OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat10?expand=0&rev=30

2024-02-15 08:20:45 +00:00 · 2024-02-15 08:20:45 +00:00 · f9dc8097f3
commit f9dc8097f3
parent 4842fe2b5e
2 changed files with 22 additions and 15 deletions
--- a/tomcat10.changes
+++ b/tomcat10.changes
@ -1,7 +1,7 @@
-------------------------------------------------------------------
-Tue Feb  6 10:04:21 UTC 2024 - Michele Bussolotto <michele.bussolotto@suse.com>
+Fri Jan 26 12:37:05 UTC 2024 - Michele Bussolotto <michele.bussolotto@suse.com>

- rpm 4.19 requires dependencies on tomcat user and group (bsc#1219530)
+- Fixed CVEs:
+  * CVE-2024-22029: run xsltproc as tomcat group (bsc#1219208)

 -------------------------------------------------------------------
 Wed Jan 17 15:59:25 UTC 2024 - Michele Bussolotto <michele.bussolotto@suse.com>
--- a/tomcat10.spec
+++ b/tomcat10.spec
@ -138,8 +138,6 @@ Requires:       libtcnative-1-0 >= 1.2.38
 Requires:       logrotate
 BuildArch:      noarch
 Conflicts:      %{app_name}
-Provides:       group(tomcat)
-Provides:       user(tomcat)

 %description
 Tomcat is the servlet container that is used in the official Reference
@ -593,7 +591,8 @@ getent passwd tomcat >/dev/null || %{_sbindir}/useradd -c "Apache Tomcat" \
 %post
 %service_add_post %{app_name}.service
 %{fillup_only %{app_name}}
-xsltproc  --output %{confdir}/server.xml %{confdir}/valve.xslt %{confdir}/server.xml
+chown -R tomcat:tomcat %{confdir}/server.xml
+runuser -u tomcat -g tomcat -- xsltproc --output %{confdir}/server.xml %{confdir}/valve.xslt %{confdir}/server.xml

 %preun
 %service_del_preun %{app_name}.service
@ -665,17 +664,22 @@ rm -f \
    %{libdir}/\[ecj\].jar >/dev/null 2>&1

 %post webapps
-xsltproc --output %{tomcatappdir}/ROOT/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml
-if [ ! -e %{_datadir}/%{app_name}/webapps/ROOT ]; then
-    ln -sf  %{tomcatappdir}/ROOT %{_datadir}/%{app_name}/webapps/ROOT
-fi
-xsltproc --output %{tomcatappdir}/examples/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml
+chown -R tomcat:tomcat %{tomcatappdir}/examples/META-INF
+runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/examples/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml
 if [ ! -e %{_datadir}/%{app_name}/webapps/examples ]; then
    ln -sf %{tomcatappdir}/examples %{_datadir}/%{app_name}/webapps/examples
 fi
 #use the same context.xml for sample war
+mkdir -p %{tomcatappdir}/ROOT/META-INF
+chown -R tomcat:tomcat %{tomcatappdir}/ROOT/META-INF
+runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/ROOT/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml
+if [ ! -e %{_datadir}/%{app_name}/webapps/ROOT ]; then
+    ln -sf  %{tomcatappdir}/ROOT %{_datadir}/%{app_name}/webapps/ROOT
+fi
+#use the same context.xml for sample war
 mkdir -p %{tomcatappdir}/webapps/sample/META-INF
-xsltproc --output %{tomcatappdir}/sample/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml
+chown -R tomcat:tomcat %{tomcatappdir}/sample/META-INF
+runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/sample/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml
 if [ ! -e %{_datadir}/%{app_name}/webapps/sample ]; then
    ln -sf %{tomcatappdir}/sample  %{_datadir}/%{app_name}/webapps/sample
 fi
@ -687,18 +691,21 @@ if [ $1 -eq 0 ]; then # uninstall only
 fi

 %post admin-webapps
-xsltproc --output %{tomcatappdir}/manager/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/manager/META-INF/context.xml
+chown -R tomcat:tomcat %{tomcatappdir}/manager/META-INF
+runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/manager/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/manager/META-INF/context.xml
 if [ ! -e %{_datadir}/%{app_name}/webapps/manager ]; then
    ln -sf %{tomcatappdir}/manager %{_datadir}/%{app_name}/webapps/manager
 fi

-xsltproc --output %{tomcatappdir}/host-manager/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/host-manager/META-INF/context.xml
+chown -R tomcat:tomcat %{tomcatappdir}/host-manager/META-INF
+runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/host-manager/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/host-manager/META-INF/context.xml
 if [ ! -e %{_datadir}/%{app_name}/webapps/host-manager ]; then
    ln -sf %{tomcatappdir}/host-manager %{_datadir}/%{app_name}/webapps/host-manager
 fi

 %post docs-webapp
-xsltproc --output %{tomcatappdir}/docs/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/docs/META-INF/context.xml
+chown -R tomcat:tomcat %{tomcatappdir}/docs/META-INF
+runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/docs/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/docs/META-INF/context.xml
 if [ ! -e %{_datadir}/%{app_name}/webapps/docs ]; then
    ln -sf %{tomcatappdir}/docs %{_datadir}/%{app_name}/webapps/docs
 fi