Accepting request 967588 from Java:packages

OBS-URL: https://build.opensuse.org/request/show/967588 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tomcat?expand=0&rev=83
2022-04-07 22:28:32 +00:00 · 2022-04-07 22:28:32 +00:00 · 889daa511d
commit 889daa511d
parent e9c006bd2f 45b1f5a3f7
3 changed files with 59 additions and 0 deletions
--- a/tomcat-9.0-hardening_getResources.patch
+++ b/tomcat-9.0-hardening_getResources.patch
@ -0,0 +1,51 @@
+From 8a904f6065080409a1e00606cd7bceec6ad8918c Mon Sep 17 00:00:00 2001
+From: Mark Thomas <markt@apache.org>
+Date: Wed, 30 Mar 2022 20:22:49 +0100
+Subject: [PATCH] Security hardening. Deprecate getResources() and always
+ return null.
+
+This method is never used by Tomcat. If something accidently exposes the
+class loader then this method can be used to gain access to Tomcat
+internals.
+---
+ .../apache/catalina/loader/WebappClassLoaderBase.java  |  7 ++++++-
+ webapps/docs/changelog.xml                             | 10 ++++++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+Index: apache-tomcat-9.0.43-src/java/org/apache/catalina/loader/WebappClassLoaderBase.java
+===================================================================
+--- apache-tomcat-9.0.43-src.orig/java/org/apache/catalina/loader/WebappClassLoaderBase.java
+++ apache-tomcat-9.0.43-src/java/org/apache/catalina/loader/WebappClassLoaderBase.java
+@@ -425,10 +425,15 @@ public abstract class WebappClassLoaderB
+     // ------------------------------------------------------------- Properties
+ 
+     /**
+     * Unused. Always returns {@code null}.
+     *
+      * @return associated resources.
+     *
+     * @deprecated This will be removed in Tomcat 10.1.x onwards
+      */
+    @Deprecated
+     public WebResourceRoot getResources() {
+-        return this.resources;
+        return null;
+     }
+ 
+ 
+Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
+===================================================================
+--- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
+@@ -106,6 +106,12 @@
+ <section name="Tomcat 9.0.43 (markt)">
+   <subsection name="Catalina">
+     <changelog>
+      <add>
+         Effectively disable the
+         <code>WebappClassLoaderBase.getResources()</code> method as it is not
+         used and if something accidently exposes the class loader this method
+         can be used to gain access to Tomcat internals. (markt)
+      </add>
+       <fix>
+         <bug>63508</bug>: NPE in JNDIRealm when no <code>userRoleAttribute</code>
+         is given. (fschumacher)
--- a/tomcat.changes
+++ b/tomcat.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Apr  7 08:48:46 UTC 2022 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Security hardening. Deprecate getResources() and always return null. (bsc#1198136)
+- Added patch: tomcat-9.0-hardening_getResources.patch
+
 -------------------------------------------------------------------
 Wed Feb 23 11:57:30 UTC 2022 - Fridrich Strba <fstrba@suse.com>

--- a/tomcat.spec
+++ b/tomcat.spec
@ -87,6 +87,7 @@ Patch8:         tomcat-9.0-CVE-2021-33037.patch
 Patch9:         tomcat-9.0-CVE-2021-30640.patch
 Patch10:        tomcat-9.0-NPE-JNDIRealm.patch
 Patch11:        tomcat-9.0-CVE-2022-23181.patch
+Patch12:        tomcat-9.0-hardening_getResources.patch

 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
@ -264,6 +265,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1

 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl