From 96034c8a16cb15f8a0ed540ce1f61c7da1f4314d Mon Sep 17 00:00:00 2001 From: fstrba <> Date: Mar 19 2021 15:55:40 +0000 Subject: Update eclipse to version 4.15 / rev 14 via SR 880010 https://build.opensuse.org/request/show/880010 by user fstrba + RBrownSUSE --- diff --git a/.files b/.files index 083ce48..7489065 100644 Binary files a/.files and b/.files differ diff --git a/.rev b/.rev index 21298b3..aee8a91 100644 --- a/.rev +++ b/.rev @@ -103,4 +103,12 @@ <comment>Fix use of native keystore on platforms where it is supported</comment> <requestid>821377</requestid> </revision> + <revision rev="14" vrev="3"> + <srcmd5>498549cf61a63cd311d3eff6ae5054b1</srcmd5> + <version>4.15</version> + <time>1616168594</time> + <user>RBrownSUSE</user> + <comment></comment> + <requestid>880010</requestid> + </revision> </revisionlist> diff --git a/eclipse-CVE-2020-27225.patch b/eclipse-CVE-2020-27225.patch new file mode 100644 index 0000000..fe17dda --- /dev/null +++ b/eclipse-CVE-2020-27225.patch @@ -0,0 +1,224 @@ +From 213812355860e3732e1b28e620df31db8ff160aa Mon Sep 17 00:00:00 2001 +From: Andrew Johnson +Date: Mon, 15 Mar 2021 20:53:01 +0530 +Subject: 569855: Fix for Eclipse live help. - Use tokens - Backport to + R4_15_maintenance branch + +Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/BaseHelpSystem.java +=================================================================== +--- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/BaseHelpSystem.java ++++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/BaseHelpSystem.java +@@ -59,6 +59,7 @@ public final class BaseHelpSystem { + private IBrowser browser; + private IBrowser internalBrowser; + private HelpDisplay helpDisplay = null; ++ private String liveHelpToken = null; + + private BaseHelpSystem() { + super(); +@@ -350,4 +351,29 @@ public final class BaseHelpSystem { + } + } + ++ /** ++ * Check supplied token against stored token. Clears the stored token if ++ * successful. ++ * ++ * @param helpSessionToken ++ * @return true if match successful ++ */ ++ public boolean matchOnceLiveHelpToken(String helpSessionToken) { ++ /* ++ * @FIXME - should we use a constant time comparison, and store/compare a ++ * cryptographic hash? ++ */ ++ if (liveHelpToken != null && liveHelpToken.equals(helpSessionToken)) { ++ // Enforce one-time use. ++ liveHelpToken = null; ++ return true; ++ } else { ++ return false; ++ } ++ } ++ ++ public void setLiveHelpToken(String helpSessionToken) { ++ liveHelpToken = helpSessionToken; ++ } ++ + } +Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/HelpDisplay.java +=================================================================== +--- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/HelpDisplay.java ++++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/HelpDisplay.java +@@ -15,6 +15,8 @@ package org.eclipse.help.internal.base; + + import java.io.UnsupportedEncodingException; + import java.net.URLEncoder; ++import java.nio.charset.StandardCharsets; ++import java.util.UUID; + + import org.eclipse.core.runtime.CoreException; + import org.eclipse.core.runtime.IConfigurationElement; +@@ -196,6 +198,12 @@ public class HelpDisplay { + String topic = helpURL.substring("topic=".length()); //$NON-NLS-1$ + helpURL = getHelpDisplay().getHelpForTopic( topic, WebappManager.getHost(), WebappManager.getPort()); + } ++ String basehelp = getBaseURL(); ++ if (BaseHelpSystem.getMode() != BaseHelpSystem.MODE_INFOCENTER && helpURL.startsWith(basehelp)) { ++ String sessid = UUID.randomUUID().toString(); ++ BaseHelpSystem.getInstance().setLiveHelpToken(sessid); ++ helpURL += (helpURL.indexOf('?') < 0 ? '?' : '&') + "token=" + sessid; //$NON-NLS-1$ ++ } + + BaseHelpSystem.getHelpBrowser(forceExternal) + .displayURL(helpURL); +Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/advanced/livehelp_js.jsp +=================================================================== +--- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/advanced/livehelp_js.jsp ++++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/advanced/livehelp_js.jsp +@@ -47,7 +47,15 @@ function liveActionInternal(topHelpWindo + url=url.substring(0, i+1); + var encodedArg=encodeURIComponent(argument); + url=url+"livehelp/?pluginID="+pluginId+"&class="+className+"&arg="+encodedArg+"&nocaching="+Math.random(); +- ++ <% ++ Object token = request.getSession().getAttribute("LSESSION"); //$NON-NLS-1$ ++ // Validate token to protect against XSS ++ if (token instanceof String && ((String)token).matches("[a-z0-9-]{36}")) {//$NON-NLS-1$) { ++ %> ++ url=url+"&token=<%=token%>"; ++ <% ++ } ++ %> + // we need to find the toolbar frame. + // to do: cleanup this, including the location of the hidden livehelp frame. + var toolbarFrame = topHelpWindow.HelpFrame.ContentFrame.ContentToolbarFrame; +Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/index.jsp +=================================================================== +--- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/index.jsp ++++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/index.jsp +@@ -12,9 +12,11 @@ + IBM Corporation - initial API and implementation + --%> + <%@ page import="org.eclipse.help.internal.webapp.data.*" errorPage="/advanced/err.jsp" contentType="text/html; charset=UTF-8"%> ++<%@ page import="java.util.UUID" %> ++<%@ page import="org.eclipse.help.internal.base.BaseHelpSystem" %> + <% + request.setCharacterEncoding("UTF-8"); +- ServerState.webappStarted(application,request, response); ++ ServerState.webappStarted(application,request, response); + // Read the scope parameter + RequestScope.setScopeFromRequest(request, response); + LayoutData data = new LayoutData(application,request, response); +@@ -33,7 +35,22 @@ + </body> + </html> + <% +- }else { ++ } else { ++ // For live help ++ String token = request.getParameter("token"); //$NON-NLS-1$ ++ if (token != null && token.matches("[a-z0-9-]{36}")) { //$NON-NLS-1$ ++ if (BaseHelpSystem.getInstance().matchOnceLiveHelpToken(token)) { ++ // Only one session can grab this ++ if (request.getSession().getAttribute("XSESSION") == null) { //$NON-NLS-1$ ++ String token2 = UUID.randomUUID().toString(); ++ request.getSession().setAttribute("XSESSION", token2); //$NON-NLS-1$ ++ int port = request.getLocalPort(); ++ response.addHeader("Set-Cookie", "XSESSION-" + port + "=" + token2 + "; HttpOnly; SameSite=Strict"); //$NON-NLS-1 //$NON-NLS-2$ //$NON-NLS-3$ //$NON-NLS-4$ ++ String token3 = UUID.randomUUID().toString(); ++ request.getSession().setAttribute("LSESSION", token3); //$NON-NLS-1$ ++ } ++ } ++ } + request.getRequestDispatcher("/advanced/index.jsp" + data.getQuery()).forward(request, response); + } + %> +Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/LayoutData.java +=================================================================== +--- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/LayoutData.java ++++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/LayoutData.java +@@ -46,6 +46,11 @@ public class LayoutData extends RequestD + + // initialize the query string + String qs = request.getQueryString(); ++ // Remove any live help token ++ if (qs != null) { ++ qs = qs.replaceFirst("^token=[a-z0-9-]{36}", ""); //$NON-NLS-1$ //$NON-NLS-2$ ++ qs = qs.replaceFirst("&token=[a-z0-9-]{36}", ""); //$NON-NLS-1$ //$NON-NLS-2$ ++ } + if (qs != null && qs.length() > 0) + query = "?" + qs; //$NON-NLS-1$ + } +Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/servlet/LiveHelpServlet.java +=================================================================== +--- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/servlet/LiveHelpServlet.java ++++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/servlet/LiveHelpServlet.java +@@ -14,8 +14,8 @@ + package org.eclipse.help.internal.webapp.servlet; + + import java.io.IOException; +- + import javax.servlet.ServletException; ++import javax.servlet.http.Cookie; + import javax.servlet.http.HttpServlet; + import javax.servlet.http.HttpServletRequest; + import javax.servlet.http.HttpServletResponse; +@@ -51,6 +51,45 @@ public class LiveHelpServlet extends Htt + return; + } + req.setCharacterEncoding("UTF-8"); //$NON-NLS-1$ ++ String sessionid = req.getSession().getId(); ++ Cookie cookies[] = req.getCookies(); ++ boolean jsessOK = false; ++ boolean xsessOK = false; ++ boolean lsessOK = false; ++ // Unique session ID per help server ++ int port = req.getLocalPort(); ++ String xsessname = "XSESSION-" + port; //$NON-NLS-1$ ++ if (cookies != null) { ++ for (Cookie cookie : cookies) { ++ if (cookie.getName().equals("JSESSIONID")) {//$NON-NLS-1$ ++ if (sessionid.length() >= 30 && ++ cookie.getValue().startsWith(sessionid)) { ++ jsessOK = true; ++ } ++ } ++ if (cookie.getName().equals(xsessname)) { ++ if (cookie.getValue().equals(req.getSession().getAttribute("XSESSION"))) { //$NON-NLS-1$ ++ xsessOK = true; ++ } ++ } ++ } ++ } ++ String token = req.getParameter("token"); //$NON-NLS-1$ ++ if (token != null && token.equals(req.getSession().getAttribute("LSESSION"))) { //$NON-NLS-1$ ++ lsessOK = true; ++ } ++ if (!jsessOK) { ++ resp.sendError(HttpServletResponse.SC_FORBIDDEN, "JSESSIONID"); //$NON-NLS-1$ ++ return; ++ } ++ if (!lsessOK) { ++ resp.sendError(HttpServletResponse.SC_FORBIDDEN, "token"); //$NON-NLS-1$ ++ return; ++ } ++ if (!xsessOK) { ++ resp.sendError(HttpServletResponse.SC_FORBIDDEN, xsessname); ++ return; ++ } + String pluginID = req.getParameter("pluginID"); //$NON-NLS-1$ + if (pluginID == null) + return; +@@ -59,6 +98,11 @@ public class LiveHelpServlet extends Htt + return; + String arg = req.getParameter("arg"); //$NON-NLS-1$ + BaseHelpSystem.runLiveHelp(pluginID, className, arg); ++ /* ++ * @FIXME Should runLiveHelp return an error if the plugin/class is wrong ++ * so a SC_BAD_REQUEST can be returned? Or does this reveal too much? ++ */ ++ resp.setStatus(HttpServletResponse.SC_ACCEPTED); + } + /** + * diff --git a/eclipse.changes b/eclipse.changes index 6f8f1df..5cb59e7 100644 --- a/eclipse.changes +++ b/eclipse.changes @@ -1,4 +1,14 @@ ------------------------------------------------------------------- +Thu Mar 18 17:38:41 UTC 2021 - Pedro Monreal <pmonreal@suse.com> + +- Security fix: [bsc#1183728, CVE-2020-27225] + * The Help Subsystem does not authenticate active help requests + to the local help web server, allowing an unauthenticated local + attacker to issue active help commands to the associated Eclipse + Platform process or Eclipse Rich Client Platform process. +- Add eclipse-CVE-2020-27225.patch + +------------------------------------------------------------------- Thu Jul 16 23:57:01 UTC 2020 - Fridrich Strba <fstrba@suse.com> - Added patch: diff --git a/eclipse.spec b/eclipse.spec index 0d18075..bab94a2 100644 --- a/eclipse.spec +++ b/eclipse.spec @@ -1,7 +1,7 @@ # -# spec file for package eclipse +# spec file for package eclipse-bootstrap # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -115,6 +115,8 @@ Patch31: eclipse-suse-batik.patch # Fix build on ppc64 big endian Patch33: eclipse-ppc64.patch Patch34: eclipse-libkeystorelinuxnative.patch +# PATCH-FIX-UPSTREAM bsc#1183728 CVE-2020-27225 Help Subsystem does not authenticate active help requests +Patch35: eclipse-CVE-2020-27225.patch BuildRequires: ant >= 1.10.5 BuildRequires: ant-antlr BuildRequires: ant-apache-bcel @@ -252,6 +254,7 @@ everything in between. %if %{with bootstrap} %package -n eclipse-swt-bootstrap %else + %package swt Obsoletes: eclipse-swt-bootstrap %endif @@ -265,6 +268,7 @@ Requires: libwebkit2gtk-4_0-37 %if %{with bootstrap} %description -n eclipse-swt-bootstrap %else + %description swt %endif SWT Library for GTK+. @@ -272,6 +276,7 @@ SWT Library for GTK+. %if %{with bootstrap} %package -n eclipse-equinox-osgi-bootstrap %else + %package equinox-osgi Obsoletes: eclipse-equinox-osgi-bootstrap %endif @@ -284,6 +289,7 @@ Provides: osgi(system.bundle) = %{version} %if %{with bootstrap} %description -n eclipse-equinox-osgi-bootstrap %else + %description equinox-osgi %endif Eclipse OSGi - Equinox @@ -293,6 +299,7 @@ Eclipse OSGi - Equinox Requires: eclipse-equinox-osgi-bootstrap = %{version}-%{release} Requires: eclipse-swt-bootstrap = %{version}-%{release} %else + %package platform Requires: %{name}-equinox-osgi = %{version}-%{release} Requires: %{name}-swt = %{version}-%{release} @@ -373,6 +380,7 @@ Requires: eclipse-emf-core >= 2.14.0 %if %{with bootstrap} %description -n eclipse-platform-bootstrap %else + %description platform %endif The Eclipse Platform is the base of all IDE plugins. This does not include the @@ -382,6 +390,7 @@ Java Development Tools or the Plugin Development Environment. %package -n eclipse-jdt-bootstrap Requires: eclipse-platform-bootstrap = %{version}-%{release} %else + %package jdt Requires: %{name}-platform = %{version}-%{release} Obsoletes: eclipse-jdt-bootstrap @@ -397,6 +406,7 @@ BuildArch: noarch %if %{with bootstrap} %description -n eclipse-jdt-bootstrap %else + %description jdt %endif Eclipse Java Development Tools. This package is required to use Eclipse for @@ -407,6 +417,7 @@ developing software written in the Java programming language. Requires: eclipse-jdt-bootstrap = %{version}-%{release} Requires: eclipse-platform-bootstrap = %{version}-%{release} %else + %package pde Requires: %{name}-jdt = %{version}-%{release} Requires: %{name}-platform = %{version}-%{release} @@ -419,6 +430,7 @@ Requires: objectweb-asm >= 7.0 %if %{with