Accepting request 880517 from home:admehmood:branches:Java:packages

* CVE-2021-25122: Apache Tomcat h2c request mix-up (bsc#1182912) * CVE-2021-25329: Complete fix for CVE-2020-9484 (bsc#1182909) - Added patches: * tomcat-9.0-CVE-2021-25122.patch * tomcat-9.0-CVE-2021-25329.patch OBS-URL: https://build.opensuse.org/request/show/880517 OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=221
2021-03-23 11:26:59 +00:00 · 2021-03-23 11:26:59 +00:00 · 4a8fbc25f3
commit 4a8fbc25f3
parent b87f5648b0
4 changed files with 185 additions and 1 deletions
--- a/tomcat-9.0-CVE-2021-25122.patch
+++ b/tomcat-9.0-CVE-2021-25122.patch
@ -0,0 +1,31 @@
+Index: apache-tomcat-9.0.36-src/java/org/apache/coyote/AbstractProtocol.java
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/java/org/apache/coyote/AbstractProtocol.java
+++ apache-tomcat-9.0.36-src/java/org/apache/coyote/AbstractProtocol.java
+@@ -870,8 +870,10 @@ public abstract class AbstractProtocol<S
+                     if (state == SocketState.UPGRADING) {
+                         // Get the HTTP upgrade handler
+                         UpgradeToken upgradeToken = processor.getUpgradeToken();
+-                        // Retrieve leftover input
+                        // Restore leftover input to the wrapper so the upgrade
+                        // processor can process it.
+                         ByteBuffer leftOverInput = processor.getLeftoverInput();
+                        wrapper.unRead(leftOverInput);
+                         if (upgradeToken == null) {
+                             // Assume direct HTTP/2 connection
+                             UpgradeProtocol upgradeProtocol = getProtocol().getUpgradeProtocol("h2c");
+Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
+@@ -170,6 +170,10 @@
+   <subsection name="Catalina">
+     <changelog>
+       <fix>
+        Additional fix for <bug>64830</bug> to address an edge case that could
+        trigger request corruption with h2c connections. (markt)
+      </fix>
+      <fix>
+         Reduce reflection use and remove AJP specific code in the Connector.
+         (remm/markt/fhanik)
+       </fix>
--- a/tomcat-9.0-CVE-2021-25329.patch
+++ b/tomcat-9.0-CVE-2021-25329.patch
@ -0,0 +1,139 @@
+Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/servlets/DefaultServlet.java
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/servlets/DefaultServlet.java
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/servlets/DefaultServlet.java
+@@ -2131,7 +2131,7 @@ public class DefaultServlet extends Http
+ 
+         // First check that the resulting path is under the provided base
+         try {
+-            if (!candidate.getCanonicalPath().startsWith(base.getCanonicalPath())) {
+            if (!candidate.getCanonicalFile().toPath().startsWith(base.getCanonicalFile().toPath())) {
+                 return null;
+             }
+         } catch (IOException ioe) {
+Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/session/FileStore.java
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/session/FileStore.java
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/session/FileStore.java
+@@ -351,7 +351,7 @@ public final class FileStore extends Sto
+         File file = new File(storageDir, filename);
+ 
+         // Check the file is within the storage directory
+-        if (!file.getCanonicalPath().startsWith(storageDir.getCanonicalPath())) {
+        if (!file.getCanonicalFile().toPath().startsWith(storageDir.getCanonicalFile().toPath())) {
+             log.warn(sm.getString("fileStore.invalid", file.getPath(), id));
+             return null;
+         }
+Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/ContextConfig.java
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/startup/ContextConfig.java
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/ContextConfig.java
+@@ -653,7 +653,8 @@ public class ContextConfig implements Li
+         String docBaseCanonical = docBaseAbsoluteFile.getCanonicalPath();
+ 
+         // Re-calculate now docBase is a canonical path
+-        boolean docBaseCanonicalInAppBase = docBaseCanonical.startsWith(appBase.getPath() + File.separatorChar);
+        boolean docBaseCanonicalInAppBase =
+                docBaseAbsoluteFile.getCanonicalFile().toPath().startsWith(appBase.toPath());
+         String docBase;
+         if (docBaseCanonicalInAppBase) {
+             docBase = docBaseCanonical.substring(appBase.getPath().length());
+Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/ExpandWar.java
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/startup/ExpandWar.java
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/ExpandWar.java
+@@ -26,6 +26,7 @@ import java.net.JarURLConnection;
+ import java.net.URL;
+ import java.net.URLConnection;
+ import java.nio.channels.FileChannel;
+import java.nio.file.Path;
+ import java.util.Enumeration;
+ import java.util.jar.JarEntry;
+ import java.util.jar.JarFile;
+@@ -116,10 +117,7 @@ public class ExpandWar {
+         }
+ 
+         // Expand the WAR into the new document base directory
+-        String canonicalDocBasePrefix = docBase.getCanonicalPath();
+-        if (!canonicalDocBasePrefix.endsWith(File.separator)) {
+-            canonicalDocBasePrefix += File.separator;
+-        }
+        Path canonicalDocBasePath = docBase.getCanonicalFile().toPath();
+ 
+         // Creating war tracker parent (normally META-INF)
+         File warTrackerParent = warTracker.getParentFile();
+@@ -134,14 +132,13 @@ public class ExpandWar {
+                 JarEntry jarEntry = jarEntries.nextElement();
+                 String name = jarEntry.getName();
+                 File expandedFile = new File(docBase, name);
+-                if (!expandedFile.getCanonicalPath().startsWith(
+-                        canonicalDocBasePrefix)) {
+                if (!expandedFile.getCanonicalFile().toPath().startsWith(canonicalDocBasePath)) {
+                     // Trying to expand outside the docBase
+                     // Throw an exception to stop the deployment
+                     throw new IllegalArgumentException(
+                             sm.getString("expandWar.illegalPath",war, name,
+                                     expandedFile.getCanonicalPath(),
+-                                    canonicalDocBasePrefix));
+                                    canonicalDocBasePath));
+                 }
+                 int last = name.lastIndexOf('/');
+                 if (last >= 0) {
+@@ -217,10 +214,7 @@ public class ExpandWar {
+         File docBase = new File(host.getAppBaseFile(), pathname);
+ 
+         // Calculate the document base directory
+-        String canonicalDocBasePrefix = docBase.getCanonicalPath();
+-        if (!canonicalDocBasePrefix.endsWith(File.separator)) {
+-            canonicalDocBasePrefix += File.separator;
+-        }
+        Path canonicalDocBasePath = docBase.getCanonicalFile().toPath();
+         JarURLConnection juc = (JarURLConnection) war.openConnection();
+         juc.setUseCaches(false);
+         try (JarFile jarFile = juc.getJarFile()) {
+@@ -229,14 +223,13 @@ public class ExpandWar {
+                 JarEntry jarEntry = jarEntries.nextElement();
+                 String name = jarEntry.getName();
+                 File expandedFile = new File(docBase, name);
+-                if (!expandedFile.getCanonicalPath().startsWith(
+-                        canonicalDocBasePrefix)) {
+                if (!expandedFile.getCanonicalFile().toPath().startsWith(canonicalDocBasePath)) {
+                     // Entry located outside the docBase
+                     // Throw an exception to stop the deployment
+                     throw new IllegalArgumentException(
+                             sm.getString("expandWar.illegalPath",war, name,
+                                     expandedFile.getCanonicalPath(),
+-                                    canonicalDocBasePrefix));
+                                    canonicalDocBasePath));
+                 }
+             }
+         } catch (IOException e) {
+Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/HostConfig.java
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/startup/HostConfig.java
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/HostConfig.java
+@@ -598,8 +598,7 @@ public class HostConfig implements Lifec
+                     docBase = new File(host.getAppBaseFile(), context.getDocBase());
+                 }
+                 // If external docBase, register .xml as redeploy first
+-                if (!docBase.getCanonicalPath().startsWith(
+-                        host.getAppBaseFile().getAbsolutePath() + File.separator)) {
+                if (!docBase.getCanonicalFile().toPath().startsWith(host.getAppBaseFile().toPath())) {
+                     isExternal = true;
+                     deployedApp.redeployResources.put(
+                             contextXml.getAbsolutePath(),
+Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
+@@ -159,6 +159,10 @@
+       <update>
+         Update dependency on bnd to 5.1.0. (markt)
+       </update>
+      <scode>
+        Use <code>java.nio.file.Path</code> to test for one directory being a
+        sub-directory of another in a consistent way. (markt)
+      </scode>
+     </changelog>
+   </subsection>
+ </section>
--- a/tomcat.changes
+++ b/tomcat.changes
@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Mon Mar 22 13:11:34 UTC 2021 - Abid Mehmood <amehmood@suse.com>
+
+- Fixed CVEs:
+  * CVE-2021-25122: Apache Tomcat h2c request mix-up (bsc#1182912)
+  * CVE-2021-25329: Complete fix for CVE-2020-9484 (bsc#1182909)
+- Added patches:
+  * tomcat-9.0-CVE-2021-25122.patch 
+  * tomcat-9.0-CVE-2021-25329.patch  
+
 -------------------------------------------------------------------
 Wed Mar 17 16:16:52 UTC 2021 - Abid Mehmood <amehmood@suse.com>

--- a/tomcat.spec
+++ b/tomcat.spec
@ -1,7 +1,7 @@
 #
 # spec file for package tomcat
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2021 SUSE LINUX GmbH, Nuernberg, Germany.
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@ -86,6 +86,8 @@ Patch6:         tomcat-9.0.31-secretRequired-default.patch
 Patch7:         tomcat-9.0-CVE-2020-13943.patch
 Patch8:         tomcat-9.0-CVE-2020-17527.patch
 Patch9:         tomcat-9.0-CVE-2021-24122.patch
+Patch10:        tomcat-9.0-CVE-2021-25122.patch
+Patch11:        tomcat-9.0-CVE-2021-25329.patch

 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
@ -263,6 +265,8 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
+%patch11 -p1

 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl