diff -Nru junit4-4.12/debian/changelog junit4-4.12/debian/changelog
--- junit4-4.12/debian/changelog 2019-02-26 16:39:32.000000000 +0000
+++ junit4-4.12/debian/changelog 2021-02-10 15:17:35.000000000 +0000
@@ -1,3 +1,15 @@
+junit4 (4.12-8~18.04.1) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: Exposure of Sensitive Information
+ - debian/patches/CVE-2020-15250.patch: fix local information disclosure
+ vulnerability.
+ - CVE-2020-15250
+ * Other fixes
+ - debian/patches/maven2-compatibility.patch: Remove the prerequisite on
+ Maven 3.
+
+ -- Paulo Flabiano Smorigo Wed, 10 Feb 2021 15:17:35 +0000
+
 junit4 (4.12-8~18.04) bionic; urgency=medium

 * Backport for OpenJDK 11. LP: #1814133.
diff -Nru junit4-4.12/debian/patches/CVE-2020-15250.patch junit4-4.12/debian/patches/CVE-2020-15250.patch
--- junit4-4.12/debian/patches/CVE-2020-15250.patch 1970-01-01 00:00:00.000000000 +0000
+++ junit4-4.12/debian/patches/CVE-2020-15250.patch 2021-02-10 15:14:47.000000000 +0000
@@ -0,0 +1,136 @@
+Description: CVE-2020-15250
+ local information disclosure vulnerability
+---
+
+Origin: https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae
+Bug-Debian: https://bugs.debian.org/972231
+Last-Update: 2020-11-01
+
+--- junit4-4.12.orig/src/main/java/org/junit/rules/TemporaryFolder.java
++++ junit4-4.12/src/main/java/org/junit/rules/TemporaryFolder.java
+@@ -2,6 +2,9 @@ package org.junit.rules;
+
+ import java.io.File;
+ import java.io.IOException;
++import java.lang.reflect.Array;
++import java.lang.reflect.InvocationTargetException;
++import java.lang.reflect.Method;
+
+ import org.junit.Rule;
+
+@@ -130,7 +133,45 @@ public class TemporaryFolder extends Ext
+ return createTemporaryFolderIn(getRoot());
+ }
+
+- private File createTemporaryFolderIn(File parentFolder) throws IOException {
++ private static File createTemporaryFolderIn(File parentFolder) throws IOException {
++ try {
++ return createTemporaryFolderWithNioApi(parentFolder);
++ } catch (ClassNotFoundException ignore) {
++ // Fallback for Java 5 and 6
++ return createTemporaryFolderWithFileApi(parentFolder);
++ } catch (InvocationTargetException e) {
++ Throwable cause = e.getCause();
++ if (cause instanceof IOException) {
++ throw (IOException) cause;
++ }
++ if (cause instanceof RuntimeException) {
++ throw (RuntimeException) cause;
++ }
++ IOException exception = new IOException("Failed to create temporary folder in " + parentFolder);
++ exception.initCause(cause);
++ throw exception;
++ } catch (Exception e) {
++ throw new RuntimeException("Failed to create temporary folder in " + parentFolder, e);
++ }
++ }
++
++ private static File createTemporaryFolderWithNioApi(File parentFolder) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
++ Class filesClass = Class.forName("java.nio.file.Files");
++ Object fileAttributeArray = Array.newInstance(Class.forName("java.nio.file.attribute.FileAttribute"),
0);
++ Class pathClass = Class.forName("java.nio.file.Path");
++ Object tempDir;
++ if (parentFolder != null) {
++ Method createTempDirectoryMethod = filesClass.getDeclaredMethod("createTempDirectory", pathClass, String.class, fileAttributeArray.getClass());
++ Object parentPath = File.class.getDeclaredMethod("toPath").invoke(parentFolder);
++ tempDir = createTempDirectoryMethod.invoke(null, parentPath, "junit", fileAttributeArray);
++ } else {
++ Method createTempDirectoryMethod = filesClass.getDeclaredMethod("createTempDirectory", String.class, fileAttributeArray.getClass());
++ tempDir = createTempDirectoryMethod.invoke(null, "junit", fileAttributeArray);
++ }
++ return (File) pathClass.getDeclaredMethod("toFile").invoke(tempDir);
++ }
++
++ private static File createTemporaryFolderWithFileApi(File parentFolder) throws IOException {
+ File createdFolder = File.createTempFile("junit", "", parentFolder);
+ createdFolder.delete();
+ createdFolder.mkdir();
+--- junit4-4.12.orig/src/test/java/org/junit/tests/experimental/rules/TempFolderRuleTest.java
++++ junit4-4.12/src/test/java/org/junit/tests/experimental/rules/TempFolderRuleTest.java
+@@ -2,22 +2,30 @@ package org.junit.tests.experimental.rul
+
+ import static org.hamcrest.CoreMatchers.hasItem;
+ import static org.hamcrest.core.IsNot.not;
++import static org.junit.Assert.assertEquals;
+ import static org.junit.Assert.assertFalse;
+ import static org.junit.Assert.assertThat;
+ import static org.junit.Assert.assertTrue;
++import static org.junit.Assume.assumeTrue;
+ import static org.junit.experimental.results.PrintableResult.testResult;
+ import static org.junit.experimental.results.ResultMatchers.failureCountIs;
+ import static org.junit.experimental.results.ResultMatchers.isSuccessful;
+
+ import java.io.File;
+ import java.io.IOException;
++import java.lang.reflect.Array;
++import java.lang.reflect.InvocationTargetException;
+ import java.lang.reflect.Method;
+ import java.util.Arrays;
++import java.util.Set;
++import java.util.SortedSet;
++import java.util.TreeSet;
++import org.junit.rules.TemporaryFolder;
+
+ import org.junit.After;
++import org.junit.AssumptionViolatedException;
+ import org.junit.Rule;
+ import org.junit.Test;
+-import org.junit.rules.TemporaryFolder;
+
+ public class TempFolderRuleTest {
+ private static File[] createdFiles = new File[20];
+@@ -175,6 +183,34 @@ public class TempFolderRuleTest {
+ assertFalse(folder.getRoot().exists());
+ }
+
++ @Test
++ public void tempFolderIsOnlyAccessibleByOwner() throws IOException {
++ TemporaryFolder folder = new TemporaryFolder();
++ folder.create();
++
++ Set expectedPermissions = new TreeSet(Arrays.asList("OWNER_READ", "OWNER_WRITE", "OWNER_EXECUTE"));
++ Set actualPermissions = getPosixFilePermissions(folder.getRoot());
++ assertEquals(expectedPermissions, actualPermissions);
++ }
++
++ private Set getPosixFilePermissions(File root) {
++ try {
++ Class pathClass = Class.forName("java.nio.file.Path");
++ Object linkOptionArray = Array.newInstance(Class.forName("java.nio.file.LinkOption"), 0);
++ Class filesClass = Class.forName("java.nio.file.Files");
++ Object path = File.class.getDeclaredMethod("toPath").invoke(root);
++ Method posixFilePermissionsMethod = filesClass.getDeclaredMethod("getPosixFilePermissions", pathClass, linkOptionArray.getClass());
++ Set permissions = (Set) posixFilePermissionsMethod.invoke(null, path, linkOptionArray);
++ SortedSet convertedPermissions = new TreeSet();
++ for (Object item : permissions) {
++ convertedPermissions.add(item.toString());
++ }
++ return convertedPermissions;
++ } catch (Exception e) {
++ throw new AssumptionViolatedException("Test requires at least Java 1.7", e);
++ }
++ }
++
+ public static class NameClashes {
+ @Rule
+ public TemporaryFolder folder = new TemporaryFolder();
diff -Nru junit4-4.12/debian/patches/maven2-compatibility.patch junit4-4.12/debian/patches/maven2-compatibility.patch
--- junit4-4.12/debian/patches/maven2-compatibility.patch
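Review bot: The Java 5/6 fallback `createTemporaryFolderWithFileApi` still runs the old `File.createTempFile` / `delete()` / `mkdir()` sequence and ignores both return values, so on a runtime without `java.nio.file.Files` the folder keeps default (umask-dependent) permissions and the caller cannot tell whether `mkdir()` actually created it. I would check the result, e.g. `if (!createdFolder.mkdir()) { throw new IOException("Failed to create temporary folder " + createdFolder); }`, and extend the catch-block comment to `// Fallback for Java 5 and 6: no owner-only permissions here, see CVE-2020-15250`. The rest of that method lies outside the patch hunk, so its return path is not visible here. In the new test, `getPosixFilePermissions` turns every `Exception` into an `AssumptionViolatedException`, which presumably also skips the test on a non-POSIX file system or after a reflection mistake instead of failing it; narrowing that catch (for example to `ClassNotFoundException`, with the message adjusted) would keep the permission check from passing vacuously.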
1970-01-01 00:00:00.000000000 +0000
+++ junit4-4.12/debian/patches/maven2-compatibility.patch 2021-02-10 15:14:46.000000000 +0000
@@ -0,0 +1,14 @@
+Description: Remove the prerequisite on Maven 3
+Author: Emmanuel Bourg
+Forwarded: not-needed
+--- junit4-4.12.orig/pom.xml
++++ junit4-4.12/pom.xml
+@@ -65,7 +65,7 @@
+
+
+
+- 3.0.4
++ 2.2.1
+
+
+
diff -Nru junit4-4.12/debian/patches/series junit4-4.12/debian/patches/series
--- junit4-4.12/debian/patches/series 2018-05-07 22:34:12.000000000 +0000
+++ junit4-4.12/debian/patches/series 2021-02-10 15:14:47.000000000 +0000
@@ -3,3 +3,5 @@
 privacy-breach-logo.patch
 java9-compatibility.patch
 java10-compatibility.patch
+maven2-compatibility.patch
+CVE-2020-15250.patch