Accepting request 856448 from home:admehmood:branches:Java:packages

- Fix HTTP/2 request header mix-up: CVE-2020-17527 (bsc#1179602) - Added patch: * tomcat-9.0-CVE-2020-17527.patch OBS-URL: https://build.opensuse.org/request/show/856448 OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=216
2021-01-12 10:57:31 +00:00 · 2021-01-12 10:57:31 +00:00 · 52983fd500
commit 52983fd500
parent 5c88b47afb
3 changed files with 72 additions and 1 deletions
--- a/tomcat-9.0-CVE-2020-17527.patch
+++ b/tomcat-9.0-CVE-2020-17527.patch
@ -0,0 +1,62 @@
+From d56293f816d6dc9e2b47107f208fa9e95db58c65 Mon Sep 17 00:00:00 2001
+From: Mark Thomas <markt@apache.org>
+Date: Mon, 9 Nov 2020 19:23:12 +0000
+Subject: [PATCH] Fix BZ 64830 - concurrency issue in HPACK decoder
+
+https://bz.apache.org/bugzilla/show_bug.cgi?id=64830
+---
+java/org/apache/coyote/http2/HpackDecoder.java | 12 ++++--------
+webapps/docs/changelog.xml                     |  3 +++
+2 files changed, 7 insertions(+), 8 deletions(-)
+
+Index: apache-tomcat-9.0.36-src/java/org/apache/coyote/http2/HpackDecoder.java
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/java/org/apache/coyote/http2/HpackDecoder.java
+++ apache-tomcat-9.0.36-src/java/org/apache/coyote/http2/HpackDecoder.java
+@@ -73,8 +73,6 @@ public class HpackDecoder {
+     private volatile boolean countedCookie;
+     private volatile int headerSize = 0;
+ 
+-    private final StringBuilder stringBuilder = new StringBuilder();
+-
+     HpackDecoder(int maxMemorySize) {
+         this.maxMemorySizeHard = maxMemorySize;
+         this.maxMemorySizeSoft = maxMemorySize;
+@@ -223,19 +221,17 @@ public class HpackDecoder {
+         if (huffman) {
+             return readHuffmanString(length, buffer);
+         }
+        StringBuilder stringBuilder = new StringBuilder(length);
+         for (int i = 0; i < length; ++i) {
+             stringBuilder.append((char) buffer.get());
+         }
+-        String ret = stringBuilder.toString();
+-        stringBuilder.setLength(0);
+-        return ret;
+        return stringBuilder.toString();
+     }
+ 
+     private String readHuffmanString(int length, ByteBuffer buffer) throws HpackException {
+        StringBuilder stringBuilder = new StringBuilder(length);
+         HPackHuffman.decode(buffer, length, stringBuilder);
+-        String ret = stringBuilder.toString();
+-        stringBuilder.setLength(0);
+-        return ret;
+        return stringBuilder.toString();
+     }
+ 
+     private String handleIndexedHeaderName(int index) throws HpackException {
+Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
+@@ -126,6 +126,9 @@
+         Include the target URL in the log message when a WebSocket connection
+         fails. (markt)
+       </add>
+      <fix>
+        <bug>64830</bug>: Fix concurrency issue in HPACK decoder. (markt)
+      </fix>
+     </changelog>
+   </subsection>
+   <subsection name="Other">
--- a/tomcat.changes
+++ b/tomcat.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Dec 16 12:17:22 UTC 2020 - Abid Mehmood <amehmood@suse.com>
+
+- Fix HTTP/2 request header mix-up: CVE-2020-17527 (bsc#1179602)
+- Added patch:
+  * tomcat-9.0-CVE-2020-17527.patch  
+
 -------------------------------------------------------------------
 Tue Nov  3 10:08:03 UTC 2020 - Matei Albu <malbu@suse.com>

--- a/tomcat.spec
+++ b/tomcat.spec
@ -1,7 +1,7 @@
 #
 # spec file for package tomcat
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@ -84,6 +84,7 @@ Patch5:         tomcat-9.0.31-java8compat.patch
 # PATCH-FIX-OPENSUSE: set ajp connector secreteRequired to false by default to avoid tomcat not starting
 Patch6:         tomcat-9.0.31-secretRequired-default.patch
 Patch7:         tomcat-9.0-CVE-2020-13943.patch
+Patch8:         tomcat-9.0-CVE-2020-17527.patch

 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
@ -259,6 +260,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1

 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl