[Git][java-team/tomcat8][stretch] 2 commits: Add CVE-2020-13934.patch and CVE-2020-13935.patch
Markus Koschany
gitlab at salsa.debian.org
Wed Jul 22 17:41:06 BST 2020
Markus Koschany pushed to branch stretch at Debian Java Maintainers / tomcat8
Commits:
e64edfd6 by Markus Koschany at 2020-07-22T17:22:20+02:00
Add CVE-2020-13934.patch and CVE-2020-13935.patch
- - - - -
98510bdf by Markus Koschany at 2020-07-22T17:23:56+02:00
Update changelog
- - - - -
4 changed files:
- debian/changelog
- + debian/patches/CVE-2020-13934.patch
- + debian/patches/CVE-2020-13935.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,19 @@
+tomcat8 (8.5.54-0+deb9u3) stretch-security; urgency=high
+
+ * Non-maintainer upload by the LTS team.
+ * Fix CVE-2020-13934:
+ An h2c direct connection to Apache Tomcat did not release the HTTP/1.1
+ processor after the upgrade to HTTP/2. If a sufficient number of such
+ requests were made, an OutOfMemoryException could occur leading to a denial
+ of service.
+ * Fix CVE-2020-13935:
+ The payload length in a WebSocket frame was not correctly validated in
+ Apache Tomcat. Invalid payload lengths could trigger an infinite loop.
+ Multiple requests with invalid payload lengths could lead to a denial of
+ service.
+
+ -- Markus Koschany <apo at debian.org> Wed, 22 Jul 2020 17:22:27 +0200
+
tomcat8 (8.5.54-0+deb9u2) stretch-security; urgency=high
* Non-maintainer upload by the LTS team.
=====================================
debian/patches/CVE-2020-13934.patch
=====================================
@@ -0,0 +1,52 @@
+From: Markus Koschany <apo at debian.org>
+Date: Tue, 21 Jul 2020 15:18:25 +0200
+Subject: CVE-2020-13934
+
+Origin: https://github.com/apache/tomcat/commit/923d834500802a61779318911d7898bd85fc950e
+---
+ java/org/apache/coyote/AbstractProtocol.java | 9 ++++++---
+ webapps/docs/changelog.xml | 4 ++++
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/java/org/apache/coyote/AbstractProtocol.java b/java/org/apache/coyote/AbstractProtocol.java
+index 39153f1..577ebbf 100644
+--- a/java/org/apache/coyote/AbstractProtocol.java
++++ b/java/org/apache/coyote/AbstractProtocol.java
+@@ -826,8 +826,10 @@ public abstract class AbstractProtocol<S> implements ProtocolHandler,
+ // Assume direct HTTP/2 connection
+ UpgradeProtocol upgradeProtocol = getProtocol().getUpgradeProtocol("h2c");
+ if (upgradeProtocol != null) {
+- processor = upgradeProtocol.getProcessor(
+- wrapper, getProtocol().getAdapter());
++ // Release the Http11 processor to be re-used
++ release(processor);
++ // Create the upgrade processor
++ processor = upgradeProtocol.getProcessor(wrapper, getProtocol().getAdapter());
+ wrapper.unRead(leftOverInput);
+ // Associate with the processor with the connection
+ connections.put(socket, processor);
+@@ -837,7 +839,8 @@ public abstract class AbstractProtocol<S> implements ProtocolHandler,
+ "abstractConnectionHandler.negotiatedProcessor.fail",
+ "h2c"));
+ }
+- return SocketState.CLOSED;
++ // Exit loop and trigger appropriate clean-up
++ state = SocketState.CLOSED;
+ }
+ } else {
+ HttpUpgradeHandler httpUpgradeHandler = upgradeToken.getHttpUpgradeHandler();
+diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
+index bb17a96..278c497 100644
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -145,6 +145,10 @@
+ system property changing how the sequence <code>%5c</code> is
+ interpretted in a URI. (markt)
+ </fix>
++ <fix>
++ Ensure that the HTTP/1.1 processor is correctly recycled when a direct
++ connection to h2c is made. (markt)
++ </fix>
+ </changelog>
+ </subsection>
+ <subsection name="Other">
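Review bot: `release(processor)` in the h2c branch hands the HTTP/1.1 processor back to the pool before `upgradeProtocol.getProcessor(...)` has produced its replacement, so if that call throws, `connections` presumably still maps this socket to a processor that another connection can now be given — whether the surrounding catch (outside the hunk) evicts that entry is not visible here, so confirm it. Obtaining the new processor first and releasing afterwards closes that window: `Processor h2cProcessor = upgradeProtocol.getProcessor(wrapper, getProtocol().getAdapter());` then `release(processor);` then `processor = h2cProcessor;` (assuming `processor` is declared as `Processor`, which is outside the hunk). The comment on the release line would also be more useful if it said why the call is there, e.g. `// Release the Http11 processor for re-use: on a direct h2c connection it was previously never recycled, leaking one processor per connection (CVE-2020-13934)`. Replacing `return SocketState.CLOSED` with `state = SocketState.CLOSED` relies on the enclosing loop ending on CLOSED, which lies outside the hunk.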
=====================================
debian/patches/CVE-2020-13935.patch
=====================================
@@ -0,0 +1,60 @@
+From: Markus Koschany <apo at debian.org>
+Date: Tue, 21 Jul 2020 15:19:02 +0200
+Subject: CVE-2020-13935
+
+Origin: https://github.com/apache/tomcat/commit/12d715676038efbf9c728af10163f8277fc019d5
+---
+ java/org/apache/tomcat/websocket/LocalStrings.properties | 1 +
+ java/org/apache/tomcat/websocket/WsFrameBase.java | 7 +++++++
+ webapps/docs/changelog.xml | 8 ++++++++
+ 3 files changed, 16 insertions(+)
+
+diff --git a/java/org/apache/tomcat/websocket/LocalStrings.properties b/java/org/apache/tomcat/websocket/LocalStrings.properties
+index 744619a..7f770fa 100644
+--- a/java/org/apache/tomcat/websocket/LocalStrings.properties
++++ b/java/org/apache/tomcat/websocket/LocalStrings.properties
+@@ -71,6 +71,7 @@ wsFrame.noContinuation=A new message was started when a continuation frame was e
+ wsFrame.notMasked=The client frame was not masked but all client frames must be masked
+ wsFrame.oneByteCloseCode=The client sent a close frame with a single byte payload which is not valid
+ wsFrame.partialHeaderComplete=WebSocket frame received. fin [{0}], rsv [{1}], OpCode [{2}], payload length [{3}]
++wsFrame.payloadMsbInvalid=An invalid WebSocket frame was received - the most significant bit of a 64-bit payload was illegally set
+ wsFrame.sessionClosed=The client data cannot be processed because the session has already been closed
+ wsFrame.suspendRequested=Suspend of the message receiving has already been requested.
+ wsFrame.textMessageTooBig=The decoded text message was too big for the output buffer and the endpoint does not support partial messages
+diff --git a/java/org/apache/tomcat/websocket/WsFrameBase.java b/java/org/apache/tomcat/websocket/WsFrameBase.java
+index 28cdc30..4afad67 100644
+--- a/java/org/apache/tomcat/websocket/WsFrameBase.java
++++ b/java/org/apache/tomcat/websocket/WsFrameBase.java
+@@ -261,6 +261,13 @@ public abstract class WsFrameBase {
+ } else if (payloadLength == 127) {
+ payloadLength = byteArrayToLong(inputBuffer.array(),
+ inputBuffer.arrayOffset() + inputBuffer.position(), 8);
++ // The most significant bit of those 8 bytes is required to be zero
++ // (see RFC 6455, section 5.2). If the most significant bit is set,
++ // the resulting payload length will be negative so test for that.
++ if (payloadLength < 0) {
++ throw new WsIOException(
++ new CloseReason(CloseCodes.PROTOCOL_ERROR, sm.getString("wsFrame.payloadMsbInvalid")));
++ }
+ inputBuffer.position(inputBuffer.position() + 8);
+ }
+ if (Util.isControl(opCode)) {
+diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
+index 278c497..9533c04 100644
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -188,6 +188,14 @@
+ </fix>
+ </changelog>
+ </subsection>
++ <subsection name="WebSocket">
++ <changelog>
++ <fix>
++ <bug>64563</bug>: Add additional validation of payload length for
++ WebSocket messages. (markt)
++ </fix>
++ </changelog>
++ </subsection>
+ <subsection name="Other">
+ <changelog>
+ <fix>
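Review bot: The new check after `byteArrayToLong(..., 8)` rejects only a set sign bit, so any 63-bit length up to `Long.MAX_VALUE` still passes this point; I assume a maximum message size check further down bounds it (outside the hunk), but a comment saying so would save the next reader the search, e.g. `// Non-negative but oversized lengths are expected to be rejected by the max message size check below`. RFC 6455 section 5.2 also requires the minimal encoding (a 127-coded length must not fit in 16 bits, a 126-coded one must not fit in 7 bits), which is still not enforced here; whether to reject that as a PROTOCOL_ERROR too is a judgement call, since it may break clients that encode non-minimally. Throwing before `inputBuffer.position(...)` is advanced looks intentional because the close reason presumably ends the session, but a one-line comment such as `// No need to advance the buffer: the close reason ends the session` would make that explicit. The enclosing method starts before the hunk.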
=====================================
debian/patches/series
=====================================
@@ -9,3 +9,5 @@
0018-fix-manager-webapp.patch
CVE-2020-11996.patch
CVE-2020-9484.patch
+CVE-2020-13934.patch
+CVE-2020-13935.patch
View it on GitLab: https://salsa.debian.org/java-team/tomcat8/-/compare/3f2f4bb56e9c6340a23abbdd6ff09a75d9db5d5e...98510bdf09ffc0fa6beb9a2383e70a4d5b032e95