}/javax.faces-${PV}-sources.jar" + +LICENSE="CDDL" +SLOT="2.2" +KEYWORDS="~amd64 ~x86" + +IUSE="" + +CDEPEND="dev-java/glassfish-persistence:0 + dev-java/glassfish-ejb-api:0 + java-virtuals/servlet-api:3.0 + dev-java/tomcat-jstl-spec:1.2.5 + dev-java/tomcat-jstl-impl:1.2.5 + dev-java/validation-api:1.0 + dev-java/javax-inject:0 + dev-java/cdi-api:1.2" + +RDEPEND=">=virtual/jre-1.6 + ${CDEPEND}" +DEPEND=">=virtual/jdk-1.6 + app-arch/unzip + ${CDEPEND}" + +JAVA_SRC_DIR="src" + +JAVA_GENTOO_CLASSPATH="glassfish-persistence,glassfish-ejb-api,tomcat-jstl-spec-1.2.5,tomcat-jstl-impl-1.2.5,validation-api-1.0,cdi-api-1.2,servlet-api-3.0,javax-inject" + +java_prepare() { + mkdir src || die + mv * src + + # We *MUST* bump Groovy to 2.4 at some point + # to make this stuff work correctly. + rm -v src/com/sun/faces/scripting/groovy/GroovyHelperImpl.java || die + epatch "${FILESDIR}"/${P}-Util.java.patch +} -- 2.26.2