Tony Mancill · Tony Mancill · Tony Mancill · Tony Mancill · Tony Mancill · Tony Mancill
--- a/debian/changelog
+++ b/debian/changelog
+libcommons-compress-java (1.18-3) unstable; urgency=medium
+
+  * Team upload.
+  * Add patch for CVE-2019-12402 (Debian: #939610)
+  * Refresh whitespace in debian/patches
+  * Bump Standards-Version to 4.4.0
+  * Use debhelper 12
+
+ -- tony mancill <tmancill@debian.org>  Sun, 15 Sep 2019 10:45:24 -0700
+
 libcommons-compress-java (1.18-2) unstable; urgency=medium

  * Team upload.

--- a/debian/compat
+++ b/debian/compat
-11
+12
--- a/debian/control
+++ b/debian/control
@@ -7,7 +7,7 @@ Uploaders:
 Jakub Adam <jakub.adam@ktknet.cz>,
 Emmanuel Bourg <ebourg@apache.org>
 Build-Depends:
- debhelper (>= 11),
+ debhelper (>= 12),
 default-jdk,
 javahelper,
 junit4,
@@ -17,7 +17,7 @@ Build-Depends:
 libmaven-javadoc-plugin-java,
 libxz-java (>= 1.5),
 maven-debian-helper
-Standards-Version: 4.3.0
+Standards-Version: 4.4.0
 Vcs-Git: https://salsa.debian.org/java-team/libcommons-compress-java.git
 Vcs-Browser: https://salsa.debian.org/java-team/libcommons-compress-java
 Homepage: https://commons.apache.org/proper/commons-compress/

