rpm/tomcat
SHA256
1
0
Fork 0
forked from pool/tomcat
Code Pull Requests Activity

Accepting request 1037056 from home:mbussolotto:branches:Java:packages

Browse Source 
- Fixed CVEs:
  * CVE-2022-42252: reject invalid content-length requests. (bsc#1204918)
- Added patches:
  * tomcat-9.0.43-CVE-2022-42252.patch

OBS-URL: https://build.opensuse.org/request/show/1037056
OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=245
This commit is contained in:
Fridrich Strba 2022-11-21 12:28:39 +00:00 committed by Git OBS Bridge
parent 803dc2e41e
commit d041727005
3 changed files with 118 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

108
tomcat-9.0.43-CVE-2022-42252.patch Normal file
View File

@ -0,0 +1,108 @@
From 4c7f4fd09d2cc1692112ef70b8ee23a7a037ae77 Mon Sep 17 00:00:00 2001
From: Mark Thomas <markt@apache.org>
Date: Mon, 3 Oct 2022 11:59:01 +0100
Subject: [PATCH] Requests with invalid content-length should always be
rejected
---
Index: apache-tomcat-9.0.43-src/java/org/apache/coyote/http11/Http11InputBuffer.java
===================================================================
--- apache-tomcat-9.0.43-src.orig/java/org/apache/coyote/http11/Http11InputBuffer.java
+++ apache-tomcat-9.0.43-src/java/org/apache/coyote/http11/Http11InputBuffer.java
@@ -886,7 +886,7 @@ public class Http11InputBuffer implement
headerData.lastSignificantChar = pos;
byteBuffer.position(byteBuffer.position() - 1);
// skipLine() will handle the error
- return skipLine();
+ return skipLine(false);
}
// chr is next byte of header name. Convert to lowercase.
@@ -897,7 +897,7 @@ public class Http11InputBuffer implement
// Skip the line and ignore the header
if (headerParsePos == HeaderParsePosition.HEADER_SKIPLINE) {
- return skipLine();
+ return skipLine(false);
}
//
@@ -948,15 +948,11 @@ public class Http11InputBuffer implement
} else if (prevChr == Constants.CR && chr == Constants.LF) {
eol = true;
} else if (prevChr == Constants.CR) {
- // Invalid value
- // Delete the header (it will be the most recent one)
- headers.removeHeader(headers.size() - 1);
- return skipLine();
+ // Invalid value - also need to delete header
+ return skipLine(true);
} else if (chr != Constants.HT && HttpParser.isControl(chr)) {
- // Invalid value
- // Delete the header (it will be the most recent one)
- headers.removeHeader(headers.size() - 1);
- return skipLine();
+ // Invalid value - also need to delete header
+ return skipLine(true);
} else if (chr == Constants.SP || chr == Constants.HT) {
byteBuffer.put(headerData.realPos, chr);
headerData.realPos++;
@@ -1004,7 +1000,27 @@ public class Http11InputBuffer implement
}
- private HeaderParseStatus skipLine() throws IOException {
+ private HeaderParseStatus skipLine(boolean deleteHeader) throws IOException {
+ boolean rejectThisHeader = rejectIllegalHeader;
+ // Check if rejectIllegalHeader is disabled and needs to be overridden
+ // for this header. The header name is required to determine if this
+ // override is required. The header name is only available once the
+ // header has been created. If the header has been created then
+ // deleteHeader will be true.
+ if (!rejectThisHeader && deleteHeader) {
+ if (headers.getName(headers.size() - 1).equalsIgnoreCase("content-length")) {
+ // Malformed content-length headers must always be rejected
+ // RFC 9112, section 6.3, bullet 5.
+ rejectThisHeader = true;
+ } else {
+ // Only need to delete the header if the request isn't going to
+ // be rejected (it will be the most recent one)
+ headers.removeHeader(headers.size() - 1);
+ }
+ }
+
+ // Parse the rest of the invalid header so we can construct a useful
+ // exception and/or debug message.
headerParsePos = HeaderParsePosition.HEADER_SKIPLINE;
boolean eol = false;
@@ -1029,11 +1045,11 @@ public class Http11InputBuffer implement
headerData.lastSignificantChar = pos;
}
}
- if (rejectIllegalHeader || log.isDebugEnabled()) {
+ if (rejectThisHeader || log.isDebugEnabled()) {
String message = sm.getString("iib.invalidheader",
HeaderUtil.toPrintableString(byteBuffer.array(), headerData.lineStart,
headerData.lastSignificantChar - headerData.lineStart + 1));
- if (rejectIllegalHeader) {
+ if (rejectThisHeader) {
throw new IllegalArgumentException(message);
}
log.debug(message);
Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
@@ -223,6 +223,11 @@
Avoid possible infinite loop in <code>OpenSSLEngine.unwrap</code>
when the destination buffers state is changed concurrently. (remm)
</fix>
+ <fix>
+ Enforce the requirement of RFC 7230 onwards that a request with a
+ malformed <code>content-length</code> header should always be rejected
+ with a 400 response. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">

8
tomcat.changes
View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Mon Nov 21 07:42:34 UTC 2022 - Michele Bussolotto <michele.bussolotto@suse.com>
- Fixed CVEs:
* CVE-2022-42252: reject invalid content-length requests. (bsc#1204918)
- Added patches:
* tomcat-9.0.43-CVE-2022-42252.patch
-------------------------------------------------------------------
Wed Jul 13 13:41:43 UTC 2022 - Fridrich Strba <fstrba@suse.com>

2
tomcat.spec
View File

@ -89,6 +89,7 @@ Patch10: tomcat-9.0-NPE-JNDIRealm.patch
Patch11: tomcat-9.0-CVE-2022-23181.patch
Patch12: tomcat-9.0-hardening_getResources.patch
Patch13: tomcat-9.0.43-CVE-2021-43980.patch
Patch14: tomcat-9.0.43-CVE-2022-42252.patch
BuildRequires: ant >= 1.8.1
BuildRequires: ant-antlr
@ -268,6 +269,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
# remove date from docs
sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl