From f7b7ed6a66e64962181e1de1b84540efa8bdc32c Mon Sep 17 00:00:00 2001
From: changtao
Date: Tue, 14 Oct 2025 20:45:08 +0800
Subject: [PATCH] fix CVE-2025-61795
---
 CVE-2025-61795.patch | 88 ++++++++++++++++++++++++++++++++++++++++++++
 tomcat.spec | 6 ++-
 2 files changed, 93 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2025-61795.patch
diff --git a/CVE-2025-61795.patch b/CVE-2025-61795.patch
new file mode 100644
index 0000000..25b2208
--- /dev/null
+++ b/CVE-2025-61795.patch
@@ -0,0 +1,88 @@
+From 1cdf5f730ede75a0759492f179ac21ca4ff68e06 Mon Sep 17 00:00:00 2001
+From: Mark Thomas
+Date: Mon, 29 Sep 2025 17:50:43 +0100
+Subject: [PATCH] Explicitly clean up after failed multi-part upload
+
+---
+ .../connector/LocalStrings.properties | 1 +
+ .../apache/catalina/connector/Request.java | 28 +++++++++++++------
+ webapps/docs/changelog.xml | 4 +++
+ 3 files changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/java/org/apache/catalina/connector/LocalStrings.properties b/java/org/apache/catalina/connector/LocalStrings.properties
+index c4951cf..92a1c61 100644
+--- a/java/org/apache/catalina/connector/LocalStrings.properties
++++ b/java/org/apache/catalina/connector/LocalStrings.properties
+@@ -93,6 +93,7 @@ request.asyncNotSupported=A filter or servlet of the current chain does not supp
+ request.fragmentInDispatchPath=The fragment in dispatch path [{0}] has been removed
+ request.illegalWrap=The request wrapper must wrap the request obtained from getRequest()
+ request.notAsync=It is illegal to call this method if the current request is not in asynchronous mode (i.e. isAsyncStarted() returns false)
++request.partCleanup.failed=Unable to delete temporary file for uploaded part after multi-part processing failed
+ request.session.failed=Failed to load session [{0}] due to [{1}]
+
+ requestFacade.nullRequest=The request object has been recycled and is no longer associated with this facade
+diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java
+index e6168bb..0a30618 100644
+--- a/java/org/apache/catalina/connector/Request.java
++++ b/java/org/apache/catalina/connector/Request.java
+@@ -2637,9 +2637,11 @@ public class Request implements HttpServletRequest {
+ upload.setFileCountMax(partLimit);
+
+ parts = new ArrayList<>();
++ List items = null;
++ boolean success = false;
+ try {
+- List items = upload.parseRequest(new ServletRequestContext(this));
+- int maxPostSize = getConnector().getMaxPostSize();
++ items = upload.parseRequest(new ServletRequestContext(this));
++ int maxPostSize = getConnector().getMaxPostSize();
+ long postSize = 0;
+ Charset charset = getCharset();
+ for (FileItem item : items) {
+@@ -2690,12 +2692,22 @@ public class Request implements HttpServletRequest {
+ partsParseException = e;
+ }
+ } finally {
+- // This might look odd but is correct. setParseFailedReason() only
+- // sets the failure reason if none is currently set. This code could
+- // be more efficient but it is written this way to be robust with
+- // respect to changes in the remainder of the method.
+- if (partsParseException != null || !success) {
+- parameters.setParseFailedReason(FailReason.UNKNOWN);
++ /*
++ * GC will delete any temporary copies of uploaded files left in the work directory but if we know that the
++ * upload has failed then explicitly clean up now.
++ */
++ if (!success) {
++ parts.clear();
++ if (items != null) {
++ for (FileItem item : items) {
++ try {
++ item.delete();
++ } catch (Throwable t) {
++ ExceptionUtils.handleThrowable(t);
++ log.warn(sm.getString("request.partCleanup.failed"), t);
++ }
++ }
++ }
+ }
+ }
+ }
+diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
+index 23d4d07..229b392 100644
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -131,6 +131,10 @@
+ and clarify that a stream reset always triggers an overhead increase.
+ (markt)
+
++
++ Be proactive in cleaning up temporary files after a failed multi-part
++ upload rather than waiting for GC to do it. (markt)
++
+
+
+
+--
+2.46.0
+
diff --git a/tomcat.spec b/tomcat.spec
index 84c54e5..b09d76f 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -23,7 +23,7 @@ Name: tomcat
 Epoch: 1
 Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 8
+Release: 9
 Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
 License: Apache-2.0
@@ -66,6 +66,7 @@ Patch19: CVE-2025-52520.patch
 Patch20: CVE-2025-53506.patch
 Patch21: CVE-2025-55668.patch
 Patch22: CVE-2025-48989.patch
+Patch23: CVE-2025-61795.patch
 BuildArch: noarch
@@ -432,6 +433,9 @@ fi
 %{appdir}/docs
 %changelog
+* Tue Oct 28 2025 changtao - 1:9.0.100-9
+- Fix CVE-2025-61795
+
 * Fri Aug 15 2025 Yu Peng - 1:9.0.100-8
 - Fix CVE-2025-48989
-- Gitee
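Review bot: The rewritten `finally` in the second Request.java hunk of CVE-2025-61795.patch removes `parameters.setParseFailedReason(FailReason.UNKNOWN)` together with the comment that explained it, and nothing visible in the patch restores that fallback, so a multipart parse that fails without recording a specific reason may no longer be marked as failed; unless that is intended, keep `if (partsParseException != null || !success) { parameters.setParseFailedReason(FailReason.UNKNOWN); }` ahead of the new cleanup. The cleanup also calls `parts.clear()` unconditionally when `!success`; the start of the enclosing `try` is outside the hunk, so if this `finally` can be reached before `parts = new ArrayList<>()` has run, it would throw a NullPointerException from the `finally`, which `if (parts != null) { parts.clear(); }` avoids. The first Request.java hunk adds `boolean success = false;` although the removed condition already read `success`, which suggests an earlier declaration outside the hunk; a second declaration in a nested scope does not compile in Java, so this backport is worth confirming with a build before the package is released.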