Version in base suite: 10.1.34-0+deb12u1 Base version: tomcat10_10.1.34-0+deb12u1 Target version: tomcat10_10.1.34-0+deb12u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/t/tomcat10/tomcat10_10.1.34-0+deb12u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/t/tomcat10/tomcat10_10.1.34-0+deb12u2.dsc changelog | 12 ++++++++ patches/CVE-2025-24813.patch | 58 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 71 insertions(+)
diff -Nru tomcat10-10.1.34/debian/changelog tomcat10-10.1.34/debian/changelog
--- tomcat10-10.1.34/debian/changelog 2025-01-16 21:40:13.000000000 +0000
+++ tomcat10-10.1.34/debian/changelog 2025-04-01 21:03:17.000000000 +0000
@@ -1,3 +1,15 @@
+tomcat10 (10.1.34-0+deb12u2) bookworm-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2025-24813:
+ It was found that a malicious user was able to view security sensitive
+ files and/or inject content into those files when writes were enabled for
+ the default servlet (disabled by default) and support for partial PUT was
+ enabled (default). Under certain circumstances, depending on the
+ application in use, remote code execution may have been possible.
+
+ -- Markus Koschany Wed, 01 Apr 2025 23:03:17 +0200
+
 tomcat10 (10.1.34-0+deb12u1) bookworm-security; urgency=high
 * Team upload.
diff -Nru tomcat10-10.1.34/debian/patches/CVE-2025-24813.patch tomcat10-10.1.34/debian/patches/CVE-2025-24813.patch
--- tomcat10-10.1.34/debian/patches/CVE-2025-24813.patch 1970-01-01 00:00:00.000000000 +0000
+++ tomcat10-10.1.34/debian/patches/CVE-2025-24813.patch 2025-04-01 21:03:17.000000000 +0000
@@ -0,0 +1,58 @@
+From: Markus Koschany
+Date: Sat, 29 Mar 2025 11:47:08 +0100
+Subject: CVE-2025-24813
+
+Origin: https://github.com/apache/tomcat/commit/eb61aade8f8daccaecabf07d428b877975622f72
+---
+ java/org/apache/catalina/servlets/DefaultServlet.java | 17 +++++++----------
+ 1 file changed, 7 insertions(+), 10 deletions(-)
+
+diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java
+index 2accac4..3186135 100644
+--- a/java/org/apache/catalina/servlets/DefaultServlet.java
++++ b/java/org/apache/catalina/servlets/DefaultServlet.java
+@@ -611,7 +611,7 @@ public class DefaultServlet extends HttpServlet {
+ }
+
+ InputStream resourceInputStream = null;
+-
++ File tempContentFile = null;
+ try {
+ // Append data specified in ranges to existing content for this
+ // resource - create a temp. file on the local filesystem to
+@@ -620,8 +620,8 @@ public class DefaultServlet extends HttpServlet {
+ if (range == IGNORE) {
+ resourceInputStream = req.getInputStream();
+ } else {
+- File contentFile = executePartialPut(req, range, path);
+- resourceInputStream = new FileInputStream(contentFile);
++ tempContentFile = executePartialPut(req, range, path);
++ resourceInputStream = new FileInputStream(tempContentFile);
+ }
+
+ if (resources.write(path, resourceInputStream, true)) {
+@@ -645,6 +645,9 @@ public class DefaultServlet extends HttpServlet {
+ // Ignore
+ }
+ }
++ if (tempContentFile != null) {
++ tempContentFile.delete();
++ }
+ }
+ }
+
+@@ -667,13 +670,7 @@ public class DefaultServlet extends HttpServlet {
+ // resource - create a temp. file on the local filesystem to
+ // perform this operation
+ File tempDir = (File) getServletContext().getAttribute(ServletContext.TEMPDIR);
+- // Convert all '/' characters to '.' in resourcePath
+- String convertedResourcePath = path.replace('/', '.');
+- File contentFile = new File(tempDir, convertedResourcePath);
+- if (contentFile.createNewFile()) {
+- // Clean up contentFile when Tomcat is terminated
+- contentFile.deleteOnExit();
+- }
++ File contentFile = File.createTempFile("put-part-", null, tempDir);
+
+ try (RandomAccessFile randAccessContentFile = new RandomAccessFile(contentFile, "rw")) {
+
diff -Nru tomcat10-10.1.34/debian/patches/series tomcat10-10.1.34/debian/patches/series
--- tomcat10-10.1.34/debian/patches/series 2025-01-16 21:40:13.000000000 +0000
+++ tomcat10-10.1.34/debian/patches/series 2025-04-01 21:03:17.000000000 +0000
@@ -12,3 +12,4 @@
 0021-dont-test-unsupported-ciphers.patch
 exclude-TestJNDIRealmIntegration.patch
 disable-jacoco.patch
+CVE-2025-24813.patch
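Review bot: The temporary file created by the new `File contentFile = File.createTempFile("put-part-", null, tempDir);` line in the last hunk of the embedded patch is deleted only in doPut's finally block (third hunk) through `tempContentFile`, which is assigned only once executePartialPut returns, so an IOException thrown while the following RandomAccessFile block copies the request body leaves the file behind in the context temp directory, and the removed `contentFile.deleteOnExit()` no longer reclaims it at shutdown. Deleting it on that failure path, e.g. appending `catch (IOException e) { contentFile.delete(); throw e; }` to the try-with-resources (the method must already propagate IOException, since createTempFile declares it and the hunk shows no catch), or keeping `deleteOnExit()` as a fallback, would close that gap; that try block continues outside the hunk. Using `Files.createTempFile(tempDir.toPath(), "put-part-", null).toFile()` instead would additionally create the file with owner-only permissions on POSIX, which `File.createTempFile` does not guarantee. The DEP-3 header could also state how this backport relates to the upstream 10.1.35 release, which, if I recall correctly, additionally gated partial PUT behind an `allowPartialPut` init parameter defaulting to false, whereas only the temp-file change is carried here.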