On 18/12/2023 17:00, Mark Thomas wrote:
On 17/12/2023 16:32, Sean Whitton wrote:
Hello,

I am working to backport the fix for CVE-2023-46589 to Tomcat version
8.0.14, which is what we have in Debian "jessie".  This is under the
Extended LTS project for older Debian releases, run by Freexian SARL.
     <https://www.freexian.com/lts/extended/>

Sean,

Am I understanding this request correctly?

Freexian has sold at least one customer - probably multiple customers - long term support for Tomcat 8.0.x and has now found that it is unable to provide that support.

Freexian's solution to this dilemma is to ask the Tomcat community - who stopped supporting Tomcat 8.0.x over five years ago in June 2018 - to provide free support to fill this gap in Freexian's capability to support Tomcat.

There are several things that don't seem right about the above so I am looking forward to you correcting my understanding of the circumstances of this request.

I haven't seen a response to my previous post, so for the benefit of any Freexian customers that are watching this thread:

The setError() call is important.

I have back-ported the fix for CVE-2023-46589 to Tomcat 7.0.x at $dayjob and it required 9 changes to be back-ported.

Community support for 8.0.x ended 2.75 years earlier than for 7.0.x; therefore, I would expect back-porting of the CVE-2023-46589 fix to 8.0.x to require additional patches to be back-ported in addition to the 9 required for 7.0.x.

Mark

Mark

I am having a problem backporting this hunk of the fix:

--8<---------------cut here---------------start------------->8---
--- a/java/org/apache/catalina/connector/InputBuffer.java
+++ b/java/org/apache/catalina/connector/InputBuffer.java
@@ -346,11 +348,23 @@ public class InputBuffer extends Reader
          try {
              return coyoteRequest.doRead(bb);
          } catch (BadRequestException bre) {
+            // Set flag used by asynchronous processing to detect errors on non-container threads
              coyoteRequest.setErrorException(bre);
+            // In synchronous processing, this exception may be swallowed by the application so set error flags here. + coyoteRequest.setAttribute(RequestDispatcher.ERROR_EXCEPTION, bre);
+            coyoteRequest.getResponse().setStatus(400);
+            coyoteRequest.setError();
+            // Make the exception visible to the application
              throw bre;
          } catch (IOException ioe) {
+            // Set flag used by asynchronous processing to detect errors on non-container threads
              coyoteRequest.setErrorException(ioe);
+            // In synchronous processing, this exception may be swallowed by the application so set error flags here. + coyoteRequest.setAttribute(RequestDispatcher.ERROR_EXCEPTION, ioe);
+            coyoteRequest.getResponse().setStatus(400);
+            coyoteRequest.setError();
              // Any other IOException on a read is almost always due to the remote client aborting the request.
+            // Make the exception visible to the application
              throw new ClientAbortException(ioe);
          }
      }
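Review bot: the `coyoteRequest.setError()` call that closes each of the two catch blocks cannot simply be left out of the backport; the comment immediately above it in the hunk states why: in synchronous processing the rethrown exception may be swallowed by the application, so the 400 status and the error flag set here are what is left to tell the container that the request failed, while `setErrorException()` is described as serving only the asynchronous path. If `Request.setError()` does not exist in 8.0.14, backport the commit that introduced it (the one Sean points to, 662f9f4f0f) rather than dropping the call. Two mechanical points as well: in both catch blocks the pasted hunk has `+ coyoteRequest.setAttribute(RequestDispatcher.ERROR_EXCEPTION, bre);` (and its `ioe` counterpart) run together onto the same line as the preceding comment, so each must be restored to its own `+` line before the patch will apply; and the new `RequestDispatcher.ERROR_EXCEPTION` reference requires `InputBuffer` to import `javax.servlet.RequestDispatcher`, which should be checked in the 8.0.14 source since it is outside the hunk's context.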
--8<---------------cut here---------------end--------------->8---

The problem is that coyoteRequest does not have a setError method.
I believe that this is because Tomcat 8.0.14 is earlier than commit
662f9f4f0f.  I have not been able to determine whether this is
important.  Can I skip the setError() call, or do I need to call it some
other way?

Many thanks.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
