[tomcat7] 01/01: Fix CVE-2016-1240 and Debian bug #821391.
Markus Koschany
apo at moszumanska.debian.org
Thu Sep 15 14:33:25 UTC 2016
This is an automated email from the git hooks/post-receive script.
apo pushed a commit to branch wheezy
in repository tomcat7.
commit 4e7bd11fd88ff594aaeeb81bb2e3f9128fd58fa4
Author: Markus Koschany <apo at debian.org>
Date: Thu Sep 15 15:21:55 2016 +0200
Fix CVE-2016-1240 and Debian bug #821391.
tomcat7.init: Protect /var/log/tomcat7/catalina.out against symlink
attacks and a possible root privilege escalation.
Do not unconditionally override files in /etc/tomcat7.
Change file permissions to 640 for Debian files in /etc/tomcat7/*
---
debian/changelog | 12 ++++++++++++
debian/tomcat7.init | 6 ++++--
debian/tomcat7.postinst | 21 +++++++++++++++++++--
3 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 8368244..4f8b5df 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+tomcat7 (7.0.28-4+deb7u6) wheezy-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2016-1240:
+ tomcat7.init: Protect /var/log/tomcat7/catalina.out against symlink
+ attacks and a possible root privilege escalation.
+ * Do not unconditionally override files in /etc/tomcat7.
+ Change file permissions to 640 for Debian files in /etc/tomcat7/*
+ (Closes: #821391)
+
+ -- Markus Koschany <apo at debian.org> Thu, 15 Sep 2016 15:20:36 +0200
+
tomcat7 (7.0.28-4+deb7u5) wheezy-security; urgency=high
* Team upload.
diff --git a/debian/tomcat7.init b/debian/tomcat7.init
index fb11566..2821a3d 100644
--- a/debian/tomcat7.init
+++ b/debian/tomcat7.init
@@ -171,8 +171,10 @@ catalina_sh() {
# Run the catalina.sh script as a daemon
set +e
- touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
- chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
+ if [ ! -f "$CATALINA_BASE"/logs/catalina.out ]; then
+ install -o $TOMCAT7_USER -g adm -m 644 /dev/null "$CATALINA_BASE"/logs/catalina.out
+ fi
+ install -o $TOMCAT7_USER -g adm -m 644 /dev/null "$CATALINA_PID"
start-stop-daemon --start -b -u "$TOMCAT7_USER" -g "$TOMCAT7_GROUP" \
-c "$TOMCAT7_USER" -d "$CATALINA_TMPDIR" -p "$CATALINA_PID" \
-x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH"
diff --git a/debian/tomcat7.postinst b/debian/tomcat7.postinst
index ef339db..bedfba9 100644
--- a/debian/tomcat7.postinst
+++ b/debian/tomcat7.postinst
@@ -48,8 +48,25 @@ case "$1" in
# configuration files should not be modifiable by tomcat7 user, as this can be a security issue
# (an attacker may insert code in a webapp and have access to all tomcat configuration)
# but those files should be readable by tomcat7, so we set the group to tomcat7
- chown -Rh root:$TOMCAT7_GROUP /etc/tomcat7/*
- chmod 640 /etc/tomcat7/tomcat-users.xml
+ for i in tomcat-users.xml web.xml server.xml logging.properties context.xml catalina.properties;
+ do
+ if [ -f "/etc/tomcat7/$i" ]; then
+ chown root:$TOMCAT7_GROUP /etc/tomcat7/$i
+ chmod 640 /etc/tomcat7/$i
+ fi
+ done
+ # configuration policy files should not be modifiable by the tomcat7 user. Only
+ # diverge from default permissions for known Debian files
+ chown root:$TOMCAT7_GROUP /etc/tomcat7/policy.d
+ for i in 01system.policy 02debian.policy 03catalina.policy 04webapps.policy 50local.policy;
+ do
+ if [ -f "/etc/tomcat7/policy.d/$i" ]; then
+ chown root:$TOMCAT7_GROUP /etc/tomcat7/policy.d/$i
+ chmod 640 /etc/tomcat7/policy.d/$i
+ fi
+ done
+ chown -Rh root:$TOMCAT7_GROUP /etc/tomcat7/Catalina
+
chown -Rh $TOMCAT7_USER:$TOMCAT7_GROUP /var/lib/tomcat7/webapps /var/lib/tomcat7/common /var/lib/tomcat7/server /var/lib/tomcat7/shared
chmod 775 /var/lib/tomcat7/webapps
chmod 775 /etc/tomcat7/Catalina /etc/tomcat7/Catalina/localhost
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git
More information about the pkg-java-commits
mailing list