pool/tomcat
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 880711 from Java:packages

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/880711
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tomcat?expand=0&rev=76
This commit is contained in:
Dominique Leuenberger 2021-03-24 15:15:06 +00:00 committed by Git OBS Bridge
commit e486fff548
4 changed files with 185 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
tomcat-9.0-CVE-2021-25122.patch Normal file
View File

@ -0,0 +1,31 @@
Index: apache-tomcat-9.0.36-src/java/org/apache/coyote/AbstractProtocol.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/coyote/AbstractProtocol.java
+++ apache-tomcat-9.0.36-src/java/org/apache/coyote/AbstractProtocol.java
@@ -870,8 +870,10 @@ public abstract class AbstractProtocol<S
if (state == SocketState.UPGRADING) {
// Get the HTTP upgrade handler
UpgradeToken upgradeToken = processor.getUpgradeToken();
- // Retrieve leftover input
+ // Restore leftover input to the wrapper so the upgrade
+ // processor can process it.
ByteBuffer leftOverInput = processor.getLeftoverInput();
+ wrapper.unRead(leftOverInput);
if (upgradeToken == null) {
// Assume direct HTTP/2 connection
UpgradeProtocol upgradeProtocol = getProtocol().getUpgradeProtocol("h2c");
Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
@@ -170,6 +170,10 @@
<subsection name="Catalina">
<changelog>
<fix>
+ Additional fix for <bug>64830</bug> to address an edge case that could
+ trigger request corruption with h2c connections. (markt)
+ </fix>
+ <fix>
Reduce reflection use and remove AJP specific code in the Connector.
(remm/markt/fhanik)
</fix>

139
tomcat-9.0-CVE-2021-25329.patch Normal file
View File

@ -0,0 +1,139 @@
Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/servlets/DefaultServlet.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/servlets/DefaultServlet.java
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/servlets/DefaultServlet.java
@@ -2131,7 +2131,7 @@ public class DefaultServlet extends Http
// First check that the resulting path is under the provided base
try {
- if (!candidate.getCanonicalPath().startsWith(base.getCanonicalPath())) {
+ if (!candidate.getCanonicalFile().toPath().startsWith(base.getCanonicalFile().toPath())) {
return null;
}
} catch (IOException ioe) {
Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/session/FileStore.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/session/FileStore.java
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/session/FileStore.java
@@ -351,7 +351,7 @@ public final class FileStore extends Sto
File file = new File(storageDir, filename);
// Check the file is within the storage directory
- if (!file.getCanonicalPath().startsWith(storageDir.getCanonicalPath())) {
+ if (!file.getCanonicalFile().toPath().startsWith(storageDir.getCanonicalFile().toPath())) {
log.warn(sm.getString("fileStore.invalid", file.getPath(), id));
return null;
}
Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/ContextConfig.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/startup/ContextConfig.java
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/ContextConfig.java
@@ -653,7 +653,8 @@ public class ContextConfig implements Li
String docBaseCanonical = docBaseAbsoluteFile.getCanonicalPath();
// Re-calculate now docBase is a canonical path
- boolean docBaseCanonicalInAppBase = docBaseCanonical.startsWith(appBase.getPath() + File.separatorChar);
+ boolean docBaseCanonicalInAppBase =
+ docBaseAbsoluteFile.getCanonicalFile().toPath().startsWith(appBase.toPath());
String docBase;
if (docBaseCanonicalInAppBase) {
docBase = docBaseCanonical.substring(appBase.getPath().length());
Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/ExpandWar.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/startup/ExpandWar.java
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/ExpandWar.java
@@ -26,6 +26,7 @@ import java.net.JarURLConnection;
import java.net.URL;
import java.net.URLConnection;
import java.nio.channels.FileChannel;
+import java.nio.file.Path;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
@@ -116,10 +117,7 @@ public class ExpandWar {
}
// Expand the WAR into the new document base directory
- String canonicalDocBasePrefix = docBase.getCanonicalPath();
- if (!canonicalDocBasePrefix.endsWith(File.separator)) {
- canonicalDocBasePrefix += File.separator;
- }
+ Path canonicalDocBasePath = docBase.getCanonicalFile().toPath();
// Creating war tracker parent (normally META-INF)
File warTrackerParent = warTracker.getParentFile();
@@ -134,14 +132,13 @@ public class ExpandWar {
JarEntry jarEntry = jarEntries.nextElement();
String name = jarEntry.getName();
File expandedFile = new File(docBase, name);
- if (!expandedFile.getCanonicalPath().startsWith(
- canonicalDocBasePrefix)) {
+ if (!expandedFile.getCanonicalFile().toPath().startsWith(canonicalDocBasePath)) {
// Trying to expand outside the docBase
// Throw an exception to stop the deployment
throw new IllegalArgumentException(
sm.getString("expandWar.illegalPath",war, name,
expandedFile.getCanonicalPath(),
- canonicalDocBasePrefix));
+ canonicalDocBasePath));
}
int last = name.lastIndexOf('/');
if (last >= 0) {
@@ -217,10 +214,7 @@ public class ExpandWar {
File docBase = new File(host.getAppBaseFile(), pathname);
// Calculate the document base directory
- String canonicalDocBasePrefix = docBase.getCanonicalPath();
- if (!canonicalDocBasePrefix.endsWith(File.separator)) {
- canonicalDocBasePrefix += File.separator;
- }
+ Path canonicalDocBasePath = docBase.getCanonicalFile().toPath();
JarURLConnection juc = (JarURLConnection) war.openConnection();
juc.setUseCaches(false);
try (JarFile jarFile = juc.getJarFile()) {
@@ -229,14 +223,13 @@ public class ExpandWar {
JarEntry jarEntry = jarEntries.nextElement();
String name = jarEntry.getName();
File expandedFile = new File(docBase, name);
- if (!expandedFile.getCanonicalPath().startsWith(
- canonicalDocBasePrefix)) {
+ if (!expandedFile.getCanonicalFile().toPath().startsWith(canonicalDocBasePath)) {
// Entry located outside the docBase
// Throw an exception to stop the deployment
throw new IllegalArgumentException(
sm.getString("expandWar.illegalPath",war, name,
expandedFile.getCanonicalPath(),
- canonicalDocBasePrefix));
+ canonicalDocBasePath));
}
}
} catch (IOException e) {
Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/HostConfig.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/startup/HostConfig.java
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/HostConfig.java
@@ -598,8 +598,7 @@ public class HostConfig implements Lifec
docBase = new File(host.getAppBaseFile(), context.getDocBase());
}
// If external docBase, register .xml as redeploy first
- if (!docBase.getCanonicalPath().startsWith(
- host.getAppBaseFile().getAbsolutePath() + File.separator)) {
+ if (!docBase.getCanonicalFile().toPath().startsWith(host.getAppBaseFile().toPath())) {
isExternal = true;
deployedApp.redeployResources.put(
contextXml.getAbsolutePath(),
Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
@@ -159,6 +159,10 @@
<update>
Update dependency on bnd to 5.1.0. (markt)
</update>
+ <scode>
+ Use <code>java.nio.file.Path</code> to test for one directory being a
+ sub-directory of another in a consistent way. (markt)
+ </scode>
</changelog>
</subsection>
</section>

