diff --git a/tomcat-9.0-CVE-2021-24122.patch b/tomcat-9.0-CVE-2021-24122.patch
new file mode 100644
index 0000000..31ff7f3
--- /dev/null
+++ b/tomcat-9.0-CVE-2021-24122.patch
@@ -0,0 +1,77 @@
+Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
++++ apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
+@@ -22,11 +22,15 @@ import java.net.MalformedURLException;
+ import java.net.URL;
+
+ import org.apache.catalina.LifecycleException;
++import org.apache.juli.logging.Log;
++import org.apache.juli.logging.LogFactory;
+ import org.apache.tomcat.util.compat.JrePlatform;
+ import org.apache.tomcat.util.http.RequestUtil;
+
+ public abstract class AbstractFileResourceSet extends AbstractResourceSet {
+
++ private static final Log log = LogFactory.getLog(AbstractFileResourceSet.class);
++
+ protected static final String[] EMPTY_STRING_ARRAY = new String[0];
+
+ private File fileBase;
+@@ -128,6 +132,19 @@ public abstract class AbstractFileResour
+ canPath = normalize(canPath);
+ }
+ if (!canPath.equals(absPath)) {
++ if (!canPath.equalsIgnoreCase(absPath)) {
++ // Typically means symlinks are in use but being ignored. Given
++ the symlink was likely created for a reason, log a warning
++ that it was ignored.
++ String msg = sm.getString("abstractFileResourceSet.canonicalfileCheckFailed",
++ getRoot().getContext().getName(), absPath, canPath);
++ // Log issues with configuration files at a higher level
++ if(absPath.startsWith("/META-INF/") || absPath.startsWith("/WEB-INF/")) {
++ log.error(msg);
++ } else {
++ log.warn(msg);
++ }
++ }
+ return null;
+ }
+
+@@ -144,7 +161,7 @@ public abstract class AbstractFileResour
+ // expression irrespective of input length.
+ for (int i = 0; i < len; i++) {
+ char c = name.charAt(i);
+- if (c == '\"' || c == '<' || c == '>') {
++ if (c == '\"' || c == '<' || c == '>' || c == ':') {
+ // These characters are disallowed in Windows file names and
+ there are known problems for file names with these characters
+ when using File#getCanonicalPath().
+Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/LocalStrings.properties
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/webresources/LocalStrings.properties
++++ apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/LocalStrings.properties
+@@ -15,6 +15,8 @@
+
+ abstractArchiveResourceSet.setReadOnlyFalse=Archive based WebResourceSets such as those based on JARs are hard-coded to be read-only and may not be configured to be read-write
+
++abstractFileResourceSet.canonicalfileCheckFailed=Resource for web application [{0}] at path [{1}] was not loaded as the canonical path [{2}] did not match. Use of symlinks is one possible cause.
++
+ abstractResource.getContentFail=Unable to return [{0}] as a byte array
+ abstractResource.getContentTooLarge=Unable to return [{0}] as a byte array since the resource is [{1}] bytes in size which is larger than the maximum size of a byte array
+
+Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml
++++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
+@@ -81,6 +81,10 @@
+ 64493: Revert possible change of returned protocol
+ attribute value on the Connector. (remm)
+
++
++ 64871: Log a warning if Tomcat blocks access to a file
++ because it uses symlinks. (markt)
++
+
+
+
diff --git a/tomcat.changes b/tomcat.changes
index 9f88ae6..b03dc9c 100644
--- a/tomcat.changes
+++ b/tomcat.changes
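Review bot: The `c == ':'` added to the disallowed-character test in the `@@ -144,7 +161,7 @@` hunk is the only line in this backport that changes which files Tomcat will serve (every other change is logging), yet the comment beneath it still only says the characters are disallowed in Windows file names, which is not why ':' is being rejected; a later rebase could drop it as cosmetic. Extend the comment with the reason: `// ':' is rejected for CVE-2021-24122: File#getCanonicalPath() does not reliably canonicalise names containing ':' on NTFS, so such names are refused outright instead of relying on the canonical-path comparison.` Judging by the JrePlatform import in the first hunk and the Windows wording of the comment, this test presumably runs only on Windows, so on the Linux hosts this package targets the observable effect of the patch is the new warn/error log line emitted via `abstractFileResourceSet.canonicalfileCheckFailed`; the package changelog should say so rather than describing the whole patch as "log if file access is blocked". The method containing this loop and the method containing the new logging both start and end outside their hunks.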
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Mar 17 16:16:52 UTC 2021 - Abid Mehmood
+
+- Log if file access is blocked due to symlinks: CVE-2021-24122 (bsc#1180947)
+- Added patch:
+ * tomcat-9.0-CVE-2021-24122.patch
+
 -------------------------------------------------------------------
 Wed Dec 16 12:17:22 UTC 2020 - Abid Mehmood
diff --git a/tomcat.spec b/tomcat.spec
index c8d7809..37b8043 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package tomcat
 #
-# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2021 SUSE LLC
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -85,6 +85,7 @@ Patch5: tomcat-9.0.31-java8compat.patch
 Patch6: tomcat-9.0.31-secretRequired-default.patch
 Patch7: tomcat-9.0-CVE-2020-13943.patch
 Patch8: tomcat-9.0-CVE-2020-17527.patch
+Patch9: tomcat-9.0-CVE-2021-24122.patch
 BuildRequires: ant >= 1.8.1
 BuildRequires: ant-antlr
@@ -162,7 +163,7 @@ The documentation of web application for Apache Tomcat.
 Summary: Expression Language v3.0 API
 Group: Development/Libraries/Java
 Requires(post): update-alternatives
-Requires(preun): update-alternatives
+Requires(preun):update-alternatives
 Provides: %{name}-el-%{elspec}-api = %{version}-%{release}
 Provides: el_3_0_api = %{version}-%{release}
 Provides: el_api = %{elspec}
@@ -186,7 +187,7 @@ Group: Productivity/Networking/Web/Servers
 Requires: mvn(org.apache.tomcat:tomcat-el-api)
 Requires: mvn(org.apache.tomcat:tomcat-servlet-api)
 Requires(post): update-alternatives
-Requires(postun): update-alternatives
+Requires(postun):update-alternatives
 Provides: %{name}-jsp-%{jspspec}-api
 Provides: jsp = %{jspspec}
 Provides: jsp23
@@ -214,7 +215,7 @@ Requires: %{name}-el-%{elspec}-api = %{version}-%{release}
 Requires: %{name}-jsp-%{jspspec}-api = %{version}-%{release}
 Requires: %{name}-servlet-%{servletspec}-api = %{version}-%{release}
 Requires(post): ecj >= 4.4
-Requires(preun): coreutils
+Requires(preun):coreutils
 Provides: jakarta-commons-dbcp-tomcat5 = 1.4
 Obsoletes: jakarta-commons-dbcp-tomcat5 < 1.4
@@ -225,7 +226,7 @@ Libraries required to successfully run the Tomcat Web container
 Summary: Apache Tomcat Servlet API implementation classes
 Group: Productivity/Networking/Web/Servers
 Requires(post): update-alternatives
-Requires(postun): update-alternatives
+Requires(postun):update-alternatives
 Provides: %{name}-servlet-%{servletspec}-api = %{version}-%{release}
 Provides: servlet = %{servletspec}
 Provides: servlet31
@@ -261,6 +262,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl
@@ -634,17 +636,17 @@ update-alternatives --install %{_javadir}/servlet.jar servlet \
 %{_javadir}/%{name}-servlet-%{servletspec}-api.jar 30000
 # Fix for bsc#1092163.
 # Keep the /usr/share/java/tomcat-servlet.jar symlink for compatibility.
-# In case of update from an older version where /usr/share/java/tomcat-servlet.jar is an alternatives symlink
+# In case of update from an older version where /usr/share/java/tomcat-servlet.jar is an alternatives symlink
 # the update-alternatives in the new version will cause a rename tomcat-servlet.jar -> servlet.jar.
 # This makes sure the tomcat-servlet.jar is recreated if it's missing because of the rename.
-if [ ! -f %{_javadir}/%{name}-servlet.jar ]; then
+if [ ! -f %{_javadir}/%{name}-servlet.jar ]; then
 echo "Recreating symlink %{_javadir}/%{name}-servlet.jar"
 ln -s %{_javadir}/%{name}-servlet-%{servletspec}-api.jar %{_javadir}/%{name}-servlet.jar
 fi
 %postun servlet-4_0-api
 if [ $1 -eq 0 ] ; then
- if [ ! -f %{_sysconfdir}/alternatives/servlet ]; then
+ if [ ! -f %{_sysconfdir}/alternatives/servlet ]; then
 # /etc/alternatives/servlet was removed on uninstall.
 # Create a broken symlink to make sure update-alternatives works correctly and falls back
 # to servletapi5 or servletapi4 if they're installed.