File tomcat-9.0.36-CVE-2024-52316.patch of Package tomcat.37354
From 7532f9dc4a8c37ec958f79dc82c4924a6c539223 Mon Sep 17 00:00:00 2001
From: Mark Thomas <markt@apache.org>
Date: Thu, 19 Sep 2024 13:25:24 +0100
Subject: [PATCH] If the Jakarta Authentication fails with an exception, set a
500 status
Depending on what fails where, the status may not be set or may be set
incorrectly.
Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/authenticator/AuthenticatorBase.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/authenticator/AuthenticatorBase.java
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/authenticator/AuthenticatorBase.java
@@ -906,6 +906,8 @@ public abstract class AuthenticatorBase
authStatus = state.serverAuthContext.validateRequest(state.messageInfo, client, null);
} catch (AuthException e) {
log.debug(sm.getString("authenticator.loginFail"), e);
+ // Need to explicitly set the return code as the ServerAuthContext may not have done.
+ response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
return false;
}
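Review bot: `response.setStatus(...)` on the added line is silently ignored once the response has been committed, so if the ServerAuthContext wrote and flushed a reply before throwing the AuthException, the client still gets whatever status the module chose rather than 500; either guard it, `if (!response.isCommitted()) { response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); }`, or extend the new comment to say that the committed case is knowingly left to the module. The comment could also state why 500 rather than 401/403 is the right code here — the failure is a server-side error in the authentication module, not a credential rejection, and the point of the change (per the commit message) is that the request must not fall through with the status unset. The exception is still logged only at debug level on the line above, so in production a 500 produced here leaves no server-side record of its cause unless debug logging is enabled; that line is unchanged by this commit but is worth revisiting with it. The enclosing method starts and ends outside the hunk.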
Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
@@ -129,6 +129,11 @@
Simplify the closing on an HTTP/2 stream when an error condition is
present. (markt)
</scode>
+ <fix>
+ If the Jakarta Authentication process fails with an Exception,
+ explicitly set the HTTP response status to 500 as the
+ <code>ServerAuthContext</code> may not have set it. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">