[tomcat8] 01/01: Fixed CVE-2016-8745: Information Disclosure
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Thu Jan 5 16:27:32 UTC 2017
This is an automated email from the git hooks/post-receive script.
ebourg-guest pushed a commit to branch jessie
in repository tomcat8.
commit d866c5f0d7863aa0b46ba544c18b0fdf6fa62d91
Author: Emmanuel Bourg <ebourg at apache.org>
Date: Thu Jan 5 17:14:46 2017 +0100
Fixed CVE-2016-8745: Information Disclosure
---
debian/changelog | 11 +++++++++++
debian/patches/CVE-2016-8745.patch | 30 ++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 42 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index a7b38c2..34fb2d6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+tomcat8 (8.0.14-1+deb8u6) jessie-security; urgency=high
+
+ * Fixed CVE-2016-8745: A bug in the error handling of the send file code for
+ the NIO HTTP connector resulted in the current Processor object being added
+ to the Processor cache multiple times. This in turn meant that the same
+ Processor could be used for concurrent requests. Sharing a Processor can
+ result in information leakage between requests including, not not limited
+ to, session ID and the response body.
+
+ -- Emmanuel Bourg <ebourg at apache.org> Thu, 05 Jan 2017 17:10:29 +0100
+
tomcat8 (8.0.14-1+deb8u5) jessie-security; urgency=high
* Fixed CVE-2016-9774: Potential privilege escalation when the tomcat8
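Review bot: The new 8.0.14-1+deb8u6 changelog stanza reads "including, not not limited to", which should be "including, but not limited to". The same wording appears in the Description header of debian/patches/CVE-2016-8745.patch, so both places should be corrected together.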
diff --git a/debian/patches/CVE-2016-8745.patch b/debian/patches/CVE-2016-8745.patch
new file mode 100644
index 0000000..a970cbb
--- /dev/null
+++ b/debian/patches/CVE-2016-8745.patch
@@ -0,0 +1,30 @@
+Description: Fixes: CVE-2016-8745: When unable to complete sendfile request,
+ ensure the Processor will be added to the cache only once.
+ This bug in the error handling of the send file code for the NIO HTTP connector
+ resulted in the current Processor object being added to the Processor cache
+ multiple times. This in turn meant that the same Processor could be used for
+ concurrent requests. Sharing a Processor can result in information leakage
+ between requests including, not not limited to, session ID and the response
+ body.
+Origin: backport, https://svn.apache.org/r1777469 13f79535-47bb-0310-9956-ffa450edef68
+Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=60409
+--- a/java/org/apache/tomcat/util/net/NioEndpoint.java
++++ b/java/org/apache/tomcat/util/net/NioEndpoint.java
+@@ -1251,11 +1251,15 @@
+ }
+ }catch ( IOException x ) {
+ if ( log.isDebugEnabled() ) log.debug("Unable to complete sendfile request:", x);
+- cancelledKey(sk,SocketStatus.ERROR);
++ if (!event) {
++ cancelledKey(sk,SocketStatus.ERROR);
++ }
+ return false;
+ }catch ( Throwable t ) {
+ log.error("",t);
+- cancelledKey(sk, SocketStatus.ERROR);
++ if (!event) {
++ cancelledKey(sk, SocketStatus.ERROR);
++ }
+ return false;
+ }finally {
+ if (sc!=null) sc.setSendFile(false);
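Review bot: In both catch blocks of the NioEndpoint.java change, when "event" is true the method now returns false without calling cancelledKey, and nothing in the hunk says who is responsible for closing the socket on that path. A short comment at each "if (!event)" guard, stating that the caller handles the failure when "event" is true, would keep a later edit from reintroducing the duplicate Processor cache entry that the Description explains. Separately, the Origin header carries a trailing "13f79535-47bb-0310-9956-ffa450edef68" after the svn URL, which looks like leftover repository metadata and could be dropped.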
diff --git a/debian/patches/series b/debian/patches/series
index 9b4eacd..45f2d8f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -32,3 +32,4 @@ CVE-2016-6797.patch
CVE-2016-6816.patch
BZ-57377.patch
CVE-2016-8735.patch
+CVE-2016-8745.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git