PR#10: please update jansi to 2.3.3 in F34 as in F35 to build log4j-2.15.0 - rpms/jansi

rpms / jansi

#10 please update jansi to 2.3.3 in F34 as in F35 to build log4j-2.15.0

Closed 2 years ago by mizdebsk. Opened 2 years ago by sergiomb.

Unknown source f34 into f34

Avoid possible NullPointerException

Marian Koncek • 2 years ago

32d5209

Install native artifact into a fixed location

Marian Koncek • 2 years ago

0333e5e

- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild

Fedora Release Engineering • 2 years ago

380c21a

Version 2.3.3

Jerry James • 2 years ago

179e740

Clean tarball from content with questionable licensing

Mikolaj Izdebski • 2 years ago

3923fa7

Non-bootstrap build

Mikolaj Izdebski • 2 years ago

3a3016f

Bootstrap build

Mikolaj Izdebski • 2 years ago

abfd114

Implement bootstrap mode

Mikolaj Izdebski • 2 years ago

524cc26

.gitignore

file modified

		`@@ -9,3 +9,4 @@`
		`/jansi-project-1.17.1.tar.gz`
		`/jansi-project-1.18.tar.gz`
		`/jansi-2.1.1.tar.gz`
		`+ /jansi-2.3.3.tar.gz`

0001-Avoid-NPE.patch

file added

+26

		`@@ -0,0 +1,26 @@`
		`+ From d94c5832e14504d44abeba47866dfa7dac5992b5 Mon Sep 17 00:00:00 2001`
		`+ From: Guillaume Nodet <gnodet@gmail.com>`
		`+ Date: Fri, 23 Jul 2021 09:22:19 +0200`
		`+ Subject: [PATCH] Avoid possible NPE, fixes #214`
		`+`
		`+ ---`
		`+ src/main/java/org/fusesource/jansi/AnsiPrintStream.java \| 6 +++++-`
		`+ 1 file changed, 5 insertions(+), 1 deletion(-)`
		`+`
		`+ diff --git a/src/main/java/org/fusesource/jansi/AnsiPrintStream.java b/src/main/java/org/fusesource/jansi/AnsiPrintStream.java`
		`+ index e153c43..df6e5a6 100644`
		`+ --- a/src/main/java/org/fusesource/jansi/AnsiPrintStream.java`
		`+ +++ b/src/main/java/org/fusesource/jansi/AnsiPrintStream.java`
		`+ @@ -76,7 +76,11 @@ public void install() throws IOException {`
		`+ }`
		`+`
		`+ public void uninstall() throws IOException {`
		`+ - getOut().uninstall();`
		`+ + // If the system output stream has been closed, out should be null, so avoid a NPE`
		`+ + AnsiOutputStream out = getOut();`
		`+ + if (out != null) {`
		`+ + out.uninstall();`
		`+ + }`
		`+ }`
		`+`
		`+ @Override`

generate-tarball.sh

file added

+20

		`@@ -0,0 +1,20 @@`
		`+ #!/bin/bash`
		`+ set -e`
		`+`
		`+ name=jansi`
		`+ version="$(sed -n 's/Version:\s//p' .spec)"`
		`+`
		`+ # RETRIEVE`
		`+ wget "https://github.com/fusesource/jansi/archive/jansi-${version}.tar.gz" -O "${name}-${version}.orig.tar.gz"`
		`+`
		`+ rm -rf tarball-tmp`
		`+ mkdir tarball-tmp`
		`+ pushd tarball-tmp`
		`+ tar xf "../${name}-${version}.orig.tar.gz"`
		`+`
		`+ # CLEAN TARBALL`
		`+ rm -r */src/main/native/inc_{mac,win}/`
		`+`
		`+ tar -czf "../${name}-${version}.tar.gz" *`
		`+ popd`
		`+ rm -r tarball-tmp "${name}-${version}.orig.tar.gz"`

jansi.spec

file modified

+42 -10

		`@@ -1,21 +1,32 @@`
		`+ %bcond_with bootstrap`
		`+`
		`Name: jansi`
		`- Version: 2.1.1`
		`- Release: 3%{?dist}`
		`+ Version: 2.3.3`
		`+ Release: 4%{?dist}`
		`Summary: Generate and interpret ANSI escape sequences in Java`
		`-`
		`License: ASL 2.0`
		`URL: http://fusesource.github.io/jansi/`
		`- Source0: https://github.com/fusesource/jansi/archive/jansi-%{version}.tar.gz`
		`+`
		`+ # ./generate-tarball.sh`
		`+ Source0: %{name}-%{version}.tar.gz`
		`+ # Remove bundled binaries which cannot be easily verified for licensing`
		`+ Source1: generate-tarball.sh`
		`+`
		`# Change the location of the native artifact to where Fedora wants it`
		`Patch0: %{name}-jni.patch`
		`+ Patch1: 0001-Avoid-NPE.patch`

		`BuildRequires: gcc`
		`BuildRequires: maven-local`
		`+ %if %{with bootstrap}`
		`+ BuildRequires: javapackages-bootstrap`
		`+ %else`
		`BuildRequires: mvn(org.apache.felix:maven-bundle-plugin)`
		`BuildRequires: mvn(org.apache.maven.plugins:maven-source-plugin)`
		`BuildRequires: mvn(org.apache.maven.surefire:surefire-junit-platform)`
		`BuildRequires: mvn(org.fusesource:fusesource-pom:pom:)`
		`BuildRequires: mvn(org.junit.jupiter:junit-jupiter-engine)`
		`+ %endif`

		`%description`
		`Jansi is a small java library that allows you to use ANSI escape sequences`
		`@@ -45,8 +56,7 @@`
		`%pom_remove_dep :picocli-codegen`

		`# Build for JDK 1.8 at a minimum`
		`- %pom_xpath_set "//pom:plugin[pom:artifactId='maven-compiler-plugin']//pom:source" 1.8`
		`- %pom_xpath_set "//pom:plugin[pom:artifactId='maven-compiler-plugin']//pom:target" 1.8`
		`+ %pom_xpath_set "//pom:properties/pom:jdkTarget" 1.8`

		`# Remove prebuilt shared objects`
		`rm -fr src/main/resources/org/fusesource/jansi/internal`
		`@@ -57,7 +67,7 @@`
		`ln -s %{java_home}/include/linux/jni_md.h src/main/native/inc_linux`

		`# Set the JNI path`
		`- sed -i 's,@LIBDIR@,%{libdir},' \`
		`+ sed -i 's,@LIBDIR@,%{_prefix}/lib,' \`
		`src/main/java/org/fusesource/jansi/internal/JansiLoader.java`

		`%build`
		`@@ -77,8 +87,8 @@`

		`%install`
		`# Install the native artifact`
		`- mkdir -p %{buildroot}%{_libdir}/%{name}`
		`- cp -p src/main/native/libjansi.so %{buildroot}%{_libdir}/%{name}`
		`+ mkdir -p %{buildroot}%{_prefix}/lib/%{name}`
		`+ cp -p src/main/native/libjansi.so %{buildroot}%{_prefix}/lib/%{name}`

		`# Install the Java artifacts`
		`%mvn_install`
		`@@ -86,12 +96,34 @@`
		`%files -f .mfiles`
		`%license license.txt`
		`%doc readme.md changelog.md`
		`- %{_libdir}/%{name}/`
		`+ %{_prefix}/lib/%{name}/`

		`%files javadoc -f .mfiles-javadoc`
		`%license license.txt`

		`%changelog`
		`+ * Mon Nov 08 2021 Marian Koncek <mkoncek@redhat.com> - 2.3.3-4`
		`+ - Avoid possible NullPointerException`
		`+ - Resolves: rhbz#1995022`
		`+`
		`+ * Fri Sep 24 2021 Marian Koncek <mkoncek@redhat.com> - 2.3.3-3`
		`+ - Install native artifact into a fixed location`
		`+ - Related: rhbz#1994935`
		`+`
		`+ * Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.3-2`
		`+ - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild`
		`+`
		`+ * Wed Jun 23 2021 Jerry James <loganjerry@gmail.com> - 2.3.3-1`
		`+ - Version 2.3.3`
		`+`
		`+ * Fri Jun 18 2021 Mikolaj Izdebski <mizdebsk@redhat.com> - 2.1.1-5`
		`+ - Clean tarball from content with questionable licensing`
		`+ - Resolves: rhbz#1973738`
		`+`
		`+ * Mon May 17 2021 Mikolaj Izdebski <mizdebsk@redhat.com> - 2.1.1-4`
		`+ - Bootstrap build`
		`+ - Non-bootstrap build`
		`+`
		`* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-3`
		`- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild`

sources

file modified

+1 -1

		`@@ -1,1 +1,1 @@`
		`- SHA512 (jansi-2.1.1.tar.gz) = ccdb7b13da6715398b0b1d53bb1272ac445774dea7f643882c7df0182e17350b41dd1c782161f5350028209c82ac3588c22ceaaacd4930ec78645230b335bc4a`
		`+ SHA512 (jansi-2.3.3.tar.gz) = 11a27519c05f762f5a6bb076f7f7eb57b6e1df9984df8039a24294cbbf341adc060cb04e66ebcf7d269842bbe599ec0d17be7b3dadeddbabbbd158895aabe8f7`

no initial comment

sergiomb commented 2 years ago

to Fix CVE-2021-44228 log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value
https://bugzilla.redhat.com/show_bug.cgi?id=2030932

mizdebsk commented 2 years ago

Why is this necessary? How this change relates to Log4J vulnerability? I don't like rebasing packages in stable releases.

sergiomb commented 2 years ago

as you can see in this link https://copr.fedorainfracloud.org/coprs/sergiomb/builds_for_Stable_Releases/build/3031548/ builds of log4j-2.15.0 fails on F34 because [1]
if we update jansi on F34 with F35 , it build successfully

[1]
[ERROR] /builddir/build/BUILD/apache-log4j-2.15.0-src/log4j-core/src/main/java/org/apache/logging/log4j/core/pattern/JAnsiTextRenderer.java:[19,47] error: package org.fusesource.jansi.AnsiRenderer does not exist
https://download.copr.fedorainfracloud.org/results/sergiomb/builds_for_Stable_Releases/fedora-34-x86_64/03031548-log4j/build.log.gz

mcinglis commented 2 years ago

+1 to needing this in F34; we on Amazon Linux team realized necessity having Jansi 2.3 in AL22 (which is mostly F34), when updating its log4j to the 2.15.0-rc2 on Friday.

See PR for updating to log4j-2.15.0: https://src.fedoraproject.org/rpms/log4j/pull-request/8

mizdebsk commented 2 years ago

That's a strong indication that Log4J should not be rebased to a new version, but patched. Have you considered patching Log4J to backport upstream fix, or to patch it to work with older JANSI?

Anyway, some of the changes such as changing path where native library is installed are definitely not acceptable in stable release. Before I can accept this PR justify that patching Log4J is not feasible, update the PR to preserve the old .so path (eg. by adding a symlink) and provide some evidence of backwards compatibility (like API compat report, upstream changelog, or rebuild of dependent packages).

That being said, dist-git pull request is not a mechanism for reporting bugs or requesting package changes. If this issue is critical or in any way time sensitive, please open a bug in Red Hat Bugzilla to ensure it receives the proper attention and prioritization to assure a timely resolution.

sergiomb commented 2 years ago

yes please do it