Posted to issues@karaf.apache.org by "Jean-Baptiste Onofré (Jira)" <ji...@apache.org> on 2022/01/03 14:21:00 UTC

[jira] [Assigned] (KARAF-7303) overrides.properties explicit version range is compared against wrong version

     [ https://issues.apache.org/jira/browse/KARAF-7303?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré reassigned KARAF-7303:
-------------------------------------------

    Assignee: Jean-Baptiste Onofré

> overrides.properties explicit version range is compared against wrong version
> -----------------------------------------------------------------------------
>
>                 Key: KARAF-7303
>                 URL: https://issues.apache.org/jira/browse/KARAF-7303
>             Project: Karaf
>          Issue Type: Bug
>          Components: karaf
>    Affects Versions: 4.1.6, 4.3.3
>            Reporter: Robert Schulte
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>
> h2. Context
> I encountered this issue when I tried to hotfix a dated Karaf w.r.t. the log4shell vulnerabilities. I have tested the following behavior on 4.1.6. After reviewing the source code, I believe this issue still exists on master.
> h2. Steps to Reproduce
>  * Place [pax-logging-api|https://mvnrepository.com/artifact/org.ops4j.pax.logging/pax-logging-api/1.11.12] in the system directory (or make sure that Karaf can download from Maven Central)
>  * Create etc/overrides.properties with contents: mvn:org.ops4j.pax.logging/pax-logging-api/1.11.12;range=[1.10.0,1.11.0)
>  * Do a clean start of Karaf
>  * On Karaf shell, inspect the output of: list -t 0 | grep "Pax Logging - API"
> h2. Expected Results
> pax-logging-api 1.11.12 should be active
> {noformat}
>  6 | Active   |   8 | 1.10.1   | OPS4J Pax Logging - API
> 51 | Active   |   8 | 1.11.12  | OPS4J Pax Logging - API
> {noformat}
> Note: Since Karaf 4.1.6 ships pax-logging-api 1.10.1 by default, the range spec [1.10.0,1.11.0) should trigger the override
> h2. Actual Results
> Only the stock version of pax-logging-api is active:
> {noformat}
>  6 | Active   |   8 | 1.10.1   | OPS4J Pax Logging - API
> {noformat}
> Changing etc/overrides.properties contents to
> {noformat}
> mvn:org.ops4j.pax.logging/pax-logging-api/1.11.12;range=[1.11.12,1.11.13)
> {noformat}
> followed by a clean start will result in the expected version (1.11.12) being active.
> h2. Conjecture
> In [Overrides L141|https://github.com/apache/karaf/blob/karaf-4.3.5/features/core/src/main/java/org/apache/karaf/features/internal/service/Overrides.java#L141]
> {code:java}
> return range.contains(getVersion(override)) && getVersion(resource).compareTo(getVersion(override)) < 0;
> {code}
> range.contains should be checked against {{resource}} and not {{override}} version. This issue is hidden by a second error in the code that creates the implicit version range (which makes it work for implicit range, as both errors cancel out in this case). See [Overrides L133-L138|https://github.com/apache/karaf/blob/karaf-4.3.5/features/core/src/main/java/org/apache/karaf/features/internal/service/Overrides.java#L133-L138]
> {code:java}
>         if (explicitRange == null) {
>             // default to micro version compatibility
>             Version v1 = getVersion(resource);
>             Version v2 = new Version(v1.getMajor(), v1.getMinor() + 1, 0);
>             range = new VersionRange(false, v1, v2, true);
>         }
> {code}
> The implicit range must be created based on {{override}}'s version and not the version of {{resource}}.
> h2. Further Considerations
> This cannot (should not) be fixed, or otherwise existing overrides.properties that rely on the buggy behavior stop working. A solution could be to add an alternative range spec that works as intended. For example:
> {noformat}
> mvn:org.ops4j.pax.logging/pax-logging-api/1.11.12;overrideVersions=[1.10.0,1.11.0)
> {noformat}
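The following is an added illustration of the check the report describes; it is not Karaf code and not the reporter's. It models only the explicit `range=` case: `Version` and `VersionRange` are small stand-ins (assumed, numeric major.minor.micro only) for the OSGi `Version` and Felix `VersionRange` classes used by Overrides.java, `parse_override_line` is an assumed helper that reads one overrides.properties line, and `buggy_should_override` / `corrected_should_override` encode the predicate at L141 as reported and as the reporter proposes. The implicit-range path (no `range=` clause) is deliberately not modelled. Running it on the two overrides.properties lines from the report reproduces both observed outcomes, and also shows why the fix is backward-incompatible: under the corrected predicate the `[1.11.12,1.11.13)` workaround no longer overrides the stock 1.10.1 bundle.

```python
"""Model of the KARAF-7303 range check for the explicit ``range=`` case.

Added illustration, not Karaf code. ``Version`` and ``VersionRange`` are
minimal stand-ins (assumed) for the OSGi Version and Felix VersionRange
classes used by Overrides.java; only numeric major.minor.micro parts are
compared, and the implicit-range path (no ``range=`` clause) is not modelled.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True, order=True)
class Version:
    """Numeric OSGi-style version; field order gives tuple comparison."""
    major: int
    minor: int
    micro: int = 0

    @classmethod
    def parse(cls, text: str) -> "Version":
        parts = [int(p) for p in text.strip().split(".")[:3]]  # qualifier ignored
        return cls(*(parts + [0] * (3 - len(parts))))


# Matches intervals such as "[1.10.0,1.11.0)": '[' / ']' closed, '(' / ')' open.
RANGE_PATTERN = re.compile(r"\s*([\[(])\s*([^,]+),\s*([^\])]+)([\])])\s*")


@dataclass(frozen=True)
class VersionRange:
    floor: Version
    ceiling: Version
    open_floor: bool
    open_ceiling: bool

    @classmethod
    def parse(cls, text: str) -> "VersionRange":
        m = RANGE_PATTERN.fullmatch(text)
        if m is None:
            raise ValueError(f"not a version interval: {text!r}")
        lo_bracket, lo, hi, hi_bracket = m.groups()
        return cls(Version.parse(lo), Version.parse(hi),
                   open_floor=(lo_bracket == "("), open_ceiling=(hi_bracket == ")"))

    def contains(self, v: Version) -> bool:
        above = v > self.floor if self.open_floor else v >= self.floor
        below = v < self.ceiling if self.open_ceiling else v <= self.ceiling
        return above and below


def parse_override_line(line: str):
    """Split 'mvn:g/a/v;range=[lo,hi)' into (override version, explicit range or None).

    Assumed helper: the version is taken as the last path segment of the mvn: URL,
    which is enough for the plain group/artifact/version form used in the report.
    """
    url, _, clause = line.strip().partition(";")
    override_version = Version.parse(url.split("/")[-1])
    explicit = VersionRange.parse(clause[len("range="):]) if clause.startswith("range=") else None
    return override_version, explicit


def buggy_should_override(resource: Version, override: Version, rng: VersionRange) -> bool:
    # Overrides.java L141 as reported: the range is tested against the override's own version.
    return rng.contains(override) and resource < override


def corrected_should_override(resource: Version, override: Version, rng: VersionRange) -> bool:
    # The reporter's conjecture: the range must be tested against the bundle being replaced.
    return rng.contains(resource) and resource < override


# Constructed from the report: Karaf 4.1.6 ships pax-logging-api 1.10.1 by default.
STOCK_PAX_LOGGING_API = Version.parse("1.10.1")


def evaluate(override_line: str, resource: Version = STOCK_PAX_LOGGING_API) -> dict:
    """Return whether the override would replace `resource` under each predicate."""
    override, rng = parse_override_line(override_line)
    if rng is None:
        raise ValueError("this model only handles explicit range= clauses")
    return {
        "buggy": buggy_should_override(resource, override, rng),
        "corrected": corrected_should_override(resource, override, rng),
    }


if __name__ == "__main__":
    # Both lines are the overrides.properties contents quoted in the report.
    for line in (
        "mvn:org.ops4j.pax.logging/pax-logging-api/1.11.12;range=[1.10.0,1.11.0)",
        "mvn:org.ops4j.pax.logging/pax-logging-api/1.11.12;range=[1.11.12,1.11.13)",
    ):
        print(line, "->", evaluate(line))
```

The first line yields buggy=False, corrected=True (the range was meant to match the stock 1.10.1 bundle, but the shipped code asks whether 1.11.12 lies in [1.10.0,1.11.0)); the second yields buggy=True, corrected=False, which is the compatibility hazard the "Further Considerations" section points at: any deployment that worked around the bug by naming the override's own version in `range=` would silently stop overriding once the comparison is fixed in place.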



--
This message was sent by Atlassian Jira
(v8.20.1#820001)