!65 Refix CVE-2021-41079

From: @wk333 Reviewed-by: @small_leek Signed-off-by: @small_leek
2022-04-27 03:47:13 +00:00 · 2022-04-27 03:47:13 +00:00 · 8f2d6efbdf
commit 8f2d6efbdf
parent 30bc121f90 8f55dc4d12
2 changed files with 26 additions and 5 deletions
--- a/CVE-2021-41079.patch
+++ b/CVE-2021-41079.patch
@ -4,8 +4,9 @@ Date: Wed, 3 Mar 2021 12:00:46 +0000
 Subject: [PATCH] Improve robustness

 ---
- java/org/apache/tomcat/util/net/openssl/LocalStrings.properties | 1 +
- 1 file changed, 1 insertion(+)
+ .../apache/tomcat/util/net/openssl/LocalStrings.properties  | 1 +
+ java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java  | 6 ++++--
+ 2 files changed, 5 insertions(+), 2 deletions(-)

 diff --git a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
 index 1919159..1ab5f43 100644
@ -19,6 +20,23 @@ index 1919159..1ab5f43 100644
 engine.unsupportedProtocol=Protocol [{0}] is not supported
 engine.unverifiedPeer=Peer unverified
 engine.noSession=SSL session ID not available
+diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+index 15c6f56..b837fd6 100644
+--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+@@ -593,8 +593,10 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
+                     throw new SSLException(e);
+                 }
+ 
+-                if (bytesRead == 0) {
+-                    break;
+                if (bytesRead <= 0) {
+                    // This should not be possible. pendingApp is positive
+                    // therefore the read should have read at least one byte.
+                    throw new IllegalStateException(sm.getString("engine.failedToReadAvailableBytes"));
+                 }
+ 
+                 bytesProduced += bytesRead;
 -- 
-2.23.0
+2.27.0

--- a/tomcat.spec
+++ b/tomcat.spec
@ -13,12 +13,12 @@
 Name:          tomcat
 Epoch:         1
 Version:       %{major_version}.%{minor_version}.%{micro_version}
-Release:       25
+Release:       26
 Summary:       Implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies
 License:       ASL 2.0
 URL:           http://tomcat.apache.org/

-Source0:       https://github.com/apache/tomcat/archive/%{version}.tar.gz 
+Source0:       https://github.com/apache/tomcat/archive/%{version}.tar.gz
 Source1:       %{name}-%{major_version}.%{minor_version}.conf
 Source3:       %{name}-%{major_version}.%{minor_version}.sysconfig
 Source4:       %{name}-%{major_version}.%{minor_version}.wrapper
@ -502,6 +502,9 @@ fi
 %{_javadocdir}/%{name}

 %changelog
+* Mon Apr 25 2022 wangkai <wangkai@h-partners.com - 1:9.0.10-26
+- Refix CVE-2021-41079
+
 * Fri Feb 18 2022 wangkai <wangkai385@huawei.com> - 1:9.0.10-25
 - Fix CVE-2022-23181