Fix CVE-2024-52318

(cherry picked from commit f6da21ee4a0a0605f41c9c798d211fbae42d4215)
2024-11-19 16:31:30 +08:00 · 2024-11-19 16:31:30 +08:00 · 6aaef1d760
commit 6aaef1d760
parent f9c2bffc02
2 changed files with 169 additions and 1 deletions
--- a/CVE-2024-52318.patch
+++ b/CVE-2024-52318.patch
@ -0,0 +1,164 @@
+From 9813c5dd3259183f659bbb83312a5cf673cc1ebf Mon Sep 17 00:00:00 2001
+From: remm <remm@apache.org>
+Date: Tue, 15 Oct 2024 21:51:33 +0200
+Subject: [PATCH] Fix JSP tag release
+
+Origin: https://github.com/apache/tomcat/commit/9813c5dd3259183f659bbb83312a5cf673cc1ebf
+
+BZ 69399: Fix regression caused by the improvement 69333 which caused
+the tag release() to be called  when using tag pooling, and to be
+skipped when not using it.
+Patch submitted by Michal Sobkiewicz.
+---
+ .../org/apache/jasper/compiler/Generator.java |  2 +-
+ .../apache/jasper/compiler/TestGenerator.java | 51 +++++++++++++++++++
+ test/webapp/WEB-INF/bugs.tld                  |  5 ++
+ test/webapp/jsp/generator/release.jsp         | 18 +++++++
+ webapps/docs/changelog.xml                    | 10 ++++
+ 5 files changed, 85 insertions(+), 1 deletion(-)
+ create mode 100644 test/webapp/jsp/generator/release.jsp
+
+diff --git a/java/org/apache/jasper/compiler/Generator.java b/java/org/apache/jasper/compiler/Generator.java
+index 814c8bb9fe50..5df52c3d7adc 100644
+--- a/java/org/apache/jasper/compiler/Generator.java
+++ b/java/org/apache/jasper/compiler/Generator.java
+@@ -2603,7 +2603,7 @@ private void generateCustomEnd(Node.CustomTag n, String tagHandlerVar,
+                 out.print(".reuse(");
+                 out.print(tagHandlerVar);
+                 out.println(");");
+-
+            } else {
+                 // Clean-up
+                 out.printin("org.apache.jasper.runtime.JspRuntimeLibrary.releaseTag(");
+                 out.print(tagHandlerVar);
+diff --git a/test/org/apache/jasper/compiler/TestGenerator.java b/test/org/apache/jasper/compiler/TestGenerator.java
+index f7e3223e331a..087936cd6eb2 100644
+--- a/test/org/apache/jasper/compiler/TestGenerator.java
+++ b/test/org/apache/jasper/compiler/TestGenerator.java
+@@ -526,6 +526,25 @@ public void setData(String data) {
+         }
+     }
+ 
+    private static boolean tagTesterTagReleaseReleased = false;
+
+    public static class TesterTagRelease extends TesterTag {
+        private String data;
+
+        public String getData() {
+            return data;
+        }
+
+        public void setData(String data) {
+            this.data = data;
+        }
+
+        @Override
+        public void release() {
+            tagTesterTagReleaseReleased = true;
+        }
+    }
+
+     public static class DataPropertyEditor extends PropertyEditorSupport {
+     }
+ 
+@@ -947,6 +966,38 @@ public void testBug65390() throws Exception {
+         Assert.assertEquals(body.toString(), HttpServletResponse.SC_OK, rc);
+     }
+ 
+    @Test
+    public void testTagReleaseWithPooling() throws Exception {
+        doTestTagRelease(true);
+    }
+
+    @Test
+    public void testTagReleaseWithoutPooling() throws Exception {
+        doTestTagRelease(false);
+    }
+
+    public void doTestTagRelease(boolean enablePooling) throws Exception {
+        tagTesterTagReleaseReleased = false;
+        Tomcat tomcat = getTomcatInstance();
+
+        File appDir = new File("test/webapp");
