[tomcat8] 01/01: Fixed CVE-2014-7810: Potential issue with BeanELresolver when running under a security manager

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Fri Dec 18 14:41:20 UTC 2015 

This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch wheezy-backports
in repository tomcat8.

commit 0140867ccb31866f2f2a3e24fa737fb9a35a3a65
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Fri Dec 18 13:08:36 2015 +0100

    Fixed CVE-2014-7810: Potential issue with BeanELresolver when running under a security manager
---
 debian/changelog                   |   8 +++
 debian/patches/CVE-2014-7810.patch | 110 +++++++++++++++++++++++++++++++++++++
 debian/patches/series              |   1 +
 3 files changed, 119 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index a4bf210..f2a45c1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+tomcat8 (8.0.14-1~bpo70+2) wheezy-backports; urgency=medium
+
+  * Fixed CVE-2014-7810: Malicious web applications could use expression
+    language to bypass the protections of a Security Manager as expressions
+    were evaluated within a privileged code section.
+
+ -- Emmanuel Bourg <ebourg at apache.org>  Fri, 18 Dec 2015 10:20:56 +0100
+
 tomcat8 (8.0.14-1~bpo70+1) wheezy-backports; urgency=low
 
   * Rebuild for wheezy-backports
diff --git a/debian/patches/CVE-2014-7810.patch b/debian/patches/CVE-2014-7810.patch
new file mode 100644
index 0000000..dfbd540
--- /dev/null
+++ b/debian/patches/CVE-2014-7810.patch
@@ -0,0 +1,110 @@
+Description: CVE-2014-7810: Fix potential issue with BeanELresolver when running under a security manager.
+ Some classes may not be accessible but may have accessible interfaces.
+Origin: backport, http://svn.apache.org/r1644018
+                  http://svn.apache.org/r1645642
+diff --git a/java/javax/el/BeanELResolver.java b/java/javax/el/BeanELResolver.java
+index 3b40e8c..032662a 100644
+--- a/java/javax/el/BeanELResolver.java
++++ b/java/javax/el/BeanELResolver.java
+@@ -229,15 +229,39 @@ public class BeanELResolver extends ELResolver {
+             try {
+                 BeanInfo info = Introspector.getBeanInfo(this.type);
+                 PropertyDescriptor[] pds = info.getPropertyDescriptors();
+-                for (int i = 0; i < pds.length; i++) {
+-                    this.properties.put(pds[i].getName(), new BeanProperty(
+-                            type, pds[i]));
++                for (PropertyDescriptor pd: pds) {
++                    this.properties.put(pd.getName(), new BeanProperty(type, pd));
++                }
++                if (System.getSecurityManager() != null) {
++                    // When running with SecurityManager, some classes may be
++                    // not accessible, but have accessible interfaces.
++                    populateFromInterfaces(type);
+                 }
+             } catch (IntrospectionException ie) {
+                 throw new ELException(ie);
+             }
+         }
+ 
++        private void populateFromInterfaces(Class<?> aClass) throws IntrospectionException {
++            Class<?> interfaces[] = aClass.getInterfaces();
++            if (interfaces.length > 0) {
++                for (Class<?> ifs : interfaces) {
++                    BeanInfo info = Introspector.getBeanInfo(ifs);
++                    PropertyDescriptor[] pds = info.getPropertyDescriptors();
++                    for (PropertyDescriptor pd : pds) {
++                        if (!this.properties.containsKey(pd.getName())) {
++                            this.properties.put(pd.getName(), new BeanProperty(
++                                    this.type, pd));
++                        }
++                    }
++                }
++            }
++            Class<?> superclass = aClass.getSuperclass();
++            if (superclass != null) {
++                populateFromInterfaces(superclass);
++            }
++        }
++
+         private BeanProperty get(ELContext ctx, String name) {
+             BeanProperty property = this.properties.get(name);
+             if (property == null) {
+diff --git a/java/org/apache/jasper/runtime/PageContextImpl.java b/java/org/apache/jasper/runtime/PageContextImpl.java
+index 280a822..a4f04e0 100644
+--- a/java/org/apache/jasper/runtime/PageContextImpl.java
++++ b/java/org/apache/jasper/runtime/PageContextImpl.java
+@@ -926,37 +926,11 @@ public class PageContextImpl extends PageContext {
+             final Class<?> expectedType, final PageContext pageContext,
+             final ProtectedFunctionMapper functionMap)
+             throws ELException {
+-        Object retValue;
+         final ExpressionFactory exprFactory = jspf.getJspApplicationContext(pageContext.getServletContext()).getExpressionFactory();
+-        if (SecurityUtil.isPackageProtectionEnabled()) {
+-            try {
+-                retValue = AccessController
+-                        .doPrivileged(new PrivilegedExceptionAction<Object>() {
+-
+-                            @Override
+-                            public Object run() throws Exception {
+-                                ELContextImpl ctx = (ELContextImpl) pageContext.getELContext();
+-                                ctx.setFunctionMapper(functionMap);
+-                                ValueExpression ve = exprFactory.createValueExpression(ctx, expression, expectedType);
+-                                return ve.getValue(ctx);
+-                            }
+-                        });
+-            } catch (PrivilegedActionException ex) {
+-                Exception realEx = ex.getException();
+-                if (realEx instanceof ELException) {
+-                    throw (ELException) realEx;
+-                } else {
+-                    throw new ELException(realEx);
+-                }
+-            }
+-        } else {
+-            ELContextImpl ctx = (ELContextImpl) pageContext.getELContext();
+-            ctx.setFunctionMapper(functionMap);
+-            ValueExpression ve = exprFactory.createValueExpression(ctx, expression, expectedType);
+-            retValue = ve.getValue(ctx);
+-        }
+-
+-        return retValue;
++        ELContextImpl ctx = (ELContextImpl) pageContext.getELContext();
++        ctx.setFunctionMapper(functionMap);
++        ValueExpression ve = exprFactory.createValueExpression(ctx, expression, expectedType);
++        return ve.getValue(ctx);
+     }
+ 
+     @Override
+diff --git a/java/org/apache/jasper/security/SecurityClassLoad.java b/java/org/apache/jasper/security/SecurityClassLoad.java
+index fc020b3..109a700 100644
+--- a/java/org/apache/jasper/security/SecurityClassLoad.java
++++ b/java/org/apache/jasper/security/SecurityClassLoad.java
+@@ -91,8 +91,6 @@ public final class SecurityClassLoad {
+                 "runtime.PageContextImpl$11");
+             loader.loadClass( basePackage +
+                 "runtime.PageContextImpl$12");
+-            loader.loadClass( basePackage +
+-                "runtime.PageContextImpl$13");
+ 
+             loader.loadClass( basePackage +
+                 "runtime.JspContextWrapper");
diff --git a/debian/patches/series b/debian/patches/series
index 323c857..e2dc6c3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,4 @@
 0019-add-distribution-to-error-page.patch
 #0020-disable-java8-support-with-jdtcompiler.patch
 0100-test-compat.patch
+CVE-2014-7810.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git

More information about the pkg-java-commits mailing list