rpm/tomcat
SHA256
1
0
Fork 0
forked from pool/tomcat
Code Pull Requests Activity

Accepting request 926112 from home:balta3:tomcat9

Browse Source 
Update Tomcat to 9.0.43, ecj 4.18 as submitted in another request is required

- Update to Tomcat 9.0.43. See changelog at
  https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.43_(markt)
- Removed Patches because fixed upstream now:
  * tomcat-9.0-CVE-2021-25122.patch
  * tomcat-9.0-CVE-2021-25329.patch

- Update to Tomcat 9.0.41. See changelog at
  https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.41_(markt)

- Update to Tomcat 9.0.40. See changelog at
  https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.40_(markt)
- Removed Patches because fixed upstream now:
  * tomcat-9.0-CVE-2020-17527.patch
  * tomcat-9.0-CVE-2021-24122.patch

OBS-URL: https://build.opensuse.org/request/show/926112
OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=224
This commit is contained in:
Fridrich Strba 2021-10-19 05:08:40 +00:00 committed by Git OBS Bridge
parent 7c32e22b9c
commit 2574a121fc
11 changed files with 302 additions and 595 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
apache-tomcat-9.0.39-src.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2f6ed1a6ae4f9a67da9e75f79ba6629ce309f7101bce072e1b52c7abb6e2a93c
size 5966825

16
apache-tomcat-9.0.39-src.tar.gz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEqcXfTSLpmZjZh1pREMAcWi9gWecFAl98fisACgkQEMAcWi9g
Wed+WQ//QwG6pcX8dVwkyuymZgFS3oKXpJHujnpuY2K4aFzAptkioFH+Fqw+IeJK
hXc/i1IiWw69zJBX1GDhlTFrW9g3cX0KqsUSXkRXo+AATOb5fdIjofnuPDbbXKtN
nK0eQsm+OFh1WW8mbMVZSgQ3uqbVJYwukZCjwelrdDLKuhl2yHFWGteTQOTo0LdU
cgYrEenMp5c+hBVBw8iJ4HUbr2NBfXRD0KRUOD9m4f75BJshVNFxMUu0WOENIkNw
JixJIYHhf7k+eXCJUHKcV52haHsStaWcqi+2Pcg7sOl33bKjL4H4ANH+WLqbzANF
NDY3YxV71w+yC5MxPRTjTnIfUNYOcARs19tVVORaUzNqiRIY/ymur7jZi9bHgnZW
tZ/ldQKDOWmfuRgRPbgKFvpZubiECy9EiILVSDZcU2HRNGwEpboRkx+RZtavGvnm
DizEN8beYgsr4Xf/62p+BhsDGVVKEmgVIecPDiwFWoZwv3lmC31809uHze6wlVge
sFFNS1ly/xiNjLPXzPx1XQ4nLsLVC7ERKG0v1b2NmH1oayWXeRqDzTNV9/d420xU
nCWNg36Y8SEiCdiYpKYladggwmg5j5VWx9H3DuDWxrrqhOqJBOLwC3fnTm9slLqC
lLdaflcWqqtj6v1qmhDwnSesCfzubN/XYtT2eIWYMnt1OHuFRW0=
=l6Lm
-----END PGP SIGNATURE-----

3
apache-tomcat-9.0.43-src.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:28db36e1f1440c8517513a282f71383d825fe1383d8e5317e22e5122803c40ca
size 6042010

16
apache-tomcat-9.0.43-src.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEqcXfTSLpmZjZh1pREMAcWi9gWecFAmATIH8ACgkQEMAcWi9g
Wecu9hAAhNGHtILVHGLWoqGJPVC29l2kgXiDshkFbgHKxeR6K5kooaxIB0N9QGGb
9H/BEwM92Kdl2VwQwtZBrW+x+worRQWIAHLCS9KF/UaVMLSIO54E5+aeJ6+vgBPC
AQdIn2mZ4o4RtUfYWsGgtPrQvGR/M+VSLKALn6SeB9O60zHrDvgpdVp0coFw0aIY
mi0HWsfoZltGTqscsgVEsSvolkvo7Au0c9DAGVGSLzhavlHT3Wnvsg8RuQ+oV2G+
aX1R1J7xuPyDxrvLHShOu9ERxxHmEIgJ5/wrWgGUEwJJQmSAqFQHW7q1kswOmL5a
mfWYSsqrqcsc+8QI6oYnVfN6Yu/Podcb1Tbs0elYdn+rEU0j73j6gGITSzSFokkZ
2tueXJ/U5rHthWMiL8xLZXp9RpOzGgpo91TY3qSHsvpVi7HSX9kLsUq4gHFPDehF
s+5ycfYy+fzsRUs6Fsa/2FfRIy9zEatzcjX2yvFCjBaeKbv8cRixeVCqsERopIwW
5hwh1hmqQNn4FuOS/Ei03QkRHGPHWhrBU5GS0ZEruhUNfc4kfogBBsaUBQkfv94C
EScu+rTeOSEv4exWAH/IiaOHPPYQTH9RXJ+aPbZpZ+7BOzpYU30hFGZwhRli1hqa
Ib7wuGMQXfNJQ8ndAlzPIMjp12dLOYeOeoRqHK5duaXfK9e+WN8=
=KHse
-----END PGP SIGNATURE-----

62
tomcat-9.0-CVE-2020-17527.patch
View File

@ -1,62 +0,0 @@
From d56293f816d6dc9e2b47107f208fa9e95db58c65 Mon Sep 17 00:00:00 2001
From: Mark Thomas <markt@apache.org>
Date: Mon, 9 Nov 2020 19:23:12 +0000
Subject: [PATCH] Fix BZ 64830 - concurrency issue in HPACK decoder
https://bz.apache.org/bugzilla/show_bug.cgi?id=64830
---
java/org/apache/coyote/http2/HpackDecoder.java | 12 ++++--------
webapps/docs/changelog.xml | 3 +++
2 files changed, 7 insertions(+), 8 deletions(-)
Index: apache-tomcat-9.0.36-src/java/org/apache/coyote/http2/HpackDecoder.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/coyote/http2/HpackDecoder.java
+++ apache-tomcat-9.0.36-src/java/org/apache/coyote/http2/HpackDecoder.java
@@ -73,8 +73,6 @@ public class HpackDecoder {
private volatile boolean countedCookie;
private volatile int headerSize = 0;
- private final StringBuilder stringBuilder = new StringBuilder();
-
HpackDecoder(int maxMemorySize) {
this.maxMemorySizeHard = maxMemorySize;
this.maxMemorySizeSoft = maxMemorySize;
@@ -223,19 +221,17 @@ public class HpackDecoder {
if (huffman) {
return readHuffmanString(length, buffer);
}
+ StringBuilder stringBuilder = new StringBuilder(length);
for (int i = 0; i < length; ++i) {
stringBuilder.append((char) buffer.get());
}
- String ret = stringBuilder.toString();
- stringBuilder.setLength(0);
- return ret;
+ return stringBuilder.toString();
}
private String readHuffmanString(int length, ByteBuffer buffer) throws HpackException {
+ StringBuilder stringBuilder = new StringBuilder(length);
HPackHuffman.decode(buffer, length, stringBuilder);
- String ret = stringBuilder.toString();
- stringBuilder.setLength(0);
- return ret;
+ return stringBuilder.toString();
}
private String handleIndexedHeaderName(int index) throws HpackException {
Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
@@ -126,6 +126,9 @@
Include the target URL in the log message when a WebSocket connection
fails. (markt)
</add>
+ <fix>
+ <bug>64830</bug>: Fix concurrency issue in HPACK decoder. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Other">

