Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2022-11-22 16:10:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and      /work/SRC/openSUSE:Factory/.tomcat.new.1597 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "tomcat"

Tue Nov 22 16:10:22 2022 rev:87 rq:1037218 version:9.0.43

Changes:
--------
--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes    2022-07-14 
16:34:48.076658751 +0200
+++ /work/SRC/openSUSE:Factory/.tomcat.new.1597/tomcat.changes  2022-11-22 
16:10:28.226117504 +0100
@@ -1,0 +2,16 @@
+Mon Nov 21 07:42:34 UTC 2022 - Michele Bussolotto <michele.bussolo...@suse.com>
+
+- Fixed CVEs:
+  * CVE-2022-42252: reject invalid content-length requests. (bsc#1204918)
+- Added patches:
+  * tomcat-9.0.43-CVE-2022-42252.patch
+
+-------------------------------------------------------------------
+Thu Oct 20 15:58:40 UTC 2022 - Michele Bussolotto <michele.bussolo...@suse.com>
+
+- Fixed CVEs:
+  * CVE-2021-43980: Improve the recycling of Processor objects to make it more 
robust. (bsc#1203868)
+- Added patches:
+  * tomcat-9.0.43-CVE-2021-43980.patch
+
+-------------------------------------------------------------------

New:
----
  tomcat-9.0.43-CVE-2021-43980.patch
  tomcat-9.0.43-CVE-2022-42252.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ tomcat.spec ++++++
--- /var/tmp/diff_new_pack.9ZJBEh/_old  2022-11-22 16:10:29.174122314 +0100
+++ /var/tmp/diff_new_pack.9ZJBEh/_new  2022-11-22 16:10:29.182122354 +0100
@@ -88,6 +88,8 @@
 Patch10:        tomcat-9.0-NPE-JNDIRealm.patch
 Patch11:        tomcat-9.0-CVE-2022-23181.patch
 Patch12:        tomcat-9.0-hardening_getResources.patch
+Patch13:        tomcat-9.0.43-CVE-2021-43980.patch
+Patch14:        tomcat-9.0.43-CVE-2022-42252.patch
 
 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
@@ -266,6 +268,8 @@
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
+%patch13 -p1
+%patch14 -p1
 
 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl


++++++ tomcat-9.0.43-CVE-2021-43980.patch ++++++
>From 170e0f792bd18ff031677890ba2fe50eb7a376c1 Mon Sep 17 00:00:00 2001
From: Mark Thomas <ma...@apache.org>
Date: Tue, 29 Mar 2022 19:15:37 +0100
Subject: [PATCH] Improve the recycling of Processor objects to make it more
 robust.

---
 java/org/apache/coyote/AbstractProtocol.java  | 32 ++++++++++---------
 .../tomcat/util/net/SocketWrapperBase.java    | 17 +++++++---
 webapps/docs/changelog.xml                    |  4 +++
 3 files changed, 33 insertions(+), 20 deletions(-)

Index: apache-tomcat-9.0.43-src/java/org/apache/coyote/AbstractProtocol.java
===================================================================
--- apache-tomcat-9.0.43-src.orig/java/org/apache/coyote/AbstractProtocol.java
+++ apache-tomcat-9.0.43-src/java/org/apache/coyote/AbstractProtocol.java
@@ -794,7 +794,11 @@ public abstract class AbstractProtocol<S
 
             S socket = wrapper.getSocket();
 
-            Processor processor = (Processor) wrapper.getCurrentProcessor();
+            // We take complete ownership of the Processor inside of this 
method to ensure
+            // no other thread can release it while we're using it. Whatever 
processor is
+            // held by this variable will be associated with the SocketWrapper 
before this
+            // method returns.
+            Processor processor = (Processor) wrapper.takeCurrentProcessor();
             if (getLog().isDebugEnabled()) {
                 
getLog().debug(sm.getString("abstractConnectionHandler.connectionsGet",
                         processor, socket));
@@ -879,9 +883,6 @@ public abstract class AbstractProtocol<S
                 processor.setSslSupport(
                         
wrapper.getSslSupport(getProtocol().getClientCertProvider()));
 
