Fix CVE-2022-23181

(cherry picked from commit 002e53906d56d1be5c33056a57c3bdc7af994e32)
2022-02-18 10:47:30 +08:00 · 2022-02-18 10:47:30 +08:00 · c0cba87395
commit c0cba87395
parent 940ae4303b
2 changed files with 35 additions and 1 deletions
--- a/CVE-2022-23181.patch
+++ b/CVE-2022-23181.patch
@ -0,0 +1,30 @@
+From 1385c624b4a1e994426e810075c850edc38a700e Mon Sep 17 00:00:00 2001
+From: Mark Thomas <markt@apache.org>
+Date: Wed, 12 Jan 2022 11:11:29 +0000
+Subject: [PATCH] Make calculation of session storage location more robust
+
+---
+ java/org/apache/catalina/session/FileStore.java | 5 +++--
+ 1 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/java/org/apache/catalina/session/FileStore.java b/java/org/apache/catalina/session/FileStore.java
+index cac6027abdc..e42a72a4c87 100644
+--- a/java/org/apache/catalina/session/FileStore.java
+++ b/java/org/apache/catalina/session/FileStore.java
+@@ -349,13 +349,14 @@ private File file(String id) throws IOException {
+ 
+         String filename = id + FILE_EXT;
+         File file = new File(storageDir, filename);
+        File canonicalFile = file.getCanonicalFile();
+ 
+         // Check the file is within the storage directory
+-        if (!file.getCanonicalFile().toPath().startsWith(storageDir.getCanonicalFile().toPath())) {
+        if (!canonicalFile.toPath().startsWith(storageDir.getCanonicalFile().toPath())) {
+             log.warn(sm.getString("fileStore.invalid", file.getPath(), id));
+             return null;
+         }
+ 
+-        return file;
+        return canonicalFile;
+     }
+ }
--- a/tomcat.spec
+++ b/tomcat.spec
@ -13,7 +13,7 @@
 Name:          tomcat
 Epoch:         1
 Version:       %{major_version}.%{minor_version}.%{micro_version}
-Release:       24
+Release:       25
 Summary:       Implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies
 License:       ASL 2.0
 URL:           http://tomcat.apache.org/
@ -100,6 +100,7 @@ Patch6055: CVE-2021-30640-7.patch
 Patch6056: CVE-2021-30640-8.patch
 Patch6057: CVE-2021-41079.patch
 Patch6058: CVE-2021-42340.patch
+Patch6069: CVE-2022-23181.patch

 BuildRequires: ecj >= 1:4.6.1 findutils apache-commons-collections apache-commons-daemon
 BuildRequires: apache-commons-dbcp apache-commons-pool tomcat-taglibs-standard ant
@ -501,6 +502,9 @@ fi
 %{_javadocdir}/%{name}

 %changelog
+* Fri Feb 18 2022 wangkai <wangkai385@huawei.com> - 1:9.0.10-25
+- Fix CVE-2022-23181
+
 * Wed Nov 10 2021 caodongxia <caodongxia@huawei.com> - 1:9.0.10-24
 - Replace recommends libtcnative-1-0 with requires libtcnative-1-0