From 18516cea32f07870ba8898e79de910e483a8c69d Mon Sep 17 00:00:00 2001
From: wenxin
Date: Tue, 26 Aug 2025 14:34:41 +0800
Subject: [PATCH] fix CVE-2024-29857,CVE-2024-30172
---
 0001-CVE-2024-34447.patch | 214 ------------------
 ...k18on-1.77.pom => bcjmail-jdk18on-1.78.pom | 8 +-
 ...dk18on-1.77.pom => bcmail-jdk18on-1.78.pom | 8 +-
 ...-jdk18on-1.77.pom => bcpg-jdk18on-1.78.pom | 4 +-
 ...dk18on-1.77.pom => bcpkix-jdk18on-1.78.pom | 6 +-
 ...dk18on-1.77.pom => bcprov-jdk18on-1.78.pom | 2 +-
 ...jdk18on-1.77.pom => bctls-jdk18on-1.78.pom | 6 +-
 ...dk18on-1.77.pom => bcutil-jdk18on-1.78.pom | 4 +-
 bouncycastle.spec | 14 +-
 download | 2 +-
 10 files changed, 28 insertions(+), 240 deletions(-)
 delete mode 100644 0001-CVE-2024-34447.patch
 rename bcjmail-jdk18on-1.77.pom => bcjmail-jdk18on-1.78.pom (93%)
 rename bcmail-jdk18on-1.77.pom => bcmail-jdk18on-1.78.pom (93%)
 rename bcpg-jdk18on-1.77.pom => bcpg-jdk18on-1.78.pom (96%)
 rename bcpkix-jdk18on-1.77.pom => bcpkix-jdk18on-1.78.pom (94%)
 rename bcprov-jdk18on-1.77.pom => bcprov-jdk18on-1.78.pom (97%)
 rename bctls-jdk18on-1.77.pom => bctls-jdk18on-1.78.pom (93%)
 rename bcutil-jdk18on-1.77.pom => bcutil-jdk18on-1.78.pom (95%)
diff --git a/0001-CVE-2024-34447.patch b/0001-CVE-2024-34447.patch
deleted file mode 100644
index f59983f..0000000
--- a/0001-CVE-2024-34447.patch
+++ /dev/null
@@ -1,214 +0,0 @@ -From c47f6444a744396135322784b5fea1d35d46a8a7 Mon Sep 17 00:00:00 2001 -From: Peter Dettman -Date: Wed, 3 Apr 2024 21:24:27 +0700 -Subject: [PATCH] BCJSSE: Improved workaround for InetAddress limitation - -- URLConnectionUtil now calls BCSSLSocket.setHost instead of direct SNI config ---- - .../jsse/provider/ProvSSLSocketDirect.java | 14 ++-- - .../jsse/provider/ProvSSLSocketWrap.java | 14 ++-- - .../jsse/util/SetHostSocketFactory.java | 80 +++++++++++++++++++ - .../jsse/util/URLConnectionUtil.java | 2 +- - 4 files changed, 99 insertions(+), 11 deletions(-) - create mode 100644 tls/src/main/java/org/bouncycastle/jsse/util/SetHostSocketFactory.java - -diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketDirect.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketDirect.java -index fe2d7138c1..245b1eb461 100644 ---- a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketDirect.java -+++ b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketDirect.java -@@ -345,7 +345,6 @@ public synchronized void setEnableSessionCreation(boolean flag) - public synchronized void setHost(String host) - { - this.peerHost = host; -- this.peerHostSNI = host; - } - - @Override -@@ -531,6 +530,7 @@ synchronized void notifyConnected() - InetAddress peerAddress = getInetAddress(); - if (null == peerAddress) - { -+ this.peerHostSNI = null; - return; - } - -@@ -538,8 +538,8 @@ synchronized void notifyConnected() - * TODO[jsse] If we could somehow access the 'originalHostName' of peerAddress, it would be - * usable as a default SNI host_name. 
- */ --// String originalHostName = null; --// if (null != originalHostName) -+// String originalHostName = peerAddress.holder().getOriginalHostName(); -+// if (JsseUtils.isNameSpecified(originalHostName)) - // { - // this.peerHost = originalHostName; - // this.peerHostSNI = originalHostName; -@@ -555,13 +555,17 @@ synchronized void notifyConnected() - return; - } - -- if (useClientMode && provJdkTlsTrustNameService) -+ if (!useClientMode) -+ { -+ this.peerHost = peerAddress.getHostAddress(); -+ } -+ else if (provJdkTlsTrustNameService) - { - this.peerHost = peerAddress.getHostName(); - } - else - { -- this.peerHost = peerAddress.getHostAddress(); -+ this.peerHost = null; - } - - this.peerHostSNI = null; -diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketWrap.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketWrap.java -index b31f215289..59fabd7bb4 100644 ---- a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketWrap.java -+++ b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketWrap.java -@@ -470,7 +470,6 @@ public synchronized void setEnableSessionCreation(boolean flag) - public synchronized void setHost(String host) - { - this.peerHost = host; -- this.peerHostSNI = host; - } - - @Override -@@ -720,6 +719,7 @@ synchronized void notifyConnected() - InetAddress peerAddress = getInetAddress(); - if (null == peerAddress) - { -+ this.peerHostSNI = null; - return; - } - -@@ -727,8 +727,8 @@ synchronized void notifyConnected() - * TODO[jsse] If we could somehow access the 'originalHostName' of peerAddress, it would be - * usable as a default SNI host_name. 
- */ --// String originalHostName = null; --// if (null != originalHostName) -+// String originalHostName = peerAddress.holder().getOriginalHostName(); -+// if (JsseUtils.isNameSpecified(originalHostName)) - // { - // this.peerHost = originalHostName; - // this.peerHostSNI = originalHostName; -@@ -744,13 +744,17 @@ synchronized void notifyConnected() - return; - } - -- if (useClientMode && provJdkTlsTrustNameService) -+ if (!useClientMode) -+ { -+ this.peerHost = peerAddress.getHostAddress(); -+ } -+ else if (provJdkTlsTrustNameService) - { - this.peerHost = peerAddress.getHostName(); - } - else - { -- this.peerHost = peerAddress.getHostAddress(); -+ this.peerHost = null; - } - - this.peerHostSNI = null; -diff --git a/tls/src/main/java/org/bouncycastle/jsse/util/SetHostSocketFactory.java b/tls/src/main/java/org/bouncycastle/jsse/util/SetHostSocketFactory.java -new file mode 100644 -index 0000000000..0eeccaf367 ---- /dev/null -+++ b/tls/src/main/java/org/bouncycastle/jsse/util/SetHostSocketFactory.java -@@ -0,0 +1,80 @@ -+package org.bouncycastle.jsse.util; -+ -+import java.net.Socket; -+import java.net.URL; -+import java.util.concurrent.Callable; -+import java.util.logging.Logger; -+ -+import javax.net.SocketFactory; -+import javax.net.ssl.SSLSocketFactory; -+ -+import org.bouncycastle.jsse.BCSSLSocket; -+ -+public class SetHostSocketFactory extends CustomSSLSocketFactory -+{ -+ private static final Logger LOG = Logger.getLogger(SetHostSocketFactory.class.getName()); -+ -+ protected static final ThreadLocal threadLocal = new ThreadLocal(); -+ -+ /** -+ * Signature matches {@link SSLSocketFactory#getDefault()} so that it can be -+ * used with e.g. the "java.naming.ldap.factory.socket" property or similar. 
-+ * -+ * @see #call(Callable) -+ */ -+ public static SocketFactory getDefault() -+ { -+ SSLSocketFactory sslSocketFactory = threadLocal.get(); -+ if (null != sslSocketFactory) -+ { -+ return sslSocketFactory; -+ } -+ -+ return SSLSocketFactory.getDefault(); -+ } -+ -+ protected final URL url; -+ -+ public SetHostSocketFactory(SSLSocketFactory delegate, URL url) -+ { -+ super(delegate); -+ -+ this.url = url; -+ } -+ -+ /** -+ * Calls a {@link Callable} in a context where this class's static -+ * {@link #getDefault()} method will return this {@link SetHostSocketFactory}. -+ */ -+ public V call(Callable callable) throws Exception -+ { -+ try -+ { -+ threadLocal.set(this); -+ -+ return callable.call(); -+ } -+ finally -+ { -+ threadLocal.remove(); -+ } -+ } -+ -+ @Override -+ protected Socket configureSocket(Socket s) -+ { -+ if (url != null && s instanceof BCSSLSocket) -+ { -+ BCSSLSocket ssl = (BCSSLSocket)s; -+ -+ String host = url.getHost(); -+ if (host != null) -+ { -+ LOG.fine("Setting host on socket: " + host); -+ -+ ssl.setHost(host); -+ } -+ } -+ return s; -+ } -+} -diff --git a/tls/src/main/java/org/bouncycastle/jsse/util/URLConnectionUtil.java b/tls/src/main/java/org/bouncycastle/jsse/util/URLConnectionUtil.java -index 63a7db5a0b..6eb4861f2d 100644 ---- a/tls/src/main/java/org/bouncycastle/jsse/util/URLConnectionUtil.java -+++ b/tls/src/main/java/org/bouncycastle/jsse/util/URLConnectionUtil.java -@@ -66,6 +66,6 @@ protected URLConnection configureConnection(URL url, URLConnection connection) - - protected SSLSocketFactory createSSLSocketFactory(SSLSocketFactory delegate, URL url) - { -- return new SNISocketFactory(delegate, url); -+ return new SetHostSocketFactory(delegate, url); - } - } diff --git a/bcjmail-jdk18on-1.77.pom b/bcjmail-jdk18on-1.78.pom similarity index 93% rename from bcjmail-jdk18on-1.77.pom rename to bcjmail-jdk18on-1.78.pom index 7741c25..5efc8b4 100644 --- a/bcjmail-jdk18on-1.77.pom +++ b/bcjmail-jdk18on-1.78.pom 
@@ -5,7 +5,7 @@
 bcjmail-jdk18on
 jar
 Bouncy Castle Jakarta S/MIME API
- 1.77
+ 1.78
 The Bouncy Castle Java S/MIME APIs for handling S/MIME protocols. This jar contains S/MIME APIs for JDK 1.8 and up. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs. The Jakarta Mail API and the Jakarta activation framework will also be needed.
 https://www.bouncycastle.org/java.html
@@ -33,19 +33,19 @@
 org.bouncycastle
 bcprov-jdk18on
- 1.77
+ 1.78
 jar
 org.bouncycastle
 bcutil-jdk18on
- 1.77
+ 1.78
 jar
 org.bouncycastle
 bcpkix-jdk18on
- 1.77
+ 1.78
 jar
diff --git a/bcmail-jdk18on-1.77.pom b/bcmail-jdk18on-1.78.pom
similarity index 93%
rename from bcmail-jdk18on-1.77.pom
rename to bcmail-jdk18on-1.78.pom
index 19ab672..c18ad33 100644
--- a/bcmail-jdk18on-1.77.pom
+++ b/bcmail-jdk18on-1.78.pom
@@ -5,7 +5,7 @@
 bcmail-jdk18on
 jar
 Bouncy Castle S/MIME API
- 1.77
+ 1.78
 The Bouncy Castle Java S/MIME APIs for handling S/MIME protocols. This jar contains S/MIME APIs for JDK 1.8 and up. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs. The JavaMail API and the Java activation framework will also be needed.
 https://www.bouncycastle.org/java.html
@@ -33,19 +33,19 @@
 org.bouncycastle
 bcprov-jdk18on
- 1.77
+ 1.78
 jar
 org.bouncycastle
 bcutil-jdk18on
- 1.77
+ 1.78
 jar
 org.bouncycastle
 bcpkix-jdk18on
- 1.77
+ 1.78
 jar
diff --git a/bcpg-jdk18on-1.77.pom b/bcpg-jdk18on-1.78.pom
similarity index 96%
rename from bcpg-jdk18on-1.77.pom
rename to bcpg-jdk18on-1.78.pom
index 9a00878..c8e8231 100644
--- a/bcpg-jdk18on-1.77.pom
+++ b/bcpg-jdk18on-1.78.pom
@@ -5,7 +5,7 @@
 bcpg-jdk18on
 jar
 Bouncy Castle OpenPGP API
- 1.77
+ 1.78
 The Bouncy Castle Java API for handling the OpenPGP protocol. This jar contains the OpenPGP API for JDK 1.8 and up. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.
 https://www.bouncycastle.org/java.html
@@ -38,7 +38,7 @@
 org.bouncycastle
 bcprov-jdk18on
- 1.77
+ 1.78
 jar
diff --git a/bcpkix-jdk18on-1.77.pom b/bcpkix-jdk18on-1.78.pom
similarity index 94%
rename from bcpkix-jdk18on-1.77.pom
rename to bcpkix-jdk18on-1.78.pom
index 4819e5b..1ebddf3 100644
--- a/bcpkix-jdk18on-1.77.pom
+++ b/bcpkix-jdk18on-1.78.pom
@@ -5,7 +5,7 @@
 bcpkix-jdk18on
 jar
 Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs
- 1.77
+ 1.78
 The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.8 and up. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.
 https://www.bouncycastle.org/java.html
@@ -33,13 +33,13 @@
 org.bouncycastle
 bcprov-jdk18on
- 1.77
+ 1.78
 jar
 org.bouncycastle
 bcutil-jdk18on
- 1.77
+ 1.78
 jar
diff --git a/bcprov-jdk18on-1.77.pom b/bcprov-jdk18on-1.78.pom
similarity index 97%
rename from bcprov-jdk18on-1.77.pom
rename to bcprov-jdk18on-1.78.pom
index 4dbd87a..6697303 100644
--- a/bcprov-jdk18on-1.77.pom
+++ b/bcprov-jdk18on-1.78.pom
@@ -5,7 +5,7 @@
 bcprov-jdk18on
 jar
 Bouncy Castle Provider
- 1.77
+ 1.78
 The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.8 and up.
 https://www.bouncycastle.org/java.html
diff --git a/bctls-jdk18on-1.77.pom b/bctls-jdk18on-1.78.pom
similarity index 93%
rename from bctls-jdk18on-1.77.pom
rename to bctls-jdk18on-1.78.pom
index 4f13967..3ff0eae 100644
--- a/bctls-jdk18on-1.77.pom
+++ b/bctls-jdk18on-1.78.pom
@@ -5,7 +5,7 @@
 bctls-jdk18on
 jar
 Bouncy Castle JSSE provider and TLS/DTLS API
- 1.77
+ 1.78
 The Bouncy Castle Java APIs for TLS and DTLS, including a provider for the JSSE.
 https://www.bouncycastle.org/java.html
@@ -33,13 +33,13 @@
 org.bouncycastle
 bcprov-jdk18on
- 1.77
+ 1.78
 jar
 org.bouncycastle
 bcutil-jdk18on
- 1.77
+ 1.78
 jar
diff --git a/bcutil-jdk18on-1.77.pom b/bcutil-jdk18on-1.78.pom
similarity index 95%
rename from bcutil-jdk18on-1.77.pom
rename to bcutil-jdk18on-1.78.pom
index abde4ab..0afe657 100644
--- a/bcutil-jdk18on-1.77.pom
+++ b/bcutil-jdk18on-1.78.pom
@@ -5,7 +5,7 @@
 bcutil-jdk18on
 jar
 Bouncy Castle ASN.1 Extension and Utility APIs
- 1.77
+ 1.78
 The Bouncy Castle Java APIs for ASN.1 extension and utility APIs used to support bcpkix and bctls. This jar contains APIs for JDK 1.8 and up.
 https://www.bouncycastle.org/java.html
@@ -33,7 +33,7 @@
 org.bouncycastle
 bcprov-jdk18on
- 1.77
+ 1.78
 jar
diff --git a/bouncycastle.spec b/bouncycastle.spec
index a39ed00..bccfbaf 100644
--- a/bouncycastle.spec
+++ b/bouncycastle.spec
@@ -1,6 +1,6 @@
-%define anolis_release 2
-
-%global gittag r1rv77
+%define anolis_release 1
+
+%global gittag r1rv78v1
 %global classname org.bouncycastle.jce.provider.BouncyCastleProvider
 %global profilen 1.8
 %global profile %(echo %{profilen} | sed "s/\\.//g" )
@@ -8,7 +8,7 @@
 Summary: Bouncy Castle Cryptography APIs for Java
 Name: bouncycastle
-Version: 1.77
+Version: 1.78
 Release: %{anolis_release}%{?dist}
 License: MIT
 URL: http://www.bouncycastle.org
@@ -29,8 +29,6 @@ Source8: get-poms.sh
 # From https://src.fedoraproject.org/rpms/bouncycastle/blob/d0ad563d8f8f61b9631e5562028b30b407d97094/f/jmail.packages.patch
 Patch0: 1001-jmail_packages.patch
-# From https://kkgithub.com/bcgit/bc-java/commit/c47f6444a744396135322784b5fea1d35d46a8a7
-Patch1: 0001-CVE-2024-34447.patch
 BuildArch: noarch
 ExclusiveArch: %{java_arches} noarch
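Review bot: `Version: 1.78` in the second bouncycastle.spec hunk does not agree with the release the package now builds: the first hunk sets `%global gittag r1rv78v1` and the changelog entry added in the last hunk of this file says "update to 1.78.1", so the RPM version understates the upstream point release by one. The package version is what vulnerability scanners and `rpm -q` consumers match against, so it should track the tarball exactly: either `Version: 1.78.1` (in which case the renamed POM files this commit pins to 1.78 would need to follow the artifact versions the r1rv78v1 build actually produces, which the diff does not show) or the changelog wording corrected to 1.78. I cannot tell from this diff which of the two is right, but the gittag, the Version field and the changelog should name the same release.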
@@ -244,6 +242,10 @@ fi
 %license LICENSE.html
 %changelog
+* Tue Aug 26 2025 wenxin - 1.78-1
+- update to 1.78.1 to fix CVE-2024-29857,CVE-2024-30172
+- Removed redundant patch files now included in the upgraded version
+
 * Mon Jun 16 2025 lzq11122 - 1.77-2
 - add patch to fix CVE-2024-34447
diff --git a/download b/download
index 8abf25a..48881ec 100644
--- a/download
+++ b/download
@@ -1 +1 @@
-86d470bf1965cc585767a4d2984cfa4e r1rv77.tar.gz
+81cf388a3030c8d0e52eca7dda4cd720 r1rv78v1.tar.gz
\ No newline at end of file
-- 
Gitee
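Review bot: The changelog line `- Removed redundant patch files now included in the upgraded version` leaves out what was removed; the file deleted in this commit is the CVE-2024-34447 fix, whose header identifies it as upstream bc-java commit c47f6444 of 3 Apr 2024, and once `Patch1:` and the patch file are gone the spec no longer records that this CVE is covered. I would name it, e.g. `- drop 0001-CVE-2024-34447.patch (upstream c47f6444), carried by the new release`, so that `rpm -q --changelog` and anyone triaging CVE-2024-34447 against this package can see the fix moved upstream rather than being silently dropped. Whether the r1rv78v1 tarball actually contains that commit is not visible in this diff and is worth confirming before the patch is removed, since the previous entry explicitly added it.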