Accepting request 880011 from Java:packages

CVE-2021-24122

OBS-URL: https://build.opensuse.org/request/show/880011
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tomcat?expand=0&rev=75

tomcat-9.0-CVE-2021-24122.patch

@@ -0,0 +1,77 @@
+Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
++++ apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
+@@ -22,11 +22,15 @@ import java.net.MalformedURLException;
+ import java.net.URL;
+ 
+ import org.apache.catalina.LifecycleException;
++import org.apache.juli.logging.Log;
++import org.apache.juli.logging.LogFactory;
+ import org.apache.tomcat.util.compat.JrePlatform;
+ import org.apache.tomcat.util.http.RequestUtil;
+ 
+ public abstract class AbstractFileResourceSet extends AbstractResourceSet {
+ 
++    private static final Log log = LogFactory.getLog(AbstractFileResourceSet.class);
++
+     protected static final String[] EMPTY_STRING_ARRAY = new String[0];
+ 
+     private File fileBase;
+@@ -128,6 +132,19 @@ public abstract class AbstractFileResour
+             canPath = normalize(canPath);
+         }
+         if (!canPath.equals(absPath)) {
++            if (!canPath.equalsIgnoreCase(absPath)) {
++                // Typically means symlinks are in use but being ignored. Given
++                // the symlink was likely created for a reason, log a warning
++                // that it was ignored.
++                String msg = sm.getString("abstractFileResourceSet.canonicalfileCheckFailed",
++                        getRoot().getContext().getName(), absPath, canPath);
++                // Log issues with configuration files at a higher level
++                if(absPath.startsWith("/META-INF/") || absPath.startsWith("/WEB-INF/")) {
++                    log.error(msg);
++                } else {
++                    log.warn(msg);
++                }
++            }
+             return null;
+         }
+ 
+@@ -144,7 +161,7 @@ public abstract class AbstractFileResour
+         // expression irrespective of input length.
+         for (int i = 0; i < len; i++) {
+             char c = name.charAt(i);
+-            if (c == '\"' || c == '<' || c == '>') {
++            if (c == '\"' || c == '<' || c == '>' || c == ':') {
+                 // These characters are disallowed in Windows file names and
+                 // there are known problems for file names with these characters
+                 // when using File#getCanonicalPath().
+Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/LocalStrings.properties
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/webresources/LocalStrings.properties
++++ apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/LocalStrings.properties
+@@ -15,6 +15,8 @@
+ 
+ abstractArchiveResourceSet.setReadOnlyFalse=Archive based WebResourceSets such as those based on JARs are hard-coded to be read-only and may not be configured to be read-write
+ 
++abstractFileResourceSet.canonicalfileCheckFailed=Resource for web application [{0}] at path [{1}] was not loaded as the canonical path [{2}] did not match. Use of symlinks is one possible cause.
++
+ abstractResource.getContentFail=Unable to return [{0}] as a byte array
+ abstractResource.getContentTooLarge=Unable to return [{0}] as a byte array since the resource is [{1}] bytes in size which is larger than the maximum size of a byte array
+ 
+Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml
++++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
+@@ -81,6 +81,10 @@
+         <bug>64493</bug>: Revert possible change of returned protocol
+         attribute value on the <code>Connector</code>. (remm)
+       </fix>
++      <add>
++        <bug>64871</bug>: Log a warning if Tomcat blocks access to a file
++        because it uses symlinks. (markt)
++      </add>
+     </changelog>
+   </subsection>
+   <subsection name="Coyote">

tomcat.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Mar 17 16:16:52 UTC 2021 - Abid Mehmood <amehmood@suse.com>
+
+- Log if file access is blocked due to symlinks: CVE-2021-24122 (bsc#1180947) 
+- Added patch:
+  * tomcat-9.0-CVE-2021-24122.patch
+
 -------------------------------------------------------------------
 Wed Dec 16 12:17:22 UTC 2020 - Abid Mehmood <amehmood@suse.com>
 

tomcat.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package tomcat
 #
-# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2021 SUSE LLC
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -85,6 +85,7 @@ Patch5:         tomcat-9.0.31-java8compat.patch
 Patch6:         tomcat-9.0.31-secretRequired-default.patch
 Patch7:         tomcat-9.0-CVE-2020-13943.patch
 Patch8:         tomcat-9.0-CVE-2020-17527.patch
+Patch9:         tomcat-9.0-CVE-2021-24122.patch
 
 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
@@ -162,7 +163,7 @@ The documentation of web application for Apache Tomcat.
 Summary:        Expression Language v3.0 API
 Group:          Development/Libraries/Java
 Requires(post): update-alternatives
-Requires(preun): update-alternatives
+Requires(preun):update-alternatives
 Provides:       %{name}-el-%{elspec}-api = %{version}-%{release}
 Provides:       el_3_0_api = %{version}-%{release}
 Provides:       el_api = %{elspec}
@@ -186,7 +187,7 @@ Group:          Productivity/Networking/Web/Servers
 Requires:       mvn(org.apache.tomcat:tomcat-el-api)
 Requires:       mvn(org.apache.tomcat:tomcat-servlet-api)
 Requires(post): update-alternatives
-Requires(postun): update-alternatives
+Requires(postun):update-alternatives
 Provides:       %{name}-jsp-%{jspspec}-api
 Provides:       jsp = %{jspspec}
 Provides:       jsp23
@@ -214,7 +215,7 @@ Requires:       %{name}-el-%{elspec}-api = %{version}-%{release}
 Requires:       %{name}-jsp-%{jspspec}-api = %{version}-%{release}
 Requires:       %{name}-servlet-%{servletspec}-api = %{version}-%{release}
 Requires(post): ecj >= 4.4
-Requires(preun): coreutils
+Requires(preun):coreutils
 Provides:       jakarta-commons-dbcp-tomcat5 = 1.4
 Obsoletes:      jakarta-commons-dbcp-tomcat5 < 1.4
 
@@ -225,7 +226,7 @@ Libraries required to successfully run the Tomcat Web container
 Summary:        Apache Tomcat Servlet API implementation classes
 Group:          Productivity/Networking/Web/Servers
 Requires(post): update-alternatives
-Requires(postun): update-alternatives
+Requires(postun):update-alternatives
 Provides:       %{name}-servlet-%{servletspec}-api = %{version}-%{release}
 Provides:       servlet = %{servletspec}
 Provides:       servlet31
@@ -261,6 +262,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 
 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl
@@ -634,17 +636,17 @@ update-alternatives --install %{_javadir}/servlet.jar servlet \
     %{_javadir}/%{name}-servlet-%{servletspec}-api.jar 30000
 # Fix for bsc#1092163.
 # Keep the /usr/share/java/tomcat-servlet.jar symlink for compatibility.
-# In case of update from an older version where /usr/share/java/tomcat-servlet.jar is an alternatives symlink 
+# In case of update from an older version where /usr/share/java/tomcat-servlet.jar is an alternatives symlink
 # the update-alternatives in the new version will cause a rename tomcat-servlet.jar -> servlet.jar.
 # This makes sure the tomcat-servlet.jar is recreated if it's missing because of the rename.
-if [ ! -f %{_javadir}/%{name}-servlet.jar ]; then 
+if [ ! -f %{_javadir}/%{name}-servlet.jar ]; then
     echo "Recreating symlink %{_javadir}/%{name}-servlet.jar"
     ln -s %{_javadir}/%{name}-servlet-%{servletspec}-api.jar %{_javadir}/%{name}-servlet.jar
 fi
 
 %postun servlet-4_0-api
 if [ $1 -eq 0 ] ; then
-    if [ ! -f %{_sysconfdir}/alternatives/servlet ]; then 
+    if [ ! -f %{_sysconfdir}/alternatives/servlet ]; then
         # /etc/alternatives/servlet was removed on uninstall.
         # Create a broken symlink to make sure update-alternatives works correctly and falls back
         # to servletapi5 or servletapi4 if they're installed.