- Fixed CVEs:

* CVE-2022-23181: Make calculation of session storage location more robust (bsc#1195255) - Added patches: * tomcat-9.0-CVE-2022-23181.patch OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=232
2022-01-28 14:25:17 +00:00 · 2022-01-28 14:25:17 +00:00 · c2fd26d820
commit c2fd26d820
parent 7b1f875f7f
3 changed files with 47 additions and 1 deletions
--- a/tomcat-9.0-CVE-2022-23181.patch
+++ b/tomcat-9.0-CVE-2022-23181.patch
@ -0,0 +1,36 @@
+Index: apache-tomcat-9.0.43-src/java/org/apache/catalina/session/FileStore.java
+===================================================================
+--- apache-tomcat-9.0.43-src.orig/java/org/apache/catalina/session/FileStore.java
+++ apache-tomcat-9.0.43-src/java/org/apache/catalina/session/FileStore.java
+@@ -349,13 +349,14 @@ public final class FileStore extends Sto
+ 
+         String filename = id + FILE_EXT;
+         File file = new File(storageDir, filename);
+        File canonicalFile = file.getCanonicalFile();
+ 
+         // Check the file is within the storage directory
+-        if (!file.getCanonicalFile().toPath().startsWith(storageDir.getCanonicalFile().toPath())) {
+        if (!canonicalFile.toPath().startsWith(storageDir.getCanonicalFile().toPath())) {
+             log.warn(sm.getString("fileStore.invalid", file.getPath(), id));
+             return null;
+         }
+ 
+-        return file;
+        return canonicalFile;
+     }
+ }
+Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
+===================================================================
+--- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
+@@ -118,6 +118,10 @@
+         Expand coverage of unit tests for JNDIRealm using the UnboundID LDAP SDK
+         for Java. (markt)
+       </scode>
+      <fix>
+        Make the calculation of the session storage location more robust when
+        using file based persistent storage. (markt)
+      </fix>
+     </changelog>
+   </subsection>
+   <subsection name="Coyote">
--- a/tomcat.changes
+++ b/tomcat.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Jan 28 14:01:40 UTC 2022 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Fixed CVEs:
+  * CVE-2022-23181: Make calculation of session storage location more robust (bsc#1195255)
+- Added patches:
+  * tomcat-9.0-CVE-2022-23181.patch
+
 -------------------------------------------------------------------
 Mon Jan 10 16:16:16 UTC 2022 - olaf@aepfle.de

--- a/tomcat.spec
+++ b/tomcat.spec
@ -1,7 +1,7 @@
 #
 # spec file for package tomcat
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@ -87,6 +87,7 @@ Patch7:         tomcat-9.0-CVE-2021-41079.patch
 Patch8:         tomcat-9.0-CVE-2021-33037.patch
 Patch9:         tomcat-9.0-CVE-2021-30640.patch
 Patch10:        tomcat-9.0-NPE-JNDIRealm.patch
+Patch11:        tomcat-9.0-CVE-2022-23181.patch

 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
@ -265,6 +266,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1

 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl