From d14a544fa7e51fa55dc78438d9cd63806ceaa91e7808bb3f84b78c81cd32a7d0 Mon Sep 17 00:00:00 2001
From: Matei Albu
Date: Wed, 14 Oct 2020 08:54:21 +0000
Subject: [PATCH] Accepting request 841718 from home:mateialbu:branches:Java:packages CVE-2020-13943 and bsc#1177601
OBS-URL: https://build.opensuse.org/request/show/841718
OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=209
---
 tomcat-9.0-CVE-2020-13943.patch | 115 ++++++++++++++++++++++++++++++++
 tomcat-9.0-jsvc.service | 4 +-
 tomcat-9.0.service | 4 +-
 tomcat-9.0.wrapper | 2 +-
 tomcat-named.service | 4 +-
 tomcat-preamble | 2 +-
 tomcat-server | 2 +-
 tomcat.changes | 9 +++
 tomcat.spec | 2 +
 9 files changed, 135 insertions(+), 9 deletions(-)
 create mode 100644 tomcat-9.0-CVE-2020-13943.patch
diff --git a/tomcat-9.0-CVE-2020-13943.patch b/tomcat-9.0-CVE-2020-13943.patch
new file mode 100644
index 0000000..82e0744
--- /dev/null
+++ b/tomcat-9.0-CVE-2020-13943.patch
@@ -0,0 +1,115 @@
+From 55911430df13f8c9998fbdee1f9716994d2db59b Mon Sep 17 00:00:00 2001
+From: Mark Thomas
+Date: Thu, 23 Jul 2020 17:43:45 +0100
+Subject: [PATCH] Move check for current streams to end of header parsing.
+
+---
+ java/org/apache/coyote/http2/Http2Parser.java | 2 +-
+ .../coyote/http2/Http2UpgradeHandler.java | 24 ++++++++++---------
+ .../coyote/http2/TestHttp2Section_5_1.java | 20 ++++++++++------
+ 3 files changed, 27 insertions(+), 19 deletions(-)
+
+Index: apache-tomcat-9.0.36-src/java/org/apache/coyote/http2/Http2Parser.java
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/java/org/apache/coyote/http2/Http2Parser.java
++++ apache-tomcat-9.0.36-src/java/org/apache/coyote/http2/Http2Parser.java
+@@ -738,7 +738,7 @@ class Http2Parser {
+ HeaderEmitter headersStart(int streamId, boolean headersEndStream)
+ throws Http2Exception, IOException;
+ void headersContinue(int payloadSize, boolean endOfHeaders);
+- void headersEnd(int streamId) throws ConnectionException;
++ void headersEnd(int streamId) throws Http2Exception;
+
+ // Priority frames (also headers)
+ void reprioritise(int streamId, int parentStreamId, boolean exclusive, int weight)
+Index: apache-tomcat-9.0.36-src/java/org/apache/coyote/http2/Http2UpgradeHandler.java
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/java/org/apache/coyote/http2/Http2UpgradeHandler.java
++++ apache-tomcat-9.0.36-src/java/org/apache/coyote/http2/Http2UpgradeHandler.java
+@@ -1451,16 +1451,6 @@ class Http2UpgradeHandler extends Abstra
+ stream.checkState(FrameType.HEADERS);
+ stream.receivedStartOfHeaders(headersEndStream);
+ closeIdleStreams(streamId);
+- if (localSettings.getMaxConcurrentStreams() < activeRemoteStreamCount.incrementAndGet()) {
+- setConnectionTimeoutForStreamCount(activeRemoteStreamCount.decrementAndGet());
+- // Ignoring maxConcurrentStreams increases the overhead count
+- increaseOverheadCount();
+- throw new StreamException(sm.getString("upgradeHandler.tooManyRemoteStreams",
+- Long.toString(localSettings.getMaxConcurrentStreams())),
+- Http2Error.REFUSED_STREAM, streamId);
+- }
+- // Valid new stream reduces the overhead count
+- reduceOverheadCount();
+ return stream;
+ } else {
+ if (log.isDebugEnabled()) {
+@@ -1528,12 +1518,24 @@ class Http2UpgradeHandler extends Abstra
+
+
+ @Override
+- public void headersEnd(int streamId) throws ConnectionException {
++ public void headersEnd(int streamId) throws Http2Exception {
+ Stream stream = getStream(streamId, connectionState.get().isNewStreamAllowed());
+ if (stream != null) {
+ setMaxProcessedStream(streamId);
+ if (stream.isActive()) {
+ if (stream.receivedEndOfHeaders()) {
++
++ if (localSettings.getMaxConcurrentStreams() < activeRemoteStreamCount.incrementAndGet()) {
++ setConnectionTimeoutForStreamCount(activeRemoteStreamCount.decrementAndGet());
++ // Ignoring maxConcurrentStreams increases the overhead count
++ increaseOverheadCount();
++ throw new StreamException(sm.getString("upgradeHandler.tooManyRemoteStreams",
++ Long.toString(localSettings.getMaxConcurrentStreams())),
++ Http2Error.REFUSED_STREAM, streamId);
++ }
++ // Valid new stream reduces the overhead count
++ reduceOverheadCount();
++
+ processStreamOnContainerThread(stream);
+ }
+ }
+Index: apache-tomcat-9.0.36-src/test/org/apache/coyote/http2/TestHttp2Section_5_1.java
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/test/org/apache/coyote/http2/TestHttp2Section_5_1.java
++++ apache-tomcat-9.0.36-src/test/org/apache/coyote/http2/TestHttp2Section_5_1.java
+@@ -222,11 +222,11 @@ public class TestHttp2Section_5_1 extend
+ // Expecting
+ // 1 * headers
+ // 56k-1 of body (7 * ~8k)
+- // 1 * error (could be in any order)
+- for (int i = 0; i < 8; i++) {
++ // 1 * error
++ // for a total of 9 frames (could be in any order)
++ for (int i = 0; i < 9; i++) {
+ parser.readFrame(true);
+ }
+- parser.readFrame(true);
+
+ Assert.assertTrue(output.getTrace(),
+ output.getTrace().contains("5-RST-[" +
+@@ -238,14 +238,20 @@ public class TestHttp2Section_5_1 extend
+
+ // Release the remaining body
+ sendWindowUpdate(0, (1 << 31) - 2);
+- // Allow for the 8k still in the stream window
++ // Allow for the ~8k still in the stream window
+ sendWindowUpdate(3, (1 << 31) - 8193);
+
+- // 192k of body (24 * 8k)
+- // 1 * error (could be in any order)
+- for (int i = 0; i < 24; i++) {
++ // Read until the end of stream 3
++ while (!output.getTrace().contains("3-EndOfStream")) {
+ parser.readFrame(true);
+ }
++ output.clearTrace();
++
++ // Confirm another request can be sent once concurrency falls back below limit
++ sendSimpleGetRequest(7);
++ parser.readFrame(true);
++ parser.readFrame(true);
++ Assert.assertEquals(getSimpleResponseTrace(7), output.getTrace());
+ }
+
+
diff --git a/tomcat-9.0-jsvc.service b/tomcat-9.0-jsvc.service
index 934c7bc..5cc309b 100644
--- a/tomcat-9.0-jsvc.service
+++ b/tomcat-9.0-jsvc.service
@@ -14,8 +14,8 @@ After=syslog.target network.target
 Type=simple
 EnvironmentFile=/etc/tomcat/tomcat.conf
 Environment="NAME=" "USE_JSVC=true"
-ExecStart=/usr/lib/tomcat/server start
-ExecStop=/usr/lib/tomcat/server stop
+ExecStart=/usr/libexec/tomcat/server start
+ExecStop=/usr/libexec/tomcat/server stop
 [Install]
 WantedBy=multi-user.target
diff --git a/tomcat-9.0.service b/tomcat-9.0.service
index f039831..7ef3d01 100644
--- a/tomcat-9.0.service
+++ b/tomcat-9.0.service
@@ -14,8 +14,8 @@ Type=simple
 EnvironmentFile=/etc/tomcat/tomcat.conf
 Environment="NAME="
 EnvironmentFile=-/etc/sysconfig/tomcat
-ExecStart=/usr/lib/tomcat/server start
-ExecStop=/usr/lib/tomcat/server stop
+ExecStart=/usr/libexec/tomcat/server start
+ExecStop=/usr/libexec/tomcat/server stop
 SuccessExitStatus=143
 User=tomcat
 Group=tomcat
diff --git a/tomcat-9.0.wrapper b/tomcat-9.0.wrapper
index 21eaa4c..d8167ad 100644
--- a/tomcat-9.0.wrapper
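Review bot: The new `while (!output.getTrace().contains("3-EndOfStream"))` loop in TestHttp2Section_5_1 is unbounded, so a regression in which stream 3 never reaches end-of-stream would hang the test rather than fail it, unless `parser.readFrame(true)` itself throws on a read timeout, which the hunk does not show; a counter with an assertion inside the loop, `int frames = 0;` before it and `Assert.assertTrue(output.getTrace(), frames++ < 64);` as its first statement (64 is an illustrative bound), keeps the intent and fails fast. The relocated maxConcurrentStreams block in headersEnd also carries no comment saying why it now runs after `receivedEndOfHeaders()` instead of in headersStart, which is the substance of the CVE-2020-13943 fix; a line such as `// Checked only once the full header block has been parsed (CVE-2020-13943)` above the `if (localSettings.getMaxConcurrentStreams() < ...)` line would preserve that for the next backport. Both headersEnd and the test method continue outside the hunk.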
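Review bot: `ExecStart=/usr/libexec/tomcat/server start` and the matching ExecStop now reference a directory that no tomcat.spec hunk in this commit touches, so whether `server`, `preamble` and `functions` are actually installed under /usr/libexec/tomcat cannot be confirmed from the page; if the install and file lists still use /usr/lib/tomcat the unit fails at start with a missing executable, and the same dependency applies to tomcat-9.0.service, tomcat-named.service, tomcat-9.0.wrapper, tomcat-preamble and tomcat-server. The changelog wording for bsc#1177601 suggests the scripts were the stale side of an earlier move rather than the move itself. Stating that in the commit description, or adding `# helper scripts are installed under %{_libexecdir}/tomcat (bsc#1177601)` next to the relevant install lines, would make the dependency visible to the next packager.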
+++ b/tomcat-9.0.wrapper
@@ -1,7 +1,7 @@
 #!/bin/bash
 if [ "$1" = "version" ]; then
- . /usr/lib/tomcat/preamble
+ . /usr/libexec/tomcat/preamble
 exec ${JAVACMD} -classpath ${CATALINA_HOME}/lib/catalina.jar \
 org.apache.catalina.util.ServerInfo
 fi
diff --git a/tomcat-named.service b/tomcat-named.service
index db49f77..a7f78c7 100644
--- a/tomcat-named.service
+++ b/tomcat-named.service
@@ -15,8 +15,8 @@ Type=simple
 EnvironmentFile=/etc/tomcat/tomcat.conf
 Environment="NAME=%I"
 EnvironmentFile=-/etc/sysconfig/tomcat@%I
-ExecStart=/usr/lib/tomcat/server start
-ExecStop=/usr/lib/tomcat/server stop
+ExecStart=/usr/libexec/tomcat/server start
+ExecStop=/usr/libexec/tomcat/server stop
 SuccessExitStatus=143
 User=tomcat
 Group=tomcat
diff --git a/tomcat-preamble b/tomcat-preamble
index 5313ae7..731c83c 100644
--- a/tomcat-preamble
+++ b/tomcat-preamble
@@ -1,6 +1,6 @@
 #!/bin/bash
-. /usr/lib/tomcat/functions
+. /usr/libexec/tomcat/functions
 # Get the tomcat config (use this for environment specific settings)
diff --git a/tomcat-server b/tomcat-server
index 969a849..40a6f8f 100644
--- a/tomcat-server
+++ b/tomcat-server
@@ -1,6 +1,6 @@
 #!/bin/bash
-. /usr/lib/tomcat/preamble
+. /usr/libexec/tomcat/preamble
 MAIN_CLASS=org.apache.catalina.startup.Bootstrap
diff --git a/tomcat.changes b/tomcat.changes
index bc2d3f6..35efca1 100644
--- a/tomcat.changes
+++ b/tomcat.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue Oct 13 11:23:32 UTC 2020 - Matei Albu
+
+- Fix CVE-2020-13943 (bsc#1177582)
+- Added patch:
+ * tomcat-9.0-CVE-2020-13943.patch
+- Change /usr/lib/tomcat to /usr/libexec/tomcat in startup
+ scripts (bsc#1177601)
+
 -------------------------------------------------------------------
 Wed Aug 26 06:04:58 UTC 2020 - Fridrich Strba
diff --git a/tomcat.spec b/tomcat.spec
index 50ab6b5..562bad2 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -83,6 +83,7 @@ Patch4: tomcat-9.0-osgi-build.patch
 Patch5: tomcat-9.0.31-java8compat.patch
 # PATCH-FIX-OPENSUSE: set ajp connector secreteRequired to false by default to avoid tomcat not starting
 Patch6: tomcat-9.0.31-secretRequired-default.patch
+Patch7: tomcat-9.0-CVE-2020-13943.patch
 BuildRequires: ant >= 1.8.1
 BuildRequires: ant-antlr
@@ -262,6 +263,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl
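Review bot: `Patch7: tomcat-9.0-CVE-2020-13943.patch` is added without the descriptive comment the neighbouring Patch6 carries, so the spec does not say what the patch fixes or that it is an upstream backport; add `# PATCH-FIX-UPSTREAM: CVE-2020-13943 bsc#1177582 -- move the HTTP/2 maxConcurrentStreams check to the end of header parsing` above it. The patch's own headers name apache-tomcat-9.0.36-src and the spec's Version line is not on this page, so that the backport targets the packaged release is something to confirm rather than something the hunk shows. The second hunk, `%patch7 -p1`, is consistent with the -p1 used for the other patches and needs nothing further.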