+        Context ctxt = tomcat.addContext("", appDir.getAbsolutePath());
+        ctxt.addServletContainerInitializer(new JasperInitializer(), null);
+
+        Tomcat.initWebappDefaults(ctxt);
+        Wrapper w = (Wrapper) ctxt.findChild("jsp");
+        w.addInitParameter("enablePooling", String.valueOf(enablePooling));
+
+        tomcat.start();
+
+        getUrl("http://localhost:" + getPort() + "/jsp/generator/release.jsp");
+        if (enablePooling) {
+            Assert.assertFalse(tagTesterTagReleaseReleased);
+        } else {
+            Assert.assertTrue(tagTesterTagReleaseReleased);
+        }
+    }
+
+     private void doTestJsp(String jspName) throws Exception {
+         doTestJsp(jspName, HttpServletResponse.SC_OK);
+     }
+diff --git a/test/webapp/WEB-INF/bugs.tld b/test/webapp/WEB-INF/bugs.tld
+index 81d050e284fa..a4e496a83357 100644
+--- a/test/webapp/WEB-INF/bugs.tld
+++ b/test/webapp/WEB-INF/bugs.tld
+@@ -108,6 +108,11 @@
+     <tag-class>org.apache.jasper.compiler.TestGenerator$TesterTagA</tag-class>
+     <body-content>JSP</body-content>
+   </tag>
+  <tag>
+    <name>TesterTagRelease</name>
+    <tag-class>org.apache.jasper.compiler.TestGenerator$TesterTagRelease</tag-class>
+    <body-content>JSP</body-content>
+  </tag>
+   <tag>
+     <name>TesterScriptingTag</name>
+     <tag-class>org.apache.jasper.compiler.TestGenerator$TesterScriptingTag</tag-class>
+diff --git a/test/webapp/jsp/generator/release.jsp b/test/webapp/jsp/generator/release.jsp
+new file mode 100644
+index 000000000000..ae2d1d19f09a
+--- /dev/null
+++ b/test/webapp/jsp/generator/release.jsp
+@@ -0,0 +1,18 @@
+<%--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+--%>
+<%@ taglib uri="http://tomcat.apache.org/bugs" prefix="bugs" %>
+<bugs:TesterTagRelease/>
+\ No newline at end of file
+diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
+index 72932e81a5c2..4d34ec5008b5 100644
+--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
+@@ -173,6 +173,16 @@
+       </fix>
+     </changelog>
+   </subsection>
+  <subsection name="Jasper">
+    <changelog>
+      <fix>
+        <bug>69399</bug>: Fix regression caused by the improvement
+        <bug>69333</bug> which caused the tag <code>release</code> to be called
+        when using tag pooling, and to be skipped when not using it.
+        Patch submitted by Michal Sobkiewicz. (remm)
+      </fix>
+    </changelog>
+  </subsection>
+   <subsection name="Other">
+     <changelog>
+       <update>
--- a/tomcat.spec
+++ b/tomcat.spec
@ -23,7 +23,7 @@
 Name:          tomcat
 Epoch:         1
 Version:       %{major_version}.%{minor_version}.%{micro_version}
-Release:       1
+Release:       2
 Summary:       Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API

 License:       Apache-2.0
@ -51,6 +51,7 @@ Patch4:        rhbz-1857043.patch
 # remove bnd dependency which version is too low on rhel8
 Patch6:        remove-bnd-annotation.patch
 Patch7:        build-with-jdk-1.8.patch
+Patch8:        CVE-2024-52318.patch

 BuildArch:     noarch

@ -417,6 +418,9 @@ fi
 %{appdir}/docs

 %changelog
+* Tue Nov 19 2024 wangkai <13474090681@163.com> - 1:9.0.96-2
+- Fix CVE-2024-52318
+
 * Thu Nov 07 2024 chenyaqiang <chengyaqiang@huawei.com> - 1:9.0.96-1
 - Update to 9.0.96
 - Fix CVE-2021-43980 CVE-2022-25762 CVE-2023-44487 CVE-2023-46589