77
tomcat-9.0-CVE-2021-24122.patch
View File

@ -1,77 +0,0 @@
Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
@@ -22,11 +22,15 @@ import java.net.MalformedURLException;
import java.net.URL;
import org.apache.catalina.LifecycleException;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.compat.JrePlatform;
import org.apache.tomcat.util.http.RequestUtil;
public abstract class AbstractFileResourceSet extends AbstractResourceSet {
+ private static final Log log = LogFactory.getLog(AbstractFileResourceSet.class);
+
protected static final String[] EMPTY_STRING_ARRAY = new String[0];
private File fileBase;
@@ -128,6 +132,19 @@ public abstract class AbstractFileResour
canPath = normalize(canPath);
}
if (!canPath.equals(absPath)) {
+ if (!canPath.equalsIgnoreCase(absPath)) {
+ // Typically means symlinks are in use but being ignored. Given
+ // the symlink was likely created for a reason, log a warning
+ // that it was ignored.
+ String msg = sm.getString("abstractFileResourceSet.canonicalfileCheckFailed",
+ getRoot().getContext().getName(), absPath, canPath);
+ // Log issues with configuration files at a higher level
+ if(absPath.startsWith("/META-INF/") || absPath.startsWith("/WEB-INF/")) {
+ log.error(msg);
+ } else {
+ log.warn(msg);
+ }
+ }
return null;
}
@@ -144,7 +161,7 @@ public abstract class AbstractFileResour
// expression irrespective of input length.
for (int i = 0; i < len; i++) {
char c = name.charAt(i);
- if (c == '\"' || c == '<' || c == '>') {
+ if (c == '\"' || c == '<' || c == '>' || c == ':') {
// These characters are disallowed in Windows file names and
// there are known problems for file names with these characters
// when using File#getCanonicalPath().
Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/LocalStrings.properties
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/webresources/LocalStrings.properties
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/LocalStrings.properties
@@ -15,6 +15,8 @@
abstractArchiveResourceSet.setReadOnlyFalse=Archive based WebResourceSets such as those based on JARs are hard-coded to be read-only and may not be configured to be read-write
+abstractFileResourceSet.canonicalfileCheckFailed=Resource for web application [{0}] at path [{1}] was not loaded as the canonical path [{2}] did not match. Use of symlinks is one possible cause.
+
abstractResource.getContentFail=Unable to return [{0}] as a byte array
abstractResource.getContentTooLarge=Unable to return [{0}] as a byte array since the resource is [{1}] bytes in size which is larger than the maximum size of a byte array
Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
@@ -81,6 +81,10 @@
<bug>64493</bug>: Revert possible change of returned protocol
attribute value on the <code>Connector</code>. (remm)
</fix>
+ <add>
+ <bug>64871</bug>: Log a warning if Tomcat blocks access to a file
+ because it uses symlinks. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Coyote">

31
tomcat-9.0-CVE-2021-25122.patch
View File

@ -1,31 +0,0 @@
Index: apache-tomcat-9.0.36-src/java/org/apache/coyote/AbstractProtocol.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/coyote/AbstractProtocol.java
+++ apache-tomcat-9.0.36-src/java/org/apache/coyote/AbstractProtocol.java
@@ -870,8 +870,10 @@ public abstract class AbstractProtocol<S
if (state == SocketState.UPGRADING) {
// Get the HTTP upgrade handler
UpgradeToken upgradeToken = processor.getUpgradeToken();
- // Retrieve leftover input
+ // Restore leftover input to the wrapper so the upgrade
+ // processor can process it.
ByteBuffer leftOverInput = processor.getLeftoverInput();
+ wrapper.unRead(leftOverInput);
if (upgradeToken == null) {
// Assume direct HTTP/2 connection
UpgradeProtocol upgradeProtocol = getProtocol().getUpgradeProtocol("h2c");
Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
@@ -170,6 +170,10 @@
<subsection name="Catalina">
<changelog>
<fix>
+ Additional fix for <bug>64830</bug> to address an edge case that could
+ trigger request corruption with h2c connections. (markt)
+ </fix>
+ <fix>
Reduce reflection use and remove AJP specific code in the Connector.
(remm/markt/fhanik)
</fix>

139
tomcat-9.0-CVE-2021-25329.patch
View File

@ -1,139 +0,0 @@
Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/servlets/DefaultServlet.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/servlets/DefaultServlet.java
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/servlets/DefaultServlet.java
@@ -2131,7 +2131,7 @@ public class DefaultServlet extends Http
// First check that the resulting path is under the provided base
try {
- if (!candidate.getCanonicalPath().startsWith(base.getCanonicalPath())) {
+ if (!candidate.getCanonicalFile().toPath().startsWith(base.getCanonicalFile().toPath())) {
return null;
}
} catch (IOException ioe) {
Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/session/FileStore.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/session/FileStore.java
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/session/FileStore.java
@@ -351,7 +351,7 @@ public final class FileStore extends Sto
File file = new File(storageDir, filename);
// Check the file is within the storage directory
- if (!file.getCanonicalPath().startsWith(storageDir.getCanonicalPath())) {
+ if (!file.getCanonicalFile().toPath().startsWith(storageDir.getCanonicalFile().toPath())) {
log.warn(sm.getString("fileStore.invalid", file.getPath(), id));
return null;
}
Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/ContextConfig.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/startup/ContextConfig.java
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/ContextConfig.java
@@ -653,7 +653,8 @@ public class ContextConfig implements Li
String docBaseCanonical = docBaseAbsoluteFile.getCanonicalPath();
// Re-calculate now docBase is a canonical path
- boolean docBaseCanonicalInAppBase = docBaseCanonical.startsWith(appBase.getPath() + File.separatorChar);
+ boolean docBaseCanonicalInAppBase =
+ docBaseAbsoluteFile.getCanonicalFile().toPath().startsWith(appBase.toPath());
String docBase;
if (docBaseCanonicalInAppBase) {
docBase = docBaseCanonical.substring(appBase.getPath().length());
Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/ExpandWar.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/startup/ExpandWar.java
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/ExpandWar.java
@@ -26,6 +26,7 @@ import java.net.JarURLConnection;
import java.net.URL;
import java.net.URLConnection;
import java.nio.channels.FileChannel;
+import java.nio.file.Path;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
@@ -116,10 +117,7 @@ public class ExpandWar {
}
// Expand the WAR into the new document base directory
- String canonicalDocBasePrefix = docBase.getCanonicalPath();
- if (!canonicalDocBasePrefix.endsWith(File.separator)) {
- canonicalDocBasePrefix += File.separator;
- }
+ Path canonicalDocBasePath = docBase.getCanonicalFile().toPath();
// Creating war tracker parent (normally META-INF)
File warTrackerParent = warTracker.getParentFile();
@@ -134,14 +132,13 @@ public class ExpandWar {
JarEntry jarEntry = jarEntries.nextElement();
String name = jarEntry.getName();
File expandedFile = new File(docBase, name);
- if (!expandedFile.getCanonicalPath().startsWith(
- canonicalDocBasePrefix)) {
+ if (!expandedFile.getCanonicalFile().toPath().startsWith(canonicalDocBasePath)) {
// Trying to expand outside the docBase
// Throw an exception to stop the deployment
throw new IllegalArgumentException(
sm.getString("expandWar.illegalPath",war, name,
expandedFile.getCanonicalPath(),
- canonicalDocBasePrefix));
+ canonicalDocBasePath));
}
int last = name.lastIndexOf('/');
if (last >= 0) {
@@ -217,10 +214,7 @@ public class ExpandWar {
File docBase = new File(host.getAppBaseFile(), pathname);
// Calculate the document base directory
- String canonicalDocBasePrefix = docBase.getCanonicalPath();
- if (!canonicalDocBasePrefix.endsWith(File.separator)) {
- canonicalDocBasePrefix += File.separator;
- }
+ Path canonicalDocBasePath = docBase.getCanonicalFile().toPath();
JarURLConnection juc = (JarURLConnection) war.openConnection();
juc.setUseCaches(false);
try (JarFile jarFile = juc.getJarFile()) {
@@ -229,14 +223,13 @@ public class ExpandWar {
JarEntry jarEntry = jarEntries.nextElement();
String name = jarEntry.getName();
File expandedFile = new File(docBase, name);
- if (!expandedFile.getCanonicalPath().startsWith(
- canonicalDocBasePrefix)) {
+ if (!expandedFile.getCanonicalFile().toPath().startsWith(canonicalDocBasePath)) {
// Entry located outside the docBase
// Throw an exception to stop the deployment
throw new IllegalArgumentException(
sm.getString("expandWar.illegalPath",war, name,
expandedFile.getCanonicalPath(),
- canonicalDocBasePrefix));
+ canonicalDocBasePath));
}
}
} catch (IOException e) {
Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/HostConfig.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/startup/HostConfig.java
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/HostConfig.java
@@ -598,8 +598,7 @@ public class HostConfig implements Lifec
docBase = new File(host.getAppBaseFile(), context.getDocBase());
}
// If external docBase, register .xml as redeploy first
- if (!docBase.getCanonicalPath().startsWith(
- host.getAppBaseFile().getAbsolutePath() + File.separator)) {
+ if (!docBase.getCanonicalFile().toPath().startsWith(host.getAppBaseFile().toPath())) {
isExternal = true;
deployedApp.redeployResources.put(
contextXml.getAbsolutePath(),
Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
@@ -159,6 +159,10 @@
<update>
Update dependency on bnd to 5.1.0. (markt)
</update>
+ <scode>
+ Use <code>java.nio.file.Path</code> to test for one directory being a
+ sub-directory of another in a consistent way. (markt)
+ </scode>
</changelog>
</subsection>
</section>

514
tomcat-9.0.39-java8compat.patch → tomcat-9.0.43-java8compat.patch
View File

File diff suppressed because it is too large Load Diff

24
tomcat.changes
View File

@ -1,3 +1,27 @@
-------------------------------------------------------------------
Mon Oct 18 21:42:48 UTC 2021 - Marcel Witte <wittemar@googlemail.com>
- Update to Tomcat 9.0.43. See changelog at
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.43_(markt)
- Removed Patches because fixed upstream now:
* tomcat-9.0-CVE-2021-25122.patch
* tomcat-9.0-CVE-2021-25329.patch
-------------------------------------------------------------------
Mon Oct 18 18:26:39 UTC 2021 - Marcel Witte <wittemar@googlemail.com>
- Update to Tomcat 9.0.41. See changelog at
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.41_(markt)
-------------------------------------------------------------------
Mon Oct 18 13:05:17 UTC 2021 - Marcel Witte <wittemar@googlemail.com>
- Update to Tomcat 9.0.40. See changelog at
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.40_(markt)
- Removed Patches because fixed upstream now:
* tomcat-9.0-CVE-2020-17527.patch
* tomcat-9.0-CVE-2021-24122.patch
-------------------------------------------------------------------
Mon Mar 22 13:11:34 UTC 2021 - Abid Mehmood <amehmood@suse.com>

12
tomcat.spec
View File

@ -22,7 +22,7 @@
%define elspec 3.0
%define major_version 9
%define minor_version 0
%define micro_version 39
%define micro_version 43
%define packdname apache-tomcat-%{version}-src
%define serverxmltool_version 1.0
# FHS 2.3 compliant tree structure - http://www.pathname.com/fhs/2.3/
@ -80,13 +80,9 @@ Patch3: %{name}-%{major_version}.%{minor_version}-javadoc.patch
# PATCH-FIX-OPENSUSE: include all necessary aqute-bnd jars
Patch4: tomcat-9.0-osgi-build.patch
# PATCH-FIX-OPENSUSE: cast ByteBuffer to Buffer in cases where there is a risk of using Java 9+ apis
Patch5: tomcat-9.0.39-java8compat.patch
Patch5: tomcat-9.0.43-java8compat.patch
# PATCH-FIX-OPENSUSE: set ajp connector secreteRequired to false by default to avoid tomcat not starting
Patch6: tomcat-9.0.31-secretRequired-default.patch
Patch8: tomcat-9.0-CVE-2020-17527.patch
Patch9: tomcat-9.0-CVE-2021-24122.patch
Patch10: tomcat-9.0-CVE-2021-25122.patch
Patch11: tomcat-9.0-CVE-2021-25329.patch
BuildRequires: ant >= 1.8.1
BuildRequires: ant-antlr
@ -261,10 +257,6 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
# remove date from docs
sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl