Accepting request 880011 from Java:packages

CVE-2021-24122 OBS-URL: https://build.opensuse.org/request/show/880011 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tomcat?expand=0&rev=75
2021-03-19 15:42:50 +00:00 · 2021-03-19 15:42:50 +00:00 · 4f4c21c76b
commit 4f4c21c76b
parent d9af3c549b b87f5648b0
3 changed files with 94 additions and 8 deletions
--- a/tomcat-9.0-CVE-2021-24122.patch
+++ b/tomcat-9.0-CVE-2021-24122.patch
@ -0,0 +1,77 @@
+Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
+@@ -22,11 +22,15 @@ import java.net.MalformedURLException;
+ import java.net.URL;
+ 
+ import org.apache.catalina.LifecycleException;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+ import org.apache.tomcat.util.compat.JrePlatform;
+ import org.apache.tomcat.util.http.RequestUtil;
+ 
+ public abstract class AbstractFileResourceSet extends AbstractResourceSet {
+ 
+    private static final Log log = LogFactory.getLog(AbstractFileResourceSet.class);
+
+     protected static final String[] EMPTY_STRING_ARRAY = new String[0];
+ 
+     private File fileBase;
+@@ -128,6 +132,19 @@ public abstract class AbstractFileResour
+             canPath = normalize(canPath);
+         }
+         if (!canPath.equals(absPath)) {
+            if (!canPath.equalsIgnoreCase(absPath)) {
+                // Typically means symlinks are in use but being ignored. Given
+                // the symlink was likely created for a reason, log a warning
+                // that it was ignored.
+                String msg = sm.getString("abstractFileResourceSet.canonicalfileCheckFailed",
+                        getRoot().getContext().getName(), absPath, canPath);
+                // Log issues with configuration files at a higher level
+                if(absPath.startsWith("/META-INF/") || absPath.startsWith("/WEB-INF/")) {
+                    log.error(msg);
+                } else {
+                    log.warn(msg);
+                }
+            }
+             return null;
+         }
+ 
+@@ -144,7 +161,7 @@ public abstract class AbstractFileResour
+         // expression irrespective of input length.
+         for (int i = 0; i < len; i++) {
+             char c = name.charAt(i);
+-            if (c == '\"' || c == '<' || c == '>') {
+            if (c == '\"' || c == '<' || c == '>' || c == ':') {
+                 // These characters are disallowed in Windows file names and
+                 // there are known problems for file names with these characters
+                 // when using File#getCanonicalPath().
+Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/LocalStrings.properties
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/webresources/LocalStrings.properties
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/LocalStrings.properties
+@@ -15,6 +15,8 @@
+ 
+ abstractArchiveResourceSet.setReadOnlyFalse=Archive based WebResourceSets such as those based on JARs are hard-coded to be read-only and may not be configured to be read-write
+ 
+abstractFileResourceSet.canonicalfileCheckFailed=Resource for web application [{0}] at path [{1}] was not loaded as the canonical path [{2}] did not match. Use of symlinks is one possible cause.
+
+ abstractResource.getContentFail=Unable to return [{0}] as a byte array
+ abstractResource.getContentTooLarge=Unable to return [{0}] as a byte array since the resource is [{1}] bytes in size which is larger than the maximum size of a byte array
+ 
+Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
+@@ -81,6 +81,10 @@
+         <bug>64493</bug>: Revert possible change of returned protocol
+         attribute value on the <code>Connector</code>. (remm)
+       </fix>
+      <add>
+        <bug>64871</bug>: Log a warning if Tomcat blocks access to a file
+        because it uses symlinks. (markt)
+      </add>
+     </changelog>
+   </subsection>
+   <subsection name="Coyote">
--- a/tomcat.changes
+++ b/tomcat.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Mar 17 16:16:52 UTC 2021 - Abid Mehmood <amehmood@suse.com>
+
+- Log if file access is blocked due to symlinks: CVE-2021-24122 (bsc#1180947) 
+- Added patch:
+  * tomcat-9.0-CVE-2021-24122.patch
+
 -------------------------------------------------------------------
 Wed Dec 16 12:17:22 UTC 2020 - Abid Mehmood <amehmood@suse.com>

--- a/tomcat.spec
+++ b/tomcat.spec
@ -1,7 +1,7 @@
 #
 # spec file for package tomcat
 #
-# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2021 SUSE LLC
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@ -85,6 +85,7 @@ Patch5:         tomcat-9.0.31-java8compat.patch
 Patch6:         tomcat-9.0.31-secretRequired-default.patch
 Patch7:         tomcat-9.0-CVE-2020-13943.patch
 Patch8:         tomcat-9.0-CVE-2020-17527.patch
+Patch9:         tomcat-9.0-CVE-2021-24122.patch

 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
@ -162,7 +163,7 @@ The documentation of web application for Apache Tomcat.
 Summary:        Expression Language v3.0 API
 Group:          Development/Libraries/Java
 Requires(post): update-alternatives
-Requires(preun): update-alternatives
+Requires(preun):update-alternatives
 Provides:       %{name}-el-%{elspec}-api = %{version}-%{release}
 Provides:       el_3_0_api = %{version}-%{release}
 Provides:       el_api = %{elspec}
@ -186,7 +187,7 @@ Group:          Productivity/Networking/Web/Servers
 Requires:       mvn(org.apache.tomcat:tomcat-el-api)
 Requires:       mvn(org.apache.tomcat:tomcat-servlet-api)
 Requires(post): update-alternatives
-Requires(postun): update-alternatives
+Requires(postun):update-alternatives
 Provides:       %{name}-jsp-%{jspspec}-api
 Provides:       jsp = %{jspspec}
 Provides:       jsp23
@ -214,7 +215,7 @@ Requires:       %{name}-el-%{elspec}-api = %{version}-%{release}
 Requires:       %{name}-jsp-%{jspspec}-api = %{version}-%{release}
 Requires:       %{name}-servlet-%{servletspec}-api = %{version}-%{release}
 Requires(post): ecj >= 4.4
-Requires(preun): coreutils
+Requires(preun):coreutils
 Provides:       jakarta-commons-dbcp-tomcat5 = 1.4
 Obsoletes:      jakarta-commons-dbcp-tomcat5 < 1.4

@ -225,7 +226,7 @@ Libraries required to successfully run the Tomcat Web container
 Summary:        Apache Tomcat Servlet API implementation classes
 Group:          Productivity/Networking/Web/Servers
 Requires(post): update-alternatives
-Requires(postun): update-alternatives
+Requires(postun):update-alternatives
 Provides:       %{name}-servlet-%{servletspec}-api = %{version}-%{release}
 Provides:       servlet = %{servletspec}
 Provides:       servlet31
@ -261,6 +262,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1

 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl