diff --git a/guava-avoid-presizing-arrays.patch b/guava-avoid-presizing-arrays.patch
new file mode 100644
index 0000000..f4e785c
--- /dev/null
+++ b/guava-avoid-presizing-arrays.patch
@@ -0,0 +1,46 @@
+From 0dcc4f04883cfd87a3cbf814f61c603c7d066399 Mon Sep 17 00:00:00 2001
+From: Michael Simacek
+Date: Wed, 2 May 2018 15:22:08 +0200
+Subject: [PATCH] Avoid presizing arrays
+
+---
+ .../common/util/concurrent/AtomicDoubleArray.java | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/guava/src/com/google/common/util/concurrent/AtomicDoubleArray.java b/guava/src/com/google/common/util/concurrent/AtomicDoubleArray.java
+index 407cd7c..14d0e48 100644
+--- a/guava/src/com/google/common/util/concurrent/AtomicDoubleArray.java
++++ b/guava/src/com/google/common/util/concurrent/AtomicDoubleArray.java
+@@ -16,8 +16,12 @@ package com.google.common.util.concurrent;
+ import static java.lang.Double.doubleToRawLongBits;
+ import static java.lang.Double.longBitsToDouble;
+
++import java.util.ArrayList;
++import java.util.List;
+ import java.util.concurrent.atomic.AtomicLongArray;
+
++import com.google.common.primitives.Longs;
++
+ /**
+ * A {@code double} array in which elements may be updated atomically.
+ * See the {@link java.util.concurrent.atomic} package specification
+@@ -256,13 +260,11 @@ public class AtomicDoubleArray implements java.io.Serializable {
+ throws java.io.IOException, ClassNotFoundException {
+ s.defaultReadObject();
+
+- // Read in array length and allocate array
+ int length = s.readInt();
+- this.longs = new AtomicLongArray(length);
+-
+- // Read in all elements in the proper order.
++ List builder = new ArrayList();
+ for (int i = 0; i < length; i++) {
+- set(i, s.readDouble());
++ builder.add(doubleToRawLongBits(s.readDouble()));
+ }
++ this.longs = new AtomicLongArray(Longs.toArray(builder));
+ }
+ }
+--
+2.17.0
+
diff --git a/guava.spec b/guava.spec
index 7999c10..4e4023a 100644
--- a/guava.spec
+++ b/guava.spec
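Review bot: In the rewritten `readObject`, a negative `length` read from the stream is now accepted silently: the loop never runs and an empty array is built, whereas the removed `new AtomicLongArray(length)` would have thrown on it. Rejecting it explicitly keeps a malformed stream from deserializing into a valid-looking object, e.g. `if (length < 0) throw new java.io.InvalidObjectException("negative length: " + length);` right after `s.readInt()`. The two removed comments are not replaced, so nothing in the new code says why the array is no longer presized; a line such as `// Grow with the data actually read; never allocate from the stream-supplied length (CVE-2018-10237).` above the list would stop a later cleanup from reintroducing the eager allocation. Each element is now boxed into the list before `Longs.toArray` copies it, so legitimate large arrays cost noticeably more transient memory than before, though allocation is bounded by what the stream actually delivers. The method's signature lies outside the hunk.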
@@ -4,7 +4,7 @@ Name: guava Version: 18.0 -Release: 11%{?dist} +Release: 12%{?dist} Summary: Google Core Libraries for Java License: ASL 2.0 URL: https://github.com/google/guava @@ -14,6 +14,7 @@ Source0: https://github.com/google/guava/archive/v%{version}.tar.gz Patch0: %{name}-java8.patch Patch1: guava-jdk8-HashMap-testfix.patch +Patch2: guava-avoid-presizing-arrays.patch BuildRequires: maven-local BuildRequires: mvn(com.google.code.findbugs:jsr305) @@ -50,6 +51,7 @@ guava-testlib provides additional functionality for conveinent unit testing %setup -q %patch0 -p1 %patch1 -p1 +%patch2 -p1 find . -name '*.jar' -delete %pom_disable_module guava-gwt @@ -91,6 +93,9 @@ find . -name '*.jar' -delete %endif %changelog +* Thu May 03 2018 Michael Simacek - 18.0-12 +- Backport fix for CVE-2018-10237 + * Wed Jul 26 2017 Fedora Release Engineering - 18.0-11 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild