From 4a8fbc25f3f4f735d64e3823a7ff957e47fbe8e2226b364fe9a2c1ae7e2d7011 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Tue, 23 Mar 2021 11:26:59 +0000 Subject: [PATCH] Accepting request 880517 from home:admehmood:branches:Java:packages * CVE-2021-25122: Apache Tomcat h2c request mix-up (bsc#1182912) * CVE-2021-25329: Complete fix for CVE-2020-9484 (bsc#1182909) - Added patches: * tomcat-9.0-CVE-2021-25122.patch * tomcat-9.0-CVE-2021-25329.patch OBS-URL: https://build.opensuse.org/request/show/880517 OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=221 --- tomcat-9.0-CVE-2021-25122.patch | 31 +++++++ tomcat-9.0-CVE-2021-25329.patch | 139 ++++++++++++++++++++++++++++++++ tomcat.changes | 10 +++ tomcat.spec | 6 +- 4 files changed, 185 insertions(+), 1 deletion(-) create mode 100644 tomcat-9.0-CVE-2021-25122.patch create mode 100644 tomcat-9.0-CVE-2021-25329.patch diff --git a/tomcat-9.0-CVE-2021-25122.patch b/tomcat-9.0-CVE-2021-25122.patch new file mode 100644 index 0000000..194be17 --- /dev/null +++ b/tomcat-9.0-CVE-2021-25122.patch @@ -0,0 +1,31 @@ +Index: apache-tomcat-9.0.36-src/java/org/apache/coyote/AbstractProtocol.java +=================================================================== +--- apache-tomcat-9.0.36-src.orig/java/org/apache/coyote/AbstractProtocol.java ++++ apache-tomcat-9.0.36-src/java/org/apache/coyote/AbstractProtocol.java +@@ -870,8 +870,10 @@ public abstract class AbstractProtocol + + ++ Additional fix for 64830 to address an edge case that could ++ trigger request corruption with h2c connections. (markt) ++ ++ + Reduce reflection use and remove AJP specific code in the Connector. + (remm/markt/fhanik) + diff --git a/tomcat-9.0-CVE-2021-25329.patch b/tomcat-9.0-CVE-2021-25329.patch new file mode 100644 index 0000000..bc78ebc --- /dev/null +++ b/tomcat-9.0-CVE-2021-25329.patch 
@@ -0,0 +1,139 @@
+Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/servlets/DefaultServlet.java
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/servlets/DefaultServlet.java
++++ apache-tomcat-9.0.36-src/java/org/apache/catalina/servlets/DefaultServlet.java
+@@ -2131,7 +2131,7 @@ public class DefaultServlet extends Http
+
+ // First check that the resulting path is under the provided base
+ try {
+- if (!candidate.getCanonicalPath().startsWith(base.getCanonicalPath())) {
++ if (!candidate.getCanonicalFile().toPath().startsWith(base.getCanonicalFile().toPath())) {
+ return null;
+ }
+ } catch (IOException ioe) {
+Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/session/FileStore.java
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/session/FileStore.java
++++ apache-tomcat-9.0.36-src/java/org/apache/catalina/session/FileStore.java
+@@ -351,7 +351,7 @@ public final class FileStore extends Sto
+ File file = new File(storageDir, filename);
+
+ // Check the file is within the storage directory
+- if (!file.getCanonicalPath().startsWith(storageDir.getCanonicalPath())) {
++ if (!file.getCanonicalFile().toPath().startsWith(storageDir.getCanonicalFile().toPath())) {
+ log.warn(sm.getString("fileStore.invalid", file.getPath(), id));
+ return null;
+ }
+Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/ContextConfig.java
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/startup/ContextConfig.java
++++ apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/ContextConfig.java
+@@ -653,7 +653,8 @@ public class ContextConfig implements Li
+ String docBaseCanonical = docBaseAbsoluteFile.getCanonicalPath();
+
+ // Re-calculate now docBase is a canonical path
+- boolean docBaseCanonicalInAppBase = docBaseCanonical.startsWith(appBase.getPath() + File.separatorChar);
++ boolean docBaseCanonicalInAppBase =
++ docBaseAbsoluteFile.getCanonicalFile().toPath().startsWith(appBase.toPath());
+ String docBase;
+ if (docBaseCanonicalInAppBase) {
+ docBase = docBaseCanonical.substring(appBase.getPath().length());
+Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/ExpandWar.java
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/startup/ExpandWar.java
++++ apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/ExpandWar.java
+@@ -26,6 +26,7 @@ import java.net.JarURLConnection;
+ import java.net.URL;
+ import java.net.URLConnection;
+ import java.nio.channels.FileChannel;
++import java.nio.file.Path;
+ import java.util.Enumeration;
+ import java.util.jar.JarEntry;
+ import java.util.jar.JarFile;
+@@ -116,10 +117,7 @@ public class ExpandWar {
+ }
+
+ // Expand the WAR into the new document base directory
+- String canonicalDocBasePrefix = docBase.getCanonicalPath();
+- if (!canonicalDocBasePrefix.endsWith(File.separator)) {
+- canonicalDocBasePrefix += File.separator;
+- }
++ Path canonicalDocBasePath = docBase.getCanonicalFile().toPath();
+
+ // Creating war tracker parent (normally META-INF)
+ File warTrackerParent = warTracker.getParentFile();
+@@ -134,14 +132,13 @@ public class ExpandWar {
+ JarEntry jarEntry = jarEntries.nextElement();
+ String name = jarEntry.getName();
+ File expandedFile = new File(docBase, name);
+- if (!expandedFile.getCanonicalPath().startsWith(
+- canonicalDocBasePrefix)) {
++ if (!expandedFile.getCanonicalFile().toPath().startsWith(canonicalDocBasePath)) {
+ // Trying to expand outside the docBase
+ // Throw an exception to stop the deployment
+ throw new IllegalArgumentException(
+ sm.getString("expandWar.illegalPath",war, name,
+ expandedFile.getCanonicalPath(),
+- canonicalDocBasePrefix));
++ canonicalDocBasePath));
+ }
+ int last = name.lastIndexOf('/');
+ if (last >= 0) {
+@@ -217,10 +214,7 @@ public class ExpandWar {
+ File docBase = new File(host.getAppBaseFile(), pathname);
+
+ // Calculate the document base directory
+- String canonicalDocBasePrefix = docBase.getCanonicalPath();
+- if (!canonicalDocBasePrefix.endsWith(File.separator)) {
+- canonicalDocBasePrefix += File.separator;
+- }
++ Path canonicalDocBasePath = docBase.getCanonicalFile().toPath();
+ JarURLConnection juc = (JarURLConnection) war.openConnection();
+ juc.setUseCaches(false);
+ try (JarFile jarFile = juc.getJarFile()) {
+@@ -229,14 +223,13 @@ public class ExpandWar {
+ JarEntry jarEntry = jarEntries.nextElement();
+ String name = jarEntry.getName();
+ File expandedFile = new File(docBase, name);
+- if (!expandedFile.getCanonicalPath().startsWith(
+- canonicalDocBasePrefix)) {
++ if (!expandedFile.getCanonicalFile().toPath().startsWith(canonicalDocBasePath)) {
+ // Entry located outside the docBase
+ // Throw an exception to stop the deployment
+ throw new IllegalArgumentException(
+ sm.getString("expandWar.illegalPath",war, name,
+ expandedFile.getCanonicalPath(),
+- canonicalDocBasePrefix));
++ canonicalDocBasePath));
+ }
+ }
+ } catch (IOException e) {
+Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/HostConfig.java
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/startup/HostConfig.java
++++ apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/HostConfig.java
+@@ -598,8 +598,7 @@ public class HostConfig implements Lifec
+ docBase = new File(host.getAppBaseFile(), context.getDocBase());
+ }
+ // If external docBase, register .xml as redeploy first
+- if (!docBase.getCanonicalPath().startsWith(
+- host.getAppBaseFile().getAbsolutePath() + File.separator)) {
++ if (!docBase.getCanonicalFile().toPath().startsWith(host.getAppBaseFile().toPath())) {
+ isExternal = true;
+ deployedApp.redeployResources.put(
+ contextXml.getAbsolutePath(),
+Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml
++++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
+@@ -159,6 +159,10 @@
+
+ Update dependency on bnd to 5.1.0. (markt)
+
++
++ Use java.nio.file.Path to test for one directory being a
++ sub-directory of another in a consistent way. (markt)
++
+
+
+
diff --git a/tomcat.changes b/tomcat.changes
index b03dc9c..351c3c9 100644
--- a/tomcat.changes
+++ b/tomcat.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Mon Mar 22 13:11:34 UTC 2021 - Abid Mehmood
+
+- Fixed CVEs:
+ * CVE-2021-25122: Apache Tomcat h2c request mix-up (bsc#1182912)
+ * CVE-2021-25329: Complete fix for CVE-2020-9484 (bsc#1182909)
+- Added patches:
+ * tomcat-9.0-CVE-2021-25122.patch
+ * tomcat-9.0-CVE-2021-25329.patch
+
 -------------------------------------------------------------------
 Wed Mar 17 16:16:52 UTC 2021 - Abid Mehmood
diff --git a/tomcat.spec b/tomcat.spec
index 37b8043..df37405 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package tomcat
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2021 SUSE LINUX GmbH, Nuernberg, Germany.
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -86,6 +86,8 @@ Patch6: tomcat-9.0.31-secretRequired-default.patch
 Patch7: tomcat-9.0-CVE-2020-13943.patch
 Patch8: tomcat-9.0-CVE-2020-17527.patch
 Patch9: tomcat-9.0-CVE-2021-24122.patch
+Patch10: tomcat-9.0-CVE-2021-25122.patch
+Patch11: tomcat-9.0-CVE-2021-25329.patch
 BuildRequires: ant >= 1.8.1
 BuildRequires: ant-antlr
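Review bot: `Path.startsWith()` also returns true when both paths are equal, so the rewritten checks in the ContextConfig, ExpandWar and HostConfig sections of tomcat-9.0-CVE-2021-25329.patch accept the base directory itself, which the removed separator-terminated string prefixes rejected. In ContextConfig a docBase that canonicalises to appBase now takes the `docBaseCanonicalInAppBase` branch and `docBaseCanonical.substring(appBase.getPath().length())` yields an empty string; in both ExpandWar loops an entry resolving to docBase itself no longer throws. If a strict descendant is required, state it explicitly, e.g. `Path p = expandedFile.getCanonicalFile().toPath();` then `if (p.equals(canonicalDocBasePath) || !p.startsWith(canonicalDocBasePath)) {`; if equality is acceptable, a comment such as `// Path.startsWith() is also true for the base itself` would record that. The ContextConfig and HostConfig comparisons use `appBase.toPath()` and `host.getAppBaseFile().toPath()` as given, so they presumably depend on the app base already being canonical, which is established outside these hunks and worth confirming. Every touched method starts and ends outside the hunk that changes it.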
@@ -263,6 +265,8 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
+%patch11 -p1
 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl