[tomcat7] 01/02: Fixed CVE-2016-9774: Privilege escalation when the package is upgraded

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Mon Dec 5 09:23:16 UTC 2016


This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch jessie
in repository tomcat7.

commit d949d2d983a0fdbf5c49d78473a874a34e1cef7d
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Mon Dec 5 10:14:38 2016 +0100

    Fixed CVE-2016-9774: Privilege escalation when the package is upgraded
---
 debian/changelog        | 2 ++
 debian/rules            | 6 ++++++
 debian/tomcat7.postinst | 2 +-
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 9fcd08e..3f55ca0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,7 @@
 tomcat7 (7.0.56-3+deb8u6) UNRELEASED; urgency=medium
 
+  * Fixed CVE-2016-9774: Potential privilege escalation when the tomcat7
+    package is upgraded. Thanks to Paul Szabo for the report (see #845393)
   * Backported a fix for a test failure in Test*NonLoginAndBasicAuthenticator
     with recent JREs
   * Refreshed the expired SSL certificates used by the tests
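Review bot: The two added changelog lines under 7.0.56-3+deb8u6 name the CVE and the reporter but not what was changed. Suggest adding a clause saying that the mode of /etc/tomcat7/Catalina/localhost is now set at build time in debian/rules instead of in the postinst script, so an administrator reading the changelog can tell what differs after the upgrade. The sentence ending in "(see #845393)" is also missing its final period.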
diff --git a/debian/rules b/debian/rules
index c22c855..8ca85b4 100755
--- a/debian/rules
+++ b/debian/rules
@@ -197,6 +197,12 @@ binary-indep: build install
 	jh_manifest
 	dh_compress
 	dh_fixperms
+
+	# Make the /etc/tomcat7/Catalina/localhost directory writable by the tomcat user
+	for PACKAGE in tomcat7 tomcat7-admin tomcat7-docs tomcat7-examples; do \
+	  chmod 775 --verbose debian/$$PACKAGE/etc/tomcat7/Catalina/localhost; \
+	done
+
 	dh_installdeb
 	dh_gencontrol
 	dh_md5sums
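Review bot: The added for loop in binary-indep does not stop on error. The recipe's exit status is that of the last chmod only, so a failure for tomcat7, tomcat7-admin or tomcat7-docs is masked whenever the chmod for tomcat7-examples succeeds, and the package would be built with whatever mode dh_fixperms left on the directory. Suggest starting the loop with "set -e;" or appending "|| exit 1" to the chmod line. The comment also says the directory is made writable by the tomcat user, but mode 775 only grants write access to the owner and group; the ownership that makes the comment true is not set in these lines, so a pointer to where it is set would help.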
diff --git a/debian/tomcat7.postinst b/debian/tomcat7.postinst
index bedfba9..a8919dd 100644
--- a/debian/tomcat7.postinst
+++ b/debian/tomcat7.postinst
@@ -69,7 +69,7 @@ case "$1" in
 
 	chown -Rh $TOMCAT7_USER:$TOMCAT7_GROUP /var/lib/tomcat7/webapps /var/lib/tomcat7/common /var/lib/tomcat7/server /var/lib/tomcat7/shared
 	chmod 775 /var/lib/tomcat7/webapps
-	chmod 775 /etc/tomcat7/Catalina /etc/tomcat7/Catalina/localhost
+	chmod 775 /etc/tomcat7/Catalina
 
 	# Authorize user tomcat7 to open privileged ports via authbind.
 	TOMCAT_UID="`id -u $TOMCAT7_USER`"
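Review bot: The replacement line "chmod 775 /etc/tomcat7/Catalina" drops /etc/tomcat7/Catalina/localhost with no comment, so nothing in the postinst records that the omission is deliberate. Suggest a short comment above it stating that the mode of Catalina/localhost is set at build time in debian/rules for CVE-2016-9774 and must not be changed here as root, so the path is not re-added in a later cleanup. The commit message does not say why the chmod kept on /etc/tomcat7/Catalina is safe to run as root at upgrade time; a sentence on that would make the fix easier to audit.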

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git


