diff --git a/tomcat-9.0-CVE-2020-17527.patch b/tomcat-9.0-CVE-2020-17527.patch
new file mode 100644
index 0000000..901797d
--- /dev/null
+++ b/tomcat-9.0-CVE-2020-17527.patch
@@ -0,0 +1,62 @@
+From d56293f816d6dc9e2b47107f208fa9e95db58c65 Mon Sep 17 00:00:00 2001
+From: Mark Thomas
+Date: Mon, 9 Nov 2020 19:23:12 +0000
+Subject: [PATCH] Fix BZ 64830 - concurrency issue in HPACK decoder
+
+https://bz.apache.org/bugzilla/show_bug.cgi?id=64830
+---
+java/org/apache/coyote/http2/HpackDecoder.java | 12 ++++--------
+webapps/docs/changelog.xml | 3 +++
+2 files changed, 7 insertions(+), 8 deletions(-)
+
+Index: apache-tomcat-9.0.36-src/java/org/apache/coyote/http2/HpackDecoder.java
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/java/org/apache/coyote/http2/HpackDecoder.java
++++ apache-tomcat-9.0.36-src/java/org/apache/coyote/http2/HpackDecoder.java
+@@ -73,8 +73,6 @@ public class HpackDecoder {
+ private volatile boolean countedCookie;
+ private volatile int headerSize = 0;
+
+- private final StringBuilder stringBuilder = new StringBuilder();
+-
+ HpackDecoder(int maxMemorySize) {
+ this.maxMemorySizeHard = maxMemorySize;
+ this.maxMemorySizeSoft = maxMemorySize;
+@@ -223,19 +221,17 @@ public class HpackDecoder {
+ if (huffman) {
+ return readHuffmanString(length, buffer);
+ }
++ StringBuilder stringBuilder = new StringBuilder(length);
+ for (int i = 0; i < length; ++i) {
+ stringBuilder.append((char) buffer.get());
+ }
+- String ret = stringBuilder.toString();
+- stringBuilder.setLength(0);
+- return ret;
++ return stringBuilder.toString();
+ }
+
+ private String readHuffmanString(int length, ByteBuffer buffer) throws HpackException {
++ StringBuilder stringBuilder = new StringBuilder(length);
+ HPackHuffman.decode(buffer, length, stringBuilder);
+- String ret = stringBuilder.toString();
+- stringBuilder.setLength(0);
+- return ret;
++ return stringBuilder.toString();
+ }
+
+ private String handleIndexedHeaderName(int index) throws HpackException {
+Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml
++++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
+@@ -126,6 +126,9 @@
+ Include the target URL in the log message when a WebSocket connection
+ fails. (markt)
+
++
++ 64830: Fix concurrency issue in HPACK decoder. (markt)
++
+
+
+
diff --git a/tomcat.changes b/tomcat.changes
index bda7bea..9f88ae6 100644
--- a/tomcat.changes
+++ b/tomcat.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Dec 16 12:17:22 UTC 2020 - Abid Mehmood
+
+- Fix HTTP/2 request header mix-up: CVE-2020-17527 (bsc#1179602)
+- Added patch:
+ * tomcat-9.0-CVE-2020-17527.patch
+
 -------------------------------------------------------------------
 Tue Nov 3 10:08:03 UTC 2020 - Matei Albu
diff --git a/tomcat.spec b/tomcat.spec
index d644f1c..c8d7809 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package tomcat
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -84,6 +84,7 @@ Patch5: tomcat-9.0.31-java8compat.patch
 # PATCH-FIX-OPENSUSE: set ajp connector secreteRequired to false by default to avoid tomcat not starting
 Patch6: tomcat-9.0.31-secretRequired-default.patch
 Patch7: tomcat-9.0-CVE-2020-13943.patch
+Patch8: tomcat-9.0-CVE-2020-17527.patch
 BuildRequires: ant >= 1.8.1
 BuildRequires: ant-antlr
@@ -259,6 +260,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl
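Review bot: Both added `new StringBuilder(length)` lines in the embedded HpackDecoder.java patch size an allocation from `length`, which in an HPACK string decoder is presumably the length prefix read from the peer, and no bound on it is visible in the hunk. The method holding the first one starts above the hunk, so please confirm that `length` is checked against `buffer.remaining()` and cannot be negative before these lines run, since a negative capacity throws `NegativeArraySizeException` rather than `HpackException`. In `readHuffmanString` the decoded text can be longer than the encoded `length`, so the capacity there is only a starting hint. The old code skipped `setLength(0)` whenever `HPackHuffman.decode` threw, which would leave partial data in the shared field for the next header value; a short comment such as `// Local builder: a failed decode must not leave data behind for the next header value (CVE-2020-17527)` would keep a later optimisation from bringing the field back.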
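Review bot: The first tomcat.spec hunk changes the copyright line from `# Copyright (c) 2020 SUSE LLC` to `# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.`, which has nothing to do with the CVE fix and looks like an older header being restored, possibly by packaging tooling. Dropping that line from the change would leave the security update with only the `Patch8:` and `%patch8 -p1` wiring, which makes it easier to audit and to backport. The neighbouring `Patch6` entry carries a `# PATCH-FIX-...` comment; a matching one above `Patch8`, for example `# PATCH-FIX-UPSTREAM: CVE-2020-17527 (bsc#1179602), HPACK decoder header value carry-over`, would record where the patch comes from.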