!97 修复 CVE-2023-41080 和解决软连接指向为空

From: @wk333 Reviewed-by: @caodongxia Signed-off-by: @caodongxia
2023-09-07 07:46:24 +00:00 · 2023-09-07 07:46:24 +00:00 · a4aaf5674d
commit a4aaf5674d
parent e01b79affd f97d0f9c3c
2 changed files with 37 additions and 4 deletions
--- a/CVE-2023-41080.patch
+++ b/CVE-2023-41080.patch
@ -0,0 +1,29 @@
+From 77c0ce2d169efa248b64b992e547aad549ec906b Mon Sep 17 00:00:00 2001
+From: Mark Thomas <markt@apache.org>
+Date: Tue, 22 Aug 2023 11:31:23 -0700
+Subject: [PATCH] Avoid protocol relative redirects
+
+Origin: https://github.com/apache/tomcat/commit/77c0ce2d169efa248b64b992e547aad549ec906b
+
+---
+ .../apache/catalina/authenticator/FormAuthenticator.java    | 6 ++++++
+ webapps/docs/changelog.xml                                  | 3 +++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java
+index a57db51776b..d54cc62182e 100644
+--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
+@@ -747,6 +747,12 @@ protected String savedRequestURL(Session session) {
+             sb.append('?');
+             sb.append(saved.getQueryString());
+         }
+
+        // Avoid protocol relative redirects
+        while (sb.length() > 1 && sb.charAt(1) == '/') {
+            sb.deleteCharAt(0);
+        }
+
+         return sb.toString();
+     }
+ }
--- a/tomcat.spec
+++ b/tomcat.spec
@ -13,7 +13,7 @@
 Name:          tomcat
 Epoch:         1
 Version:       %{major_version}.%{minor_version}.%{micro_version}
-Release:       30
+Release:       31
 Summary:       Implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies
 License:       ASL 2.0
 URL:           http://tomcat.apache.org/
@ -104,6 +104,7 @@ Patch6069: CVE-2022-23181.patch
 Patch6070: CVE-2022-42252.patch
 Patch6071: CVE-2023-28708-pre.patch
 Patch6072: CVE-2023-28708.patch
+Patch6073: CVE-2023-41080.patch

 BuildRequires: ecj >= 1:4.6.1 findutils apache-commons-collections apache-commons-daemon
 BuildRequires: apache-commons-dbcp apache-commons-pool tomcat-taglibs-standard ant
@ -111,9 +112,8 @@ BuildRequires: jpackage-utils >= 0:1.7.0 java-devel >= 1:1.8.0 junit javapackage
 BuildRequires: geronimo-saaj aqute-bndlib aqute-bnd systemd-units wsdl4j geronimo-jaxrpc

 Requires:      procps jpackage-utils java-headless >= 1:1.8.0 apache-commons-daemon
-Requires:      tomcat-taglibs-standard >= 0:1.1 ecj
-
-Requires:      libtcnative-1-0 >= 1.2.14
+Requires:      tomcat-taglibs-standard >= 0:1.1 ecj libtcnative-1-0 >= 1.2.14
+Requires:      apache-commons-dbcp apache-commons-pool apache-commons-collections

 Requires(pre):    shadow-utils
 Requires(post):   chkconfig
@ -505,6 +505,10 @@ fi
 %{_javadocdir}/%{name}

 %changelog
+* Thu Sep 07 2023 wangkai <13474090681@163.com> - 1:9.0.10-31
+- Fix CVE-2023-41080
+- Add requires apache-commons-dbcp,pool,collections for fix path error
+
 * Mon Apr 17 2023 wangkai <13474090681@163.com> - 1:9.0.10-30
 - Fix CVE-2023-28708