Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tomcat for openSUSE:Factory checked in at 2023-03-03 22:28:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tomcat (Old) and /work/SRC/openSUSE:Factory/.tomcat.new.31432 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tomcat" Fri Mar 3 22:28:14 2023 rev:90 rq:1069054 version:9.0.43 Changes: -------- --- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes 2023-01-17 17:35:56.885399790 +0100 +++ /work/SRC/openSUSE:Factory/.tomcat.new.31432/tomcat.changes 2023-03-03 22:31:15.087991396 +0100 @@ -1,0 +2,8 @@ +Tue Feb 28 11:14:24 UTC 2023 - Michele Bussolotto <michele.bussolo...@suse.com> + +- Fixed CVEs: + * CVE-2023-24998: tomcat,tomcat6: FileUpload DoS with excessive parts (bsc#1208513) +- Added patches: + * tomcat-9.0.43-CVE-2023-24998.patch + +------------------------------------------------------------------- New: ---- tomcat-9.0.43-CVE-2023-24998.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tomcat.spec ++++++ --- /var/tmp/diff_new_pack.aK4z6Q/_old 2023-03-03 22:31:16.107995745 +0100 +++ /var/tmp/diff_new_pack.aK4z6Q/_new 2023-03-03 22:31:16.111995763 +0100 @@ -1,7 +1,7 @@ # # spec file for package tomcat # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # Copyright (c) 2000-2009, JPackage Project # # All modifications and additions to the file contributed by third parties @@ -91,6 +91,7 @@ Patch14: tomcat-9.0.43-CVE-2022-42252.patch Patch15: tomcat-9.0-fix_catalina.patch Patch16: tomcat-9.0-logrotate_everything.patch +Patch17: tomcat-9.0.43-CVE-2023-24998.patch BuildRequires: ant >= 1.8.1 BuildRequires: ant-antlr @@ -273,6 +274,7 @@ %patch14 -p1 %patch15 -p1 %patch16 -p1 +%patch17 -p1 # remove date from docs sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl 
@@ -693,7 +695,6 @@ %{serverxmltool} add-context.xslt docBase=%{tomcatappdir}/host-manager path=/host-manager contextXml=%{tomcatappdir}/host-manager/META-INF/context.xml %{serverxmltool} add-context.xslt docBase=%{tomcatappdir}/manager path=/manager contextXml=%{tomcatappdir}/manager/META-INF/context.xml - %postun admin-webapps if [ $1 -eq 0 ]; then # uninstall only %{serverxmltool} remove-context.xslt docBase=%{tomcatappdir}/host-manager path=/host-manager ++++++ tomcat-9.0.43-CVE-2023-24998.patch ++++++ >From cf77cc545de0488fb89e24294151504a7432df74 Mon Sep 17 00:00:00 2001 From: Mark Thomas <ma...@apache.org> Date: Tue, 13 Dec 2022 17:55:34 +0000 Subject: [PATCH] Update packaged renamed fork of Commons File Upload --- MERGE.txt | 2 +- .../apache/catalina/connector/Request.java | 10 +++- .../apache/tomcat/util/http/Parameters.java | 5 ++ .../util/http/fileupload/FileUploadBase.java | 29 +++++++++++ .../impl/FileCountLimitExceededException.java | 50 +++++++++++++++++++ webapps/docs/changelog.xml | 8 +++ webapps/docs/config/ajp.xml | 15 +++--- webapps/docs/config/http.xml | 15 +++--- 8 files changed, 120 insertions(+), 14 deletions(-) create mode 100644 java/org/apache/tomcat/util/http/fileupload/impl/FileCountLimitExceededException.java Index: apache-tomcat-9.0.43-src/MERGE.txt =================================================================== --- apache-tomcat-9.0.43-src.orig/MERGE.txt +++ apache-tomcat-9.0.43-src/MERGE.txt 
@@ -51,7 +51,7 @@ FileUpload Sub-tree: src/main/java/org/apache/commons/fileupload2 The SHA1 ID / tag for the most recent commit to be merged to Tomcat is:
-ee0a7131b6b87586b28542de354951414dedac3f (2021-01-15)
+34eb241c051b02eca3b0b1b04f67b3b4e6c3a24d (2023-01-03)
 Note: Tomcat's copy of fileupload also includes classes copied manually from Commons IO.
Index: apache-tomcat-9.0.43-src/java/org/apache/catalina/connector/Request.java
===================================================================
--- apache-tomcat-9.0.43-src.orig/java/org/apache/catalina/connector/Request.java
+++ apache-tomcat-9.0.43-src/java/org/apache/catalina/connector/Request.java
@@ -2862,8 +2862,9 @@ public class Request implements HttpServ
 }
 }
+ int maxParameterCount = getConnector().getMaxParameterCount();
 Parameters parameters = coyoteRequest.getParameters();
- parameters.setLimit(getConnector().getMaxParameterCount());
+ parameters.setLimit(maxParameterCount);
 boolean success = false;
 try {
@@ -2915,6 +2916,13 @@ public class Request implements HttpServ
 upload.setFileItemFactory(factory);
 upload.setFileSizeMax(mce.getMaxFileSize());
 upload.setSizeMax(mce.getMaxRequestSize());
+ if (maxParameterCount > -1) {
+ // There is a limit. The limit for parts needs to be reduced by
+ // the number of parameters we have already parsed.
+ // Must be under the limit else parsing parameters would have
+ // triggered an exception.
+ upload.setFileCountMax(maxParameterCount - parameters.size());
+ }
 parts = new ArrayList<>();
 try {
Index: apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/http/Parameters.java
===================================================================
--- apache-tomcat-9.0.43-src.orig/java/org/apache/tomcat/util/http/Parameters.java
+++ apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/http/Parameters.java
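Review bot: The part budget set in the second hunk is enforced by the FileCountLimitExceededException this commit introduces, yet nothing in the hunk catches that type, and the catch chain of the enclosing method lies outside the hunk. If it falls through to a generic FileUploadException handler, the request is presumably rejected with a generic I/O failure reason, so the connector documentation's promise that FailedRequestFilter rejects requests over maxParameterCount holds only by accident; a dedicated `catch (FileCountLimitExceededException e)` that records on `parameters` the same parse-failure reason the form-field count limit records would make that explicit — confirm the reason constant against Parameters. Worth stating next to the subtraction is that `maxParameterCount - parameters.size()` can be 0 when form-field parsing already stopped at the limit, which then rejects the very first part: `// May be 0, in which case any part at all exceeds the limit.`. The enclosing method starts and ends outside the hunk.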
@@ -125,6 +125,11 @@ public final class Parameters {
 }
+ public int size() {
+ return parameterCount;
+ }
+
+
 public void recycle() {
 parameterCount = 0;
 paramHashValues.clear();
Index: apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
===================================================================
--- apache-tomcat-9.0.43-src.orig/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
+++ apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
@@ -25,6 +25,7 @@ import java.util.Locale;
 import java.util.Map;
 import java.util.Objects;
+import org.apache.tomcat.util.http.fileupload.impl.FileCountLimitExceededException;
 import org.apache.tomcat.util.http.fileupload.impl.FileItemIteratorImpl;
 import org.apache.tomcat.util.http.fileupload.impl.FileItemStreamImpl;
 import org.apache.tomcat.util.http.fileupload.impl.FileUploadIOException;
@@ -133,6 +134,12 @@ public abstract class FileUploadBase {
 private long fileSizeMax = -1;
 /**
+ * The maximum permitted number of files that may be uploaded in a single
+ * request. A value of -1 indicates no maximum.
+ */
+ private long fileCountMax = -1;
+
+ /**
 * The content encoding to use when reading part headers.
 */
 private String headerEncoding;
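Review bot: `size()` is added without Javadoc, and its name suggests a collection size while it returns `parameterCount`, the counter that `recycle()` zeroes; whether that counter tracks name/value pairs or distinct names is not visible here. Since Request subtracts this value from maxParameterCount to budget the multipart parts, the counting rule is part of the security contract and should be stated on the method, e.g. `/** Returns the number of parameters added since the last recycle, i.e. the count that is compared against the limit. */`, adjusted once the rule is confirmed. The two added blank lines before `recycle()` are also one more than the single blank line the surrounding context shows between members.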
@@ -209,6 +216,24 @@ public abstract class FileUploadBase {
 }
 /**
+ * Returns the maximum number of files allowed in a single request.
+ *
+ * @return The maximum number of files allowed in a single request.
+ */
+ public long getFileCountMax() {
+ return fileCountMax;
+ }
+
+ /**
+ * Sets the maximum number of files allowed per request/
+ *
+ * @param fileCountMax The new limit. {@code -1} means no limit.
+ */
+ public void setFileCountMax(long fileCountMax) {
+ this.fileCountMax = fileCountMax;
+ }
+
+ /**
 * Retrieves the character encoding used when reading the headers of an
 * individual part. When not specified, or {@code null}, the request
 * encoding is used. If that is also not specified, or {@code null},
@@ -281,6 +306,10 @@ public abstract class FileUploadBase {
 final FileItemFactory fileItemFactory = Objects.requireNonNull(getFileItemFactory(), "No FileItemFactory has been set.");
 final byte[] buffer = new byte[Streams.DEFAULT_BUFFER_SIZE];
 while (iter.hasNext()) {
+ if (items.size() == fileCountMax) {
+ // The next item will exceed the limit.
+ throw new FileCountLimitExceededException(ATTACHMENT, getFileCountMax());
+ }
 final FileItemStream item = iter.next();
 // Don't use getName() here to prevent an InvalidFileNameException.
 final String fileName = ((FileItemStreamImpl) item).getName();
Index: apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/http/fileupload/impl/FileCountLimitExceededException.java
===================================================================
--- /dev/null
+++ apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/http/fileupload/impl/FileCountLimitExceededException.java
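Review bot: The exception thrown by the new guard in the second hunk is constructed with `ATTACHMENT` as its detail message, so once Request wraps and logs it the operator sees the bare word "attachment" rather than which limit was hit; a descriptive message costs nothing: `throw new FileCountLimitExceededException("Part count exceeds the configured limit of " + fileCountMax, fileCountMax);`. The guard also tests `items.size() == fileCountMax`, so any negative value other than -1 silently disables the limit; `fileCountMax >= 0 && items.size() >= fileCountMax` states the intent directly and matches the "-1 means no limit" contract the setter documents. Since `items` appears to collect every parsed part, form fields included (confirm in the loop body below the hunk), the limit is effectively a part count — which the Request comment says but the getter/setter Javadoc in the first hunk ("number of files") does not, and the setter summary ends in a stray `/` instead of a period. The enclosing method continues outside the hunk.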
@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.http.fileupload.impl;
+
+import org.apache.tomcat.util.http.fileupload.FileUploadException;
+
+/**
+ * This exception is thrown if a request contains more files than the specified
+ * limit.
+ */
+public class FileCountLimitExceededException extends FileUploadException {
+
+ private static final long serialVersionUID = 2408766352570556046L;
+
+ private final long limit;
+
+ /**
+ * Creates a new instance.
+ *
+ * @param message The detail message
+ * @param limit The limit that was exceeded
+ */
+ public FileCountLimitExceededException(final String message, final long limit) {
+ super(message);
+ this.limit = limit;
+ }
+
+ /**
+ * Retrieves the limit that was exceeded.
+ *
+ * @return The limit that was exceeded by the request
+ */
+ public long getLimit() {
+ return limit;
+ }
+}
Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
@@ -142,6 +142,14 @@ </fix> </changelog> </subsection> + <subsection name="Other"> + <changelog> + <update> + Update the internal fork of Apache Commons FileUpload to 34eb241 + (2023-01-03, 2.0-SNAPSHOT). (markt) + </update> + </changelog> + </subsection> </section> <section name="Tomcat 9.0.42 (markt)" rtext="not released"> <subsection name="Catalina"> Index: apache-tomcat-9.0.43-src/webapps/docs/config/ajp.xml =================================================================== --- apache-tomcat-9.0.43-src.orig/webapps/docs/config/ajp.xml +++ apache-tomcat-9.0.43-src/webapps/docs/config/ajp.xml @@ -136,12 +136,15 @@ </attribute> <attribute name="maxParameterCount" required="false"> - <p>The maximum number of parameter and value pairs (GET plus POST) which - will be automatically parsed by the container. Parameter and value pairs - beyond this limit will be ignored. A value of less than 0 means no limit. - If not specified, a default of 10000 is used. Note that - <code>FailedRequestFilter</code> <a href="filter.html">filter</a> can be - used to reject requests that hit the limit.</p> + <p>The maximum total number of request parameters (including uploaded + files) obtained from the query string and, for POST requests, the request + body if the content type is + <code>application/x-www-form-urlencoded</code> or + <code>multipart/form-data</code>. Request parameters beyond this limit + will be ignored. A value of less than 0 means no limit. If not specified, + a default of 10000 is used. Note that <code>FailedRequestFilter</code> + <a href="filter.html">filter</a> can be used to reject requests that + exceed the limit.</p> </attribute> <attribute name="maxPostSize" required="false"> Index: apache-tomcat-9.0.43-src/webapps/docs/config/http.xml =================================================================== --- apache-tomcat-9.0.43-src.orig/webapps/docs/config/http.xml +++ apache-tomcat-9.0.43-src/webapps/docs/config/http.xml 
@@ -153,12 +153,15 @@ </attribute> <attribute name="maxParameterCount" required="false"> - <p>The maximum number of parameter and value pairs (GET plus POST) which - will be automatically parsed by the container. Parameter and value pairs - beyond this limit will be ignored. A value of less than 0 means no limit. - If not specified, a default of 10000 is used. Note that - <code>FailedRequestFilter</code> <a href="filter.html">filter</a> can be - used to reject requests that hit the limit.</p> + <p>The maximum total number of request parameters (including uploaded + files) obtained from the query string and, for POST requests, the request + body if the content type is + <code>application/x-www-form-urlencoded</code> or + <code>multipart/form-data</code>. Request parameters beyond this limit + will be ignored. A value of less than 0 means no limit. If not specified, + a default of 10000 is used. Note that <code>FailedRequestFilter</code> + <a href="filter.html">filter</a> can be used to reject requests that + exceed the limit.</p> </attribute> <attribute name="maxPostSize" required="false">