Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package logback for openSUSE:Factory checked in at 2026-01-29 17:46:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/logback (Old) and /work/SRC/openSUSE:Factory/.logback.new.1995 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "logback" Thu Jan 29 17:46:18 2026 rev:12 rq:1329765 version:1.2.13 Changes: -------- --- /work/SRC/openSUSE:Factory/logback/logback.changes 2025-10-03 15:46:42.968739666 +0200 +++ /work/SRC/openSUSE:Factory/.logback.new.1995/logback.changes 2026-01-29 17:49:06.623946260 +0100 @@ -1,0 +2,8 @@ +Thu Jan 29 06:56:29 UTC 2026 - Fridrich Strba <[email protected]> + +- Added patch: + * logback-CVE-2026-1225.patch + + backport of upstream fix for bsc#1257094, CVE-2026-1225: ACE + vulnerability in configuration file + +------------------------------------------------------------------- New: ---- logback-CVE-2026-1225.patch ----------(New B)---------- New:- Added patch: * logback-CVE-2026-1225.patch + backport of upstream fix for bsc#1257094, CVE-2026-1225: ACE ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ logback.spec ++++++ --- /var/tmp/diff_new_pack.mjCdQd/_old 2026-01-29 17:49:07.383978818 +0100 +++ /var/tmp/diff_new_pack.mjCdQd/_new 2026-01-29 17:49:07.383978818 +0100 @@ -27,6 +27,7 @@ Patch1: logback-CVE-2024-12801-CVE-2024-12798.patch Patch2: filtering.patch Patch3: logback-CVE-2025-11226.patch +Patch4: logback-CVE-2026-1225.patch BuildRequires: fdupes BuildRequires: maven-local BuildRequires: mvn(javax.mail:mail) ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.mjCdQd/_old 2026-01-29 17:49:07.423980531 +0100 +++ /var/tmp/diff_new_pack.mjCdQd/_new 2026-01-29 17:49:07.431980874 +0100 
@@ -1,6 +1,6 @@ -mtime: 1759475660 -commit: 2111227464331c40e1296817d0e389bd3f88031f6060f5b046401a407e3d789b +mtime: 1769670082 +commit: cc77896acb21f9ec1ac3cd541797ea527a882a78265a9682326d509b85446e78 url: https://src.opensuse.org/java-packages/logback.git -revision: 2111227464331c40e1296817d0e389bd3f88031f6060f5b046401a407e3d789b +revision: cc77896acb21f9ec1ac3cd541797ea527a882a78265a9682326d509b85446e78 projectscmsync: https://src.opensuse.org/java-packages/_ObsPrj ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-01-29 08:01:48.000000000 +0100 @@ -0,0 +1 @@ +.osc ++++++ logback-CVE-2026-1225.patch ++++++ --- a/logback-core/src/main/java/ch/qos/logback/core/joran/action/IADataForComplexProperty.java +++ b/logback-core/src/main/java/ch/qos/logback/core/joran/action/IADataForComplexProperty.java @@ -26,6 +26,7 @@ public class IADataForComplexProperty { final AggregationType aggregationType; final String complexPropertyName; private Object nestedComplexProperty; + private Class<?> expectedPropertyType; boolean inError; public IADataForComplexProperty(PropertySetter parentBean, AggregationType aggregationType, String complexPropertyName) { @@ -46,6 +47,14 @@ public class IADataForComplexProperty { return complexPropertyName; } + public Class<?> getExpectedPropertyType() { + return expectedPropertyType; + } + + public void setExpectedPropertyType(Class<?> expectedPropertyType) { + this.expectedPropertyType = expectedPropertyType; + } + public void setNestedComplexProperty(Object nestedComplexProperty) { this.nestedComplexProperty = nestedComplexProperty; } --- a/logback-core/src/main/java/ch/qos/logback/core/joran/action/NestedComplexPropertyIA.java +++ b/logback-core/src/main/java/ch/qos/logback/core/joran/action/NestedComplexPropertyIA.java 
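Review bot: `expectedPropertyType` (added at @@ -26 and exposed at @@ -46) is a non-final field that stays null until `setExpectedPropertyType` is called, and `OptionHelper.instantiateClassWithSuperclassRestriction` later dereferences it in `superClass.isAssignableFrom(classObj)`. Instantiation is still prevented in that case, but the failure is a NullPointerException rather than a diagnosable rejection. The one construction site visible in this patch (NestedComplexPropertyIA, @@ -76) sets the value immediately; any other creator of this class, not visible here, would not. I would either reject null in the setter, `if (expectedPropertyType == null) throw new IllegalArgumentException("expectedPropertyType must not be null");`, or document on the getter that null means the type has not been resolved yet.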
@@ -76,7 +76,9 @@ public class NestedComplexPropertyIA extends ImplicitAction { // we only push action data if NestComponentIA is applicable case AS_COMPLEX_PROPERTY_COLLECTION: case AS_COMPLEX_PROPERTY: + Class<?> propertyType = parentBean.getTypeForComplexProperty(nestedElementTagName, aggregationType); IADataForComplexProperty ad = new IADataForComplexProperty(parentBean, aggregationType, nestedElementTagName); + ad.setExpectedPropertyType(propertyType); actionDataStack.push(ad); return true; @@ -118,7 +120,11 @@ public class NestedComplexPropertyIA extends ImplicitAction { addInfo("Assuming default type [" + componentClass.getName() + "] for [" + localName + "] property"); } - actionData.setNestedComplexProperty(componentClass.newInstance()); + Class<?> expectedPropertyType = actionData.getExpectedPropertyType(); + + Object object = OptionHelper.instantiateClassWithSuperclassRestriction(componentClass, expectedPropertyType); + + actionData.setNestedComplexProperty(object); // pass along the repository if (actionData.getNestedComplexProperty() instanceof ContextAware) { --- a/logback-core/src/main/java/ch/qos/logback/core/joran/util/PropertySetter.java +++ b/logback-core/src/main/java/ch/qos/logback/core/joran/util/PropertySetter.java 
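Review bot: The call to `OptionHelper.instantiateClassWithSuperclassRestriction` at @@ -118 has no comment saying that it is the type gate for CVE-2026-1225, so a later cleanup could put back a plain `newInstance()` without noticing what it removes. I would add `// Security: only instantiate classes assignable to the setter/adder parameter type (CVE-2026-1225).` above it and rename the local `object` to something like `nestedComponent`. The enclosing method and its catch block lie outside the hunk, so it is not visible whether a rejected class is reported with both the expected and the offending type. That message is what lets an operator spot a hostile or mistaken configuration in the status output, so it is worth confirming.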
@@ -395,4 +395,36 @@ public class PropertySetter extends ContextAwareBase { return getByConcreteType(name, relevantMethod); } + public Class<?> getTypeForComplexProperty(String nestedElementTagName, AggregationType aggregationType) { + + Method aMethod = null; + switch (aggregationType) { + case AS_COMPLEX_PROPERTY: + aMethod = findSetterMethod(nestedElementTagName); + break; + case AS_COMPLEX_PROPERTY_COLLECTION: + aMethod = findAdderMethod(nestedElementTagName); + } + + + checkParameterCount(aMethod, nestedElementTagName); + + Class<?>[] paramTypes = aMethod.getParameterTypes(); + return paramTypes[0]; + + } + + private void checkParameterCount(Method aMethod, String nestedElementTagName) { + if(aMethod == null) { + String msg = "Could not find method for property [" + nestedElementTagName + "]."; + addError(msg); + throw new IllegalStateException(msg); + } + int parameterCount = aMethod.getParameterCount(); + if (parameterCount != 1) { + String msg = "Expected ["+aMethod.getName()+"] for property [" + nestedElementTagName + "] to have exactly one parameter."; + addError(msg); + throw new IllegalStateException(msg); + } + } } --- a/logback-core/src/main/java/ch/qos/logback/core/util/OptionHelper.java +++ b/logback-core/src/main/java/ch/qos/logback/core/util/OptionHelper.java @@ -14,6 +14,7 @@ package ch.qos.logback.core.util; import java.lang.reflect.Constructor; +import java.lang.reflect.InvocationTargetException; import java.util.Properties; import ch.qos.logback.core.Context; 
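Review bot: The `switch` in `getTypeForComplexProperty` has no `default` branch and its last case has no `break`, so any other `AggregationType` leaves `aMethod` null and `checkParameterCount` reports it as "Could not find method for property [...]", which misstates the cause. Adding `default: throw new IllegalArgumentException("Unsupported aggregation type [" + aggregationType + "] for property [" + nestedElementTagName + "]");` keeps the two failures apart. The method is public and throws an unchecked `IllegalStateException`, and NestedComplexPropertyIA (@@ -76) calls it with no handler in the visible lines. A Javadoc with `@throws IllegalStateException` would make that contract explicit for callers.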
@@ -44,6 +45,19 @@ public class OptionHelper { return instantiateByClassNameAndParameter(className, superClass, classLoader, null, null); } + public static Object instantiateClassWithSuperclassRestriction(Class<?> classObj, Class<?> superClass) + throws IncompatibleClassException, DynamicClassLoadingException { + if (!superClass.isAssignableFrom(classObj)) { + throw new IncompatibleClassException(superClass, classObj); + } + + try { + return classObj.getConstructor().newInstance(); + } catch (NoSuchMethodException|InstantiationException|IllegalAccessException|InvocationTargetException e) { + throw new DynamicClassLoadingException("Failed to instantiate type " + classObj.getName(), e); + } + } + public static Object instantiateByClassNameAndParameter(String className, Class<?> superClass, ClassLoader classLoader, Class<?> type, Object parameter) throws IncompatibleClassException, DynamicClassLoadingException {
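Review bot: `instantiateClassWithSuperclassRestriction` is a security boundary but has no Javadoc stating its contract: the assignability check runs before any constructor is invoked, and an incompatible class is rejected with `IncompatibleClassException`. The check is only as narrow as the `superClass` it is given. For a property whose setter or adder takes a broad type such as `Object`, nearly every class passes, so the Javadoc should tell callers to pass the most specific expected type. I would also document that only a public no-argument constructor is used and that constructor failures are wrapped in `DynamicClassLoadingException` with the cause preserved.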