-                // Associate the processor with the connection
-                wrapper.setCurrentProcessor(processor);
-
                 SocketState state = SocketState.CLOSED;
                 do {
                     state = processor.process(wrapper, status);
@@ -901,8 +902,6 @@ public abstract class AbstractProtocol<S
                                 release(processor);
                                 // Create the upgrade processor
                                 processor = 
upgradeProtocol.getProcessor(wrapper, getProtocol().getAdapter());
-                                // Associate with the processor with the 
connection
-                                wrapper.setCurrentProcessor(processor);
                             } else {
                                 if (getLog().isDebugEnabled()) {
                                     getLog().debug(sm.getString(
@@ -922,8 +921,6 @@ public abstract class AbstractProtocol<S
                                 
getLog().debug(sm.getString("abstractConnectionHandler.upgradeCreate",
                                         processor, wrapper));
                             }
-                            // Associate with the processor with the connection
-                            wrapper.setCurrentProcessor(processor);
                             // Initialise the upgrade handler (which may 
trigger
                             // some IO using the new protocol which is why the 
lines
                             // above are necessary)
@@ -961,8 +958,8 @@ public abstract class AbstractProtocol<S
                 } else if (state == SocketState.OPEN) {
                     // In keep-alive but between requests. OK to recycle
                     // processor. Continue to poll for the next request.
-                    wrapper.setCurrentProcessor(null);
                     release(processor);
+                    processor = null;
                     wrapper.registerReadInterest();
                 } else if (state == SocketState.SENDFILE) {
                     // Sendfile in progress. If it fails, the socket will be
@@ -987,8 +984,7 @@ public abstract class AbstractProtocol<S
                     // Connection closed. OK to recycle the processor.
                     // Processors handling upgrades require additional clean-up
                     // before release.
-                    wrapper.setCurrentProcessor(null);
-                    if (processor.isUpgrade()) {
+                    if (processor != null && processor.isUpgrade()) {
                         UpgradeToken upgradeToken = 
processor.getUpgradeToken();
                         HttpUpgradeHandler httpUpgradeHandler = 
upgradeToken.getHttpUpgradeHandler();
                         InstanceManager instanceManager = 
upgradeToken.getInstanceManager();
@@ -1009,7 +1005,13 @@ public abstract class AbstractProtocol<S
                             }
                         }
                     }
+
                     release(processor);
+                    processor = null;
+                }
+
+                if (processor != null) {
+                    wrapper.setCurrentProcessor(processor);
                 }
                 return state;
             } catch(java.net.SocketException e) {
@@ -1047,7 +1049,6 @@ public abstract class AbstractProtocol<S
 
             // Make sure socket/processor is removed from the list of current
             // connections
-            wrapper.setCurrentProcessor(null);
             release(processor);
             return SocketState.CLOSED;
         }
@@ -1081,7 +1082,9 @@ public abstract class AbstractProtocol<S
 
         /**
          * Expected to be used by the handler once the processor is no longer
-         * required.
+         * required. Care must be taken to ensure that this method is only
+         * called once per processor, after the request processing has
+         * completed.
          *
          * @param processor Processor being released (that was associated with
          *                  the socket)
@@ -1119,8 +1122,7 @@ public abstract class AbstractProtocol<S
          */
         @Override
         public void release(SocketWrapperBase<S> socketWrapper) {
-            Processor processor = (Processor) 
socketWrapper.getCurrentProcessor();
-            socketWrapper.setCurrentProcessor(null);
+            Processor processor = (Processor) 
socketWrapper.takeCurrentProcessor();
             release(processor);
         }
 
Index: 
apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/net/SocketWrapperBase.java
===================================================================
--- 
apache-tomcat-9.0.43-src.orig/java/org/apache/tomcat/util/net/SocketWrapperBase.java
+++ 
apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/net/SocketWrapperBase.java
@@ -29,6 +29,7 @@ import java.util.concurrent.RejectedExec
 import java.util.concurrent.Semaphore;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicBoolean;
+import java.util.concurrent.atomic.AtomicReference;
 
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
@@ -104,10 +105,12 @@ public abstract class SocketWrapperBase<
     protected volatile OperationState<?> writeOperation = null;
 
     /**
-     * The org.apache.coyote.Processor instance currently associated
-     * with the wrapper.
+     * The org.apache.coyote.Processor instance currently associated with the
+     * wrapper. Only populated when required to maintain wrapper<->Processor
+     * mapping between calls to
+     * {@link AbstractEndpoint.Handler#process(SocketWrapperBase, 
SocketEvent)}.
      */
-    protected Object currentProcessor = null;
+    private final AtomicReference<Object> currentProcessor = new 
AtomicReference<>();
 
     public SocketWrapperBase(E socket, AbstractEndpoint<E,?> endpoint) {
         this.socket = socket;
@@ -134,11 +137,15 @@ public abstract class SocketWrapperBase<
     }
 
     public Object getCurrentProcessor() {
-        return currentProcessor;
+        return currentProcessor.get();
     }
 
     public void setCurrentProcessor(Object currentProcessor) {
-        this.currentProcessor = currentProcessor;
+        this.currentProcessor.set(currentProcessor);
+    }
+
+    public Object takeCurrentProcessor() {
+        return currentProcessor.getAndSet(null);
     }
 
     /**
Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
@@ -485,6 +485,10 @@
         Fix a concurrency issue in the NIO connector that could cause newly
         created connections to be removed from the poller. (markt)
       </fix>
+      <fix>
+        Improve the recycling of Processor objects to make it more robust.
+        (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">

++++++ tomcat-9.0.43-CVE-2022-42252.patch ++++++
>From 4c7f4fd09d2cc1692112ef70b8ee23a7a037ae77 Mon Sep 17 00:00:00 2001
From: Mark Thomas <ma...@apache.org>
Date: Mon, 3 Oct 2022 11:59:01 +0100
Subject: [PATCH] Requests with invalid content-length should always be
 rejected
---

Index: 
apache-tomcat-9.0.43-src/java/org/apache/coyote/http11/Http11InputBuffer.java
===================================================================
--- 
apache-tomcat-9.0.43-src.orig/java/org/apache/coyote/http11/Http11InputBuffer.java
+++ 
apache-tomcat-9.0.43-src/java/org/apache/coyote/http11/Http11InputBuffer.java
@@ -886,7 +886,7 @@ public class Http11InputBuffer implement
                 headerData.lastSignificantChar = pos;
                 byteBuffer.position(byteBuffer.position() - 1);
                 // skipLine() will handle the error
-                return skipLine();
+                return skipLine(false);
             }
 
             // chr is next byte of header name. Convert to lowercase.
@@ -897,7 +897,7 @@ public class Http11InputBuffer implement
 
         // Skip the line and ignore the header
         if (headerParsePos == HeaderParsePosition.HEADER_SKIPLINE) {
-            return skipLine();
+            return skipLine(false);
         }
 
         //
@@ -948,15 +948,11 @@ public class Http11InputBuffer implement
                     } else if (prevChr == Constants.CR && chr == Constants.LF) 
{
                         eol = true;
                     } else if (prevChr == Constants.CR) {
-                        // Invalid value
-                        // Delete the header (it will be the most recent one)
-                        headers.removeHeader(headers.size() - 1);
-                        return skipLine();
+                        // Invalid value - also need to delete header
+                        return skipLine(true);
                     } else if (chr != Constants.HT && 
HttpParser.isControl(chr)) {
-                        // Invalid value
-                        // Delete the header (it will be the most recent one)
-                        headers.removeHeader(headers.size() - 1);
-                        return skipLine();
+                        // Invalid value - also need to delete header
+                        return skipLine(true);
                     } else if (chr == Constants.SP || chr == Constants.HT) {
                         byteBuffer.put(headerData.realPos, chr);
                         headerData.realPos++;
@@ -1004,7 +1000,27 @@ public class Http11InputBuffer implement
     }
 
 
-    private HeaderParseStatus skipLine() throws IOException {
+    private HeaderParseStatus skipLine(boolean deleteHeader) throws 
IOException {
+        boolean rejectThisHeader = rejectIllegalHeader;
+        // Check if rejectIllegalHeader is disabled and needs to be overridden
+        // for this header. The header name is required to determine if this
+        // override is required. The header name is only available once the
+        // header has been created. If the header has been created then
+        // deleteHeader will be true.
+        if (!rejectThisHeader && deleteHeader) {
+            if (headers.getName(headers.size() - 
1).equalsIgnoreCase("content-length")) {
+                // Malformed content-length headers must always be rejected
+                // RFC 9112, section 6.3, bullet 5.
+                rejectThisHeader = true;
+            } else {
+                // Only need to delete the header if the request isn't going to
+                // be rejected (it will be the most recent one)
+                headers.removeHeader(headers.size() - 1);
+            }
+        }
+
+        // Parse the rest of the invalid header so we can construct a useful
+        // exception and/or debug message.
         headerParsePos = HeaderParsePosition.HEADER_SKIPLINE;
         boolean eol = false;
 
@@ -1029,11 +1045,11 @@ public class Http11InputBuffer implement
                 headerData.lastSignificantChar = pos;
             }
         }
-        if (rejectIllegalHeader || log.isDebugEnabled()) {
+        if (rejectThisHeader || log.isDebugEnabled()) {
             String message = sm.getString("iib.invalidheader",
                     HeaderUtil.toPrintableString(byteBuffer.array(), 
headerData.lineStart,
                             headerData.lastSignificantChar - 
headerData.lineStart + 1));
-            if (rejectIllegalHeader) {
+            if (rejectThisHeader) {
                 throw new IllegalArgumentException(message);
             }
             log.debug(message);
Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
@@ -223,6 +223,11 @@
         Avoid possible infinite loop in <code>OpenSSLEngine.unwrap</code>
         when the destination buffers state is changed concurrently. (remm)
       </fix>
+      <fix>
+        Enforce the requirement of RFC 7230 onwards that a request with a
+        malformed <code>content-length</code> header should always be rejected
+        with a 400 response. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">

Reply via email to