--- a/debian/patches/CVE-2019-12402-939610.patch
+++ b/debian/patches/CVE-2019-12402-939610.patch
+Description: addresses CVE-2019-12402 (Debian: #939610)
+From: Stefan Bodewig <bodewig@apache.org>
+Date: Fri, 23 Aug 2019 14:12:05 +0000 (+0200)
+Subject: unit tests for encoding logic
+X-Git-Tag: 1.19-RC1~6
+X-Git-Url: https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commitdiff_plain;h=4ad5d80a6272e007f64a6ac66829ca189a8093b9;hp=16a0c84e84b93cc8c107b7ff3080bd11317ab581
+
+unit tests for encoding logic
+---
+
+diff --git a/src/main/java/org/apache/commons/compress/archivers/zip/NioZipEncoding.java b/src/main/java/org/apache/commons/compress/archivers/zip/NioZipEncoding.java
+index 0a7581a..4ce9c20 100644
+--- a/src/main/java/org/apache/commons/compress/archivers/zip/NioZipEncoding.java
+++ b/src/main/java/org/apache/commons/compress/archivers/zip/NioZipEncoding.java
+@@ -112,6 +112,9 @@ class NioZipEncoding implements ZipEncoding, CharsetAccessor {
+             } else if (res.isOverflow()) {
+                 int increment = estimateIncrementalEncodingSize(enc, cb.remaining());
+                 out = ZipEncodingHelper.growBufferBy(out, increment);
+
+            } else if (res.isUnderflow() || res.isError()) {
+                break;
+             }
+         }
+         // tell the encoder we are done
+diff --git a/src/test/java/org/apache/commons/compress/archivers/zip/NioZipEncodingTest.java b/src/test/java/org/apache/commons/compress/archivers/zip/NioZipEncodingTest.java
+new file mode 100644
+index 0000000..a04730c
+--- /dev/null
+++ b/src/test/java/org/apache/commons/compress/archivers/zip/NioZipEncodingTest.java
+@@ -0,0 +1,97 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.commons.compress.archivers.zip;
+
+import java.nio.ByteBuffer;
+import java.nio.charset.StandardCharsets;
+import java.util.Arrays;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+public class NioZipEncodingTest {
+
+    private static final String UMLAUTS = "\u00e4\u00f6\u00fc";
+
+    @Test
+    public void umlautToUTF16BE() {
+        NioZipEncoding e = new NioZipEncoding(StandardCharsets.UTF_16BE, false);
+        ByteBuffer bb = e.encode(UMLAUTS);
+        final int off = bb.arrayOffset();
+        byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
+        Assert.assertArrayEquals(UMLAUTS.getBytes(StandardCharsets.UTF_16BE), result);
+    }
+
+    @Test
+    public void umlautToUTF8() {
+        NioZipEncoding e = new NioZipEncoding(StandardCharsets.UTF_8, true);
+        ByteBuffer bb = e.encode("\u00e4\u00f6\u00fc");
+        final int off = bb.arrayOffset();
+        byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
+        Assert.assertArrayEquals(UMLAUTS.getBytes(StandardCharsets.UTF_8), result);
+    }
+
+    @Test
+    public void umlautToISO88591() {
+        NioZipEncoding e = new NioZipEncoding(StandardCharsets.ISO_8859_1, true);
+        ByteBuffer bb = e.encode("\u00e4\u00f6\u00fc");
+        final int off = bb.arrayOffset();
+        byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
+        Assert.assertArrayEquals(UMLAUTS.getBytes(StandardCharsets.ISO_8859_1), result);
+    }
+
+    @Test
+    public void unmappableUmlauts() {
+        NioZipEncoding e = new NioZipEncoding(StandardCharsets.US_ASCII, false);
+        ByteBuffer bb = e.encode("\u00e4\u00f6\u00fc");
+        final int off = bb.arrayOffset();
+        byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
+        Assert.assertEquals("%U00E4%U00F6%U00FC", new String(result, StandardCharsets.US_ASCII));
+    }
+
+    private static final String RAINBOW_EMOJI = "\ud83c\udf08";
+
+    @Test
+    public void unmappableRainbowEmoji() {
+        NioZipEncoding e = new NioZipEncoding(StandardCharsets.US_ASCII, false);
+        ByteBuffer bb = e.encode(RAINBOW_EMOJI);
+        final int off = bb.arrayOffset();
+        byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
+        Assert.assertEquals("%UD83C%UDF08", new String(result, StandardCharsets.US_ASCII));
+    }
+
+    @Test
+    public void rainbowEmojiToSurrogatePairUTF16() {
+        NioZipEncoding e = new NioZipEncoding(StandardCharsets.UTF_16BE, false);
+        ByteBuffer bb = e.encode(RAINBOW_EMOJI);
+        final int off = bb.arrayOffset();
+        byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
+        Assert.assertArrayEquals(RAINBOW_EMOJI.getBytes(StandardCharsets.UTF_16BE), result);
+    }
+
+    @Test
+    public void partialSurrogatePair() {
+        NioZipEncoding e = new NioZipEncoding(StandardCharsets.US_ASCII, false);
+        ByteBuffer bb = e.encode("\ud83c");
+        final int off = bb.arrayOffset();
+        byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
+        Assert.assertEquals(0, result.length);
+    }
+}
--- a/debian/patches/disable-brotli.patch
+++ b/debian/patches/disable-brotli.patch
 --- a/pom.xml
 +++ b/pom.xml
-@@ -314,6 +314,17 @@
+@@ -331,6 +331,17 @@
     </pluginManagement>
     <plugins>
       <plugin>

--- a/debian/patches/disable-osgi-tests.patch
+++ b/debian/patches/disable-osgi-tests.patch
 --- a/pom.xml
 +++ b/pom.xml
-@@ -323,6 +323,7 @@
+@@ -340,6 +340,7 @@
           <testExcludes>
             <testExclude>**/brotli/**</testExclude>
             <testExclude>**/zstandard/**</testExclude>

--- a/debian/patches/disable-zstd.patch
+++ b/debian/patches/disable-zstd.patch
 --- a/pom.xml
 +++ b/pom.xml
-@@ -318,9 +318,11 @@
+@@ -335,9 +335,11 @@
         <configuration>
           <excludes>
             <exclude>**/brotli/**</exclude>

--- a/debian/patches/series
+++ b/debian/patches/series
 disable-brotli.patch
 disable-zstd.patch
 disable-osgi-tests.patch
+CVE-2019-12402-939610.patch