[Git][java-team/tomcat9][buster] Fix CVE-2020-11996, CVE-2020-9484 and Debian bug 959937 in Buster.
Markus Koschany
gitlab at salsa.debian.org
Tue Jul 14 23:47:53 BST 2020
Markus Koschany pushed to branch buster at Debian Java Maintainers / tomcat9
Commits:
eea43410 by Markus Koschany at 2020-07-15T00:38:00+02:00
Fix CVE-2020-11996, CVE-2020-9484 and Debian bug 959937 in Buster.
- - - - -
4 changed files:
- + debian/patches/CVE-2020-11996.patch
- + debian/patches/CVE-2020-9484.patch
- + debian/patches/debian-bug-959937.patch
- debian/patches/series
Changes:
=====================================
debian/patches/CVE-2020-11996.patch
=====================================
@@ -0,0 +1,101 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 13 Jul 2020 17:28:40 +0200
+Subject: CVE-2020-11996
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961209
+Origin: https://github.com/apache/tomcat/commit/3aa8f28db7efb311cdd1b6fe15a9cd3b167a2222
+---
+ .../apache/coyote/http2/Http2UpgradeHandler.java | 10 +++----
+ .../apache/coyote/http2/TestHttp2Section_5_1.java | 31 +++++++++++++++++++---
+ webapps/docs/changelog.xml | 4 +++
+ 3 files changed, 36 insertions(+), 9 deletions(-)
+
+diff --git a/java/org/apache/coyote/http2/Http2UpgradeHandler.java b/java/org/apache/coyote/http2/Http2UpgradeHandler.java
+index e0f3dde..b1d7624 100644
+--- a/java/org/apache/coyote/http2/Http2UpgradeHandler.java
++++ b/java/org/apache/coyote/http2/Http2UpgradeHandler.java
+@@ -1474,11 +1474,11 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
+ }
+
+
+- private void closeIdleStreams(int newMaxActiveRemoteStreamId) throws Http2Exception {
+- for (int i = maxActiveRemoteStreamId + 2; i < newMaxActiveRemoteStreamId; i += 2) {
+- Stream stream = getStream(i, false);
+- if (stream != null) {
+- stream.closeIfIdle();
++ private void closeIdleStreams(int newMaxActiveRemoteStreamId) {
++ for (Entry<Integer,Stream> entry : streams.entrySet()) {
++ if (entry.getKey().intValue() > maxActiveRemoteStreamId &&
++ entry.getKey().intValue() < newMaxActiveRemoteStreamId) {
++ entry.getValue().closeIfIdle();
+ }
+ }
+ maxActiveRemoteStreamId = newMaxActiveRemoteStreamId;
+diff --git a/test/org/apache/coyote/http2/TestHttp2Section_5_1.java b/test/org/apache/coyote/http2/TestHttp2Section_5_1.java
+index 2a46681..f878653 100644
+--- a/test/org/apache/coyote/http2/TestHttp2Section_5_1.java
++++ b/test/org/apache/coyote/http2/TestHttp2Section_5_1.java
+@@ -147,21 +147,44 @@ public class TestHttp2Section_5_1 extends Http2TestBase {
+
+ @Test
+ public void testImplicitClose() throws Exception {
++ doTestImplicitClose(5);
++ }
++
++
++ // https://bz.apache.org/bugzilla/show_bug.cgi?id=64467
++ @Test
++ public void testImplicitCloseLargeId() throws Exception {
++ doTestImplicitClose(Integer.MAX_VALUE - 8);
++ }
++
++
++ private void doTestImplicitClose(int lastStreamId) throws Exception {
++
++ long startFirst = System.nanoTime();
+ http2Connect();
++ long durationFirst = System.nanoTime() - startFirst;
+
+ sendPriority(3, 0, 16);
+- sendPriority(5, 0, 16);
++ sendPriority(lastStreamId, 0, 16);
+
+- sendSimpleGetRequest(5);
++ long startSecond = System.nanoTime();
++ sendSimpleGetRequest(lastStreamId);
+ readSimpleGetResponse();
+- Assert.assertEquals(getSimpleResponseTrace(5), output.getTrace());
++ long durationSecond = System.nanoTime() - startSecond;
++
++ Assert.assertEquals(getSimpleResponseTrace(lastStreamId), output.getTrace());
+ output.clearTrace();
+
++ // Allow second request to take up to 5 times first request or up to 1 second - whichever is the larger - mainly
++ // to allow for CI systems under load that can exhibit significant timing variation.
++ Assert.assertTrue("First request took [" + durationFirst/1000000 + "ms], second request took [" +
++ durationSecond/1000000 + "ms]", durationSecond < 1000000000 || durationSecond < durationFirst * 3);
++
+ // Should trigger an error since stream 3 should have been implicitly
+ // closed.
+ sendSimpleGetRequest(3);
+
+- handleGoAwayResponse(5);
++ handleGoAwayResponse(lastStreamId);
+ }
+
+
+diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
+index c196f7b..9128471 100644
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -786,6 +786,10 @@
+ Service to crash on start when running on an operating system that had
+ not been fully updated. (markt)
+ </update>
++ <fix>
++ <bug>64467</bug>: Improve performance of closing idle HTTP/2 streams.
++ (markt)
++ </fix>
+ </changelog>
+ </subsection>
+ </section>
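Review bot: The timing comment in doTestImplicitClose says the second request may take up to 5 times the first, but the assertion right below it checks `durationSecond < durationFirst * 3`; the comment and the tolerance should agree, e.g. `durationSecond < 1000000000 || durationSecond < durationFirst * 5`, or the comment should say 3. The `Origin:` line of this patch names the same upstream commit as the CVE-2020-9484 patch further down, although the two carry different upstream changes (bug 64467 here, FileStore validation there), so at most one DEP-3 header can be right and the other needs correcting. In closeIdleStreams the rewrite also drops `throws Http2Exception` from the signature; the enclosing class and the method's callers are outside this hunk, so whether any caller still handles that exception cannot be checked here.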
=====================================
debian/patches/CVE-2020-9484.patch
=====================================
@@ -0,0 +1,84 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 13 Jul 2020 17:27:45 +0200
+Subject: CVE-2020-9484
+
+Origin: https://github.com/apache/tomcat/commit/3aa8f28db7efb311cdd1b6fe15a9cd3b167a2222
+---
+ java/org/apache/catalina/session/FileStore.java | 19 +++++++++++++++++--
+ .../apache/catalina/session/LocalStrings.properties | 1 +
+ webapps/docs/changelog.xml | 3 +++
+ 3 files changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/java/org/apache/catalina/session/FileStore.java b/java/org/apache/catalina/session/FileStore.java
+index 73016ff..2e2c6c6 100644
+--- a/java/org/apache/catalina/session/FileStore.java
++++ b/java/org/apache/catalina/session/FileStore.java
+@@ -33,6 +33,8 @@ import org.apache.catalina.Context;
+ import org.apache.catalina.Globals;
+ import org.apache.catalina.Session;
+ import org.apache.juli.logging.Log;
++import org.apache.juli.logging.LogFactory;
++import org.apache.tomcat.util.res.StringManager;
+
+ /**
+ * Concrete implementation of the <b>Store</b> interface that utilizes
+@@ -43,6 +45,10 @@ import org.apache.juli.logging.Log;
+ */
+ public final class FileStore extends StoreBase {
+
++ private static final Log log = LogFactory.getLog(FileStore.class);
++ private static final StringManager sm = StringManager.getManager(FileStore.class);
++
++
+ // ----------------------------------------------------- Constants
+
+ /**
+@@ -336,11 +342,20 @@ public final class FileStore extends StoreBase {
+ * used in the file naming.
+ */
+ private File file(String id) throws IOException {
+- if (this.directory == null) {
++ File storageDir = directory();
++ if (storageDir == null) {
+ return null;
+ }
++
+ String filename = id + FILE_EXT;
+- File file = new File(directory(), filename);
++ File file = new File(storageDir, filename);
++
++ // Check the file is within the storage directory
++ if (!file.getCanonicalPath().startsWith(storageDir.getCanonicalPath())) {
++ log.warn(sm.getString("fileStore.invalid", file.getPath(), id));
++ return null;
++ }
++
+ return file;
+ }
+ }
+diff --git a/java/org/apache/catalina/session/LocalStrings.properties b/java/org/apache/catalina/session/LocalStrings.properties
+index e0a5487..9781362 100644
+--- a/java/org/apache/catalina/session/LocalStrings.properties
++++ b/java/org/apache/catalina/session/LocalStrings.properties
+@@ -29,6 +29,7 @@ JDBCStore.wrongDataSource=Cannot open JNDI DataSource [{0}]
+ fileStore.createFailed=Unable to create directory [{0}] for the storage of session data
+ fileStore.deleteFailed=Unable to delete file [{0}] which is preventing the creation of the session storage location
+ fileStore.deleteSessionFailed=Unable to delete file [{0}] which is no longer required
++fileStore.invalid=Invalid persistence file [{0}] for session ID [{1}]
+ fileStore.loading=Loading Session [{0}] from file [{1}]
+ fileStore.removing=Removing Session [{0}] at file [{1}]
+ fileStore.saving=Saving Session [{0}] to file [{1}]
+diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
+index 25ccd44..c196f7b 100644
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -135,6 +135,9 @@
+ could be missing in the access log for an HTTP/2 request where the
+ connection was closed unexpectely.
+ </fix>
++ <add>
++ Improve validation of storage location when using FileStore. (markt)
++ </add>
+ </changelog>
+ </subsection>
+ <subsection name="Coyote">
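Review bot: The containment check in FileStore.file() compares bare canonical-path prefixes, so a canonical path that merely begins with the storage directory's name (a sibling directory sharing that prefix) would also pass; anchoring the prefix on the separator closes that gap: `String base = storageDir.getCanonicalPath() + File.separator;` followed by `if (!file.getCanonicalPath().startsWith(base)) {`. Since `file` is always constructed as a child of `storageDir`, the separator-anchored form rejects nothing legitimate. The warning logged on rejection includes `file.getPath()` and `id`, which come from the caller; the callers of file() and its null return are outside this hunk.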
=====================================
debian/patches/debian-bug-959937.patch
=====================================
@@ -0,0 +1,35 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 13 Jul 2020 17:31:50 +0200
+Subject: debian bug 959937
+
+Bug-Debian: https://bugs.debian.org/959937
+
+Improve backwards compatibility and work around upstream bug
+https://bz.apache.org/bugzilla/show_bug.cgi?id=64097
+---
+ .../jasper-el.jar/services/javax.el.ExpressionFactory | 17 +----------------
+ 1 file changed, 1 insertion(+), 16 deletions(-)
+
+diff --git a/res/META-INF/jasper-el.jar/services/javax.el.ExpressionFactory b/res/META-INF/jasper-el.jar/services/javax.el.ExpressionFactory
+index 8076bd2..fa01048 100644
+--- a/res/META-INF/jasper-el.jar/services/javax.el.ExpressionFactory
++++ b/res/META-INF/jasper-el.jar/services/javax.el.ExpressionFactory
+@@ -1,16 +1 @@
+-# Licensed to the Apache Software Foundation (ASF) under one or more
+-# contributor license agreements. See the NOTICE file distributed with
+-# this work for additional information regarding copyright ownership.
+-# The ASF licenses this file to You under the Apache License, Version 2.0
+-# (the "License"); you may not use this file except in compliance with
+-# the License. You may obtain a copy of the License at
+-#
+-# http://www.apache.org/licenses/LICENSE-2.0
+-#
+-# Unless required by applicable law or agreed to in writing, software
+-# distributed under the License is distributed on an "AS IS" BASIS,
+-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-# See the License for the specific language governing permissions and
+-# limitations under the License.
+-
+-org.apache.el.ExpressionFactoryImpl
+\ No newline at end of file
++org.apache.el.ExpressionFactoryImpl
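Review bot: The patch header states the intent (work around upstream bug 64097) but not the mechanism; the only substantive change in the hunk is dropping the license comment lines and adding a trailing newline to the single entry, so the header should say which of those the older ExpressionFactory lookup trips over. A sentence such as `The previous lookup does not tolerate <comment lines | a missing trailing newline> in this service file` (whichever applies) would let a future maintainer know the header must not be restored.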
=====================================
debian/patches/series
=====================================
@@ -14,3 +14,6 @@
JDTCompiler.patch
CVE-2020-13934.patch
CVE-2020-13935.patch
+CVE-2020-11996.patch
+CVE-2020-9484.patch
+debian-bug-959937.patch