[Git][java-team/tomcat9][buster] Buster security release 9.0.31-1~deb10u4
Markus Koschany
gitlab at salsa.debian.org
Wed Apr 14 11:30:12 BST 2021
Markus Koschany pushed to branch buster at Debian Java Maintainers / tomcat9
Commits:
a6542f11 by Markus Koschany at 2021-04-14T12:20:18+02:00
Buster security release 9.0.31-1~deb10u4
- - - - -
4 changed files:
- debian/changelog
- + debian/patches/CVE-2021-25122.patch
- + debian/patches/CVE-2021-25329.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+tomcat9 (9.0.31-1~deb10u4) buster-security; urgency=medium
+
+ * CVE-2021-25122
+ * CVE-2021-25329
+
+ -- Moritz Mhlenhoff <jmm at debian.org> Mon, 12 Apr 2021 16:45:06 +0200
+
tomcat9 (9.0.31-1~deb10u3) buster-security; urgency=medium
* Fixed CVE-2020-13943: HTTP/2 request mix-up. If an HTTP/2 client exceeded
=====================================
debian/patches/CVE-2021-25122.patch
=====================================
@@ -0,0 +1,37 @@
+Backport of
+
+From d47c20a776e8919eaca8da9390a32bc8bf8210b1 Mon Sep 17 00:00:00 2001
+From: Mark Thomas <markt at apache.org>
+Date: Thu, 14 Jan 2021 16:59:43 +0000
+Subject: [PATCH] Simplify the code and fix an edge case for BZ 64830
+
+--- tomcat9-9.0.31.orig/java/org/apache/coyote/AbstractProtocol.java
++++ tomcat9-9.0.31/java/org/apache/coyote/AbstractProtocol.java
+@@ -870,8 +870,10 @@ public abstract class AbstractProtocol<S
+ if (state == SocketState.UPGRADING) {
+ // Get the HTTP upgrade handler
+ UpgradeToken upgradeToken = processor.getUpgradeToken();
+- // Retrieve leftover input
++ // Restore leftover input to the wrapper so the upgrade
++ // processor can process it.
+ ByteBuffer leftOverInput = processor.getLeftoverInput();
++ wrapper.unRead(leftOverInput);
+ if (upgradeToken == null) {
+ // Assume direct HTTP/2 connection
+ UpgradeProtocol upgradeProtocol = getProtocol().getUpgradeProtocol("h2c");
+@@ -880,7 +882,6 @@ public abstract class AbstractProtocol<S
+ release(processor);
+ // Create the upgrade processor
+ processor = upgradeProtocol.getProcessor(wrapper, getProtocol().getAdapter());
+- wrapper.unRead(leftOverInput);
+ // Associate with the processor with the connection
+ wrapper.setCurrentProcessor(processor);
+ } else {
+@@ -902,7 +903,6 @@ public abstract class AbstractProtocol<S
+ getLog().debug(sm.getString("abstractConnectionHandler.upgradeCreate",
+ processor, wrapper));
+ }
+- wrapper.unRead(leftOverInput);
+ // Mark the connection as upgraded
+ wrapper.setUpgraded(true);
+ // Associate with the processor with the connection
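Review bot: The new comment above `wrapper.unRead(leftOverInput)` in the first AbstractProtocol hunk says what the call does but not why its position matters. In the h2c branch the call now runs before `release(processor)`, where it previously ran after the old processor had been released and the upgrade processor created. If the leftover buffer is backed by the processor being recycled (`getLeftoverInput()` is not visible here), that ordering is the substance of the fix and a later refactor could silently undo it. I would extend the comment with `// Must happen before release(processor): the buffer is obtained from the processor being recycled.` once that assumption is confirmed. The enclosing method starts and ends outside these hunks.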
=====================================
debian/patches/CVE-2021-25329.patch
=====================================
@@ -0,0 +1,119 @@
+From 4785433a226a20df6acbea49296e1ce7e23de453 Mon Sep 17 00:00:00 2001
+From: Mark Thomas <markt at apache.org>
+Date: Wed, 20 Jan 2021 13:28:57 +0000
+Subject: [PATCH] Use java.nio.file.Path for consistent sub-directory checking
+
+--- tomcat9-9.0.31.orig/java/org/apache/catalina/servlets/DefaultServlet.java
++++ tomcat9-9.0.31/java/org/apache/catalina/servlets/DefaultServlet.java
+@@ -2130,7 +2130,7 @@ public class DefaultServlet extends Http
+
+ // First check that the resulting path is under the provided base
+ try {
+- if (!candidate.getCanonicalPath().startsWith(base.getCanonicalPath())) {
++ if (!candidate.getCanonicalFile().toPath().startsWith(base.getCanonicalFile().toPath())) {
+ return null;
+ }
+ } catch (IOException ioe) {
+--- tomcat9-9.0.31.orig/java/org/apache/catalina/session/FileStore.java
++++ tomcat9-9.0.31/java/org/apache/catalina/session/FileStore.java
+@@ -351,7 +351,7 @@ public final class FileStore extends Sto
+ File file = new File(storageDir, filename);
+
+ // Check the file is within the storage directory
+- if (!file.getCanonicalPath().startsWith(storageDir.getCanonicalPath())) {
++ if (!file.getCanonicalFile().toPath().startsWith(storageDir.getCanonicalFile().toPath())) {
+ log.warn(sm.getString("fileStore.invalid", file.getPath(), id));
+ return null;
+ }
+--- tomcat9-9.0.31.orig/java/org/apache/catalina/startup/ContextConfig.java
++++ tomcat9-9.0.31/java/org/apache/catalina/startup/ContextConfig.java
+@@ -653,7 +653,8 @@ public class ContextConfig implements Li
+ String docBaseCanonical = docBaseAbsoluteFile.getCanonicalPath();
+
+ // Re-calculate now docBase is a canonical path
+- boolean docBaseCanonicalInAppBase = docBaseCanonical.startsWith(appBase.getPath() + File.separatorChar);
++ boolean docBaseCanonicalInAppBase =
++ docBaseAbsoluteFile.getCanonicalFile().toPath().startsWith(appBase.toPath());
+ String docBase;
+ if (docBaseCanonicalInAppBase) {
+ docBase = docBaseCanonical.substring(appBase.getPath().length());
+--- tomcat9-9.0.31.orig/java/org/apache/catalina/startup/ExpandWar.java
++++ tomcat9-9.0.31/java/org/apache/catalina/startup/ExpandWar.java
+@@ -26,6 +26,7 @@ import java.net.JarURLConnection;
+ import java.net.URL;
+ import java.net.URLConnection;
+ import java.nio.channels.FileChannel;
++import java.nio.file.Path;
+ import java.util.Enumeration;
+ import java.util.jar.JarEntry;
+ import java.util.jar.JarFile;
+@@ -116,10 +117,7 @@ public class ExpandWar {
+ }
+
+ // Expand the WAR into the new document base directory
+- String canonicalDocBasePrefix = docBase.getCanonicalPath();
+- if (!canonicalDocBasePrefix.endsWith(File.separator)) {
+- canonicalDocBasePrefix += File.separator;
+- }
++ Path canonicalDocBasePath = docBase.getCanonicalFile().toPath();
+
+ // Creating war tracker parent (normally META-INF)
+ File warTrackerParent = warTracker.getParentFile();
+@@ -134,14 +132,13 @@ public class ExpandWar {
+ JarEntry jarEntry = jarEntries.nextElement();
+ String name = jarEntry.getName();
+ File expandedFile = new File(docBase, name);
+- if (!expandedFile.getCanonicalPath().startsWith(
+- canonicalDocBasePrefix)) {
++ if (!expandedFile.getCanonicalFile().toPath().startsWith(canonicalDocBasePath)) {
+ // Trying to expand outside the docBase
+ // Throw an exception to stop the deployment
+ throw new IllegalArgumentException(
+ sm.getString("expandWar.illegalPath",war, name,
+ expandedFile.getCanonicalPath(),
+- canonicalDocBasePrefix));
++ canonicalDocBasePath));
+ }
+ int last = name.lastIndexOf('/');
+ if (last >= 0) {
+@@ -217,10 +214,7 @@ public class ExpandWar {
+ File docBase = new File(host.getAppBaseFile(), pathname);
+
+ // Calculate the document base directory
+- String canonicalDocBasePrefix = docBase.getCanonicalPath();
+- if (!canonicalDocBasePrefix.endsWith(File.separator)) {
+- canonicalDocBasePrefix += File.separator;
+- }
++ Path canonicalDocBasePath = docBase.getCanonicalFile().toPath();
+ JarURLConnection juc = (JarURLConnection) war.openConnection();
+ juc.setUseCaches(false);
+ try (JarFile jarFile = juc.getJarFile()) {
+@@ -229,14 +223,13 @@ public class ExpandWar {
+ JarEntry jarEntry = jarEntries.nextElement();
+ String name = jarEntry.getName();
+ File expandedFile = new File(docBase, name);
+- if (!expandedFile.getCanonicalPath().startsWith(
+- canonicalDocBasePrefix)) {
++ if (!expandedFile.getCanonicalFile().toPath().startsWith(canonicalDocBasePath)) {
+ // Entry located outside the docBase
+ // Throw an exception to stop the deployment
+ throw new IllegalArgumentException(
+ sm.getString("expandWar.illegalPath",war, name,
+ expandedFile.getCanonicalPath(),
+- canonicalDocBasePrefix));
++ canonicalDocBasePath));
+ }
+ }
+ } catch (IOException e) {
+--- tomcat9-9.0.31.orig/java/org/apache/catalina/startup/HostConfig.java
++++ tomcat9-9.0.31/java/org/apache/catalina/startup/HostConfig.java
+@@ -598,8 +598,7 @@ public class HostConfig implements Lifec
+ docBase = new File(host.getAppBaseFile(), context.getDocBase());
+ }
+ // If external docBase, register .xml as redeploy first
+- if (!docBase.getCanonicalPath().startsWith(
+- host.getAppBaseFile().getAbsolutePath() + File.separator)) {
++ if (!docBase.getCanonicalFile().toPath().startsWith(host.getAppBaseFile().toPath())) {
+ isExternal = true;
+ deployedApp.redeployResources.put(
+ contextXml.getAbsolutePath(),
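Review bot: In the HostConfig hunk, and likewise in the ContextConfig hunk, only the left side of the comparison is canonicalized: `docBase.getCanonicalFile().toPath().startsWith(host.getAppBaseFile().toPath())`. `Path.startsWith` compares name elements, so if `getAppBaseFile()` can return a path that is not already canonical (a symlinked or non-normalized appBase; its implementation is not visible here), a docBase inside appBase would be classified as external, whereas the DefaultServlet, FileStore and ExpandWar hunks canonicalize both sides. Either use `host.getAppBaseFile().getCanonicalFile().toPath()` and `appBase.getCanonicalFile().toPath()`, or add a comment stating that the appBase file is canonical by contract. `Path.startsWith` is also true for equal paths, so a docBase equal to appBase now counts as inside it, which the old trailing-separator prefix excluded; ContextConfig then takes `substring(appBase.getPath().length())`, giving an empty string, and it is worth confirming that the code after the hunk handles that. Both methods continue outside the hunks.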
=====================================
debian/patches/series
=====================================
@@ -19,3 +19,5 @@ CVE-2020-9484.patch
debian-bug-959937.patch
CVE-2020-13943.patch
CVE-2020-17527.patch
+CVE-2021-25122.patch
+CVE-2021-25329.patch
View it on GitLab: https://salsa.debian.org/java-team/tomcat9/-/commit/a6542f113d1e72b96f2e24a8f47c31f66c5bd0c8