[tomcat7] 01/01: Fix CVE-2016-1240 and Debian bug #821391.

Markus Koschany apo at moszumanska.debian.org
Thu Sep 15 14:33:25 UTC 2016



apo pushed a commit to branch wheezy
in repository tomcat7.

commit 4e7bd11fd88ff594aaeeb81bb2e3f9128fd58fa4
Author: Markus Koschany <apo at debian.org>
Date:   Thu Sep 15 15:21:55 2016 +0200

    Fix CVE-2016-1240 and Debian bug #821391.
    
    tomcat7.init: Protect /var/log/tomcat7/catalina.out against symlink
    attacks and a possible root privilege escalation.
    
    Do not unconditionally override the permissions of files in /etc/tomcat7.
    Change file permissions to 640 for Debian files in /etc/tomcat7/*
---
 debian/changelog        | 12 ++++++++++++
 debian/tomcat7.init     |  6 ++++--
 debian/tomcat7.postinst | 21 +++++++++++++++++++--
 3 files changed, 35 insertions(+), 4 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 8368244..4f8b5df 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+tomcat7 (7.0.28-4+deb7u6) wheezy-security; urgency=high
+
+  * Team upload.
+  * Fix CVE-2016-1240:
+    tomcat7.init: Protect /var/log/tomcat7/catalina.out against symlink
+    attacks and a possible root privilege escalation.
+  * Do not unconditionally override files in /etc/tomcat7.
+    Change file permissions to 640 for Debian files in /etc/tomcat7/*
+    (Closes: #821391)
+
+ -- Markus Koschany <apo at debian.org>  Thu, 15 Sep 2016 15:20:36 +0200
+
 tomcat7 (7.0.28-4+deb7u5) wheezy-security; urgency=high
 
   * Team upload.
diff --git a/debian/tomcat7.init b/debian/tomcat7.init
index fb11566..2821a3d 100644
--- a/debian/tomcat7.init
+++ b/debian/tomcat7.init
@@ -171,8 +171,10 @@ catalina_sh() {
 
 	# Run the catalina.sh script as a daemon
 	set +e
-	touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
-	chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
+	if [ ! -f "$CATALINA_BASE"/logs/catalina.out ]; then
+		install -o $TOMCAT7_USER -g adm -m 644 /dev/null "$CATALINA_BASE"/logs/catalina.out
+	fi
+	install -o $TOMCAT7_USER -g adm -m 644 /dev/null "$CATALINA_PID"
 	start-stop-daemon --start -b -u "$TOMCAT7_USER" -g "$TOMCAT7_GROUP" \
 		-c "$TOMCAT7_USER" -d "$CATALINA_TMPDIR" -p "$CATALINA_PID" \
 		-x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH"
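Review bot: The reason `install` replaced `touch`/`chown` is not recorded in the script, and the `[ ! -f ... ]` guard is exactly the part a later maintainer is likely to "simplify" back into a plain `touch`; add above the `if`: `# CVE-2016-1240: never touch/chown an existing catalina.out as root (it may be a symlink planted by the tomcat7 user); GNU install(1) unlinks its destination before writing, so a dangling link is replaced, not followed.` Note that `-f` follows symlinks, so an existing link to a regular file is deliberately left alone — the safe outcome, but worth stating in that comment. Separately, `$TOMCAT7_USER` is unquoted in both `install -o` calls while the start-stop-daemon line below quotes it; `-o "$TOMCAT7_USER"` keeps the hunk consistent. The unconditional `install ... "$CATALINA_PID"` also truncates an existing pid file where the old `touch` did not; whether catalina_sh can be reached while an instance is running cannot be told from this hunk. catalina_sh() starts before the hunk.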
diff --git a/debian/tomcat7.postinst b/debian/tomcat7.postinst
index ef339db..bedfba9 100644
--- a/debian/tomcat7.postinst
+++ b/debian/tomcat7.postinst
@@ -48,8 +48,25 @@ case "$1" in
 	# configuration files should not be modifiable by tomcat7 user, as this can be a security issue
 	# (an attacker may insert code in a webapp and have access to all tomcat configuration)
 	# but those files should be readable by tomcat7, so we set the group to tomcat7
-	chown -Rh root:$TOMCAT7_GROUP /etc/tomcat7/*
-	chmod 640 /etc/tomcat7/tomcat-users.xml
+	for i in tomcat-users.xml web.xml server.xml logging.properties context.xml catalina.properties;
+	do
+		if [ -f "/etc/tomcat7/$i" ]; then
+			chown root:$TOMCAT7_GROUP /etc/tomcat7/$i
+			chmod 640 /etc/tomcat7/$i
+		fi
+	done
+	# configuration policy files should not be modifiable by the tomcat7 user. Only
+	# diverge from default permissions for known Debian files
+	chown root:$TOMCAT7_GROUP /etc/tomcat7/policy.d
+	for i in 01system.policy 02debian.policy 03catalina.policy 04webapps.policy 50local.policy;
+	do
+		if [ -f "/etc/tomcat7/policy.d/$i" ]; then
+			chown root:$TOMCAT7_GROUP /etc/tomcat7/policy.d/$i
+			chmod 640 /etc/tomcat7/policy.d/$i
+		fi
+	done
+	chown -Rh root:$TOMCAT7_GROUP /etc/tomcat7/Catalina
+
 	chown -Rh $TOMCAT7_USER:$TOMCAT7_GROUP /var/lib/tomcat7/webapps /var/lib/tomcat7/common /var/lib/tomcat7/server /var/lib/tomcat7/shared
 	chmod 775 /var/lib/tomcat7/webapps
 	chmod 775 /etc/tomcat7/Catalina /etc/tomcat7/Catalina/localhost
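Review bot: Both new loops test with `-f` and then run `chown`/`chmod` without `-h`, all of which follow symlinks, so an administrator-placed symlink for, say, `server.xml` would have its link target's ownership and mode changed instead of being skipped; guarding with `if [ -f "/etc/tomcat7/$i" ] && [ ! -L "/etc/tomcat7/$i" ]; then` (and likewise in the policy.d loop) limits the change to the regular files the comment says it targets. Quoting is also inconsistent: the paths are quoted in the tests but not in the `chown`/`chmod` lines, and `$TOMCAT7_GROUP` is unquoted throughout, while the `chown -Rh` over /etc/tomcat7/Catalina keeps `-h` and the per-file calls do not. Since the recursive `chown -Rh root:$TOMCAT7_GROUP /etc/tomcat7/*` is gone, the hunk would benefit from a comment naming the behaviour it fixes, e.g. `# Only adjust files shipped by the package; leave admin-created files in /etc/tomcat7 untouched (Debian bug #821391)`. The enclosing `case` arm starts before the hunk.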
