[Git][java-team/tomcat9][buster] Import Debian changes 9.0.31-1~deb10u14

Markus Koschany (@apo) gitlab at salsa.debian.org
Mon Apr 7 08:28:51 BST 2025 


Markus Koschany pushed to branch buster at Debian Java Maintainers / tomcat9


Commits:
300c7cdc by Markus Koschany at 2025-04-07T09:28:42+02:00
Import Debian changes 9.0.31-1~deb10u14

tomcat9 (9.0.31-1~deb10u14) buster-security; urgency=high
.
  * Team upload.
  * Fix CVE-2025-24813:
    It was found that a malicious user was able to view security sensitive
    files and/or inject content into those files when writes were enabled for
    the default servlet (disabled by default) and support for partial PUT was
    enabled (default). Under certain circumstances, depending on the
    application in use, remote code execution may have been possible.

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/CVE-2025-24813.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,15 @@
+tomcat9 (9.0.31-1~deb10u14) buster-security; urgency=high
+
+  * Team upload.
+  * Fix CVE-2025-24813:
+    It was found that a malicious user was able to view security sensitive
+    files and/or inject content into those files when writes were enabled for
+    the default servlet (disabled by default) and support for partial PUT was
+    enabled (default). Under certain circumstances, depending on the
+    application in use, remote code execution may have been possible.
+
+ -- Markus Koschany <apo at debian.org>  Tue, 01 Apr 2025 23:08:35 +0200
+
 tomcat9 (9.0.31-1~deb10u13) buster-security; urgency=high
 
   * Non-maintainer upload by the ELTS team.


=====================================
debian/patches/CVE-2025-24813.patch
=====================================
@@ -0,0 +1,59 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sat, 29 Mar 2025 11:47:08 +0100
+Subject: CVE-2025-24813
+
+Origin: https://github.com/apache/tomcat/commit/eb61aade8f8daccaecabf07d428b877975622f72
+---
+ java/org/apache/catalina/servlets/DefaultServlet.java | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java
+index efc1d67..48ff073 100644
+--- a/java/org/apache/catalina/servlets/DefaultServlet.java
++++ b/java/org/apache/catalina/servlets/DefaultServlet.java
+@@ -621,7 +621,7 @@ public class DefaultServlet extends HttpServlet {
+         }
+ 
+         InputStream resourceInputStream = null;
+-
++        File tempContentFile = null;
+         try {
+             // Append data specified in ranges to existing content for this
+             // resource - create a temp. file on the local filesystem to
+@@ -630,8 +630,8 @@ public class DefaultServlet extends HttpServlet {
+             if (range == IGNORE) {
+                 resourceInputStream = req.getInputStream();
+             } else {
+-                File contentFile = executePartialPut(req, range, path);
+-                resourceInputStream = new FileInputStream(contentFile);
++                tempContentFile = executePartialPut(req, range, path);
++                resourceInputStream = new FileInputStream(tempContentFile);
+             }
+ 
+             if (resources.write(path, resourceInputStream, true)) {
+@@ -651,6 +651,9 @@ public class DefaultServlet extends HttpServlet {
+                     // Ignore
+                 }
+             }
++            if (tempContentFile != null) {
++                tempContentFile.delete();
++            }
+         }
+     }
+ 
+@@ -674,13 +677,8 @@ public class DefaultServlet extends HttpServlet {
+         // perform this operation
+         File tempDir = (File) getServletContext().getAttribute
+             (ServletContext.TEMPDIR);
+-        // Convert all '/' characters to '.' in resourcePath
+-        String convertedResourcePath = path.replace('/', '.');
+-        File contentFile = new File(tempDir, convertedResourcePath);
+-        if (contentFile.createNewFile()) {
+-            // Clean up contentFile when Tomcat is terminated
+-            contentFile.deleteOnExit();
+-        }
++
++        File contentFile = File.createTempFile("put-part-", null, tempDir);
+ 
+         try (RandomAccessFile randAccessContentFile =
+             new RandomAccessFile(contentFile, "rw")) {


=====================================
debian/patches/series
=====================================
@@ -45,3 +45,4 @@ CVE-2024-38286.patch
 CVE-2024-50379-part1.patch
 CVE-2024-50379-part2.patch
 CVE-2024-52316.patch
+CVE-2025-24813.patch



View it on GitLab: https://salsa.debian.org/java-team/tomcat9/-/commit/300c7cdce3524a243bc75b112a1ff5dd488d4ee0

-- 
View it on GitLab: https://salsa.debian.org/java-team/tomcat9/-/commit/300c7cdce3524a243bc75b112a1ff5dd488d4ee0
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-commits/attachments/20250407/4a61c457/attachment.htm>

More information about the pkg-java-commits mailing list