[Git][java-team/tomcat9][buster] 3 commits: Fixed CVE-2020-13935: WebSocket Denial of Service
Emmanuel Bourg
gitlab at salsa.debian.org
Tue Jul 14 21:17:06 BST 2020
Emmanuel Bourg pushed to branch buster at Debian Java Maintainers / tomcat9
Commits:
674d2cf7 by Emmanuel Bourg at 2020-07-14T22:07:54+02:00
Fixed CVE-2020-13935: WebSocket Denial of Service
- - - - -
b9b647aa by Emmanuel Bourg at 2020-07-14T22:11:38+02:00
Fixed CVE-2020-13934: HTTP/2 Denial of Service
- - - - -
ca222445 by Emmanuel Bourg at 2020-07-14T22:12:14+02:00
Upload to buster-security
- - - - -
4 changed files:
- debian/changelog
- + debian/patches/CVE-2020-13934.patch
- + debian/patches/CVE-2020-13935.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,17 @@
+tomcat9 (9.0.31-1~deb10u2) buster-security; urgency=medium
+
+ * Team upload.
+ * Fixed CVE-2020-13935: WebSocket Denial of Service. The payload length
+ in a WebSocket frame was not correctly validated. Invalid payload lengths
+ could trigger an infinite loop. Multiple requests with invalid payload
+ lengths could lead to a denial of service.
+ * Fixed CVE-2020-13934: HTTP/2 Denial of Service. An h2c direct connection
+ did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a
+ sufficient number of such requests were made, an OutOfMemoryException
+ could occur leading to a denial of service.
+
+ -- Emmanuel Bourg <ebourg at apache.org> Tue, 14 Jul 2020 22:11:58 +0200
+
tomcat9 (9.0.31-1~deb10u1) buster-security; urgency=high
* Team upload.
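Review bot: both CVE descriptions say "an OutOfMemoryException could occur" (the same wording is in the patch header for CVE-2020-13934); the Java class is java.lang.OutOfMemoryError, so "an OutOfMemoryError could occur" would be accurate. The new entry is also tagged urgency=medium while the previous buster-security entry directly below it uses urgency=high; pick one urgency for security uploads to this suite and apply it consistently.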
=====================================
debian/patches/CVE-2020-13934.patch
=====================================
@@ -0,0 +1,30 @@
+Description: Fixes CVE-2020-13934: HTTP/2 Denial of Service.
+ An h2c direct connection did not release the HTTP/1.1 processor after the
+ upgrade to HTTP/2. If a sufficient number of such requests were made, an
+ OutOfMemoryException could occur leading to a denial of service.
+Origin: backport, https://github.com/apache/tomcat/commit/172977f0
+--- a/java/org/apache/coyote/AbstractProtocol.java
++++ b/java/org/apache/coyote/AbstractProtocol.java
+@@ -876,8 +876,10 @@
+ // Assume direct HTTP/2 connection
+ UpgradeProtocol upgradeProtocol = getProtocol().getUpgradeProtocol("h2c");
+ if (upgradeProtocol != null) {
+- processor = upgradeProtocol.getProcessor(
+- wrapper, getProtocol().getAdapter());
++ // Release the Http11 processor to be re-used
++ release(processor);
++ // Create the upgrade processor
++ processor = upgradeProtocol.getProcessor(wrapper, getProtocol().getAdapter());
+ wrapper.unRead(leftOverInput);
+ // Associate with the processor with the connection
+ wrapper.setCurrentProcessor(processor);
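Review bot: release(processor) runs before upgradeProtocol.getProcessor(wrapper, getProtocol().getAdapter()) has succeeded, so if getProcessor throws, `processor` still refers to an object already returned to the pool and any catch-all cleanup further down can release it a second time; either release only after the new processor has been obtained, or set `processor = null` immediately after release(processor) so a later release is a no-op. Also worth confirming that leftOverInput was copied out of the Http11 processor before this point, since that processor is recycled here and wrapper.unRead(leftOverInput) runs afterwards.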
+@@ -887,7 +889,8 @@
+ "abstractConnectionHandler.negotiatedProcessor.fail",
+ "h2c"));
+ }
+- return SocketState.CLOSED;
++ // Exit loop and trigger appropriate clean-up
++ state = SocketState.CLOSED;
+ }
+ } else {
+ HttpUpgradeHandler httpUpgradeHandler = upgradeToken.getHttpUpgradeHandler();
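Review bot: replacing `return SocketState.CLOSED;` with `state = SocketState.CLOSED;` only fixes the leak if the enclosing loop terminates on that state and the code after the loop releases the Http11 processor that the h2c path failed to upgrade; neither is visible in this hunk, so confirm both, since an un-released processor on this path is exactly what CVE-2020-13934 is about. The comment "Exit loop and trigger appropriate clean-up" would be more useful if it named the loop condition or the clean-up it relies on.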
=====================================
debian/patches/CVE-2020-13935.patch
=====================================
@@ -0,0 +1,32 @@
+Description: Fixes CVE-2020-13935: WebSocket Denial of Service
+ The payload length in a WebSocket frame was not correctly validated.
+ Invalid payload lengths could trigger an infinite loop. Multiple
+ requests with invalid payload lengths could lead to a denial of service.
+Origin: backport, https://github.com/apache/tomcat/commit/40fa74c7
+Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=64563
+--- a/java/org/apache/tomcat/websocket/LocalStrings.properties
++++ b/java/org/apache/tomcat/websocket/LocalStrings.properties
+@@ -71,6 +71,7 @@
+ wsFrame.notMasked=The client frame was not masked but all client frames must be masked
+ wsFrame.oneByteCloseCode=The client sent a close frame with a single byte payload which is not valid
+ wsFrame.partialHeaderComplete=WebSocket frame received. fin [{0}], rsv [{1}], OpCode [{2}], payload length [{3}]
++wsFrame.payloadMsbInvalid=An invalid WebSocket frame was received - the most significant bit of a 64-bit payload was illegally set
+ wsFrame.sessionClosed=The client data cannot be processed because the session has already been closed
+ wsFrame.suspendRequested=Suspend of the message receiving has already been requested.
+ wsFrame.textMessageTooBig=The decoded text message was too big for the output buffer and the endpoint does not support partial messages
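Review bot: the new message says "the most significant bit of a 64-bit payload was illegally set", but what is checked is the 64-bit payload length field, so suggest "the most significant bit of a 64-bit payload length was illegally set". Only the default LocalStrings.properties is updated; lookups still work because ResourceBundle falls back to the base bundle for a key missing from a translated file, but users of the translated bundles will see this one message in English.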
+--- a/java/org/apache/tomcat/websocket/WsFrameBase.java
++++ b/java/org/apache/tomcat/websocket/WsFrameBase.java
+@@ -261,6 +261,13 @@
+ } else if (payloadLength == 127) {
+ payloadLength = byteArrayToLong(inputBuffer.array(),
+ inputBuffer.arrayOffset() + inputBuffer.position(), 8);
++ // The most significant bit of those 8 bytes is required to be zero
++ // (see RFC 6455, section 5.2). If the most significant bit is set,
++ // the resulting payload length will be negative so test for that.
++ if (payloadLength < 0) {
++ throw new WsIOException(
++ new CloseReason(CloseCodes.PROTOCOL_ERROR, sm.getString("wsFrame.payloadMsbInvalid")));
++ }
+ inputBuffer.position(inputBuffer.position() + 8);
+ }
+ if (Util.isControl(opCode)) {
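Review bot: the check rejects only a set sign bit; RFC 6455 section 5.2 also requires the minimal encoding, so a value carried in the 8-byte form must be at least 65536 (and one in the 2-byte form at least 126), which this hunk does not enforce. That is not needed to stop the loop described in the patch header, but this is the place to add it if the non-minimal forms are to be rejected too. Note also that the throw happens before `inputBuffer.position(inputBuffer.position() + 8);` advances the buffer, which is only safe because the WsIOException with CloseCodes.PROTOCOL_ERROR closes the connection; a short comment saying so would help the next reader.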
=====================================
debian/patches/series
=====================================
@@ -12,3 +12,5 @@
0026-easymock4-compatibility.patch
0027-java11-compilation.patch
JDTCompiler.patch
+CVE-2020-13934.patch
+CVE-2020-13935.patch
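The WebSocket length check described in the changelog above and implemented in the WsFrameBase.java hunk, as an added example in Python that is not part of the Debian package or of Tomcat: it parses the frame header defined in RFC 6455 section 5.2, applies the rule the patch adds (the `payloadLength < 0` test on a Java long is mirrored by unpacking the 8 bytes as a signed big-endian integer) and, going beyond the patch, also enforces the minimal-encoding and control-frame rules from the same section. The frames it feeds itself are constructed inline; FrameError, NeedMoreData, parse_frame_header, build_frame_header and check_frame are names chosen for this example, not Tomcat's.

```python
"""WebSocket frame-header parsing with the RFC 6455 section 5.2 length rules.

Added example, not Tomcat code. The sign test on the 8-byte length mirrors the
CVE-2020-13935 fix (payloadLength < 0 on a Java long)."""
import struct
from dataclasses import dataclass
from typing import Optional

PROTOCOL_ERROR = 1002  # RFC 6455 section 7.4.1 close code (CloseCodes.PROTOCOL_ERROR in Tomcat)


class FrameError(Exception):
    """Malformed frame; the endpoint should close with close_code."""

    def __init__(self, message: str, close_code: int = PROTOCOL_ERROR):
        super().__init__(message)
        self.close_code = close_code


class NeedMoreData(Exception):
    """The header is not complete yet; read more bytes and retry."""


@dataclass
class FrameHeader:
    fin: bool
    rsv: int
    opcode: int
    masked: bool
    payload_length: int
    mask_key: Optional[bytes]
    header_size: int  # bytes consumed; the payload starts here


def parse_frame_header(buf: bytes, client_frame: bool = True) -> FrameHeader:
    """Parse the frame header at the start of buf, rejecting invalid lengths."""
    if len(buf) < 2:
        raise NeedMoreData()
    b0, b1 = buf[0], buf[1]
    fin, rsv, opcode = bool(b0 & 0x80), (b0 >> 4) & 0x07, b0 & 0x0F
    masked, length = bool(b1 & 0x80), b1 & 0x7F
    pos = 2

    if length == 126:  # 16-bit extended length
        if len(buf) < pos + 2:
            raise NeedMoreData()
        length = struct.unpack_from("!H", buf, pos)[0]
        pos += 2
        if length < 126:
            raise FrameError("non-minimal length encoding (16-bit form for a 7-bit value)")
    elif length == 127:  # 64-bit extended length
        if len(buf) < pos + 8:
            raise NeedMoreData()
        # Java's byteArrayToLong yields a signed long, so a set MSB reads as a
        # negative value; that is the test the patch adds. Same test here.
        as_java_long = struct.unpack_from("!q", buf, pos)[0]
        if as_java_long < 0:
            raise FrameError("most significant bit of the 64-bit payload length is set")
        length = as_java_long
        pos += 8
        if length < 0x10000:
            raise FrameError("non-minimal length encoding (64-bit form for a 16-bit value)")

    if opcode & 0x08:  # control frame (close, ping, pong)
        if length > 125:
            raise FrameError("control frame payload longer than 125 bytes")
        if not fin:
            raise FrameError("fragmented control frame")
    if client_frame and not masked:
        raise FrameError("client frame is not masked")

    mask_key = None
    if masked:
        if len(buf) < pos + 4:
            raise NeedMoreData()
        mask_key = bytes(buf[pos:pos + 4])
        pos += 4
    return FrameHeader(fin, rsv, opcode, masked, length, mask_key, pos)


def build_frame_header(opcode: int, payload_length: int, fin: bool = True,
                       mask_key: Optional[bytes] = b"\x11\x22\x33\x44",
                       length_form: Optional[int] = None) -> bytes:
    """Constructed test input. length_form (7, 16 or 64) forces an encoding so
    that malformed headers can be produced on purpose."""
    if length_form is None:
        length_form = 7 if payload_length < 126 else 16 if payload_length < 0x10000 else 64
    b0 = (0x80 if fin else 0) | (opcode & 0x0F)
    mask_bit = 0x80 if mask_key is not None else 0
    if length_form == 7:
        header = bytes([b0, mask_bit | (payload_length & 0x7F)])
    elif length_form == 16:
        header = bytes([b0, mask_bit | 126]) + struct.pack("!H", payload_length & 0xFFFF)
    else:
        header = bytes([b0, mask_bit | 127]) + struct.pack("!Q", payload_length & (2**64 - 1))
    return header + (mask_key if mask_key is not None else b"")


def check_frame(buf: bytes) -> Optional[int]:
    """None if the header is acceptable, otherwise the close code to send."""
    try:
        parse_frame_header(buf)
        return None
    except FrameError as err:
        return err.close_code


if __name__ == "__main__":
    print(parse_frame_header(build_frame_header(0x1, 70000)))
    print(check_frame(build_frame_header(0x1, (1 << 63) | 70000)))  # 1002
```

A frame whose 8-byte length has bit 63 set is the input the changelog describes: before the patch Tomcat read it as a negative payload length, after it the frame is answered with a PROTOCOL_ERROR close, which is what check_frame returns here. NeedMoreData is kept separate from FrameError so a caller reading from a socket can tell "wait for more bytes" apart from "close the connection".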
View it on GitLab: https://salsa.debian.org/java-team/tomcat9/-/compare/f65e52e2087e8e852cb62d75454cfe10ed740095...ca222445de686c1ff1922ee9b0bef559ac2dcc35