From 6bc85246b38af186fcf978b858f810e9d0858f446e09051b0d6c245076685e47 Mon Sep 17 00:00:00 2001 From: Michele Bussolotto Date: Fri, 7 Apr 2023 08:08:28 +0000 Subject: [PATCH] Accepting request 1077841 from home:mbussolotto:branches:Java:packages - Fixed CVEs: * CVE-2022-45143: JsonErrorReportValve: add escape for type, message or description (bsc#1206840) - Added patches: * tomcat-9.0.43-CVE-2022-45143.patch OBS-URL: https://build.opensuse.org/request/show/1077841 OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=256 --- tomcat-9.0.43-CVE-2022-45143.patch | 208 +++++++++++++++++++++++++++++ tomcat.changes | 8 ++ tomcat.spec | 2 + 3 files changed, 218 insertions(+) create mode 100644 tomcat-9.0.43-CVE-2022-45143.patch diff --git a/tomcat-9.0.43-CVE-2022-45143.patch b/tomcat-9.0.43-CVE-2022-45143.patch new file mode 100644 index 0000000..f5e613e --- /dev/null +++ b/tomcat-9.0.43-CVE-2022-45143.patch 
@@ -0,0 +1,208 @@ +From b336f4e58893ea35114f1e4a415657f723b1298e Mon Sep 17 00:00:00 2001 +From: Mark Thomas +Date: Wed, 9 Nov 2022 12:39:15 +0000 +Subject: [PATCH] Avoid invalid JSON in JSONErrorReportValve output + +--- + .../catalina/valves/JsonErrorReportValve.java | 7 +- + .../apache/tomcat/util/json/JSONFilter.java | 61 ++++++++++++++ + .../tomcat/util/json/TestJSONFilter.java | 82 +++++++++++++++++++ + webapps/docs/changelog.xml | 5 ++ + 4 files changed, 152 insertions(+), 3 deletions(-) + create mode 100644 java/org/apache/tomcat/util/json/JSONFilter.java + create mode 100644 test/org/apache/tomcat/util/json/TestJSONFilter.java + +Index: apache-tomcat-9.0.43-src/java/org/apache/catalina/valves/JsonErrorReportValve.java +=================================================================== +--- apache-tomcat-9.0.43-src.orig/java/org/apache/catalina/valves/JsonErrorReportValve.java ++++ apache-tomcat-9.0.43-src/java/org/apache/catalina/valves/JsonErrorReportValve.java +@@ -24,6 +24,7 @@ import org.apache.catalina.connector.Req + import org.apache.catalina.connector.Response; + import org.apache.coyote.ActionCode; + import org.apache.tomcat.util.ExceptionUtils; ++import org.apache.tomcat.util.json.JSONFilter; + import org.apache.tomcat.util.res.StringManager; + + /** +@@ -82,9 +83,9 @@ public class JsonErrorReportValve extend + } + } + String jsonReport = "{\n" + +- " \"type\": \"" + type + "\",\n" + +- " \"message\": \"" + message + "\"\n" + +- " \"description\": \"" + description + "\"\n" + ++ " \"type\": \"" + JSONFilter.escape(type) + "\",\n" + ++ " \"message\": \"" + JSONFilter.escape(message) + "\",\n" + ++ " \"description\": \"" + JSONFilter.escape(description) + "\"\n" + + "}"; + try { + try { +Index: apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/json/JSONFilter.java +=================================================================== +--- /dev/null ++++ apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/json/JSONFilter.java +@@ -0,0 +1,61 @@ 
++/* ++ * Licensed to the Apache Software Foundation (ASF) under one or more ++ * contributor license agreements. See the NOTICE file distributed with ++ * this work for additional information regarding copyright ownership. ++ * The ASF licenses this file to You under the Apache License, Version 2.0 ++ * (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++package org.apache.tomcat.util.json; ++ ++/** ++ * Provides escaping of values so they can be included in a JSON document. ++ * Escaping is based on the definition of JSON found in ++ * RFC 8259. ++ */ ++public class JSONFilter { ++ ++ private JSONFilter() { ++ // Utility class. Hide the default constructor. ++ } ++ ++ public static String escape(String input) { ++ /* ++ * While any character MAY be escaped, only U+0000 to U+001F (control ++ * characters), U+0022 (quotation mark) and U+005C (reverse solidus) ++ * MUST be escaped. 
++ */ ++ char[] chars = input.toCharArray(); ++ StringBuffer escaped = null; ++ int lastUnescapedStart = 0; ++ for (int i = 0; i < chars.length; i++) { ++ if (chars[i] < 0x20 || chars[i] == 0x22 || chars[i] == 0x5c) { ++ if (escaped == null) { ++ escaped = new StringBuffer(chars.length + 20); ++ } ++ if (lastUnescapedStart < i) { ++ escaped.append(input.subSequence(lastUnescapedStart, i)); ++ } ++ lastUnescapedStart = i + 1; ++ escaped.append("\\u"); ++ escaped.append(String.format("%04X", Integer.valueOf(chars[i]))); ++ } ++ } ++ if (escaped == null) { ++ return input; ++ } else { ++ if (lastUnescapedStart < chars.length) { ++ escaped.append(input.subSequence(lastUnescapedStart, chars.length)); ++ } ++ return escaped.toString(); ++ } ++ } ++} +Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml +=================================================================== +--- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml ++++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml +@@ -133,6 +133,11 @@ + RemoteIpFilter determines that this request was submitted + via a secure channel. (lihan) + ++ ++ Escape values used to construct output for the ++ JsonErrorReportValve to ensure that it always outputs valid ++ JSON. (markt) ++ + + + +Index: apache-tomcat-9.0.43-src/test/org/apache/tomcat/util/json/TestJSONFilter.java +=================================================================== +--- /dev/null ++++ apache-tomcat-9.0.43-src/test/org/apache/tomcat/util/json/TestJSONFilter.java +@@ -0,0 +1,82 @@ ++/* ++ * Licensed to the Apache Software Foundation (ASF) under one or more ++ * contributor license agreements. See the NOTICE file distributed with ++ * this work for additional information regarding copyright ownership. ++ * The ASF licenses this file to You under the Apache License, Version 2.0 ++ * (the "License"); you may not use this file except in compliance with ++ * the License. 
You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++package org.apache.tomcat.util.json; ++ ++import java.util.ArrayList; ++import java.util.Collection; ++ ++import org.junit.Assert; ++import org.junit.Test; ++import org.junit.runner.RunWith; ++import org.junit.runners.Parameterized; ++import org.junit.runners.Parameterized.Parameter; ++ ++ ++@RunWith(Parameterized.class) ++public class TestJSONFilter { ++ ++ @Parameterized.Parameters(name = "{index}: input[{0}], output[{1}]") ++ public static Collection parameters() { ++ Collection parameterSets = new ArrayList<>(); ++ ++ // Empty ++ parameterSets.add(new String[] { "", "" }); ++ ++ // Must escape ++ parameterSets.add(new String[] { "\"", "\\u0022" }); ++ parameterSets.add(new String[] { "\\", "\\u005C" }); ++ // Sample of controls ++ parameterSets.add(new String[] { "\t", "\\u0009" }); ++ parameterSets.add(new String[] { "\n", "\\u000A" }); ++ parameterSets.add(new String[] { "\r", "\\u000D" }); ++ ++ // No escape ++ parameterSets.add(new String[] { "aaa", "aaa" }); ++ ++ // Start ++ parameterSets.add(new String[] { "\naaa", "\\u000Aaaa" }); ++ parameterSets.add(new String[] { "\n\naaa", "\\u000A\\u000Aaaa" }); ++ ++ // Middle ++ parameterSets.add(new String[] { "aaa\naaa", "aaa\\u000Aaaa" }); ++ parameterSets.add(new String[] { "aaa\n\naaa", "aaa\\u000A\\u000Aaaa" }); ++ ++ // End ++ parameterSets.add(new String[] { "aaa\n", "aaa\\u000A" }); ++ parameterSets.add(new String[] { "aaa\n\n", "aaa\\u000A\\u000A" }); ++ ++ // Start, middle and end ++ parameterSets.add(new String[] { "\naaa\naaa\n", "\\u000Aaaa\\u000Aaaa\\u000A" }); ++ 
parameterSets.add(new String[] { "\n\naaa\n\naaa\n\n", "\\u000A\\u000Aaaa\\u000A\\u000Aaaa\\u000A\\u000A" }); ++ ++ // Multiple ++ parameterSets.add(new String[] { "\n\n", "\\u000A\\u000A" }); ++ ++ return parameterSets; ++ } ++ ++ @Parameter(0) ++ public String input; ++ ++ @Parameter(1) ++ public String output; ++ ++ @Test ++ public void testStringEscaping() { ++ Assert.assertEquals(output, JSONFilter.escape(input));; ++ } ++} diff --git a/tomcat.changes b/tomcat.changes index 90e9bdb..35e3ec3 100644 --- a/tomcat.changes +++ b/tomcat.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Fri Apr 7 07:56:31 UTC 2023 - Michele Bussolotto + +- Fixed CVEs: + * CVE-2022-45143: JsonErrorReportValve: add escape for type, message or description (bsc#1206840) +- Added patches: + * tomcat-9.0.43-CVE-2022-45143.patch + ------------------------------------------------------------------- Thu Mar 23 08:06:31 UTC 2023 - Michele Bussolotto diff --git a/tomcat.spec b/tomcat.spec index 0d1ed33..016cfff 100644 --- a/tomcat.spec +++ b/tomcat.spec @@ -93,6 +93,7 @@ Patch15: tomcat-9.0-fix_catalina.patch Patch16: tomcat-9.0-logrotate_everything.patch Patch17: tomcat-9.0.43-CVE-2023-24998.patch Patch18: tomcat-9.0.43-CVE-2023-28708.patch +Patch19: tomcat-9.0.43-CVE-2022-45143.patch BuildRequires: ant >= 1.8.1 BuildRequires: ant-antlr @@ -277,6 +278,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name " %patch16 -p1 %patch17 -p1 %patch18 -p1 +%patch19 -p1 # remove date from docs sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl
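Review bot: `JSONFilter.escape` dereferences `input` via `input.toCharArray()` with no null guard, so the three `JSONFilter.escape(...)` calls added to `JsonErrorReportValve` turn a null `type`, `message` or `description` into a NullPointerException where the old concatenation merely rendered the literal text `null`. The code that derives those three values sits above the hunk, so whether any of them can actually be null cannot be confirmed from the diff; if one can (a status set without a reason phrase and without a throwable may be such a case), the error report would now be lost instead of degraded. A guard at the top of `escape` preserves the previous output, e.g. `if (input == null) { return null; } // caller's concatenation then still emits "null" as before`, and `TestJSONFilter` should pin that contract with a null case alongside the existing parameters. As style points, the local `StringBuffer escaped` never leaves the method so `StringBuilder` is the idiomatic choice, and `Assert.assertEquals(output, JSONFilter.escape(input));;` carries a stray second semicolon. The valve method that builds `jsonReport` starts outside the hunk.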