Security Source Patches

Ken Sperow, modified 11 years ago.

Security Source Patches

New Member Posts: 11 Join Date: 25/04/11 Recent Posts
The work the CST is doing is critical and I appreciate their hard work. However, I am wondering if others have been able to successfully apply the cumulative source patch for CE GA1?

I have attempted to use both 'patch' and 'git apply' as outlined at http://www.liferay.com/community/security-team/cst-process#patchinfo but without success. I am getting the following output when using 'patch' against a new download of the GA1 source:


[ksperow@localhost liferay-portal-src-6.1.0-ce-ga1]$ patch --dry-run -p1 < ~/Downloads/6.1.0-ga1...6.1.0-cumulative.patch
patching file portal-impl/src/com/liferay/portlet/documentlibrary/store/DLStoreImpl.java
Hunk #1 FAILED at 216.
Hunk #2 FAILED at 224.
Hunk #3 FAILED at 231.
Hunk #4 FAILED at 239.
Hunk #5 FAILED at 247.
Hunk #6 FAILED at 255.
Hunk #7 FAILED at 263.
Hunk #8 FAILED at 276.
Hunk #9 FAILED at 290.
9 out of 9 hunks FAILED -- saving rejects to file portal-impl/src/com/liferay/portlet/documentlibrary/store/DLStoreImpl.java.rej
patching file portal-impl/src/com/liferay/portal/util/FileImpl.java
Hunk #1 FAILED at 406.
1 out of 1 hunk FAILED -- saving rejects to file portal-impl/src/com/liferay/portal/util/FileImpl.java.rej
patching file portal-impl/src/com/liferay/portal/service/http/GroupServiceHttp.java
Hunk #1 FAILED at 611.
Hunk #2 FAILED at 625.
2 out of 2 hunks FAILED -- saving rejects to file portal-impl/src/com/liferay/portal/service/http/GroupServiceHttp.java.rej
patching file portal-impl/src/com/liferay/portal/service/http/OrganizationServiceHttp.java
Hunk #1 FAILED at 353.
Hunk #2 FAILED at 367.
2 out of 2 hunks FAILED -- saving rejects to file portal-impl/src/com/liferay/portal/service/http/OrganizationServiceHttp.java.rej
patching file portal-impl/src/com/liferay/portal/service/http/UserGroupServiceHttp.java
Hunk #1 FAILED at 264.
Hunk #2 FAILED at 277.
2 out of 2 hunks FAILED -- saving rejects to file portal-impl/src/com/liferay/portal/service/http/UserGroupServiceHttp.java.rej
patching file portal-impl/src/com/liferay/portal/service/http/UserServiceHttp.java
Hunk #1 FAILED at 903.
Hunk #2 FAILED at 917.
Hunk #3 FAILED at 934.
Hunk #4 FAILED at 948.
4 out of 4 hunks FAILED -- saving rejects to file portal-impl/src/com/liferay/portal/service/http/UserServiceHttp.java.rej
patching file portal-impl/src/com/liferay/portal/service/impl/GroupServiceImpl.java
Hunk #1 FAILED at 36.
Hunk #2 FAILED at 537.
Hunk #3 FAILED at 632.
Hunk #4 FAILED at 650.
4 out of 4 hunks FAILED -- saving rejects to file portal-impl/src/com/liferay/portal/service/impl/GroupServiceImpl.java.rej
patching file portal-impl/src/com/liferay/portal/service/impl/OrganizationServiceImpl.java
Hunk #1 FAILED at 36.
Hunk #2 FAILED at 359.
Hunk #3 FAILED at 439.
Hunk #4 FAILED at 545.
Hunk #5 FAILED at 600.
5 out of 5 hunks FAILED -- saving rejects to file portal-impl/src/com/liferay/portal/service/impl/OrganizationServiceImpl.java.rej
patching file portal-impl/src/com/liferay/portal/service/impl/RoleServiceImpl.java
Hunk #1 FAILED at 23.
Hunk #2 FAILED at 176.
Hunk #3 FAILED at 194.
Hunk #4 FAILED at 211.
Hunk #5 FAILED at 227.
Hunk #6 FAILED at 251.
Hunk #7 FAILED at 274.
7 out of 7 hunks FAILED -- saving rejects to file portal-impl/src/com/liferay/portal/service/impl/RoleServiceImpl.java.rej
patching file portal-impl/src/com/liferay/portal/service/impl/UserGroupServiceImpl.java
Hunk #1 FAILED at 24.
Hunk #2 FAILED at 169.
Hunk #3 FAILED at 235.
3 out of 3 hunks FAILED -- saving rejects to file portal-impl/src/com/liferay/portal/service/impl/UserGroupServiceImpl.java.rej
patching file portal-impl/src/com/liferay/portal/service/impl/UserServiceImpl.java
Hunk #1 FAILED at 28.
Hunk #2 FAILED at 36.
Hunk #3 FAILED at 777.
Hunk #4 FAILED at 794.
Hunk #5 FAILED at 807.
Hunk #6 FAILED at 822.
Hunk #7 FAILED at 846.
Hunk #8 FAILED at 1199.
Hunk #9 FAILED at 1399.
Hunk #10 FAILED at 1502.
Hunk #11 FAILED at 1547.
Hunk #12 FAILED at 1686.
12 out of 12 hunks FAILED -- saving rejects to file portal-impl/src/com/liferay/portal/service/impl/UserServiceImpl.java.rej
patching file portal-service/src/com/liferay/portal/service/GroupService.java
Hunk #1 FAILED at 355.
1 out of 1 hunk FAILED -- saving rejects to file portal-service/src/com/liferay/portal/service/GroupService.java.rej
patching file portal-service/src/com/liferay/portal/service/GroupServiceUtil.java
Hunk #1 FAILED at 372.
1 out of 1 hunk FAILED -- saving rejects to file portal-service/src/com/liferay/portal/service/GroupServiceUtil.java.rej
patching file portal-service/src/com/liferay/portal/service/GroupServiceWrapper.java
patching file portal-service/src/com/liferay/portal/service/OrganizationService.java
Hunk #1 FAILED at 229.
1 out of 1 hunk FAILED -- saving rejects to file portal-service/src/com/liferay/portal/service/OrganizationService.java.rej
patching file portal-service/src/com/liferay/portal/service/OrganizationServiceUtil.java
Hunk #1 FAILED at 245.
1 out of 1 hunk FAILED -- saving rejects to file portal-service/src/com/liferay/portal/service/OrganizationServiceUtil.java.rej
patching file portal-service/src/com/liferay/portal/service/OrganizationServiceWrapper.java
patching file portal-service/src/com/liferay/portal/service/UserGroupService.java
Hunk #1 FAILED at 144.
1 out of 1 hunk FAILED -- saving rejects to file portal-service/src/com/liferay/portal/service/UserGroupService.java.rej
patching file portal-service/src/com/liferay/portal/service/UserGroupServiceUtil.java
Hunk #1 FAILED at 148.
1 out of 1 hunk FAILED -- saving rejects to file portal-service/src/com/liferay/portal/service/UserGroupServiceUtil.java.rej
patching file portal-service/src/com/liferay/portal/service/UserGroupServiceWrapper.java
patching file portal-service/src/com/liferay/portal/service/UserService.java
Hunk #1 FAILED at 588.
Hunk #2 FAILED at 601.
2 out of 2 hunks FAILED -- saving rejects to file portal-service/src/com/liferay/portal/service/UserService.java.rej
patching file portal-service/src/com/liferay/portal/service/UserServiceUtil.java
Hunk #1 FAILED at 641.
Hunk #2 FAILED at 655.
2 out of 2 hunks FAILED -- saving rejects to file portal-service/src/com/liferay/portal/service/UserServiceUtil.java.rej
patching file portal-service/src/com/liferay/portal/service/UserServiceWrapper.java
patching file portal-impl/src/com/liferay/portlet/PortletRequestDispatcherImpl.java
Hunk #1 FAILED at 282.
1 out of 1 hunk FAILED -- saving rejects to file portal-impl/src/com/liferay/portlet/PortletRequestDispatcherImpl.java.rej
patching file portal-impl/src/com/liferay/portlet/StrutsPortlet.java
Hunk #1 FAILED at 16.
Hunk #2 FAILED at 156.
Hunk #3 FAILED at 204.
Hunk #4 FAILED at 219.
Hunk #5 FAILED at 267.
5 out of 5 hunks FAILED -- saving rejects to file portal-impl/src/com/liferay/portlet/StrutsPortlet.java.rej
patching file portal-web/docroot/WEB-INF/liferay-web.xml
Hunk #1 FAILED at 1103.
1 out of 1 hunk FAILED -- saving rejects to file portal-web/docroot/WEB-INF/liferay-web.xml.rej
patching file portal-web/docroot/WEB-INF/portlet-custom.xml
Hunk #1 FAILED at 6.
Hunk #2 FAILED at 24.
Hunk #3 FAILED at 51.
Hunk #4 FAILED at 71.
Hunk #5 FAILED at 108.
Hunk #6 FAILED at 132.
Hunk #7 FAILED at 160.
Hunk #8 FAILED at 197.
Hunk #9 FAILED at 247.
Hunk #10 FAILED at 273.
Hunk #11 FAILED at 293.
Hunk #12 FAILED at 313.
Hunk #13 FAILED at 333.
Hunk #14 FAILED at 357.
Hunk #15 FAILED at 380.
Hunk #16 FAILED at 400.
Hunk #17 FAILED at 424.
Hunk #18 FAILED at 454.
Hunk #19 FAILED at 484.
Hunk #20 FAILED at 508.
Hunk #21 FAILED at 538.
Hunk #22 FAILED at 596.
Hunk #23 FAILED at 643.
Hunk #24 FAILED at 694.
Hunk #25 FAILED at 718.
Hunk #26 FAILED at 748.
Hunk #27 FAILED at 775.
Hunk #28 FAILED at 795.
Hunk #29 FAILED at 819.
Hunk #30 FAILED at 839.
Hunk #31 FAILED at 978.
Hunk #32 FAILED at 1009.
Hunk #33 FAILED at 1033.
Hunk #34 FAILED at 1060.
Hunk #35 FAILED at 1087.
Hunk #36 FAILED at 1114.
Hunk #37 FAILED at 1137.
Hunk #38 FAILED at 1157.
Hunk #39 FAILED at 1181.
Hunk #40 FAILED at 1203.
Hunk #41 FAILED at 1214.
Hunk #42 FAILED at 1228.
Hunk #43 FAILED at 1244.
Hunk #44 FAILED at 1255.
Hunk #45 FAILED at 1281.
Hunk #46 FAILED at 1301.
Hunk #47 FAILED at 1322.
Hunk #48 FAILED at 1346.
Hunk #49 FAILED at 1376.
Hunk #50 FAILED at 1409.
Hunk #51 FAILED at 1426.
Hunk #52 FAILED at 1446.
Hunk #53 FAILED at 1470.
Hunk #54 FAILED at 1511.
Hunk #55 FAILED at 1528.
Hunk #56 FAILED at 1546.
Hunk #57 FAILED at 1573.
Hunk #58 FAILED at 1596.
Hunk #59 FAILED at 1623.
Hunk #60 FAILED at 1645.
Hunk #61 FAILED at 1666.
Hunk #62 FAILED at 1693.
Hunk #63 FAILED at 1717.
Hunk #64 FAILED at 1728.
Hunk #65 FAILED at 1745.
Hunk #66 FAILED at 1762.
Hunk #67 FAILED at 1779.
Hunk #68 FAILED at 1796.
Hunk #69 FAILED at 1813.
Hunk #70 FAILED at 1830.
Hunk #71 FAILED at 1847.
Hunk #72 FAILED at 1861.
Hunk #73 FAILED at 1878.
Hunk #74 FAILED at 1895.
Hunk #75 FAILED at 1912.
Hunk #76 FAILED at 1929.
Hunk #77 FAILED at 1943.
Hunk #78 FAILED at 1961.
Hunk #79 FAILED at 1986.
Hunk #80 FAILED at 2009.
Hunk #81 FAILED at 2032.
Hunk #82 FAILED at 2055.
Hunk #83 FAILED at 2075.
Hunk #84 FAILED at 2092.
Hunk #85 FAILED at 2113.
Hunk #86 FAILED at 2160.
Hunk #87 FAILED at 2177.
Hunk #88 FAILED at 2194.
Hunk #89 FAILED at 2211.
Hunk #90 FAILED at 2231.
Hunk #91 FAILED at 2255.
Hunk #92 FAILED at 2272.
Hunk #93 FAILED at 2286.
Hunk #94 FAILED at 2306.
Hunk #95 FAILED at 2326.
Hunk #96 FAILED at 2340.
Hunk #97 FAILED at 2357.
Hunk #98 FAILED at 2378.
Hunk #99 FAILED at 2401.
Hunk #100 FAILED at 2415.
Hunk #101 FAILED at 2439.
Hunk #102 FAILED at 2467.
Hunk #103 FAILED at 2487.
Hunk #104 FAILED at 2507.
Hunk #105 FAILED at 2534.
Hunk #106 FAILED at 2574.
Hunk #107 FAILED at 2595.
Hunk #108 FAILED at 2631.
Hunk #109 FAILED at 2648.
Hunk #110 FAILED at 2668.
Hunk #111 FAILED at 2688.
Hunk #112 FAILED at 2709.
Hunk #113 FAILED at 2766.
113 out of 113 hunks FAILED -- saving rejects to file portal-web/docroot/WEB-INF/portlet-custom.xml.rej
patching file util-bridges/src/com/liferay/util/bridges/mvc/MVCPortlet.java
Hunk #1 FAILED at 282.
1 out of 1 hunk FAILED -- saving rejects to file util-bridges/src/com/liferay/util/bridges/mvc/MVCPortlet.java.rej
patching file portal-impl/src/com/liferay/portal/action/JSONServiceAction.java
Hunk #1 FAILED at 30.
Hunk #2 FAILED at 49.
Hunk #3 FAILED at 79.
Hunk #4 FAILED at 139.
4 out of 4 hunks FAILED -- saving rejects to file portal-impl/src/com/liferay/portal/action/JSONServiceAction.java.rej
patching file portal-impl/src/com/liferay/portal/jsonwebservice/JSONWebServiceActionImpl.java
patching file portal-impl/src/com/liferay/portal/jsonwebservice/JSONWebServiceServiceAction.java
patching file portal-impl/src/com/liferay/portal/service/impl/UserServiceImpl.java
Hunk #1 FAILED at 556.
Hunk #2 FAILED at 1166.
Hunk #3 FAILED at 1603.
Hunk #4 FAILED at 1624.
Hunk #5 FAILED at 1636.
Hunk #6 FAILED at 1669.
Hunk #7 FAILED at 1707.
Hunk #8 FAILED at 1747.
Hunk #9 FAILED at 1788.
9 out of 9 hunks FAILED -- saving rejects to file portal-impl/src/com/liferay/portal/service/impl/UserServiceImpl.java.rej
patching file portal-impl/src/com/liferay/portal/util/PropsValues.java
Hunk #1 FAILED at 724.
1 out of 1 hunk FAILED -- saving rejects to file portal-impl/src/com/liferay/portal/util/PropsValues.java.rej
patching file portal-impl/src/portal.properties
Hunk #1 FAILED at 5500.
1 out of 1 hunk FAILED -- saving rejects to file portal-impl/src/portal.properties.rej
patching file portal-service/src/com/liferay/portal/kernel/jsonwebservice/JSONWebServiceAction.java
patching file portal-service/src/com/liferay/portal/kernel/util/PropsKeys.java
Hunk #1 FAILED at 991.
1 out of 1 hunk FAILED -- saving rejects to file portal-service/src/com/liferay/portal/kernel/util/PropsKeys.java.rej
patching file portal-impl/src/com/liferay/portal/action/JSONServiceAction.java
Hunk #1 FAILED at 403.
1 out of 1 hunk FAILED -- saving rejects to file portal-impl/src/com/liferay/portal/action/JSONServiceAction.java.rej
patching file portal-impl/src/com/liferay/portal/json/JSONDeserializerImpl.java
patching file portal-impl/src/com/liferay/portal/json/PortalBeanObjectFactory.java
patching file portal-impl/src/com/liferay/portal/jsonwebservice/JSONWebServiceActionImpl.java
Hunk #1 succeeded at 82 (offset -5 lines).
Hunk #2 succeeded at 140 (offset -5 lines).
Hunk #3 succeeded at 250 (offset -5 lines).
patching file portal-impl/src/com/liferay/portal/util/PropsValues.java
Hunk #1 FAILED at 722.
1 out of 1 hunk FAILED -- saving rejects to file portal-impl/src/com/liferay/portal/util/PropsValues.java.rej
patching file portal-impl/src/portal.properties
Hunk #1 FAILED at 5489.
1 out of 1 hunk FAILED -- saving rejects to file portal-impl/src/portal.properties.rej
patching file portal-service/src/com/liferay/portal/kernel/util/PropsKeys.java
Hunk #1 FAILED at 989.
1 out of 1 hunk FAILED -- saving rejects to file portal-service/src/com/liferay/portal/kernel/util/PropsKeys.java.rej
patching file portal-impl/src/com/liferay/portlet/wiki/service/impl/WikiPageLocalServiceImpl.java
Hunk #1 FAILED at 587.
1 out of 1 hunk FAILED -- saving rejects to file portal-impl/src/com/liferay/portlet/wiki/service/impl/WikiPageLocalServiceImpl.java.rej
patching file portal-service/src/com/liferay/portal/kernel/util/TempFileNameException.java
patching file portal-service/src/com/liferay/portal/kernel/util/TempFileUtil.java
patching file portal-service/src/com/liferay/portlet/wiki/service/WikiPageLocalService.java
Hunk #1 FAILED at 340.
1 out of 1 hunk FAILED -- saving rejects to file portal-service/src/com/liferay/portlet/wiki/service/WikiPageLocalService.java.rej
patching file portal-service/src/com/liferay/portlet/wiki/service/WikiPageLocalServiceUtil.java
Hunk #1 FAILED at 420.
1 out of 1 hunk FAILED -- saving rejects to file portal-service/src/com/liferay/portlet/wiki/service/WikiPageLocalServiceUtil.java.rej
patching file portal-service/src/com/liferay/portlet/wiki/service/WikiPageLocalServiceWrapper.java



Am I missing something basic? Any feedback is appreciated.

Thanks,
Ken
Hitoshi Ozawa, modified 11 years ago.

RE: Security Source Patches

Liferay Legend Posts: 7942 Join Date: 24/03/10 Recent Posts
Yes, the patches were created on a Linux system. You'll have to strip the CR from the patch and the Liferay source code.
David H Nebinger, modified 11 years ago.

RE: Security Source Patches

Liferay Legend Posts: 14914 Join Date: 2/09/06 Recent Posts
Hitoshi Ozawa:
Yes, the patches were created on a Linux system. You'll have to strip the CR from the patch and the Liferay source code.


Or upgrade your operating system
Hitoshi Ozawa, modified 11 years ago.

RE: Security Source Patches

Liferay Legend Posts: 7942 Join Date: 24/03/10 Recent Posts
Or just run the script described in the following page. Liferay.com should do something about this to keep the source nice and neat.

http://www.wiredrevolution.com/bash-programming/convert-text-files-within-a-directory-from-windows-to-unix-format
James Falkner, modified 11 years ago.

RE: Security Source Patches

Liferay Legend Posts: 1399 Join Date: 17/09/10 Recent Posts
Hitoshi Ozawa:
Or just run the script described in the following page. Liferay.com should do something about this to keep the source nice and neat.

http://www.wiredrevolution.com/bash-programming/convert-text-files-within-a-directory-from-windows-to-unix-format


Thanks guys, this is definitely a problem - I'll update the CST docs.
James Falkner, modified 11 years ago.

RE: Security Source Patches

Liferay Legend Posts: 1399 Join Date: 17/09/10 Recent Posts
James Falkner:
Hitoshi Ozawa:
Or just run the script described in the following page. Liferay.com should do something about this to keep the source nice and neat.

http://www.wiredrevolution.com/bash-programming/convert-text-files-within-a-directory-from-windows-to-unix-format


Thanks guys, this is definitely a problem - I'll update the CST docs.



Ok I updated the docs on the CST page. You can use patch -p1 --binary < patchfile as a workaround (I tested this on Windows and Ubuntu). Mac doesn't seem to need it. If you find other oddities, let us know!
Hitoshi Ozawa, modified 11 years ago.

RE: Security Source Patches

Liferay Legend Posts: 7942 Join Date: 24/03/10 Recent Posts
Are the patch files made with the --binary option because some files in the Liferay source are in LF while others are in CR+LF? It really gets more complicated if a user made some changes (example: opening a CR+LF file in Ubuntu and saving the file without making any textual changes may save the file in LF).

Another question is, are you testing these patches with the Liferay 6.1.0 CE source file download?
Hitoshi Ozawa, modified 11 years ago.

RE: Security Source Patches

Liferay Legend Posts: 7942 Join Date: 24/03/10 Recent Posts
I just tested the patches and everything seems to work except for the following 2 patches. I think the problem is that the patches are each created from the unchanged master source instead of the patched source. That is, if the file is patched by multiple LPS's, the row number in the patch is only going to be correct in the first patch.
LPS-26940 and LPS-28934

I've used the Liferay 6.1.0 GA1 source code available from the download site (not the GitHub nor SVN).
patch -p1 --dry-run < *.patch

Some of the line numbers are matching so they need to be adjusted to make the command work. I've applied the patches in the order listed in the security page:
LPS-27726
LPS-26935
LPS-26940
LPS-28309
LPS-28358
LPS-26930
LPS-28423
LPS-28836
LPS-28934

EDIT: seems like the patch is deleting some necessary rows.
James Falkner, modified 11 years ago.

RE: Security Source Patches

Liferay Legend Posts: 1399 Join Date: 17/09/10 Recent Posts
Hitoshi Ozawa:
I just tested the patches and everything seems to work except for the following 2 patches. I think the problem is that the patches are each created from the unchanged master source instead of the patched source. That is, if the file is patched by multiple LPS's, the row number in the patch is only going to be correct in the first patch.
LPS-26940 and LPS-28934

I've used the Liferay 6.1.0 GA1 source code available from the download site (not the GitHub nor SVN).
patch -p1 --dry-run < *.patch

Some of the line numbers are matching so they need to be adjusted to make the command work. I've applied the patches in the order listed in the security page:
LPS-27726
LPS-26935
LPS-26940
LPS-28309
LPS-28358
LPS-26930
LPS-28423
LPS-28836
LPS-28934

EDIT: seems like the patch is deleting some necessary rows.


Yeah, that's probably the case. If you want all the patches, then best go with the cumulative source patch. We don't test all of the possible combinations of individual patches. We do a best-effort test of the cumulative patch. I'll add this to the CST information page.
James Falkner, modified 11 years ago.

RE: Security Source Patches

Liferay Legend Posts: 1399 Join Date: 17/09/10 Recent Posts
James Falkner:
James Falkner:
Hitoshi Ozawa:
Or just run the script described in the following page. Liferay.com should do something about this to keep the source nice and neat.

http://www.wiredrevolution.com/bash-programming/convert-text-files-within-a-directory-from-windows-to-unix-format


Thanks guys, this is definitely a problem - I'll update the CST docs.



Ok I updated the docs on the CST page. You can use patch -p1 --binary < patchfile as a workaround (I tested this on Windows and Ubuntu). Mac doesn't seem to need it. If you find other oddities, let us know!



BTW, I was wrong: --binary does absolutely nothing to help here on Linux. I was testing using the GitHub source bundle, which has no issues. It is the SourceForge source bundle that is the problem. That is the one where the line endings on the source files themselves need to be converted before the patch will apply. I've updated the CST docs! And we are checking to see what can be done about SourceForge.
Ken Sperow, modified 11 years ago.

RE: Security Source Patches

New Member Posts: 11 Join Date: 25/04/11 Recent Posts
Thank you for the updated instructions within the CST process page. We do all our work within Linux and I had not been bitten by the Windows CR issue in a number of years (dos2unix is your friend). With GA2 now released we are using it, but it is only a matter of time before another security issue is identified and fixed.

Thank you to the CST.
Ken
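
The fix this thread converges on (convert the CRLF source files before applying the patch), as an added shell example that is not code from the thread, the linked script, or Liferay: it reads the patch's `+++` headers, checks each target file for CRLF endings, and converts only those. The function names and the sample tree built in `demo` are constructed for illustration, and paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example: convert to LF only the CRLF files that a patch touches.
CR=$(printf '\r')

# Paths a unified diff modifies, minus STRIP leading components (as patch -pN).
# Assumes paths without whitespace.
patch_targets() {
    sed -n 's/^+++ \([^[:space:]]*\).*/\1/p' "$1" |
        grep -v '^/dev/null$' | cut -d/ -f"$(( ${2:-1} + 1 ))"- | sort -u
}

# True when the file has at least one line ending in CR LF.
has_crlf() { grep -q "$CR\$" "$1"; }

# Rewrite FILE with LF endings, keeping its mode (cat back into the same file).
to_lf() {
    tmp="$1.lf.$$"
    sed "s/$CR\$//" "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Convert every CRLF target of PATCHFILE under SRCDIR; print what was changed.
normalize_targets() {
    srcdir=$1 patchfile=$2 strip=${3:-1}
    if has_crlf "$patchfile"; then
        echo "note: $patchfile itself has CRLF line endings" >&2
    fi
    patch_targets "$patchfile" "$strip" | while IFS= read -r rel; do
        [ -f "$srcdir/$rel" ] || continue   # skip files the patch creates
        if has_crlf "$srcdir/$rel"; then
            to_lf "$srcdir/$rel" && printf '%s\n' "$rel"
        fi
    done
}

# Constructed sample: one CRLF file, one LF file, one new file, in a small patch.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/src/portal-impl"
    printf 'alpha\r\nbeta\r\n' > "$d/src/portal-impl/Crlf.java"
    printf 'alpha\nbeta\n'     > "$d/src/portal-impl/Lf.java"
    cat > "$d/fix.patch" <<'EOF'
--- a/portal-impl/Crlf.java
+++ b/portal-impl/Crlf.java
@@ -1,2 +1,2 @@
 alpha
-beta
+gamma
--- a/portal-impl/Lf.java
+++ b/portal-impl/Lf.java
@@ -1,2 +1,2 @@
 alpha
-beta
+gamma
--- /dev/null
+++ b/portal-impl/New.java
@@ -0,0 +1 @@
+new
EOF
    normalize_targets "$d/src" "$d/fix.patch" 1
    rm -rf "$d"
}

# With arguments: SRCDIR PATCHFILE [STRIP]. Without: run the constructed demo.
if [ "$#" -ge 2 ]; then normalize_targets "$@"; else demo; fi
```

Once it has listed the converted files, rerun `patch --dry-run -p1 < patchfile` against the same tree before applying for real.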