[Git][java-team/tomcat9][sysvinit] 3 commits: CVE-2021-30640: Fix NullPointerException
mirabilos (@tg)
gitlab at salsa.debian.org
Tue Aug 10 20:51:59 BST 2021
mirabilos pushed to branch sysvinit at Debian Java Maintainers / tomcat9
Commits:
78576fd0 by Markus Koschany at 2021-08-10T17:15:47+02:00
CVE-2021-30640: Fix NullPointerException
If no userRoleAttribute is specified in the user's Realm configuration, its
default value will be null. This will cause an NPE in the methods
doFilterEscaping and doAttributeValueEscaping. This is upstream bug
https://bz.apache.org/bugzilla/show_bug.cgi?id=65308
- - - - -
d9ccdf7c by Markus Koschany at 2021-08-10T17:18:34+02:00
Update changelog
- - - - -
25f754d6 by mirabilos at 2021-08-10T19:10:35+02:00
Merge tag 'debian/9.0.43-3' into sysvinit
Debian release 9.0.43-3
- - - - -
2 changed files:
- debian/changelog
- debian/patches/CVE-2021-30640.patch
Changes:
=====================================
debian/changelog
=====================================
@@ -1,10 +1,28 @@
-tomcat9 (9.0.43-2tarent1) wtf; urgency=medium
+tomcat9 (9.0.43-3tarent1) wtf-lts; urgency=medium
* Team upload.
* Sponsored by: ⮡ tarent
- * Merge sysvinit fixes with latest security upload
+ * Merge sysvinit fixes with latest security uploads:
+ - debian/logging.properties: Add commented-out non-systemd configuration
+ - Make tomcat9 installable without systemd:
+ + Readd logic to create the system user via adduser
+ + Add sysvinit script, for init independence (Closes: #925473)
+ - debian/README.Debian: Document non-systemd risks; note nōn-systemd
+ logging.properties change
+ - Don’t read /etc/default/tomcat9 twice
+
+ -- Thorsten Glaser <t.glaser at tarent.de> Tue, 10 Aug 2021 19:09:04 +0200
+
+tomcat9 (9.0.43-3) unstable; urgency=medium
+
+ * Team upload.
+ * CVE-2021-30640: Fix NullPointerException.
+ If no userRoleAttribute is specified in the user's Realm configuration its
+ default value will be null. This will cause a NPE in the methods
+ doFilterEscaping and doAttributeValueEscaping. This is upstream bug
+ https://bz.apache.org/bugzilla/show_bug.cgi?id=65308
- -- Thorsten Glaser <t.glaser at tarent.de> Sun, 08 Aug 2021 06:12:52 +0200
+ -- Markus Koschany <apo at debian.org> Tue, 10 Aug 2021 17:17:56 +0200
tomcat9 (9.0.43-2) unstable; urgency=medium
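Review bot: the new entry line `+ * CVE-2021-30640: Fix NullPointerException.` reads as if the CVE were first addressed in 9.0.43-3, but the second file in this push modifies an already existing debian/patches/CVE-2021-30640.patch, so this upload fixes a regression in the earlier backport rather than the CVE itself; wording it as a regression fix of the CVE-2021-30640 patch (with the bug 65308 link kept) would stop the security tracker and users from misreading which upload closed the CVE.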
=====================================
debian/patches/CVE-2021-30640.patch
=====================================
@@ -12,13 +12,13 @@ Origin: https://github.com/apache/tomcat/commit/b5585a9e5d4fec020cc5ebadb82f899f
Origin: https://github.com/apache/tomcat/commit/329932012d3a9b95fde0b18618416e659ecffdc0
Origin: https://github.com/apache/tomcat/commit/3ce84512ed8783577d9945df28da5a033465b945
---
- java/org/apache/catalina/realm/JNDIRealm.java | 137 +++++++++++++++++++--
+ java/org/apache/catalina/realm/JNDIRealm.java | 143 +++++++++++++++++++--
.../realm/TestJNDIRealmAttributeValueEscape.java | 86 +++++++++++++
- 2 files changed, 213 insertions(+), 10 deletions(-)
+ 2 files changed, 219 insertions(+), 10 deletions(-)
create mode 100644 test/org/apache/catalina/realm/TestJNDIRealmAttributeValueEscape.java
diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java
-index 7e2d578..358d008 100644
+index 7e2d578..2a03307 100644
--- a/java/org/apache/catalina/realm/JNDIRealm.java
+++ b/java/org/apache/catalina/realm/JNDIRealm.java
@@ -1633,8 +1633,11 @@ public class JNDIRealm extends RealmBase {
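Review bot: the three `Origin:` lines are left untouched while the patch body below changes, so the upstream commit that adds the null guards for bug 65308 is not recorded; a fourth `Origin:` line with that commit URL should be added so the backport stays traceable. The diffstat change (`JNDIRealm.java | 137` to `143`, while `TestJNDIRealmAttributeValueEscape.java | 86` is unchanged) also shows that no test was added for a null userRoleAttribute, which is exactly the input that produced the NPE.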
@@ -114,7 +114,7 @@ index 7e2d578..358d008 100644
isRoleSearchAsUser());
try {
-@@ -2823,10 +2842,36 @@ public class JNDIRealm extends RealmBase {
+@@ -2823,10 +2842,39 @@ public class JNDIRealm extends RealmBase {
* ) -> \29
* \ -> \5c
* \0 -> \00
@@ -148,10 +148,13 @@ index 7e2d578..358d008 100644
+ * @return String the escaped/encoded result
+ */
+ protected String doFilterEscaping(String inString) {
++ if (inString == null) {
++ return null;
++ }
StringBuilder buf = new StringBuilder(inString.length());
for (int i = 0; i < inString.length(); i++) {
char c = inString.charAt(i);
-@@ -2916,6 +2961,78 @@ public class JNDIRealm extends RealmBase {
+@@ -2916,6 +2964,81 @@ public class JNDIRealm extends RealmBase {
}
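Review bot: the added guard `++ if (inString == null) { return null; }` returns null rather than an empty string, and the hunk does not show the call sites, so it should be verified that every caller of doFilterEscaping treats a null result as "attribute unset" instead of concatenating it into an LDAP filter string. The Javadoc just above (`@return String the escaped/encoded result`) should also state that null input yields null.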
@@ -163,6 +166,9 @@ index 7e2d578..358d008 100644
+ * @return The string representation of the attribute value
+ */
+ protected String doAttributeValueEscaping(String input) {
++ if (input == null) {
++ return null;
++ }
+ int len = input.length();
+ StringBuilder result = new StringBuilder();
+
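Review bot: the guard `++ if (input == null) { return null; }` is correctly placed before `int len = input.length();`, which is the dereference that threw; as with doFilterEscaping, the `@return The string representation of the attribute value` Javadoc should mention the null passthrough so that callers in JNDIRealm know to handle it.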
View it on GitLab: https://salsa.debian.org/java-team/tomcat9/-/compare/d83b493c7c8a13f0d6a3decee46720ccc3481c20...25f754d600a7d149ea1cccc84a1020b208f59fb3