Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package tomcat for openSUSE:Factory checked
in at 2023-04-07 18:17:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
and /work/SRC/openSUSE:Factory/.tomcat.new.19717 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tomcat"
Fri Apr 7 18:17:06 2023 rev:92 rq:1077842 version:9.0.43
Changes:
--------
--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes 2023-03-28
17:51:25.043568922 +0200
+++ /work/SRC/openSUSE:Factory/.tomcat.new.19717/tomcat.changes 2023-04-07
18:17:14.940864332 +0200
@@ -1,0 +2,8 @@
+Fri Apr 7 07:56:31 UTC 2023 - Michele Bussolotto <michele.bussolo...@suse.com>
+
+- Fixed CVEs:
+ * CVE-2022-45143: JsonErrorReportValve: add escape for type, message or
description (bsc#1206840)
+- Added patches:
+ * tomcat-9.0.43-CVE-2022-45143.patch
+
+-------------------------------------------------------------------
New:
----
tomcat-9.0.43-CVE-2022-45143.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ tomcat.spec ++++++
--- /var/tmp/diff_new_pack.pCA4uS/_old 2023-04-07 18:17:15.756869033 +0200
+++ /var/tmp/diff_new_pack.pCA4uS/_new 2023-04-07 18:17:15.756869033 +0200
@@ -93,6 +93,7 @@
Patch16: tomcat-9.0-logrotate_everything.patch
Patch17: tomcat-9.0.43-CVE-2023-24998.patch
Patch18: tomcat-9.0.43-CVE-2023-28708.patch
+Patch19: tomcat-9.0.43-CVE-2022-45143.patch
BuildRequires: ant >= 1.8.1
BuildRequires: ant-antlr
@@ -277,6 +278,7 @@
%patch16 -p1
%patch17 -p1
%patch18 -p1
+%patch19 -p1
# remove date from docs
sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl
++++++ tomcat-9.0.43-CVE-2022-45143.patch ++++++
>From b336f4e58893ea35114f1e4a415657f723b1298e Mon Sep 17 00:00:00 2001
From: Mark Thomas <ma...@apache.org>
Date: Wed, 9 Nov 2022 12:39:15 +0000
Subject: [PATCH] Avoid invalid JSON in JSONErrorReportValve output
---
.../catalina/valves/JsonErrorReportValve.java | 7 +-
.../apache/tomcat/util/json/JSONFilter.java | 61 ++++++++++++++
.../tomcat/util/json/TestJSONFilter.java | 82 +++++++++++++++++++
webapps/docs/changelog.xml | 5 ++
4 files changed, 152 insertions(+), 3 deletions(-)
create mode 100644 java/org/apache/tomcat/util/json/JSONFilter.java
create mode 100644 test/org/apache/tomcat/util/json/TestJSONFilter.java
Index:
apache-tomcat-9.0.43-src/java/org/apache/catalina/valves/JsonErrorReportValve.java
===================================================================
---
apache-tomcat-9.0.43-src.orig/java/org/apache/catalina/valves/JsonErrorReportValve.java
+++
apache-tomcat-9.0.43-src/java/org/apache/catalina/valves/JsonErrorReportValve.java
@@ -24,6 +24,7 @@ import org.apache.catalina.connector.Req
import org.apache.catalina.connector.Response;
import org.apache.coyote.ActionCode;
import org.apache.tomcat.util.ExceptionUtils;
+import org.apache.tomcat.util.json.JSONFilter;
import org.apache.tomcat.util.res.StringManager;
/**
@@ -82,9 +83,9 @@ public class JsonErrorReportValve extend
}
}
String jsonReport = "{\n" +
- " \"type\": \"" + type + "\",\n" +
- " \"message\": \"" + message + "\"\n" +
- " \"description\": \"" + description + "\"\n" +
+ " \"type\": \"" + JSONFilter.escape(type) +
"\",\n" +
+ " \"message\": \"" + JSONFilter.escape(message) +
"\",\n" +
+ " \"description\": \"" +
JSONFilter.escape(description) + "\"\n" +
"}";
try {
try {
Index: apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/json/JSONFilter.java
===================================================================
--- /dev/null
+++ apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/json/JSONFilter.java
@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.json;
+
+/**
+ * Provides escaping of values so they can be included in a JSON document.
+ * Escaping is based on the definition of JSON found in
+ * <a href="https://www.rfc-editor.org/rfc/rfc8259.html";>RFC 8259</a>.
+ */
+public class JSONFilter {
+
+ private JSONFilter() {
+ // Utility class. Hide the default constructor.
+ }
+
+ public static String escape(String input) {
+ /*
+ * While any character MAY be escaped, only U+0000 to U+001F (control
+ * characters), U+0022 (quotation mark) and U+005C (reverse solidus)
+ * MUST be escaped.
+ */
+ char[] chars = input.toCharArray();
+ StringBuffer escaped = null;
+ int lastUnescapedStart = 0;
+ for (int i = 0; i < chars.length; i++) {
+ if (chars[i] < 0x20 || chars[i] == 0x22 || chars[i] == 0x5c) {
+ if (escaped == null) {
+ escaped = new StringBuffer(chars.length + 20);
+ }
+ if (lastUnescapedStart < i) {
+ escaped.append(input.subSequence(lastUnescapedStart, i));
+ }
+ lastUnescapedStart = i + 1;
+ escaped.append("\\u");
+ escaped.append(String.format("%04X",
Integer.valueOf(chars[i])));
+ }
+ }
+ if (escaped == null) {
+ return input;
+ } else {
+ if (lastUnescapedStart < chars.length) {
+ escaped.append(input.subSequence(lastUnescapedStart,
chars.length));
+ }
+ return escaped.toString();
+ }
+ }
+}
Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
@@ -133,6 +133,11 @@
<code>RemoteIpFilter</code> determines that this request was submitted
via a secure channel. (lihan)
</fix>
+ <fix>
+ Escape values used to construct output for the
+ <code>JsonErrorReportValve</code> to ensure that it always outputs
valid
+ JSON. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">
Index:
apache-tomcat-9.0.43-src/test/org/apache/tomcat/util/json/TestJSONFilter.java
===================================================================
--- /dev/null
+++
apache-tomcat-9.0.43-src/test/org/apache/tomcat/util/json/TestJSONFilter.java
@@ -0,0 +1,82 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.json;
+
+import java.util.ArrayList;
+import java.util.Collection;
+
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.junit.runners.Parameterized.Parameter;
+
+
+@RunWith(Parameterized.class)
+public class TestJSONFilter {
+
+ @Parameterized.Parameters(name = "{index}: input[{0}], output[{1}]")
+ public static Collection<Object[]> parameters() {
+ Collection<Object[]> parameterSets = new ArrayList<>();
+
+ // Empty
+ parameterSets.add(new String[] { "", "" });
+
+ // Must escape
+ parameterSets.add(new String[] { "\"", "\\u0022" });
+ parameterSets.add(new String[] { "\\", "\\u005C" });
+ // Sample of controls
+ parameterSets.add(new String[] { "\t", "\\u0009" });
+ parameterSets.add(new String[] { "\n", "\\u000A" });
+ parameterSets.add(new String[] { "\r", "\\u000D" });
+
+ // No escape
+ parameterSets.add(new String[] { "aaa", "aaa" });
+
+ // Start
+ parameterSets.add(new String[] { "\naaa", "\\u000Aaaa" });
+ parameterSets.add(new String[] { "\n\naaa", "\\u000A\\u000Aaaa" });
+
+ // Middle
+ parameterSets.add(new String[] { "aaa\naaa", "aaa\\u000Aaaa" });
+ parameterSets.add(new String[] { "aaa\n\naaa", "aaa\\u000A\\u000Aaaa"
});
+
+ // End
+ parameterSets.add(new String[] { "aaa\n", "aaa\\u000A" });
+ parameterSets.add(new String[] { "aaa\n\n", "aaa\\u000A\\u000A" });
+
+ // Start, middle and end
+ parameterSets.add(new String[] { "\naaa\naaa\n",
"\\u000Aaaa\\u000Aaaa\\u000A" });
+ parameterSets.add(new String[] { "\n\naaa\n\naaa\n\n",
"\\u000A\\u000Aaaa\\u000A\\u000Aaaa\\u000A\\u000A" });
+
+ // Multiple
+ parameterSets.add(new String[] { "\n\n", "\\u000A\\u000A" });
+
+ return parameterSets;
+ }
+
+ @Parameter(0)
+ public String input;
+
+ @Parameter(1)
+ public String output;
+
+ @Test
+ public void testStringEscaping() {
+ Assert.assertEquals(output, JSONFilter.escape(input));;
+ }
+}
