From b6d8c8687646e53a58923514c5b2b415f86c4403 Mon Sep 17 00:00:00 2001
From: yangjinlin01
Date: Sat, 10 May 2025 21:07:31 +0800
Subject: [PATCH] [CVE] FIX CVE-2025-31650 to #20803 add patch to fix CVE-2025-31650 Project: TC2024080204
Signed-off-by: yangjinlin01
---
bugfix-for-cve-2025-31650.patch | 67 +++++++++++++++++++++++++++++++++
tomcat.spec | 7 +++-
2 files changed, 73 insertions(+), 1 deletion(-)
create mode 100644 bugfix-for-cve-2025-31650.patch
diff --git a/bugfix-for-cve-2025-31650.patch b/bugfix-for-cve-2025-31650.patch
new file mode 100644
index 0000000..81a11b5
--- /dev/null
+++ b/bugfix-for-cve-2025-31650.patch
@@ -0,0 +1,67 @@
+From 91b39b33d725e82f7a9c9bcdf2ac1d6fda761ef3 Mon Sep 17 00:00:00 2001
+From: Mark Thomas
+Date: Wed, 19 Mar 2025 03:47:11 +0000
+Subject: [PATCH] Improve handling of unexpected errors during HTTP/2
+ processing
+
+---
+ java/org/apache/coyote/http2/Http2UpgradeHandler.java | 8 ++++++++
+ java/org/apache/coyote/http2/LocalStrings.properties | 1 +
+ webapps/docs/changelog.xml | 3 +++
+ 3 files changed, 12 insertions(+)
+
+diff --git a/java/org/apache/coyote/http2/Http2UpgradeHandler.java b/java/org/apache/coyote/http2/Http2UpgradeHandler.java
+index a45a354..2c4880a 100644
+--- a/java/org/apache/coyote/http2/Http2UpgradeHandler.java
++++ b/java/org/apache/coyote/http2/Http2UpgradeHandler.java
+@@ -47,6 +47,7 @@ import org.apache.coyote.http2.Http2Parser.Input;
+ import org.apache.coyote.http2.Http2Parser.Output;
+ import org.apache.juli.logging.Log;
+ import org.apache.juli.logging.LogFactory;
++import org.apache.tomcat.util.ExceptionUtils;
+ import org.apache.tomcat.util.http.MimeHeaders;
+ import org.apache.tomcat.util.http.parser.Priority;
+ import org.apache.tomcat.util.log.UserDataHelper;
+@@ -439,6 +440,13 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
+ log.debug(sm.getString("upgradeHandler.ioerror", connectionId), ioe);
+ }
+ close();
++ } catch (Throwable t) {
++ ExceptionUtils.handleThrowable(t);
++ if (log.isDebugEnabled()) {
++ log.debug(sm.getString("upgradeHandler.throwable", connectionId), t);
++ }
++ // Unexpected errors close the connection.
++ close();
+ }
+
+ if (log.isTraceEnabled()) {
+diff --git a/java/org/apache/coyote/http2/LocalStrings.properties b/java/org/apache/coyote/http2/LocalStrings.properties
+index 6ab82e8..82251c9 100644
+--- a/java/org/apache/coyote/http2/LocalStrings.properties
++++ b/java/org/apache/coyote/http2/LocalStrings.properties
+@@ -159,6 +159,7 @@ upgradeHandler.stream.error=Connection [{0}], Stream [{1}] Closed due to error
+ upgradeHandler.stream.even=A new remote stream ID of [{0}] was requested but all remote streams must use odd identifiers
+ upgradeHandler.stream.notWritable=Connection [{0}], Stream [{1}], This stream is in state [{2}] and is not writable
+ upgradeHandler.stream.old=A new remote stream ID of [{0}] was requested but the most recent stream was [{1}]
++upgradeHandler.throwable=Connection [{0}]
+ upgradeHandler.tooManyRemoteStreams=The client attempted to use more than [{0}] active streams
+ upgradeHandler.tooMuchOverhead=Connection [{0}], Too much overhead so the connection will be closed
+ upgradeHandler.unexpectedAck=Connection [{0}], Stream [{1}], A settings acknowledgement was received when not expected
+diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
+index 1b9bc9e..cf70b67 100644
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -225,6 +225,9 @@
+
+ Enhance lifecycle of temporary files used by partial PUT. (remm)
+
++
++ Improve handling of unexpected errors during HTTP/2 processing. (markt)
++
+
+
+
+--
+2.39.3
+
diff --git a/tomcat.spec b/tomcat.spec
index 190f79c..61c19f6 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -1,4 +1,4 @@ -%define anolis_release 2 +%define anolis_release 3 %global jspspec 2.3 %global major_version 9
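Review bot: It is not evident from this patch alone that CVE-2025-31650 is fully addressed, because the embedded change is limited to a `catch (Throwable t)` in `Http2UpgradeHandler` plus one message key and a changelog line. As I understand the upstream advisory, the issue concerns clean-up after invalid HTTP priority headers, and nothing in header parsing or stream clean-up is touched here, so please confirm against the advisory that no companion commits are needed for 9.0.98. The new branch also logs only under `log.isDebugEnabled()` with the bare message `upgradeHandler.throwable=Connection [{0}]`, so a connection closed by this path leaves no trace at default log levels. Operators who want to spot repeated hits would need debug logging for `org.apache.coyote.http2.Http2UpgradeHandler`, which is worth stating in the release note. The enclosing method starts and ends outside the embedded hunk, so how `close()` interacts with the earlier catch blocks cannot be checked from here.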
@@ -56,6 +56,8 @@ Patch6: %{name}-%{major_version}.%{minor_version}-bnd-annotation.patch # https://github.com/apache/tomcat/commit/eb61aade8f8daccaecabf07d428b877975622f72 Patch7: bugfix-for-cve-2025-24813.patch +#https://github.com/apache/tomcat/commit/b7674782679e1514a0d154166b1d04d38aaac4a9 +Patch8: bugfix-for-cve-2025-31650.patch BuildArch: noarch @@ -523,6 +525,9 @@ fi %doc {NOTICE,RELEASE*} %changelog +* Sat May 10 2025 yangjinglin01 - 1:9.0.98-3 +- Fix CVE-2025-31650 + * Tue Apr 15 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 1:9.0.98-2 - Fix CVE-2025-24813 -- Gitee
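Review bot: The provenance comment added above `Patch8` points at upstream commit `b7674782679e1514a0d154166b1d04d38aaac4a9`, but the patch file added in this same commit is headed `From 91b39b33d725e82f7a9c9bcdf2ac1d6fda761ef3`. The two hashes should be reconciled or the difference explained (presumably a rebase onto 9.0.98), otherwise the backport cannot be audited line-for-line against upstream. The comment also drops the space after `#` that the `Patch7` comment uses; `# https://github.com/apache/tomcat/commit/b7674782679e1514a0d154166b1d04d38aaac4a9` followed by `# backported to 9.0.98, local hash differs from upstream` would cover both. Separately, the `%changelog` entry in the last hunk spells the author `yangjinglin01`, while the commit's From and Signed-off-by lines say `yangjinlin01`.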