10
tomcat.changes
View File

@ -1,3 +1,13 @@
-------------------------------------------------------------------
Mon Mar 22 13:11:34 UTC 2021 - Abid Mehmood <amehmood@suse.com>
- Fixed CVEs:
* CVE-2021-25122: Apache Tomcat h2c request mix-up (bsc#1182912)
* CVE-2021-25329: Complete fix for CVE-2020-9484 (bsc#1182909)
- Added patches:
* tomcat-9.0-CVE-2021-25122.patch
* tomcat-9.0-CVE-2021-25329.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Mar 17 16:16:52 UTC 2021 - Abid Mehmood <amehmood@suse.com> Wed Mar 17 16:16:52 UTC 2021 - Abid Mehmood <amehmood@suse.com>

6
tomcat.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package tomcat # spec file for package tomcat
# #
# Copyright (c) 2021 SUSE LLC # Copyright (c) 2021 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2000-2009, JPackage Project # Copyright (c) 2000-2009, JPackage Project
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
@ -86,6 +86,8 @@ Patch6: tomcat-9.0.31-secretRequired-default.patch
Patch7: tomcat-9.0-CVE-2020-13943.patch Patch7: tomcat-9.0-CVE-2020-13943.patch
Patch8: tomcat-9.0-CVE-2020-17527.patch Patch8: tomcat-9.0-CVE-2020-17527.patch
Patch9: tomcat-9.0-CVE-2021-24122.patch Patch9: tomcat-9.0-CVE-2021-24122.patch
Patch10: tomcat-9.0-CVE-2021-25122.patch
Patch11: tomcat-9.0-CVE-2021-25329.patch
BuildRequires: ant >= 1.8.1 BuildRequires: ant >= 1.8.1
BuildRequires: ant-antlr BuildRequires: ant-antlr
@ -263,6 +265,8 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
%patch7 -p1 %patch7 -p1
%patch8 -p1 %patch8 -p1
%patch9 -p1 %patch9 -p1
%patch10 -p1
%patch11 -p1
# remove date from docs # remove date from docs
sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl