Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tomcat for openSUSE:Factory checked in at 2021-12-12 21:27:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tomcat (Old) and /work/SRC/openSUSE:Factory/.tomcat.new.2520 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tomcat" Sun Dec 12 21:27:48 2021 rev:79 rq:940058 version:9.0.43 Changes: --------
--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes 2021-11-10 21:47:20.695834900 +0100
+++ /work/SRC/openSUSE:Factory/.tomcat.new.2520/tomcat.changes 2021-12-12 21:28:34.160375656 +0100
@@ -1,0 +2,7 @@
+Fri Dec 10 11:20:54 UTC 2021 - Michele Bussolotto <michele.bussolo...@suse.com>
+
+- Fix NPE in JNDIRealm, when userRoleAttribute is not set (bsc#1193569)
+- Added patch:
+ * tomcat-9.0-NPE-JNDIRealm.patch
+
+-------------------------------------------------------------------
New: ---- tomcat-9.0-NPE-JNDIRealm.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------
++++++ tomcat.spec ++++++
--- /var/tmp/diff_new_pack.dbjeYU/_old 2021-12-12 21:28:35.276376317 +0100
+++ /var/tmp/diff_new_pack.dbjeYU/_new 2021-12-12 21:28:35.280376319 +0100
@@ -86,6 +86,7 @@
 Patch7: tomcat-9.0-CVE-2021-41079.patch
 Patch8: tomcat-9.0-CVE-2021-33037.patch
 Patch9: tomcat-9.0-CVE-2021-30640.patch
+Patch10: tomcat-9.0-NPE-JNDIRealm.patch
 BuildRequires: ant >= 1.8.1
 BuildRequires: ant-antlr
@@ -263,6 +264,7 @@
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl
++++++ tomcat-9.0-NPE-JNDIRealm.patch ++++++
Index: apache-tomcat-9.0.43-src/java/org/apache/catalina/realm/JNDIRealm.java
===================================================================
--- apache-tomcat-9.0.43-src.orig/java/org/apache/catalina/realm/JNDIRealm.java
+++ apache-tomcat-9.0.43-src/java/org/apache/catalina/realm/JNDIRealm.java
@@ -2805,6 +2805,9 @@ public class JNDIRealm extends RealmBase
 * @return String the escaped/encoded result
 */
 protected String doFilterEscaping(String inString) {
+ if (inString == null) {
+ return null;
+ }
 StringBuilder buf = new StringBuilder(inString.length());
 for (int i = 0; i < inString.length(); i++) {
 char c = inString.charAt(i);
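Review bot: In `doFilterEscaping`, the added guard returns `null`, but the `@return` tag in the context just above still documents only "the escaped/encoded result"; the same applies to the guard added to `doAttributeValueEscaping` in the following hunk. Both are `protected` helpers, so I would document the new contract, e.g. `@return the escaped/encoded result, or {@code null} if {@code inString} is {@code null}`. The callers are not visible in the patch: if one of them substitutes the returned value into a search-filter template, a null may be rendered as literal text rather than rejected, so it is worth confirming how the role search is built when `userRoleAttribute` is unset. Both method bodies continue outside their hunks.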
@@ -2897,6 +2900,9 @@ public class JNDIRealm extends RealmBase
 * @return The string representation of the attribute value
 */
 protected String doAttributeValueEscaping(String input) {
+ if (input == null) {
+ return null;
+ }
 int len = input.length();
 StringBuilder result = new StringBuilder();
Index: apache-tomcat-9.0.43-src/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java
===================================================================
--- apache-tomcat-9.0.43-src.orig/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java
+++ apache-tomcat-9.0.43-src/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java
@@ -56,26 +56,33 @@ public class TestJNDIRealmIntegration {
 @Parameterized.Parameters(name = "{index}: user[{5}], pwd[{6}]")
 public static Collection<Object[]> parameters() {
 List<Object[]> parameterSets = new ArrayList<>();
- for (String roleSearch : new String[] { ROLE_SEARCH_A, ROLE_SEARCH_B, ROLE_SEARCH_C }) {
- addUsers(USER_PATTERN, null, null, roleSearch, ROLE_BASE, parameterSets);
- addUsers(null, USER_SEARCH, USER_BASE, roleSearch, ROLE_BASE, parameterSets);
+ for (String userRoleAttribute : new String[] { "cn", null }) {
+ for (String roleSearch : new String[] { ROLE_SEARCH_A, ROLE_SEARCH_B, ROLE_SEARCH_C }) {
+ if (userRoleAttribute != null) {
+ addUsers(USER_PATTERN, null, null, roleSearch, ROLE_BASE, userRoleAttribute, parameterSets);
+ addUsers(null, USER_SEARCH, USER_BASE, roleSearch, ROLE_BASE, userRoleAttribute, parameterSets);
+ }
+ }
+ parameterSets.add(new Object[] { "cn={0},ou=s\\;ub,ou=people,dc=example,dc=com", null, null, ROLE_SEARCH_A,
+ "{3},ou=people,dc=example,dc=com", "testsub", "test", new String[] { "TestGroup4" },
+ userRoleAttribute });
 }
- parameterSets.add(new Object[] { "cn={0},ou=s\\;ub,ou=people,dc=example,dc=com", null, null, ROLE_SEARCH_A,
- "{3},ou=people,dc=example,dc=com", "testsub", "test", new String[] {"TestGroup4"} });
 return parameterSets;
 }
 private static void addUsers(String userPattern, String userSearch, String userBase, String roleSearch,
- String roleBase, List<Object[]> parameterSets) {
+ String roleBase, String userRoleAttribute, List<Object[]> parameterSets) {
 parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, roleBase,
- "test", "test", new String[] {"TestGroup"} });
+ "test", "test", new String[] {"TestGroup"}, userRoleAttribute });
 parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, roleBase,
- "t;", "test", new String[] {"TestGroup"} });
+ "t;", "test", new String[] {"TestGroup"}, userRoleAttribute });
 parameterSets.add(new Object[] { userPattern,
userSearch, userBase, roleSearch, roleBase,
- "t*", "test", new String[] {"TestGroup"} });
+ "t*", "test", new String[] {"TestGroup"}, userRoleAttribute });
 parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, roleBase,
- "t=", "test", new String[] {"Test<Group*2", "Test>Group*3"} });
+ "t=", "test", new String[] {"Test<Group*2", "Test>Group*3"}, userRoleAttribute });
+ parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, roleBase,
+ "norole", "test", new String[0], userRoleAttribute });
 }
@@ -95,6 +102,8 @@ public class TestJNDIRealmIntegration {
 public String credentials;
 @Parameter(7)
 public String[] groups;
+ @Parameter(8)
+ public String realmConfigUserRoleAttribute;
 @Test
 public void testAuthenication() throws Exception {
@@ -105,7 +114,7 @@ public class TestJNDIRealmIntegration {
 realm.setUserPattern(realmConfigUserPattern);
 realm.setUserSearch(realmConfigUserSearch);
 realm.setUserBase(realmConfigUserBase);
- realm.setUserRoleAttribute("cn");
+ realm.setUserRoleAttribute(realmConfigUserRoleAttribute);
 realm.setRoleName("cn");
 realm.setRoleBase(realmConfigRoleBase);
 realm.setRoleSearch(realmConfigRoleSearch);
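Review bot: In `parameters()`, the inner `roleSearch` loop does nothing when `userRoleAttribute` is `null`, because both `addUsers` calls sit behind `if (userRoleAttribute != null)`; the only parameter set that runs with a null attribute is the single `testsub` entry with `ROLE_SEARCH_A`. The new `norole` user and the escaping cases (`t;`, `t*`, `t=`) are therefore exercised only with `"cn"`, so the regression coverage for the NPE fix is thinner than the nested loops suggest. I would hoist the check out of the loop (`if (userRoleAttribute != null) { for (String roleSearch : ...) { ... } }`) with a comment saying why the null case is restricted, or add at least one `addUsers` call for the null case using a role search that does not depend on the user role attribute. The `ROLE_SEARCH_*` constants are defined outside the hunk, so which of them would qualify cannot be told from here.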
@@ -197,6 +206,17 @@ public class TestJNDIRealmIntegration {
 result = conn.processOperation(addUserTestEquals);
 Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode());
+ AddRequest addUserNoRole = new AddRequest(
+ "dn: cn=norole,ou=people,dc=example,dc=com",
+ "objectClass: top",
+ "objectClass: person",
+ "objectClass: organizationalPerson",
+ "cn: norole",
+ "sn: No Role",
+ "userPassword: test");
+ result = conn.processOperation(addUserNoRole);
+ Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode());
+
 AddRequest addGroupTest = new AddRequest(
 "dn: cn=TestGroup,ou=people,dc=example,dc=com",
 "objectClass: top",
Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
@@ -107,6 +107,10 @@
 <subsection name="Catalina">
 <changelog>
 <fix>
+ <bug>63508</bug>: NPE in JNDIRealm when no <code>userRoleAttribute</code>
+ is given. (fschumacher)
+ </fix>
+ <fix>
 <bug>65106</bug>: Fix the ConfigFileLoader handling of file URIs when
 running under a security manager on some JREs. (markt)
 </fix>