Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 889596 (CVE-2022-45143) - <www-servers/tomcat-{8.5.84,9.0.69,10.1.2}: JsonErrorReportValve injection
Summary: <www-servers/tomcat-{8.5.84,9.0.69,10.1.2}: JsonErrorReportValve injection
Status: RESOLVED FIXED
Alias: CVE-2022-45143
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://lists.apache.org/thread/yqkd1...
Whiteboard: B4 [glsa+]
Keywords:
Depends on:
Blocks:
 
Reported: 2023-01-03 20:44 UTC by John Helmert III
Modified: 2023-05-31 02:20 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-03 20:44:26 UTC
CVE-2022-45143:

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-03 20:45:16 UTC
Is 10.0 affected?
Comment 2 Larry the Git Cow gentoo-dev 2023-01-04 08:05:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2451ac41755ade568c777ea96ed6714fdbce8061

commit 2451ac41755ade568c777ea96ed6714fdbce8061
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2023-01-04 08:05:21 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-01-04 08:05:21 +0000

    www-servers/tomcat: dropped eol'd tomcat 10
    
    https://tomcat.apache.org/tomcat-10.0-eol.html
    
    Bug: https://bugs.gentoo.org/889596
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest                        |   1 -
 .../tomcat-10.0.16-build.xml-strip-html5.patch     |  31 --
 .../tomcat/files/tomcat-10.0.26-build.xml.patch    | 347 ---------------------
 www-servers/tomcat/tomcat-10.0.27.ebuild           | 202 ------------
 4 files changed, 581 deletions(-)
Comment 3 Miroslav Šulc gentoo-dev 2023-01-04 08:06:20 UTC
we're clean now. tomcat 10 has been already eol'd, that's why it's missing from the report i guess.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-04 17:40:33 UTC
Thanks!
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-29 23:17:51 UTC
GLSA request filed.
Comment 6 Larry the Git Cow gentoo-dev 2023-05-30 03:05:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=a8b85191c046076a4e4d12c8541d49e1473aaa66

commit a8b85191c046076a4e4d12c8541d49e1473aaa66
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-30 03:03:08 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-30 03:05:04 +0000

    [ GLSA 202305-37 ] Apache Tomcat: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/878911
    Bug: https://bugs.gentoo.org/889596
    Bug: https://bugs.gentoo.org/896370
    Bug: https://bugs.gentoo.org/907387
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-37.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-30 03:06:56 UTC
GLSA released, all done!
Comment 8 Larry the Git Cow gentoo-dev 2023-05-31 02:20:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=023c3018165ffad6f1f6a874561e1c3c555cb505

commit 023c3018165ffad6f1f6a874561e1c3c555cb505
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-05-31 02:20:03 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-31 02:20:25 +0000

    [ GLSA 202305-37 ] fix versions, add other slots
    
    Bug: https://bugs.gentoo.org/878911
    Bug: https://bugs.gentoo.org/889596
    Bug: https://bugs.gentoo.org/896370
    Bug: https://bugs.gentoo.org/907387
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-37.xml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)