From 5e41705fc08ca4a15f8665e9609ebf4c2c04b72d Mon Sep 17 00:00:00 2001
From: zhanghua1831 <zhanghua1831@163.com>
Date: Tue, 15 Dec 2020 11:36:15 +0800
Subject: [PATCH]  fix CVE-2020-17527

---
 CVE-2020-17527.patch | 47 ++++++++++++++++++++++++++++++++++++++++++++
 tomcat.spec          |  9 ++++++++-
 2 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2020-17527.patch

diff --git a/CVE-2020-17527.patch b/CVE-2020-17527.patch
new file mode 100644
index 0000000..f1fafa3
--- /dev/null
+++ b/CVE-2020-17527.patch
@@ -0,0 +1,47 @@
+From d56293f816d6dc9e2b47107f208fa9e95db58c65 Mon Sep 17 00:00:00 2001
+From: Mark Thomas <markt@apache.org>
+Date: Mon, 9 Nov 2020 19:23:12 +0000
+Subject: [PATCH] Fix BZ 64830 - concurrency issue in HPACK decoder
+
+https://bz.apache.org/bugzilla/show_bug.cgi?id=64830
+---
+ java/org/apache/coyote/http2/HpackDecoder.java | 12 ++++--------
+ 1 files changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/java/org/apache/coyote/http2/HpackDecoder.java b/java/org/apache/coyote/http2/HpackDecoder.java
+index 551101b33a..517dc0b4ae 100644
+--- a/java/org/apache/coyote/http2/HpackDecoder.java
++++ b/java/org/apache/coyote/http2/HpackDecoder.java
+@@ -72,8 +72,6 @@
+     private volatile boolean countedCookie;
+     private volatile int headerSize = 0;
+ 
+-    private final StringBuilder stringBuilder = new StringBuilder();
+-
+     HpackDecoder(int maxMemorySize) {
+         this.maxMemorySizeHard = maxMemorySize;
+         this.maxMemorySizeSoft = maxMemorySize;
+@@ -222,19 +220,17 @@ private String readHpackString(ByteBuffer buffer) throws HpackException {
+         if (huffman) {
+             return readHuffmanString(length, buffer);
+         }
++        StringBuilder stringBuilder = new StringBuilder(length);
+         for (int i = 0; i < length; ++i) {
+             stringBuilder.append((char) buffer.get());
+         }
+-        String ret = stringBuilder.toString();
+-        stringBuilder.setLength(0);
+-        return ret;
++        return stringBuilder.toString();
+     }
+ 
+     private String readHuffmanString(int length, ByteBuffer buffer) throws HpackException {
++        StringBuilder stringBuilder = new StringBuilder(length);
+         HPackHuffman.decode(buffer, length, stringBuilder);
+-        String ret = stringBuilder.toString();
+-        stringBuilder.setLength(0);
+-        return ret;
++        return stringBuilder.toString();
+     }
+ 
+     private String handleIndexedHeaderName(int index) throws HpackException {
diff --git a/tomcat.spec b/tomcat.spec
index 7764221..6d41933 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -13,7 +13,7 @@
 Name:          tomcat
 Epoch:         1
 Version:       %{major_version}.%{minor_version}.%{micro_version}
-Release:       15
+Release:       16
 Summary:       Implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies
 License:       ASL 2.0
 URL:           http://tomcat.apache.org/
@@ -74,6 +74,7 @@ Patch6028: CVE-2020-13943-1.patch
 Patch6029: CVE-2020-13943-2.patch
 Patch6030: CVE-2020-13943-3.patch
 Patch6031: CVE-2020-13943-4.patch
+Patch6032: CVE-2020-17527.patch
 
 BuildRequires: ecj >= 1:4.6.1 findutils apache-commons-collections apache-commons-daemon
 BuildRequires: apache-commons-dbcp apache-commons-pool tomcat-taglibs-standard ant
@@ -475,6 +476,12 @@ fi
 %{_javadocdir}/%{name}
 
 %changelog
+* Sat Dec 12 2020 zhanghua <zhanghua40@huawei.com> - 1:9.0.10-16
+- Type:cve
+- ID: CVE-2020-17527
+- SUG:restart
+- DESC: fix CVE-2020-17527
+
 * Wed Dec 2 2020 jialei <jialei17@huawei.com> - 1:9.0.10-15
 - Type:cves
 - ID: CVE-2020-13943
-- 
Gitee