Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tomcat for openSUSE:Factory checked in at 2021-03-19 16:42:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tomcat (Old) and /work/SRC/openSUSE:Factory/.tomcat.new.2401 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tomcat" Fri Mar 19 16:42:50 2021 rev:75 rq:880011 version:9.0.36 Changes: --------
--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes 2021-01-13 18:35:25.834434783 +0100
+++ /work/SRC/openSUSE:Factory/.tomcat.new.2401/tomcat.changes 2021-03-19 16:43:04.574107523 +0100
@@ -1,0 +2,7 @@
+Wed Mar 17 16:16:52 UTC 2021 - Abid Mehmood <[email protected]>
+
+- Log if file access is blocked due to symlinks: CVE-2021-24122 (bsc#1180947)
+- Added patch:
+ * tomcat-9.0-CVE-2021-24122.patch
+
+-------------------------------------------------------------------
New: ---- tomcat-9.0-CVE-2021-24122.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ tomcat.spec ++++++
--- /var/tmp/diff_new_pack.3jvFrg/_old 2021-03-19 16:43:05.558108851 +0100
+++ /var/tmp/diff_new_pack.3jvFrg/_new 2021-03-19 16:43:05.562108857 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package tomcat
 #
-# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2021 SUSE LLC
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -85,6 +85,7 @@
 Patch6: tomcat-9.0.31-secretRequired-default.patch
 Patch7: tomcat-9.0-CVE-2020-13943.patch
 Patch8: tomcat-9.0-CVE-2020-17527.patch
+Patch9: tomcat-9.0-CVE-2021-24122.patch
 BuildRequires: ant >= 1.8.1
 BuildRequires: ant-antlr
@@ -162,7 +163,7 @@
 Summary: Expression Language v3.0 API
 Group: Development/Libraries/Java
 Requires(post): update-alternatives
-Requires(preun): update-alternatives
+Requires(preun):update-alternatives
 Provides: %{name}-el-%{elspec}-api = %{version}-%{release}
 Provides: el_3_0_api = %{version}-%{release}
 Provides: el_api = %{elspec}
@@ -186,7 +187,7 @@
 Requires: mvn(org.apache.tomcat:tomcat-el-api)
 Requires: mvn(org.apache.tomcat:tomcat-servlet-api)
 Requires(post): update-alternatives
-Requires(postun): update-alternatives
+Requires(postun):update-alternatives
 Provides: %{name}-jsp-%{jspspec}-api
 Provides: jsp = %{jspspec}
 Provides: jsp23
@@ -214,7 +215,7 @@
 Requires: %{name}-jsp-%{jspspec}-api = %{version}-%{release}
 Requires: %{name}-servlet-%{servletspec}-api = %{version}-%{release}
 Requires(post): ecj >= 4.4
-Requires(preun): coreutils
+Requires(preun):coreutils
 Provides: jakarta-commons-dbcp-tomcat5 = 1.4
 Obsoletes: jakarta-commons-dbcp-tomcat5 < 1.4
@@ -225,7 +226,7 @@
 Summary: Apache Tomcat Servlet API implementation classes
 Group: Productivity/Networking/Web/Servers
 Requires(post): update-alternatives
-Requires(postun): update-alternatives
+Requires(postun):update-alternatives
 Provides: %{name}-servlet-%{servletspec}-api = %{version}-%{release}
 Provides: servlet = %{servletspec}
 Provides: servlet31
@@ -261,6 +262,7 @@
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl
++++++ tomcat-9.0-CVE-2021-24122.patch ++++++
Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/AbstractFileResourceSet.java ===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
@@ -22,11 +22,15 @@ import java.net.MalformedURLException;
 import java.net.URL;
 import org.apache.catalina.LifecycleException;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.compat.JrePlatform;
 import org.apache.tomcat.util.http.RequestUtil;
 public abstract class AbstractFileResourceSet extends AbstractResourceSet {
+ private static final Log log = LogFactory.getLog(AbstractFileResourceSet.class);
+
 protected static final String[] EMPTY_STRING_ARRAY = new String[0];
 private File fileBase;
@@ -128,6 +132,19 @@ public abstract class AbstractFileResour
 canPath = normalize(canPath);
 }
 if (!canPath.equals(absPath)) {
+ if (!canPath.equalsIgnoreCase(absPath)) {
+ // Typically means symlinks are in use but being ignored. Given
+ // the symlink was likely created for a reason, log a warning
+ // that it was ignored.
+ String msg = sm.getString("abstractFileResourceSet.canonicalfileCheckFailed",
+ getRoot().getContext().getName(), absPath, canPath);
+ // Log issues with configuration files at a higher level
+ if(absPath.startsWith("/META-INF/") || absPath.startsWith("/WEB-INF/")) {
+ log.error(msg);
+ } else {
+ log.warn(msg);
+ }
+ }
 return null;
 }
@@ -144,7 +161,7 @@ public abstract class AbstractFileResour
 // expression irrespective of input length.
 for (int i = 0; i < len; i++) {
 char c = name.charAt(i);
- if (c == '\"' || c == '<' || c == '>') {
+ if (c == '\"' || c == '<' || c == '>' || c == ':') {
 // These characters are disallowed in Windows file names and
 // there are known problems for file names with these characters
 // when using File#getCanonicalPath().
Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/LocalStrings.properties ===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/webresources/LocalStrings.properties
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/LocalStrings.properties
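Review bot: The new `equalsIgnoreCase` branch logs on every lookup that fails the canonical-path check and keeps no record of what it has already reported, so if `absPath` is derived from the request path (the enclosing method starts before this hunk, so that is inferred from the surrounding checks) each request for a symlinked resource adds another WARN or ERROR line and the volume of those lines is set by the client rather than by the deployment. Remembering the paths already reported for this resource set and logging each once keeps the diagnostic the commit wants without that amplification; the excerpt below adds one field and folds the guard into the existing condition, and needs `java.util.Set` and `java.util.concurrent.ConcurrentHashMap` in the import block. Minor style: `if(absPath.startsWith(` lacks the space after `if` that the rest of the hunk uses.
```java
    // Paths already reported by the canonical-path check, so a repeatedly
    // requested symlinked resource logs once rather than once per request.
    private final Set<String> reportedMismatches = ConcurrentHashMap.newKeySet();

    // … unchanged: remaining fields and the start of the lookup method …

            if (!canPath.equalsIgnoreCase(absPath) && reportedMismatches.add(absPath)) {
                // … unchanged: message construction and error/warn selection …
            }
            return null;
```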
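Review bot: The comment under the widened character test still says these characters are disallowed in Windows file names, which does not explain the newly added `':'` — a colon is legal there as the NTFS alternate-data-stream separator, and the hunk's own comment already notes that `File#getCanonicalPath()` misbehaves on such names, which is presumably why it is now rejected. Suggest one added line after the existing three, e.g. `// ':' is rejected as well: on NTFS it introduces an alternate data stream`. The enclosing method starts and ends outside the hunk.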
@@ -15,6 +15,8 @@
 abstractArchiveResourceSet.setReadOnlyFalse=Archive based WebResourceSets such as those based on JARs are hard-coded to be read-only and may not be configured to be read-write
+abstractFileResourceSet.canonicalfileCheckFailed=Resource for web application [{0}] at path [{1}] was not loaded as the canonical path [{2}] did not match. Use of symlinks is one possible cause.
+
 abstractResource.getContentFail=Unable to return [{0}] as a byte array
 abstractResource.getContentTooLarge=Unable to return [{0}] as a byte array since the resource is [{1}] bytes in size which is larger than the maximum size of a byte array
Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml ===================================================================
--- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
@@ -81,6 +81,10 @@
 <bug>64493</bug>: Revert possible change of returned protocol attribute value on the
 <code>Connector</code>. (remm)
 </fix>
+ <add>
+ <bug>64871</bug>: Log a warning if Tomcat blocks access to a file
+ because it uses symlinks. (markt)
+ </add>
 </changelog>
 </subsection>
 <subsection name="Coyote">
