From db57f882c4039d1463b57aa9e9f516e73990881d67144df9a42df3d038b99628 Mon Sep 17 00:00:00 2001
From: Fridrich Strba
Date: Fri, 3 Mar 2023 05:35:10 +0000
Subject: [PATCH] Accepting request 1068181 from home:mbussolotto:branches:Java:packages

- Fixed CVEs:
 * CVE-2023-24998: tomcat,tomcat6: FileUpload DoS with excessive parts (bsc#1208513)
- Added patches:
 * tomcat-9.0.43-CVE-2023-24998.patch
OBS-URL: https://build.opensuse.org/request/show/1068181
OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=252
---
 tomcat-9.0.43-CVE-2023-24998.patch | 262 +++++++++++++++++++++++++++++
 tomcat.changes | 8 +
 tomcat.spec | 5 +-
 3 files changed, 273 insertions(+), 2 deletions(-)
 create mode 100644 tomcat-9.0.43-CVE-2023-24998.patch
diff --git a/tomcat-9.0.43-CVE-2023-24998.patch b/tomcat-9.0.43-CVE-2023-24998.patch
new file mode 100644
index 0000000..37c6b64
--- /dev/null
+++ b/tomcat-9.0.43-CVE-2023-24998.patch
@@ -0,0 +1,262 @@
+From cf77cc545de0488fb89e24294151504a7432df74 Mon Sep 17 00:00:00 2001
+From: Mark Thomas
+Date: Tue, 13 Dec 2022 17:55:34 +0000
+Subject: [PATCH] Update packaged renamed fork of Commons File Upload
+
+---
+ MERGE.txt | 2 +-
+ .../apache/catalina/connector/Request.java | 10 +++-
+ .../apache/tomcat/util/http/Parameters.java | 5 ++
+ .../util/http/fileupload/FileUploadBase.java | 29 +++++++++++
+ .../impl/FileCountLimitExceededException.java | 50 +++++++++++++++++++
+ webapps/docs/changelog.xml | 8 +++
+ webapps/docs/config/ajp.xml | 15 +++---
+ webapps/docs/config/http.xml | 15 +++---
+ 8 files changed, 120 insertions(+), 14 deletions(-)
+ create mode 100644 java/org/apache/tomcat/util/http/fileupload/impl/FileCountLimitExceededException.java
+
+Index: apache-tomcat-9.0.43-src/MERGE.txt
+===================================================================
+--- apache-tomcat-9.0.43-src.orig/MERGE.txt
++++ apache-tomcat-9.0.43-src/MERGE.txt
+@@ -51,7 +51,7 @@ FileUpload
+ Sub-tree:
+ src/main/java/org/apache/commons/fileupload2
+ The SHA1 ID / tag for the most recent commit to be merged to Tomcat is:
+-ee0a7131b6b87586b28542de354951414dedac3f (2021-01-15)
++34eb241c051b02eca3b0b1b04f67b3b4e6c3a24d (2023-01-03)
+
+ Note: Tomcat's copy of fileupload also includes classes copied manually from
+ Commons IO.
+Index: apache-tomcat-9.0.43-src/java/org/apache/catalina/connector/Request.java
+===================================================================
+--- apache-tomcat-9.0.43-src.orig/java/org/apache/catalina/connector/Request.java
++++ apache-tomcat-9.0.43-src/java/org/apache/catalina/connector/Request.java
+@@ -2862,8 +2862,9 @@ public class Request implements HttpServ
+ }
+ }
+
++ int maxParameterCount = getConnector().getMaxParameterCount();
+ Parameters parameters = coyoteRequest.getParameters();
+- parameters.setLimit(getConnector().getMaxParameterCount());
++ parameters.setLimit(maxParameterCount);
+
+ boolean success = false;
+ try {
+@@ -2915,6 +2916,13 @@ public class Request implements HttpServ
+ upload.setFileItemFactory(factory);
+ upload.setFileSizeMax(mce.getMaxFileSize());
+ upload.setSizeMax(mce.getMaxRequestSize());
++ if (maxParameterCount > -1) {
++ // There is a limit. The limit for parts needs to be reduced by
++ // the number of parameters we have already parsed.
++ // Must be under the limit else parsing parameters would have
++ // triggered an exception.
++ upload.setFileCountMax(maxParameterCount - parameters.size());
++ }
+
+ parts = new ArrayList<>();
+ try {
+Index: apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/http/Parameters.java
+===================================================================
+--- apache-tomcat-9.0.43-src.orig/java/org/apache/tomcat/util/http/Parameters.java
++++ apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/http/Parameters.java
+@@ -125,6 +125,11 @@ public final class Parameters {
+ }
+
+
++ public int size() {
++ return parameterCount;
++ }
++
++
+ public void recycle() {
+ parameterCount = 0;
+ paramHashValues.clear();
+Index: apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
+===================================================================
+--- apache-tomcat-9.0.43-src.orig/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
++++ apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
+@@ -25,6 +25,7 @@ import java.util.Locale;
+ import java.util.Map;
+ import java.util.Objects;
+
++import org.apache.tomcat.util.http.fileupload.impl.FileCountLimitExceededException;
+ import org.apache.tomcat.util.http.fileupload.impl.FileItemIteratorImpl;
+ import org.apache.tomcat.util.http.fileupload.impl.FileItemStreamImpl;
+ import org.apache.tomcat.util.http.fileupload.impl.FileUploadIOException;
+@@ -133,6 +134,12 @@ public abstract class FileUploadBase {
+ private long fileSizeMax = -1;
+
+ /**
++ * The maximum permitted number of files that may be uploaded in a single
++ * request. A value of -1 indicates no maximum.
++ */
++ private long fileCountMax = -1;
++
++ /**
+ * The content encoding to use when reading part headers.
+ */
+ private String headerEncoding;
+@@ -209,6 +216,24 @@ public abstract class FileUploadBase {
+ }
+
+ /**
++ * Returns the maximum number of files allowed in a single request.
++ *
++ * @return The maximum number of files allowed in a single request.
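Review bot: The value handed to `upload.setFileCountMax(maxParameterCount - parameters.size())` is 0 when parameter parsing has already used the whole `maxParameterCount` budget, and if `items` starts empty the new `items.size() == fileCountMax` check in FileUploadBase then rejects the very first part of the request; that is the expected consequence of one shared limit, but nothing in the hunk says so. The existing comment explains why the subtraction cannot go negative but not what a zero result means, so I would extend it with `// A result of 0 is valid: any part at all would exceed the shared limit.`. The statement that over-limit parameter parsing throws rather than silently truncating comes only from the comment, so it is worth confirming against the code that increments `parameterCount` before relying on `parameters.size()` never exceeding `maxParameterCount`. The enclosing method begins and ends outside the hunk.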
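Review bot: The new `size()` accessor on Parameters has no Javadoc, although the Request.java change in this same patch subtracts its result from the connector limit to derive the multipart part budget, so the exact meaning of the returned number now matters. The visible lines show it returns `parameterCount`, which `recycle()` resets to 0; whether parameters rejected for exceeding the limit are included in that count is not shown here. I would add `/** Returns the number of parameters added to this request so far (reset by {@link #recycle()}). */` above the method, adjusted once the counting rule is confirmed.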
++ */
++ public long getFileCountMax() {
++ return fileCountMax;
++ }
++
++ /**
++ * Sets the maximum number of files allowed per request/
++ *
++ * @param fileCountMax The new limit. {@code -1} means no limit.
++ */
++ public void setFileCountMax(long fileCountMax) {
++ this.fileCountMax = fileCountMax;
++ }
++
++ /**
+ * Retrieves the character encoding used when reading the headers of an
+ * individual part. When not specified, or {@code null}, the request
+ * encoding is used. If that is also not specified, or {@code null},
+@@ -281,6 +306,10 @@ public abstract class FileUploadBase {
+ final FileItemFactory fileItemFactory = Objects.requireNonNull(getFileItemFactory(), "No FileItemFactory has been set.");
+ final byte[] buffer = new byte[Streams.DEFAULT_BUFFER_SIZE];
+ while (iter.hasNext()) {
++ if (items.size() == fileCountMax) {
++ // The next item will exceed the limit.
++ throw new FileCountLimitExceededException(ATTACHMENT, getFileCountMax());
++ }
+ final FileItemStream item = iter.next();
+ // Don't use getName() here to prevent an InvalidFileNameException.
+ final String fileName = ((FileItemStreamImpl) item).getName();
+Index: apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/http/fileupload/impl/FileCountLimitExceededException.java
+===================================================================
+--- /dev/null
++++ apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/http/fileupload/impl/FileCountLimitExceededException.java
+@@ -0,0 +1,50 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License.
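Review bot: The Javadoc summary on `setFileCountMax` ends in a stray slash, `Sets the maximum number of files allowed per request/`, which should be a period. It would also help callers to state that the limit is applied to every multipart part the parser hands back, not only parts carrying a file name, since the Request.java change in this patch derives the value from the parameter budget and the docs wording says "including uploaded files"; if that reading of the `items.size()` check is right, a summary such as `Sets the maximum number of parts (files and form fields) allowed per request.` would be more accurate than "files". The `fileCountMax` field comment a few hunks earlier has the same "number of files" wording and would want the same adjustment.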
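Review bot: The guard `if (items.size() == fileCountMax)` depends on `items` growing by exactly one per iteration and on the sentinel -1 never matching; any other negative value passed to `setFileCountMax` also disables the limit silently, and a list that is not empty when the loop starts would skip the check entirely. Making the intent explicit costs one line: `if (fileCountMax >= 0 && items.size() >= fileCountMax) {`. Separately, the exception is built with `ATTACHMENT` as its detail message, which from its name looks like a Content-Disposition token rather than a description, so that literal is what an operator would see in the log when a request is rejected; passing a message that names the limit, for example `"Too many parts in multipart request; limit is " + fileCountMax`, would make the rejection diagnosable without a stack trace. The enclosing method (presumably `parseRequest`) is only partly visible in the hunk.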
You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.tomcat.util.http.fileupload.impl;
++
++import org.apache.tomcat.util.http.fileupload.FileUploadException;
++
++/**
++ * This exception is thrown if a request contains more files than the specified
++ * limit.
++ */
++public class FileCountLimitExceededException extends FileUploadException {
++
++ private static final long serialVersionUID = 2408766352570556046L;
++
++ private final long limit;
++
++ /**
++ * Creates a new instance.
++ *
++ * @param message The detail message
++ * @param limit The limit that was exceeded
++ */
++ public FileCountLimitExceededException(final String message, final long limit) {
++ super(message);
++ this.limit = limit;
++ }
++
++ /**
++ * Retrieves the limit that was exceeded.
++ *
++ * @return The limit that was exceeded by the request
++ */
++ public long getLimit() {
++ return limit;
++ }
++}
+Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
+===================================================================
+--- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml
++++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
+@@ -142,6 +142,14 @@
+ + + ++ ++ ++ ++ Update the internal fork of Apache Commons FileUpload to 34eb241 ++ (2023-01-03, 2.0-SNAPSHOT). (markt) ++ ++ + +
+ +Index: apache-tomcat-9.0.43-src/webapps/docs/config/ajp.xml +=================================================================== +--- apache-tomcat-9.0.43-src.orig/webapps/docs/config/ajp.xml ++++ apache-tomcat-9.0.43-src/webapps/docs/config/ajp.xml +@@ -136,12 +136,15 @@ + + + +-

The maximum number of parameter and value pairs (GET plus POST) which +- will be automatically parsed by the container. Parameter and value pairs +- beyond this limit will be ignored. A value of less than 0 means no limit. +- If not specified, a default of 10000 is used. Note that +- FailedRequestFilter filter can be +- used to reject requests that hit the limit.

++

The maximum total number of request parameters (including uploaded ++ files) obtained from the query string and, for POST requests, the request ++ body if the content type is ++ application/x-www-form-urlencoded or ++ multipart/form-data. Request parameters beyond this limit ++ will be ignored. A value of less than 0 means no limit. If not specified, ++ a default of 10000 is used. Note that FailedRequestFilter ++ filter can be used to reject requests that ++ exceed the limit.

+
+ + +Index: apache-tomcat-9.0.43-src/webapps/docs/config/http.xml +=================================================================== +--- apache-tomcat-9.0.43-src.orig/webapps/docs/config/http.xml ++++ apache-tomcat-9.0.43-src/webapps/docs/config/http.xml +@@ -153,12 +153,15 @@ + + + +-

The maximum number of parameter and value pairs (GET plus POST) which +- will be automatically parsed by the container. Parameter and value pairs +- beyond this limit will be ignored. A value of less than 0 means no limit. +- If not specified, a default of 10000 is used. Note that +- FailedRequestFilter filter can be +- used to reject requests that hit the limit.

++

The maximum total number of request parameters (including uploaded ++ files) obtained from the query string and, for POST requests, the request ++ body if the content type is ++ application/x-www-form-urlencoded or ++ multipart/form-data. Request parameters beyond this limit ++ will be ignored. A value of less than 0 means no limit. If not specified, ++ a default of 10000 is used. Note that FailedRequestFilter ++ filter can be used to reject requests that ++ exceed the limit.

+
+ + +
diff --git a/tomcat.changes b/tomcat.changes
index 3fcc3ef..627001d 100644
--- a/tomcat.changes
+++ b/tomcat.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Feb 28 11:14:24 UTC 2023 - Michele Bussolotto
+
+- Fixed CVEs:
+ * CVE-2023-24998: tomcat,tomcat6: FileUpload DoS with excessive parts (bsc#1208513)
+- Added patches:
+ * tomcat-9.0.43-CVE-2023-24998.patch
+
 -------------------------------------------------------------------
 Fri Dec 23 08:20:55 UTC 2022 - Michele Bussolotto

diff --git a/tomcat.spec b/tomcat.spec
index 80ed731..8df393b 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package tomcat
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -91,6 +91,7 @@ Patch13: tomcat-9.0.43-CVE-2021-43980.patch
 Patch14: tomcat-9.0.43-CVE-2022-42252.patch
 Patch15: tomcat-9.0-fix_catalina.patch
 Patch16: tomcat-9.0-logrotate_everything.patch
+Patch17: tomcat-9.0.43-CVE-2023-24998.patch

 BuildRequires: ant >= 1.8.1
 BuildRequires: ant-antlr
@@ -273,6 +274,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch14 -p1
 %patch15 -p1
 %patch16 -p1
+%patch17 -p1

 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl
@@ -693,7 +695,6 @@ fi
 %{serverxmltool} add-context.xslt docBase=%{tomcatappdir}/host-manager path=/host-manager contextXml=%{tomcatappdir}/host-manager/META-INF/context.xml
 %{serverxmltool} add-context.xslt docBase=%{tomcatappdir}/manager path=/manager contextXml=%{tomcatappdir}/manager/META-INF/context.xml
-
 %postun admin-webapps
 if [ $1 -eq 0 ]; then # uninstall only
 %{serverxmltool} remove-context.xslt docBase=%{tomcatappdir}/host-manager path=/host-manager