Version in base suite: 10.1.34-0+deb12u1

Base version: tomcat10_10.1.34-0+deb12u1
Target version: tomcat10_10.1.34-0+deb12u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/t/tomcat10/tomcat10_10.1.34-0+deb12u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/t/tomcat10/tomcat10_10.1.34-0+deb12u2.dsc

 changelog                    |   12 ++++++++
 patches/CVE-2025-24813.patch |   58 +++++++++++++++++++++++++++++++++++++++++++
 patches/series               |    1 
 3 files changed, 71 insertions(+)

diff -Nru tomcat10-10.1.34/debian/changelog tomcat10-10.1.34/debian/changelog
--- tomcat10-10.1.34/debian/changelog	2025-01-16 21:40:13.000000000 +0000
+++ tomcat10-10.1.34/debian/changelog	2025-04-01 21:03:17.000000000 +0000
@@ -1,3 +1,15 @@
+tomcat10 (10.1.34-0+deb12u2) bookworm-security; urgency=high
+
+  * Team upload.
+  * Fix CVE-2025-24813:
+    It was found that a malicious user was able to view security sensitive
+    files and/or inject content into those files when writes were enabled for
+    the default servlet (disabled by default) and support for partial PUT was
+    enabled (default). Under certain circumstances, depending on the
+    application in use, remote code execution may have been possible.
+
+ -- Markus Koschany <apo@debian.org>  Wed, 01 Apr 2025 23:03:17 +0200
+
 tomcat10 (10.1.34-0+deb12u1) bookworm-security; urgency=high
 
   * Team upload.
diff -Nru tomcat10-10.1.34/debian/patches/CVE-2025-24813.patch tomcat10-10.1.34/debian/patches/CVE-2025-24813.patch
--- tomcat10-10.1.34/debian/patches/CVE-2025-24813.patch	1970-01-01 00:00:00.000000000 +0000
+++ tomcat10-10.1.34/debian/patches/CVE-2025-24813.patch	2025-04-01 21:03:17.000000000 +0000
@@ -0,0 +1,58 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sat, 29 Mar 2025 11:47:08 +0100
+Subject: CVE-2025-24813
+
+Origin: https://github.com/apache/tomcat/commit/eb61aade8f8daccaecabf07d428b877975622f72
+---
+ java/org/apache/catalina/servlets/DefaultServlet.java | 17 +++++++----------
+ 1 file changed, 7 insertions(+), 10 deletions(-)
+
+diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java
+index 2accac4..3186135 100644
+--- a/java/org/apache/catalina/servlets/DefaultServlet.java
++++ b/java/org/apache/catalina/servlets/DefaultServlet.java
+@@ -611,7 +611,7 @@ public class DefaultServlet extends HttpServlet {
+         }
+ 
+         InputStream resourceInputStream = null;
+-
++        File tempContentFile = null;
+         try {
+             // Append data specified in ranges to existing content for this
+             // resource - create a temp. file on the local filesystem to
+@@ -620,8 +620,8 @@ public class DefaultServlet extends HttpServlet {
+             if (range == IGNORE) {
+                 resourceInputStream = req.getInputStream();
+             } else {
+-                File contentFile = executePartialPut(req, range, path);
+-                resourceInputStream = new FileInputStream(contentFile);
++                tempContentFile = executePartialPut(req, range, path);
++                resourceInputStream = new FileInputStream(tempContentFile);
+             }
+ 
+             if (resources.write(path, resourceInputStream, true)) {
+@@ -645,6 +645,9 @@ public class DefaultServlet extends HttpServlet {
+                     // Ignore
+                 }
+             }
++            if (tempContentFile != null) {
++                tempContentFile.delete();
++            }
+         }
+     }
+ 
+@@ -667,13 +670,7 @@ public class DefaultServlet extends HttpServlet {
+         // resource - create a temp. file on the local filesystem to
+         // perform this operation
+         File tempDir = (File) getServletContext().getAttribute(ServletContext.TEMPDIR);
+-        // Convert all '/' characters to '.' in resourcePath
+-        String convertedResourcePath = path.replace('/', '.');
+-        File contentFile = new File(tempDir, convertedResourcePath);
+-        if (contentFile.createNewFile()) {
+-            // Clean up contentFile when Tomcat is terminated
+-            contentFile.deleteOnExit();
+-        }
++        File contentFile = File.createTempFile("put-part-", null, tempDir);
+ 
+         try (RandomAccessFile randAccessContentFile = new RandomAccessFile(contentFile, "rw")) {
+ 
diff -Nru tomcat10-10.1.34/debian/patches/series tomcat10-10.1.34/debian/patches/series
--- tomcat10-10.1.34/debian/patches/series	2025-01-16 21:40:13.000000000 +0000
+++ tomcat10-10.1.34/debian/patches/series	2025-04-01 21:03:17.000000000 +0000
@@ -12,3 +12,4 @@
 0021-dont-test-unsupported-ciphers.patch
 exclude-TestJNDIRealmIntegration.patch
 disable-jacoco.patch
+CVE-2025-24813.patch