rpm/tomcat
SHA256
1
0
Fork 0
forked from pool/tomcat
Code Pull Requests Activity

- Fixed CVEs:

Browse Source 
* CVE-2022-23181: Make calculation of session storage location more robust (bsc#1195255)
- Added patches:
  * tomcat-9.0-CVE-2022-23181.patch

OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=232
This commit is contained in:
Michele Bussolotto 2022-01-28 14:25:17 +00:00 committed by Git OBS Bridge
parent 7b1f875f7f
commit c2fd26d820
3 changed files with 47 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
tomcat-9.0-CVE-2022-23181.patch Normal file
View File

@ -0,0 +1,36 @@
Index: apache-tomcat-9.0.43-src/java/org/apache/catalina/session/FileStore.java
===================================================================
--- apache-tomcat-9.0.43-src.orig/java/org/apache/catalina/session/FileStore.java
+++ apache-tomcat-9.0.43-src/java/org/apache/catalina/session/FileStore.java
@@ -349,13 +349,14 @@ public final class FileStore extends Sto
String filename = id + FILE_EXT;
File file = new File(storageDir, filename);
+ File canonicalFile = file.getCanonicalFile();
// Check the file is within the storage directory
- if (!file.getCanonicalFile().toPath().startsWith(storageDir.getCanonicalFile().toPath())) {
+ if (!canonicalFile.toPath().startsWith(storageDir.getCanonicalFile().toPath())) {
log.warn(sm.getString("fileStore.invalid", file.getPath(), id));
return null;
}
- return file;
+ return canonicalFile;
}
}
Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
@@ -118,6 +118,10 @@
Expand coverage of unit tests for JNDIRealm using the UnboundID LDAP SDK
for Java. (markt)
</scode>
+ <fix>
+ Make the calculation of the session storage location more robust when
+ using file based persistent storage. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">

8
tomcat.changes
View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Fri Jan 28 14:01:40 UTC 2022 - Michele Bussolotto <michele.bussolotto@suse.com>
- Fixed CVEs:
* CVE-2022-23181: Make calculation of session storage location more robust (bsc#1195255)
- Added patches:
* tomcat-9.0-CVE-2022-23181.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Jan 10 16:16:16 UTC 2022 - olaf@aepfle.de Mon Jan 10 16:16:16 UTC 2022 - olaf@aepfle.de

4
tomcat.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package tomcat # spec file for package tomcat
# #
# Copyright (c) 2021 SUSE LLC # Copyright (c) 2022 SUSE LLC
# Copyright (c) 2000-2009, JPackage Project # Copyright (c) 2000-2009, JPackage Project
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
@ -87,6 +87,7 @@ Patch7: tomcat-9.0-CVE-2021-41079.patch
Patch8: tomcat-9.0-CVE-2021-33037.patch Patch8: tomcat-9.0-CVE-2021-33037.patch
Patch9: tomcat-9.0-CVE-2021-30640.patch Patch9: tomcat-9.0-CVE-2021-30640.patch
Patch10: tomcat-9.0-NPE-JNDIRealm.patch Patch10: tomcat-9.0-NPE-JNDIRealm.patch
Patch11: tomcat-9.0-CVE-2022-23181.patch
BuildRequires: ant >= 1.8.1 BuildRequires: ant >= 1.8.1
BuildRequires: ant-antlr BuildRequires: ant-antlr
@ -265,6 +266,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
%patch8 -p1 %patch8 -p1
%patch9 -p1 %patch9 -p1
%patch10 -p1 %patch10 -p1
%patch11 -p1
# remove date from docs # remove date from docs
sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl