From c2fd26d82081d13541b8f92dc3d406715c66850d9f70f03ddcbd8bbe2eea86cf Mon Sep 17 00:00:00 2001
From: Michele Bussolotto
Date: Fri, 28 Jan 2022 14:25:17 +0000
Subject: [PATCH] - Fixed CVEs: * CVE-2022-23181: Make calculation of session storage location more robust (bsc#1195255) - Added patches: * tomcat-9.0-CVE-2022-23181.patch
OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=232
---
tomcat-9.0-CVE-2022-23181.patch | 36 +++++++++++++++++++++++++++++++++
tomcat.changes | 8 ++++++++
tomcat.spec | 4 +++-
3 files changed, 47 insertions(+), 1 deletion(-)
create mode 100644 tomcat-9.0-CVE-2022-23181.patch
diff --git a/tomcat-9.0-CVE-2022-23181.patch b/tomcat-9.0-CVE-2022-23181.patch
new file mode 100644
index 0000000..79623ca
--- /dev/null
+++ b/tomcat-9.0-CVE-2022-23181.patch
@@ -0,0 +1,36 @@
+Index: apache-tomcat-9.0.43-src/java/org/apache/catalina/session/FileStore.java
+===================================================================
+--- apache-tomcat-9.0.43-src.orig/java/org/apache/catalina/session/FileStore.java
++++ apache-tomcat-9.0.43-src/java/org/apache/catalina/session/FileStore.java
+@@ -349,13 +349,14 @@ public final class FileStore extends Sto
+
+ String filename = id + FILE_EXT;
+ File file = new File(storageDir, filename);
++ File canonicalFile = file.getCanonicalFile();
+
+ // Check the file is within the storage directory
+- if (!file.getCanonicalFile().toPath().startsWith(storageDir.getCanonicalFile().toPath())) {
++ if (!canonicalFile.toPath().startsWith(storageDir.getCanonicalFile().toPath())) {
+ log.warn(sm.getString("fileStore.invalid", file.getPath(), id));
+ return null;
+ }
+
+- return file;
++ return canonicalFile;
+ }
+ }
+Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
+===================================================================
+--- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml
++++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
+@@ -118,6 +118,10 @@
+ Expand coverage of unit tests for JNDIRealm using the UnboundID LDAP SDK
+ for Java. (markt)
+
++
++ Make the calculation of the session storage location more robust when
++ using file based persistent storage. (markt)
++
+
+
+
diff --git a/tomcat.changes b/tomcat.changes
index 54d9941..c06549f 100644
--- a/tomcat.changes
+++ b/tomcat.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Jan 28 14:01:40 UTC 2022 - Michele Bussolotto
+
+- Fixed CVEs:
+ * CVE-2022-23181: Make calculation of session storage location more robust (bsc#1195255)
+- Added patches:
+ * tomcat-9.0-CVE-2022-23181.patch
+
 -------------------------------------------------------------------
 Mon Jan 10 16:16:16 UTC 2022 - olaf@aepfle.de
diff --git a/tomcat.spec b/tomcat.spec
index 2e15b89..be96942 100644
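Review bot: In the FileStore.java hunk carried by the new tomcat-9.0-CVE-2022-23181.patch, nothing records why the method now returns `canonicalFile` rather than `file`, so a later cleanup could go back to returning the unresolved path and reopen the gap between the containment check and the use of the file. I would add a comment above the return, for example `// Return the canonical path that was checked, not the original one, so the caller opens exactly what was validated`. The check and the eventual open are still separate filesystem operations, so the session storage directory should presumably stay writable only by the account Tomcat runs as. The `log.warn` line still reports `file.getPath()` and the raw `id`; whether `id` is already sanitised before it reaches this point is not visible here and is worth confirming. The enclosing method starts above the hunk's first line.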
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package tomcat
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -87,6 +87,7 @@ Patch7: tomcat-9.0-CVE-2021-41079.patch
 Patch8: tomcat-9.0-CVE-2021-33037.patch
 Patch9: tomcat-9.0-CVE-2021-30640.patch
 Patch10: tomcat-9.0-NPE-JNDIRealm.patch
+Patch11: tomcat-9.0-CVE-2022-23181.patch
 BuildRequires: ant >= 1.8.1
 BuildRequires: ant-antlr
@@ -265,6 +266,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1
 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl