
Bug 889596 (CVE-2022-45143)

Summary: <www-servers/tomcat-{8.5.84,9.0.69,10.1.2}: JsonErrorReportValve injection
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: fordfrog, java
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj
Whiteboard: B4 [glsa+]
Package list:
Runtime testing required: ---

Description John Helmert III 2023-01-03 20:44:26 UTC
CVE-2022-45143:

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.
Comment 1 John Helmert III 2023-01-03 20:45:16 UTC
Is 10.0 affected?
Comment 2 Larry the Git Cow 2023-01-04 08:05:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2451ac41755ade568c777ea96ed6714fdbce8061

commit 2451ac41755ade568c777ea96ed6714fdbce8061
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2023-01-04 08:05:21 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-01-04 08:05:21 +0000

    www-servers/tomcat: dropped eol'd tomcat 10
    
    https://tomcat.apache.org/tomcat-10.0-eol.html
    
    Bug: https://bugs.gentoo.org/889596
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest                        |   1 -
 .../tomcat-10.0.16-build.xml-strip-html5.patch     |  31 --
 .../tomcat/files/tomcat-10.0.26-build.xml.patch    | 347 ---------------------
 www-servers/tomcat/tomcat-10.0.27.ebuild           | 202 ------------
 4 files changed, 581 deletions(-)
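Review bot: the only ebuild removed is tomcat-10.0.27, a version that sits outside the affected ranges the advisory lists (8.5.83, 9.0.40 to 9.0.68, 10.1.0-M1 to 10.1.1) and is not answered by the upstream text either way; since 10.0 is end-of-life and will receive no fix, dropping the slot is the safe action, but the commit message should say that 10.0 is being removed because it is unsupported for CVE-2022-45143 rather than only linking the EOL page, so the GLSA can cite it.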
Comment 3 Miroslav Šulc 2023-01-04 08:06:20 UTC
we're clean now. tomcat 10 has already been eol'd, that's why it's missing from the report I guess.
Comment 4 John Helmert III 2023-01-04 17:40:33 UTC
Thanks!
Comment 5 John Helmert III 2023-05-29 23:17:51 UTC
GLSA request filed.
Comment 6 Larry the Git Cow 2023-05-30 03:05:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=a8b85191c046076a4e4d12c8541d49e1473aaa66

commit a8b85191c046076a4e4d12c8541d49e1473aaa66
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-30 03:03:08 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-30 03:05:04 +0000

    [ GLSA 202305-37 ] Apache Tomcat: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/878911
    Bug: https://bugs.gentoo.org/889596
    Bug: https://bugs.gentoo.org/896370
    Bug: https://bugs.gentoo.org/907387
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-37.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
Comment 7 John Helmert III 2023-05-30 03:06:56 UTC
GLSA released, all done!
Comment 8 Larry the Git Cow 2023-05-31 02:20:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=023c3018165ffad6f1f6a874561e1c3c555cb505

commit 023c3018165ffad6f1f6a874561e1c3c555cb505
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-05-31 02:20:03 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-31 02:20:25 +0000

    [ GLSA 202305-37 ] fix versions, add other slots
    
    Bug: https://bugs.gentoo.org/878911
    Bug: https://bugs.gentoo.org/889596
    Bug: https://bugs.gentoo.org/896370
    Bug: https://bugs.gentoo.org/907387
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-37.xml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)