From 508eb30e2650db1b9cc65f842e8881dee3a3ca17 Mon Sep 17 00:00:00 2001
From: zhanghua1831
Date: Fri, 19 Mar 2021 11:24:36 +0800
Subject: [PATCH] fix CVE-2019-14900
---
 CVE-2019-14900.patch | 49 ++++++++++++++++++++++++++++++++++++++++++++
 hibernate3.spec | 6 +++++-
 2 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2019-14900.patch
diff --git a/CVE-2019-14900.patch b/CVE-2019-14900.patch
new file mode 100644
index 0000000..8234f60
--- /dev/null
+++ b/CVE-2019-14900.patch
@@ -0,0 +1,49 @@
+From cacc327ec6af98a53dc986a98a396761ce77dac8 Mon Sep 17 00:00:00 2001
+From: zhanghua1831
+Date: Fri, 19 Mar 2021 09:12:05 +0800
+Subject: [PATCH] HHH-14077: CVE-2019-14900 SQL injection issue in
+Hibernate ORM
+
+---
+ .../expression/LiteralExpression.java | 20 +++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/hibernate-entitymanager/src/main/java/org/hibernate/ejb/criteria/expression/LiteralExpression.java b/hibernate-entitymanager/src/main/java/org/hibernate/ejb/criteria/expression/LiteralExpression.java
+index bd739b7..0104226 100644
+--- a/hibernate-entitymanager/src/main/java/org/hibernate/ejb/criteria/expression/LiteralExpression.java
++++ b/hibernate-entitymanager/src/main/java/org/hibernate/ejb/criteria/expression/LiteralExpression.java
+@@ -73,17 +73,25 @@ public class LiteralExpression extends ExpressionImpl implements Serializa
+ return ':' + parameterName;
+ }
+
++ private String escapeLiteral(String literal) {
++ return literal.replace("'", "''");
++ }
++
++ private String inlineLiteral(String literal) {
++ return String.format( "\'%s\'", escapeLiteral( literal) );
++ }
++
+ @SuppressWarnings({ "unchecked" })
+ public String renderProjection(CriteriaQueryCompiler.RenderingContext renderingContext) {
++ if ( ValueHandlerFactory.isCharacter( literal ) ) {
++ // In case literal is a Character, pass literal.toString() as the argument.
++ return inlineLiteral( literal.toString() );
++ }
++
+ // some drivers/servers do not like parameters in the select clause
+ final ValueHandlerFactory.ValueHandler handler =
+ ValueHandlerFactory.determineAppropriateHandler( literal.getClass() );
+- if ( ValueHandlerFactory.isCharacter( literal ) ) {
+- return '\'' + handler.render( literal ) + '\'';
+- }
+- else {
+- return handler.render( literal );
+- }
++ return handler.render( literal );
+ }
+
+ @Override
+--
+2.23.0
+
diff --git a/hibernate3.spec b/hibernate3.spec
index 2b7350d..a6ed1f0 100644
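Review bot: The quote escaping added by `escapeLiteral`/`inlineLiteral` is reached only through the `ValueHandlerFactory.isCharacter( literal )` guard, while every other literal still falls through to `handler.render( literal )`, which this patch leaves untouched — so whether the `String` projection path is actually closed depends on `isCharacter` matching `String` and on the string handler, neither of which is visible here. The added comment `// In case literal is a Character, pass literal.toString() as the argument.` reads as if only `Character` were handled; please confirm the predicate covers `String` and make the comment say so, e.g. `// String and Character literals are inlined here; escapeLiteral() doubles single quotes so the value cannot close the SQL literal.` Doubling `'` is the SQL-standard escape; if any supported dialect treats backslash as an escape character inside string literals, `escapeLiteral` does not cover that, which deserves a note on the helper. Minor style: `String.format( "\'%s\'", escapeLiteral( literal) )` uses needless `\'` escapes and a formatter for plain concatenation — `return "'" + escapeLiteral( literal ) + "'";` is simpler. The enclosing `LiteralExpression` class begins before this hunk.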
--- a/hibernate3.spec
+++ b/hibernate3.spec
@@ -1,6 +1,6 @@
 Name: hibernate3
 Version: 3.6.10
-Release: 24
+Release: 25
 Summary: Inquiry service and persistence of releationship
 License: LGPLv2+
 URL: http://www.hibernate.org/
@@ -10,6 +10,7 @@ Source0: hibernate-orm-3.6.10.Final.tar.xz
 Patch0000: hibernate-orm-fix-jacc-gid-aid.patch
 Patch0001: hibernate-orm-cglib-3.1.patch
 Patch0002: CVE-2020-25638.patch
+Patch0003: CVE-2019-14900.patch
 BuildArch: noarch
@@ -156,6 +157,9 @@ export LANG=en_US.UTF-8
 %license lgpl.txt
 %changelog
+* Fri Mar 19 2021 zhanghua - 3.6.10-25
+- fix CVE-2019-14900
+
 * Sat Dec 12 2020 zhangtao - 3.6.10-24
 - CVE-2020-25638
-- Gitee