bootstrap} %description -n eclipse-pde-bootstrap %else + %description pde %endif Eclipse Plugin Development Environment. This package is required for @@ -428,6 +440,7 @@ developing Eclipse plugins. %package -n eclipse-p2-discovery-bootstrap Requires: eclipse-platform-bootstrap = %{version}-%{release} %else + %package p2-discovery Requires: %{name}-platform = %{version}-%{release} Obsoletes: eclipse-p2-discovery-bootstrap @@ -439,6 +452,7 @@ BuildArch: noarch %if %{with bootstrap} %description -n eclipse-p2-discovery-bootstrap %else + %description p2-discovery %endif The p2 Discovery mechanism provides a simplified and branded front-end for the @@ -451,6 +465,7 @@ installer UIs. %package -n eclipse-contributor-tools-bootstrap Requires: eclipse-platform-bootstrap = %{version}-%{release} %else + %package contributor-tools Requires: %{name}-platform = %{version}-%{release} Obsoletes: eclipse-contributor-tools-bootstrap @@ -463,6 +478,7 @@ Obsoletes: %{name}-tests < 4.14-2 %if %{with bootstrap} %description -n eclipse-contributor-tools-bootstrap %else + %description contributor-tools %endif This package contains tools specifically for Eclipse contributors. It includes @@ -505,6 +521,7 @@ tar --strip-components=1 -xf %{SOURCE1} %patch31 -p1 %patch33 -p1 %patch34 -p1 +%patch35 -p1 # Optional (unused) multipart support (see patch 25) rm rt.equinox.bundles/bundles/org.eclipse.equinox.http.servlet/src/org/eclipse/equinox/http/servlet/internal/multipart/MultipartSupport{Impl,FactoryImpl,Part}.java @@ -959,6 +976,7 @@ echo "%{version}-%{release}" > %{buildroot}%{_eclipsedir}/.pkgs/Distro%{?dist} %if %{with bootstrap} %files -n eclipse-swt-bootstrap -f .mfiles-swt %else + %files swt -f .mfiles-swt %endif %{_eclipsedir}/plugins/org.eclipse.swt_* @@ -969,6 +987,7 @@ echo "%{version}-%{release}" > %{buildroot}%{_eclipsedir}/.pkgs/Distro%{?dist} %if %{with bootstrap} %files -n eclipse-platform-bootstrap %else + %files platform %endif %{_bindir}/eclipse @@ -1154,6 +1173,7 @@ echo "%{version}-%{release}" > %{buildroot}%{_eclipsedir}/.pkgs/Distro%{?dist} %if %{with bootstrap} %files -n eclipse-jdt-bootstrap -f .mfiles-jdt %else + %files jdt -f .mfiles-jdt %endif %{_datadir}/appdata/eclipse-jdt.metainfo.xml @@ -1161,6 +1181,7 @@ echo "%{version}-%{release}" > %{buildroot}%{_eclipsedir}/.pkgs/Distro%{?dist} %if %{with bootstrap} %files -n eclipse-pde-bootstrap -f .mfiles-pde -f .mfiles-cvs -f .mfiles-sdk %else + %files pde -f .mfiles-pde -f .mfiles-cvs -f .mfiles-sdk %endif %{_datadir}/appdata/eclipse-pde.metainfo.xml @@ -1168,6 +1189,7 @@ echo "%{version}-%{release}" > %{buildroot}%{_eclipsedir}/.pkgs/Distro%{?dist} %if %{with bootstrap} %files -n eclipse-p2-discovery-bootstrap -f .mfiles-p2-discovery %else + %files p2-discovery -f .mfiles-p2-discovery %endif @@ -1175,6 +1197,7 @@ echo "%{version}-%{release}" > %{buildroot}%{_eclipsedir}/.pkgs/Distro%{?dist} %if %{with bootstrap} %files -n eclipse-contributor-tools-bootstrap -f .mfiles-contributor-tools %else + %files contributor-tools -f .mfiles-contributor-tools %endif %endif @@ -1182,6 +1205,7 @@ echo "%{version}-%{release}" > %{buildroot}%{_eclipsedir}/.pkgs/Distro%{?dist} %if %{with bootstrap} %files -n eclipse-equinox-osgi-bootstrap -f .mfiles-equinox-osgi %else + %files equinox-osgi -f .mfiles-equinox-osgi %endif %{_eclipsedir}/plugins/org.eclipse.osgi_*