Accepting request 1068181 from home:mbussolotto:branches:Java:packages

- Fixed CVEs: * CVE-2023-24998: tomcat,tomcat6: FileUpload DoS with excessive parts (bsc#1208513) - Added patches: * tomcat-9.0.43-CVE-2023-24998.patch OBS-URL: https://build.opensuse.org/request/show/1068181 OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=252
2023-03-03 05:35:10 +00:00 · 2023-03-03 05:35:10 +00:00 · db57f882c4
commit db57f882c4
parent 503278cde3
3 changed files with 273 additions and 2 deletions
--- a/tomcat-9.0.43-CVE-2023-24998.patch
+++ b/tomcat-9.0.43-CVE-2023-24998.patch
@ -0,0 +1,262 @@
+From cf77cc545de0488fb89e24294151504a7432df74 Mon Sep 17 00:00:00 2001
+From: Mark Thomas <markt@apache.org>
+Date: Tue, 13 Dec 2022 17:55:34 +0000
+Subject: [PATCH] Update packaged renamed fork of Commons File Upload
+
+---
+ MERGE.txt                                     |  2 +-
+ .../apache/catalina/connector/Request.java    | 10 +++-
+ .../apache/tomcat/util/http/Parameters.java   |  5 ++
+ .../util/http/fileupload/FileUploadBase.java  | 29 +++++++++++
+ .../impl/FileCountLimitExceededException.java | 50 +++++++++++++++++++
+ webapps/docs/changelog.xml                    |  8 +++
+ webapps/docs/config/ajp.xml                   | 15 +++---
+ webapps/docs/config/http.xml                  | 15 +++---
+ 8 files changed, 120 insertions(+), 14 deletions(-)
+ create mode 100644 java/org/apache/tomcat/util/http/fileupload/impl/FileCountLimitExceededException.java
+
+Index: apache-tomcat-9.0.43-src/MERGE.txt
+===================================================================
+--- apache-tomcat-9.0.43-src.orig/MERGE.txt
+++ apache-tomcat-9.0.43-src/MERGE.txt
+@@ -51,7 +51,7 @@ FileUpload
+ Sub-tree:
+ src/main/java/org/apache/commons/fileupload2
+ The SHA1 ID / tag for the most recent commit to be merged to Tomcat is:
+-ee0a7131b6b87586b28542de354951414dedac3f (2021-01-15)
+34eb241c051b02eca3b0b1b04f67b3b4e6c3a24d (2023-01-03)
+ 
+ Note: Tomcat's copy of fileupload also includes classes copied manually from
+       Commons IO.
+Index: apache-tomcat-9.0.43-src/java/org/apache/catalina/connector/Request.java
+===================================================================
+--- apache-tomcat-9.0.43-src.orig/java/org/apache/catalina/connector/Request.java
+++ apache-tomcat-9.0.43-src/java/org/apache/catalina/connector/Request.java
+@@ -2862,8 +2862,9 @@ public class Request implements HttpServ
+             }
+         }
+ 
+        int maxParameterCount = getConnector().getMaxParameterCount();
+         Parameters parameters = coyoteRequest.getParameters();
+-        parameters.setLimit(getConnector().getMaxParameterCount());
+        parameters.setLimit(maxParameterCount);
+ 
+         boolean success = false;
+         try {
+@@ -2915,6 +2916,13 @@ public class Request implements HttpServ
+             upload.setFileItemFactory(factory);
+             upload.setFileSizeMax(mce.getMaxFileSize());
+             upload.setSizeMax(mce.getMaxRequestSize());
+            if (maxParameterCount > -1) {
+                // There is a limit. The limit for parts needs to be reduced by
+                // the number of parameters we have already parsed.
+                // Must be under the limit else parsing parameters would have
+                // triggered an exception.
+                upload.setFileCountMax(maxParameterCount - parameters.size());
+            }
+ 
+             parts = new ArrayList<>();
+             try {
+Index: apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/http/Parameters.java
+===================================================================
+--- apache-tomcat-9.0.43-src.orig/java/org/apache/tomcat/util/http/Parameters.java
+++ apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/http/Parameters.java
+@@ -125,6 +125,11 @@ public final class Parameters {
+     }
+ 
+ 
+    public int size() {
+        return parameterCount;
+    }
+
+
+     public void recycle() {
+         parameterCount = 0;
+         paramHashValues.clear();
+Index: apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
+===================================================================
+--- apache-tomcat-9.0.43-src.orig/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
+++ apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
+@@ -25,6 +25,7 @@ import java.util.Locale;
+ import java.util.Map;
+ import java.util.Objects;
+ 
+import org.apache.tomcat.util.http.fileupload.impl.FileCountLimitExceededException;
+ import org.apache.tomcat.util.http.fileupload.impl.FileItemIteratorImpl;
+ import org.apache.tomcat.util.http.fileupload.impl.FileItemStreamImpl;
+ import org.apache.tomcat.util.http.fileupload.impl.FileUploadIOException;
+@@ -133,6 +134,12 @@ public abstract class FileUploadBase {
+     private long fileSizeMax = -1;
+ 
+     /**
+     * The maximum permitted number of files that may be uploaded in a single
+     * request. A value of -1 indicates no maximum.
+     */
+    private long fileCountMax = -1;
+
+    /**
+      * The content encoding to use when reading part headers.
+      */
+     private String headerEncoding;
+@@ -209,6 +216,24 @@ public abstract class FileUploadBase {
+     }
+ 
+     /**
+     * Returns the maximum number of files allowed in a single request.
+     *
+     * @return The maximum number of files allowed in a single request.
+     */
+    public long getFileCountMax() {
+        return fileCountMax;
+    }
+
+    /**
+     * Sets the maximum number of files allowed per request/
+     *
+     * @param fileCountMax The new limit. {@code -1} means no limit.
+     */
+    public void setFileCountMax(long fileCountMax) {
+        this.fileCountMax = fileCountMax;
+    }
+
+    /**
+      * Retrieves the character encoding used when reading the headers of an
+      * individual part. When not specified, or {@code null}, the request
+      * encoding is used. If that is also not specified, or {@code null},
+@@ -281,6 +306,10 @@ public abstract class FileUploadBase {
+             final FileItemFactory fileItemFactory = Objects.requireNonNull(getFileItemFactory(), "No FileItemFactory has been set.");
+             final byte[] buffer = new byte[Streams.DEFAULT_BUFFER_SIZE];
+             while (iter.hasNext()) {
+                if (items.size() == fileCountMax) {
+                    // The next item will exceed the limit.
+                    throw new FileCountLimitExceededException(ATTACHMENT, getFileCountMax());
+                }
+                 final FileItemStream item = iter.next();
+                 // Don't use getName() here to prevent an InvalidFileNameException.
+                 final String fileName = ((FileItemStreamImpl) item).getName();
+Index: apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/http/fileupload/impl/FileCountLimitExceededException.java
+===================================================================
+--- /dev/null
+++ apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/http/fileupload/impl/FileCountLimitExceededException.java
+@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.http.fileupload.impl;
+
+import org.apache.tomcat.util.http.fileupload.FileUploadException;
+
+/**
+ * This exception is thrown if a request contains more files than the specified
+ * limit.
+ */
+public class FileCountLimitExceededException extends FileUploadException {
+
+    private static final long serialVersionUID = 2408766352570556046L;
+
+    private final long limit;
+
+    /**
+     * Creates a new instance.
+     *
+     * @param message The detail message
+     * @param limit The limit that was exceeded
+     */
+    public FileCountLimitExceededException(final String message, final long limit) {
+        super(message);
+        this.limit = limit;
+    }
+
+    /**
+     * Retrieves the limit that was exceeded.
+     *
+     * @return The limit that was exceeded by the request
+     */
+    public long getLimit() {
+        return limit;
+    }
+}
+Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
+===================================================================
+--- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
+@@ -142,6 +142,14 @@
+       </fix>
+     </changelog>
+   </subsection>
+  <subsection name="Other">
+    <changelog>
+      <update>
+        Update the internal fork of Apache Commons FileUpload to 34eb241
+        (2023-01-03, 2.0-SNAPSHOT). (markt)
+      </update>
+    </changelog>
+  </subsection>
+ </section>
+ <section name="Tomcat 9.0.42 (markt)" rtext="not released">
+   <subsection name="Catalina">
+Index: apache-tomcat-9.0.43-src/webapps/docs/config/ajp.xml
+===================================================================
+--- apache-tomcat-9.0.43-src.orig/webapps/docs/config/ajp.xml
+++ apache-tomcat-9.0.43-src/webapps/docs/config/ajp.xml
+@@ -136,12 +136,15 @@
+     </attribute>
+ 
+     <attribute name="maxParameterCount" required="false">
+-      <p>The maximum number of parameter and value pairs (GET plus POST) which
+-      will be automatically parsed by the container. Parameter and value pairs
+-      beyond this limit will be ignored. A value of less than 0 means no limit.
+-      If not specified, a default of 10000 is used. Note that
+-      <code>FailedRequestFilter</code> <a href="filter.html">filter</a> can be
+-      used to reject requests that hit the limit.</p>
+      <p>The maximum total number of request parameters (including uploaded
+      files) obtained from the query string and, for POST requests, the request
+      body if the content type is
+      <code>application/x-www-form-urlencoded</code> or
+      <code>multipart/form-data</code>. Request parameters beyond this limit
+      will be ignored. A value of less than 0 means no limit. If not specified,
+      a default of 10000 is used. Note that <code>FailedRequestFilter</code>
+      <a href="filter.html">filter</a> can be used to reject requests that
+      exceed the limit.</p>
+     </attribute>
+ 
+     <attribute name="maxPostSize" required="false">
+Index: apache-tomcat-9.0.43-src/webapps/docs/config/http.xml
+===================================================================
+--- apache-tomcat-9.0.43-src.orig/webapps/docs/config/http.xml
+++ apache-tomcat-9.0.43-src/webapps/docs/config/http.xml
+@@ -153,12 +153,15 @@
+     </attribute>
+ 
+     <attribute name="maxParameterCount" required="false">
+-      <p>The maximum number of parameter and value pairs (GET plus POST) which
+-      will be automatically parsed by the container. Parameter and value pairs
+-      beyond this limit will be ignored. A value of less than 0 means no limit.
+-      If not specified, a default of 10000 is used. Note that
+-      <code>FailedRequestFilter</code> <a href="filter.html">filter</a> can be
+-      used to reject requests that hit the limit.</p>
+      <p>The maximum total number of request parameters (including uploaded
+      files) obtained from the query string and, for POST requests, the request
+      body if the content type is
+      <code>application/x-www-form-urlencoded</code> or
+      <code>multipart/form-data</code>. Request parameters beyond this limit
+      will be ignored. A value of less than 0 means no limit. If not specified,
+      a default of 10000 is used. Note that <code>FailedRequestFilter</code>
+      <a href="filter.html">filter</a> can be used to reject requests that
+      exceed the limit.</p>
+     </attribute>
+ 
+     <attribute name="maxPostSize" required="false">
--- a/tomcat.changes
+++ b/tomcat.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Feb 28 11:14:24 UTC 2023 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Fixed CVEs:
+  * CVE-2023-24998: tomcat,tomcat6: FileUpload DoS with excessive parts (bsc#1208513)
+- Added patches:
+  * tomcat-9.0.43-CVE-2023-24998.patch
+
 -------------------------------------------------------------------
 Fri Dec 23 08:20:55 UTC 2022 - Michele Bussolotto <michele.bussolotto@suse.com>

--- a/tomcat.spec
+++ b/tomcat.spec
@ -1,7 +1,7 @@
 #
 # spec file for package tomcat
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@ -91,6 +91,7 @@ Patch13:        tomcat-9.0.43-CVE-2021-43980.patch
 Patch14:        tomcat-9.0.43-CVE-2022-42252.patch
 Patch15:        tomcat-9.0-fix_catalina.patch
 Patch16:        tomcat-9.0-logrotate_everything.patch
+Patch17:        tomcat-9.0.43-CVE-2023-24998.patch

 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
@ -273,6 +274,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch14 -p1
 %patch15 -p1
 %patch16 -p1
+%patch17 -p1

 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl
@ -693,7 +695,6 @@ fi
 %{serverxmltool} add-context.xslt docBase=%{tomcatappdir}/host-manager path=/host-manager contextXml=%{tomcatappdir}/host-manager/META-INF/context.xml
 %{serverxmltool} add-context.xslt docBase=%{tomcatappdir}/manager path=/manager contextXml=%{tomcatappdir}/manager/META-INF/context.xml

-
 %postun admin-webapps
 if [ $1 -eq 0 ]; then # uninstall only
  %{serverxmltool} remove-context.xslt docBase=%{tomcatappdir}/host-manager path=/host-manager