From f6da21ee4a0a0605f41c9c798d211fbae42d4215 Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Tue, 19 Nov 2024 16:31:30 +0800
Subject: [PATCH] Fix CVE-2024-52318
---
 CVE-2024-52318.patch | 164 +++++++++++++++++++++++++++++++++++++++++++
 tomcat.spec | 6 +-
 2 files changed, 169 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2024-52318.patch
diff --git a/CVE-2024-52318.patch b/CVE-2024-52318.patch
new file mode 100644
index 0000000..14e24fb
--- /dev/null
+++ b/CVE-2024-52318.patch
@@ -0,0 +1,164 @@
+From 9813c5dd3259183f659bbb83312a5cf673cc1ebf Mon Sep 17 00:00:00 2001
+From: remm
+Date: Tue, 15 Oct 2024 21:51:33 +0200
+Subject: [PATCH] Fix JSP tag release
+
+Origin: https://github.com/apache/tomcat/commit/9813c5dd3259183f659bbb83312a5cf673cc1ebf
+
+BZ 69399: Fix regression caused by the improvement 69333 which caused
+the tag release() to be called when using tag pooling, and to be
+skipped when not using it.
+Patch submitted by Michal Sobkiewicz.
+---
+ .../org/apache/jasper/compiler/Generator.java | 2 +-
+ .../apache/jasper/compiler/TestGenerator.java | 51 +++++++++++++++++++
+ test/webapp/WEB-INF/bugs.tld | 5 ++
+ test/webapp/jsp/generator/release.jsp | 18 +++++++
+ webapps/docs/changelog.xml | 10 ++++
+ 5 files changed, 85 insertions(+), 1 deletion(-)
+ create mode 100644 test/webapp/jsp/generator/release.jsp
+
+diff --git a/java/org/apache/jasper/compiler/Generator.java b/java/org/apache/jasper/compiler/Generator.java
+index 814c8bb9fe50..5df52c3d7adc 100644
+--- a/java/org/apache/jasper/compiler/Generator.java
++++ b/java/org/apache/jasper/compiler/Generator.java
+@@ -2603,7 +2603,7 @@ private void generateCustomEnd(Node.CustomTag n, String tagHandlerVar,
+ out.print(".reuse(");
+ out.print(tagHandlerVar);
+ out.println(");");
+-
++ } else {
+ // Clean-up
+ out.printin("org.apache.jasper.runtime.JspRuntimeLibrary.releaseTag(");
+ out.print(tagHandlerVar);
+diff --git a/test/org/apache/jasper/compiler/TestGenerator.java b/test/org/apache/jasper/compiler/TestGenerator.java
+index f7e3223e331a..087936cd6eb2 100644
+--- a/test/org/apache/jasper/compiler/TestGenerator.java
++++ b/test/org/apache/jasper/compiler/TestGenerator.java
+@@ -526,6 +526,25 @@ public void setData(String data) {
+ }
+ }
+
++ private static boolean tagTesterTagReleaseReleased = false;
++
++ public static class TesterTagRelease extends TesterTag {
++ private String data;
++
++ public String getData() {
++ return data;
++ }
++
++ public void setData(String data) {
++ 
this.data = data;
++ }
++
++ @Override
++ public void release() {
++ tagTesterTagReleaseReleased = true;
++ }
++ }
++
+ public static class DataPropertyEditor extends PropertyEditorSupport {
+ }
+
+@@ -947,6 +966,38 @@ public void testBug65390() throws Exception {
+ Assert.assertEquals(body.toString(), HttpServletResponse.SC_OK, rc);
+ }
+
++ @Test
++ public void testTagReleaseWithPooling() throws Exception {
++ doTestTagRelease(true);
++ }
++
++ @Test
++ public void testTagReleaseWithoutPooling() throws Exception {
++ doTestTagRelease(false);
++ }
++
++ public void doTestTagRelease(boolean enablePooling) throws Exception {
++ tagTesterTagReleaseReleased = false;
++ Tomcat tomcat = getTomcatInstance();
++
++ File appDir = new File("test/webapp");
++ Context ctxt = tomcat.addContext("", appDir.getAbsolutePath());
++ ctxt.addServletContainerInitializer(new JasperInitializer(), null);
++
++ Tomcat.initWebappDefaults(ctxt);
++ Wrapper w = (Wrapper) ctxt.findChild("jsp");
++ w.addInitParameter("enablePooling", String.valueOf(enablePooling));
++
++ tomcat.start();
++
++ getUrl("http://localhost:" + getPort() + "/jsp/generator/release.jsp");
++ if (enablePooling) {
++ Assert.assertFalse(tagTesterTagReleaseReleased);
++ } else {
++ Assert.assertTrue(tagTesterTagReleaseReleased);
++ }
++ }
++
+ private void doTestJsp(String jspName) throws Exception {
+ doTestJsp(jspName, HttpServletResponse.SC_OK);
+ }
+diff --git a/test/webapp/WEB-INF/bugs.tld b/test/webapp/WEB-INF/bugs.tld
+index 81d050e284fa..a4e496a83357 100644
+--- a/test/webapp/WEB-INF/bugs.tld
++++ b/test/webapp/WEB-INF/bugs.tld
+@@ -108,6 +108,11 @@
+ org.apache.jasper.compiler.TestGenerator$TesterTagA
+ JSP
+
++
++ TesterTagRelease
++ org.apache.jasper.compiler.TestGenerator$TesterTagRelease
++ JSP
++
+
+ TesterScriptingTag
+ org.apache.jasper.compiler.TestGenerator$TesterScriptingTag
+diff --git a/test/webapp/jsp/generator/release.jsp b/test/webapp/jsp/generator/release.jsp
+new file mode 100644
+index 
000000000000..ae2d1d19f09a
+--- /dev/null
++++ b/test/webapp/jsp/generator/release.jsp
+@@ -0,0 +1,18 @@
++<%--
++ Licensed to the Apache Software Foundation (ASF) under one or more
++ contributor license agreements. See the NOTICE file distributed with
++ this work for additional information regarding copyright ownership.
++ The ASF licenses this file to You under the Apache License, Version 2.0
++ (the "License"); you may not use this file except in compliance with
++ the License. You may obtain a copy of the License at
++
++ http://www.apache.org/licenses/LICENSE-2.0
++
++ Unless required by applicable law or agreed to in writing, software
++ distributed under the License is distributed on an "AS IS" BASIS,
++ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ See the License for the specific language governing permissions and
++ limitations under the License.
++--%>
++<%@ taglib uri="http://tomcat.apache.org/bugs" prefix="bugs" %>
++
+\ No newline at end of file
+diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
+index 72932e81a5c2..4d34ec5008b5 100644
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -173,6 +173,16 @@
+
+
+
++
++
++
++ 69399: Fix regression caused by the improvement
++ 69333 which caused the tag release to be called
++ when using tag pooling, and to be skipped when not using it.
++ Patch submitted by Michal Sobkiewicz. (remm)
++
++
++
+
+
+
diff --git a/tomcat.spec b/tomcat.spec
index c5d4914..265eaf3 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -23,7 +23,7 @@ Name: tomcat
 Epoch: 1
 Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 1
+Release: 2
 Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
 License: Apache-2.0
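Review bot: `tagTesterTagReleaseReleased` in the embedded TestGenerator.java hunk is a plain `private static boolean` that `release()` sets, presumably on the thread serving the JSP request, while `doTestTagRelease` reads it on the test thread after `getUrl(...)` returns, so the assertion relies on the HTTP round-trip to establish visibility rather than on the field itself; `private static volatile boolean tagTesterTagReleaseReleased = false;` makes the cross-thread handoff explicit. `doTestTagRelease` carries no `@Test` and is only invoked by the two test methods above it, so `private void doTestTagRelease(boolean enablePooling) throws Exception {` would match the `private void doTestJsp` in the context lines below. The embedded patch's header names BZ 69399 and the upstream commit but not the CVE, so only the file name ties it to CVE-2024-52318; a `CVE: CVE-2024-52318` line next to `Origin:` would keep that traceability inside the file. The embedded Generator.java and TestGenerator.java hunks are excerpts of methods and classes that begin and end outside this patch.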
@@ -51,6 +51,7 @@ Patch4: rhbz-1857043.patch
 # remove bnd dependency which version is too low on rhel8
 Patch6: remove-bnd-annotation.patch
 Patch7: build-with-jdk-1.8.patch
+Patch8: CVE-2024-52318.patch
 BuildArch: noarch
@@ -417,6 +418,9 @@ fi
 %{appdir}/docs
 %changelog
+* Tue Nov 19 2024 wangkai <13474090681@163.com> - 1:9.0.96-2
+- Fix CVE-2024-52318
+
 * Thu Nov 07 2024 chenyaqiang - 1:9.0.96-1
 - Update to 9.0.96
 - Fix CVE-2021-43980 CVE-2022-25762 CVE-2023-44487 CVE-2023-46589
--
Gitee
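Review bot: `+Patch8: CVE-2024-52318.patch` in the `@@ -51,6 +51,7 @@` hunk only declares the source; nothing in this patch applies it, and if `%prep` applies patches with explicit `%patchN` lines rather than `%autosetup`/`%autopatch`, the build would complete with Release 2 and a changelog entry claiming the fix while the Jasper change is never applied. The `%prep` section lies outside these hunks, so this cannot be confirmed here; if it lists patches individually, add `%patch8 -p1` after the existing `%patch7` line in the same form. Checking that the unpacked tree contains the `} else {` branch in `java/org/apache/jasper/compiler/Generator.java` after `%prep` would confirm the fix is actually in the build.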