[tomcat7] 01/01: Import Debian changes 7.0.28-4+deb7u16
Markus Koschany
apo at moszumanska.debian.org
Wed Nov 8 00:24:18 UTC 2017
apo pushed a commit to branch wheezy
in repository tomcat7.
commit 0f87a8759c321cf6301ec508c09d60688a2662ae
Author: Roberto C. Sanchez <roberto at debian.org>
Date: Tue Nov 7 12:36:51 2017 -0500
Import Debian changes 7.0.28-4+deb7u16
tomcat7 (7.0.28-4+deb7u16) wheezy-security; urgency=high
* Non-maintainer upload by the LTS Security Team.
* Fix CVE-2017-12617.
When HTTP PUT was enabled (e.g., via setting the readonly initialization
parameter of the Default servlet to false) it was possible to upload a JSP
file to the server via a specially crafted request. This JSP could then be
requested and any code it contained would be executed by the server.
---
debian/changelog | 12 ++
debian/patches/CVE-2017-12617_1.patch | 165 +++++++++++++++++++++++++++
debian/patches/CVE-2017-12617_2.patch | 54 +++++++++
debian/patches/CVE-2017-12617_3.patch | 207 ++++++++++++++++++++++++++++++++++
debian/patches/CVE-2017-12617_4.patch | 45 ++++++++
debian/patches/CVE-2017-12617_5.patch | 41 +++++++
debian/patches/CVE-2017-12617_6.patch | 30 +++++
debian/patches/series | 6 +
8 files changed, 560 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 8e8522b..26f16eb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+tomcat7 (7.0.28-4+deb7u16) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the LTS Security Team.
+
+ * Fix CVE-2017-12617.
+ When HTTP PUT was enabled (e.g., via setting the readonly initialization
+ parameter of the Default servlet to false) it was possible to upload a JSP
+ file to the server via a specially crafted request. This JSP could then be
+ requested and any code it contained would be executed by the server.
+
+ -- Roberto C. Sanchez <roberto at debian.org> Tue, 07 Nov 2017 12:36:51 -0500
+
tomcat7 (7.0.28-4+deb7u15) wheezy-security; urgency=high
* Team upload.
diff --git a/debian/patches/CVE-2017-12617_1.patch b/debian/patches/CVE-2017-12617_1.patch
new file mode 100644
index 0000000..b34d879
--- /dev/null
+++ b/debian/patches/CVE-2017-12617_1.patch
@@ -0,0 +1,165 @@
+From 512a3c3aecdb52de092c6bacddd71b85c4feda06 Mon Sep 17 00:00:00 2001
+From: Mark Thomas <markt at apache.org>
+Date: Fri, 22 Sep 2017 09:46:02 +0000
+Subject: [PATCH] Partial fix for CVE-2017-12617 This moves a check from the
+ Default servlet where it applied to GET, POST, HEAD and OPTIONS to the
+ resources implementation where it applies to any method that expects the
+ resource to exist (e.g.DELETE) Still need to address the case where the
+ resource does not exist (e.g. PUT)
+
+git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk@1809288 13f79535-47bb-0310-9956-ffa450edef68
+
+bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
+origin: https://github.com/apache/tomcat70/commit/512a3c3aecdb52de092c6bacddd71b85c4feda06
+
+(cherry picked from commit 512a3c3aecdb52de092c6bacddd71b85c4feda06)
+[rcs: Backported to wheezy]
+---
+ .../apache/catalina/servlets/DefaultServlet.java | 17 --------
+ .../apache/naming/resources/FileDirContext.java | 11 +++++-
+ .../apache/naming/resources/VirtualDirContext.java | 18 ++++-----
+ .../naming/resources/TestFileDirContext.java | 46 ++++++++++++++++++++++
+ 4 files changed, 64 insertions(+), 28 deletions(-)
+ create mode 100644 test/org/apache/naming/resources/TestFileDirContext.java
+
+--- tomcat-7.0.x.orig/java/org/apache/naming/resources/FileDirContext.java
++++ tomcat-7.0.x/java/org/apache/naming/resources/FileDirContext.java
+@@ -817,11 +817,18 @@
+ */
+ protected File file(String name, boolean mustExist) {
+ File file = new File(base, name);
+- return validate(file, mustExist, absoluteBase);
++ return validate(file, name, mustExist, absoluteBase);
+ }
+
+
+- protected File validate(File file, boolean mustExist, String absoluteBase) {
++ protected File validate(File file, String name, boolean mustExist, String absoluteBase) {
++
++ // If the requested names ends in '/', the Java File API will return a
++ // matching file if one exists. This isn't what we want as it is not
++ // consistent with the Servlet spec rules for request mapping.
++ if (file.isFile() && name.endsWith("/")) {
++ return null;
++ }
+
+ if (!mustExist || file.exists() && file.canRead()) {
+
+--- tomcat-7.0.x.orig/java/org/apache/naming/resources/VirtualDirContext.java
++++ tomcat-7.0.x/java/org/apache/naming/resources/VirtualDirContext.java
+@@ -153,7 +153,7 @@
+ String resourcesDir = dirList.get(0);
+ if (name.equals(path)) {
+ File f = new File(resourcesDir);
+- f = validate(f, true, resourcesDir);
++ f = validate(f, name, true, resourcesDir);
+ if (f != null) {
+ return new FileResourceAttributes(f);
+ }
+@@ -161,8 +161,8 @@
+ path += "/";
+ if (name.startsWith(path)) {
+ String res = name.substring(path.length());
+- File f = new File(resourcesDir + "/" + res);
+- f = validate(f, true, resourcesDir);
++ File f = new File(resourcesDir, res);
++ f = validate(f, res, true, resourcesDir);
+ if (f != null) {
+ return new FileResourceAttributes(f);
+ }
+@@ -196,7 +196,7 @@
+ if (name.equals(path)) {
+ for (String resourcesDir : dirList) {
+ file = new File(resourcesDir);
+- file = validate(file, true, resourcesDir);
++ file = validate(file, name, true, resourcesDir);
+ if (file != null) {
+ return file;
+ }
+@@ -206,7 +206,7 @@
+ String res = name.substring(path.length());
+ for (String resourcesDir : dirList) {
+ file = new File(resourcesDir, res);
+- file = validate(file, true, resourcesDir);
++ file = validate(file, res, true, resourcesDir);
+ if (file != null) {
+ return file;
+ }
+@@ -242,7 +242,7 @@
+ if (res != null) {
+ for (String resourcesDir : dirList) {
+ File f = new File(resourcesDir, res);
+- f = validate(f, true, resourcesDir);
++ f = validate(f, res, true, resourcesDir);
+ if (f != null && f.isDirectory()) {
+ List<NamingEntry> virtEntries = super.list(f);
+ for (NamingEntry entry : virtEntries) {
+@@ -278,7 +278,7 @@
+ if (name.equals(path)) {
+ for (String resourcesDir : dirList) {
+ File f = new File(resourcesDir);
+- f = validate(f, true, resourcesDir);
++ f = validate(f, name, true, resourcesDir);
+ if (f != null) {
+ if (f.isFile()) {
+ return new FileResource(f);
+@@ -294,8 +294,8 @@
+ if (name.startsWith(path)) {
+ String res = name.substring(path.length());
+ for (String resourcesDir : dirList) {
+- File f = new File(resourcesDir + "/" + res);
+- f = validate(f, true, resourcesDir);
++ File f = new File(resourcesDir, res);
++ f = validate(f, res, true, resourcesDir);
+ if (f != null) {
+ if (f.isFile()) {
+ return new FileResource(f);
+--- /dev/null
++++ tomcat-7.0.x/test/org/apache/naming/resources/TestFileDirContext.java
+@@ -0,0 +1,46 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.naming.resources;
++
++import java.io.File;
++
++import javax.servlet.http.HttpServletResponse;
++
++import org.junit.Assert;
++import org.junit.Test;
++
++import org.apache.catalina.startup.Tomcat;
++import org.apache.catalina.startup.TomcatBaseTest;
++import org.apache.tomcat.util.buf.ByteChunk;
++
++public class TestFileDirContext extends TomcatBaseTest {
++
++ @Test
++ public void testLookupResourceWithTrailingSlash() throws Exception {
++ Tomcat tomcat = getTomcatInstance();
++
++ File appDir = new File("test/webapp-3.0");
++ // app dir is relative to server home
++ tomcat.addWebapp(null, "/test", appDir.getAbsolutePath());
++
++ tomcat.start();
++
++ int sc = getUrl("http://localhost:" + getPort() +
++ "/test/index.html/", new ByteChunk(), null);
++ Assert.assertEquals(HttpServletResponse.SC_NOT_FOUND, sc);
++ }
++}
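Review bot: The diffstat at the top of this patch still lists `.../apache/catalina/servlets/DefaultServlet.java | 17 --------` and "4 files changed, 64 insertions(+), 28 deletions(-)", but the quoted body only carries hunks for FileDirContext, VirtualDirContext and the new TestFileDirContext; the DefaultServlet hunk of upstream 512a3c3 is not in the backport. If dropping it was deliberate (the wheezy DefaultServlet may not carry the check upstream removed, which the patch subject says was only moved), the stat lines should be trimmed to the three files and the `[rcs: Backported to wheezy]` line should say so, otherwise the next person importing a 7.0.x fix will assume the servlet side was applied. Keeping an old DefaultServlet check in place would be redundant rather than harmful, since the trailing-slash test added to `validate()` is what the fix now relies on, but the provenance header should describe what was actually applied.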
diff --git a/debian/patches/CVE-2017-12617_2.patch b/debian/patches/CVE-2017-12617_2.patch
new file mode 100644
index 0000000..c4f467e
--- /dev/null
+++ b/debian/patches/CVE-2017-12617_2.patch
@@ -0,0 +1,54 @@
+From 327e8a6644e188764325a013aa2725a60f1b37e5 Mon Sep 17 00:00:00 2001
+From: Mark Thomas <markt at apache.org>
+Date: Fri, 22 Sep 2017 10:18:29 +0000
+Subject: [PATCH] Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
+ Remainder of fix for CVE-2017-12617 This ensures that a path specified for
+ creation of a file does not end in '/' since that is dropped by the File API.
+
+git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk@1809293 13f79535-47bb-0310-9956-ffa450edef68
+
+bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
+origin: https://github.com/apache/tomcat70/commit/327e8a6644e188764325a013aa2725a60f1b37e5
+
+(cherry picked from commit 327e8a6644e188764325a013aa2725a60f1b37e5)
+[rcs: Backported to wheezy]
+---
+ java/org/apache/naming/resources/FileDirContext.java | 9 +++++++--
+ webapps/docs/changelog.xml | 5 +++++
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+--- tomcat-7.0.x.orig/java/org/apache/naming/resources/FileDirContext.java
++++ tomcat-7.0.x/java/org/apache/naming/resources/FileDirContext.java
+@@ -498,11 +498,16 @@
+ * @exception NamingException if a naming exception is encountered
+ */
+ @Override
+- public void bind(String name, Object obj, Attributes attrs)
+- throws NamingException {
++ public void bind(String name, Object obj, Attributes attrs) throws NamingException {
+
+ // Note: No custom attributes allowed
+
++ // bind() is meant to create a file so ensure that the path doesn't end
++ // in '/'
++ if (name.endsWith("/")) {
++ throw new NamingException(sm.getString("resources.bindFailed", name));
++ }
++
+ File file = file(name, false);
+ if (file.exists())
+ throw new NameAlreadyBoundException
+--- tomcat-7.0.x.orig/webapps/docs/changelog.xml
++++ tomcat-7.0.x/webapps/docs/changelog.xml
+@@ -378,6 +378,11 @@
+ Protect initialization of <code>ResourceLinkFactory</code> when
+ running with a SecurityManager. (kkolinko)
+ </fix>
++ <fix>
++ <bug>61542</bug>: Fix CVE-2017-12617 and prevent JSPs from being
++ uploaded via a specially crafted request when HTTP PUT was enabled.
++ (markt)
++ </fix>
+ </changelog>
+ </subsection>
+ <subsection name="Jasper">
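Review bot: The trailing-slash guard is added to `bind()` only; `rebind()` in the same class is outside this hunk and is not shown receiving the same check. From this patch alone I cannot tell whether a trailing-slash name can still reach `rebind()` — the `validate()` change in the previous patch should make such a name fail the existence lookup so the caller routes it to `bind()` — but a symmetric `if (name.endsWith("/")) { throw new NamingException(sm.getString("resources.bindFailed", name)); }` at the top of `rebind()` would close the case without depending on the caller's ordering. Separately, collapsing the `bind(...) throws NamingException` signature onto one line is a cosmetic change that widens the security backport's footprint and makes it harder to audit; I would leave the original line break.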
diff --git a/debian/patches/CVE-2017-12617_3.patch b/debian/patches/CVE-2017-12617_3.patch
new file mode 100644
index 0000000..5fec2e8
--- /dev/null
+++ b/debian/patches/CVE-2017-12617_3.patch
@@ -0,0 +1,207 @@
+From bbcbb749c75056a2781f37038d63e646fe972104 Mon Sep 17 00:00:00 2001
+From: Mark Thomas <markt at apache.org>
+Date: Thu, 28 Sep 2017 11:54:25 +0000
+Subject: [PATCH] First pass at aligning 7.0.x checks with 8.0.x
+
+git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk@1809978 13f79535-47bb-0310-9956-ffa450edef68
+
+bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
+origin: https://github.com/apache/tomcat70/commit/bbcbb749c75056a2781f37038d63e646fe972104
+
+(cherry picked from commit bbcbb749c75056a2781f37038d63e646fe972104)
+[rcs: Backported to wheezy]
+---
+ .../apache/naming/resources/FileDirContext.java | 68 ++++++++++++++++------
+ java/org/apache/naming/resources/JrePlatform.java | 59 +++++++++++++++++++
+ 2 files changed, 110 insertions(+), 17 deletions(-)
+ create mode 100644 java/org/apache/naming/resources/JrePlatform.java
+
+--- tomcat-7.0.x.orig/java/org/apache/naming/resources/FileDirContext.java
++++ tomcat-7.0.x/java/org/apache/naming/resources/FileDirContext.java
+@@ -14,8 +14,6 @@
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-
+-
+ package org.apache.naming.resources;
+
+ import java.io.File;
+@@ -99,6 +97,8 @@
+ */
+ protected String absoluteBase = null;
+
++ private String canonicalBase = null;
++
+
+ /**
+ * Allow linking.
+@@ -108,7 +108,6 @@
+
+ // ------------------------------------------------------------- Properties
+
+-
+ /**
+ * Set the document root.
+ *
+@@ -139,12 +138,20 @@
+ if (!base.exists() || !base.isDirectory() || !base.canRead())
+ throw new IllegalArgumentException
+ (sm.getString("fileResources.base", docBase));
+- this.absoluteBase = base.getAbsolutePath();
++
++ this.absoluteBase = normalize(base.getAbsolutePath());
++
++ // absoluteBase also needs to be normalized. Using the canonical path is
++ // the simplest way of doing this.
++ try {
++ this.canonicalBase = base.getCanonicalPath();
++ } catch (IOException e) {
++ throw new IllegalArgumentException(e);
++ }
+ super.setDocBase(docBase);
+
+ }
+
+-
+ /**
+ * Set allow linking.
+ */
+@@ -837,8 +844,15 @@
+
+ if (!mustExist || file.exists() && file.canRead()) {
+
+- if (allowLinking)
++ if (allowLinking) {
+ return file;
++ }
++
++ // Additional Windows specific checks to handle known problems with
++ // File.getCanonicalPath()
++ if (JrePlatform.IS_WINDOWS && isInvalidWindowsFilename(name)) {
++ return null;
++ }
+
+ // Check that this file belongs to our root path
+ String canPath = null;
+@@ -847,7 +861,7 @@
+ } catch (IOException e) {
+ // Ignore
+ }
+- if (canPath == null)
++ if (canPath == null || !canPath.startsWith(canonicalBase))
+ return null;
+
+ // Check to see if going outside of the web application root
+@@ -868,9 +882,9 @@
+ return null;
+ if (absPath.equals(""))
+ absPath = "/";
+- canPath = canPath.substring(absoluteBase.length() + 1);
+- if (canPath.equals(""))
+- canPath = "/";
++ canPath = canPath.substring(canonicalBase.length() + 1);
++ if (canPath.length() > 0)
++ canPath = normalize(canPath);
+ if (!canPath.equals(absPath))
+ return null;
+ }
+@@ -883,6 +897,36 @@
+ }
+
+
++ private boolean isInvalidWindowsFilename(String name) {
++ final int len = name.length();
++ if (len == 0) {
++ return false;
++ }
++ // This consistently ~10 times faster than the equivalent regular
++ // expression irrespective of input length.
++ for (int i = 0; i < len; i++) {
++ char c = name.charAt(i);
++ if (c == '\"' || c == '<' || c == '>') {
++ // These characters are disallowed in Windows file names and
++ // there are known problems for file names with these characters
++ // when using File#getCanonicalPath().
++ // Note: There are additional characters that are disallowed in
++ // Windows file names but these are not known to cause
++ // problems when using File#getCanonicalPath().
++ return true;
++ }
++ }
++ // Windows does not allow file names to end in ' ' unless specific low
++ // level APIs are used to create the files that bypass various checks.
++ // File names that end in ' ' are known to cause problems when using
++ // File#getCanonicalPath().
++ if (name.charAt(len -1) == ' ') {
++ return true;
++ }
++ return false;
++ }
++
++
+ /**
+ * List the resources which are members of a collection.
+ *
+--- /dev/null
++++ tomcat-7.0.x/java/org/apache/naming/resources/JrePlatform.java
+@@ -0,0 +1,59 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.naming.resources;
++
++import java.security.AccessController;
++import java.security.PrivilegedAction;
++
++public class JrePlatform {
++
++ private static final String OS_NAME_PROPERTY = "os.name";
++ private static final String OS_NAME_WINDOWS_PREFIX = "Windows";
++
++ static {
++ /*
++ * There are a few places where a) the behaviour of the Java API depends
++ * on the underlying platform and b) those behavioural differences have
++ * an impact on Tomcat.
++ *
++ * Tomcat therefore needs to be able to determine the platform it is
++ * running on to account for those differences.
++ *
++ * In an ideal world this code would not exist.
++ */
++
++ // This check is derived from the check in Apache Commons Lang
++ String osName;
++ if (System.getSecurityManager() == null) {
++ osName = System.getProperty(OS_NAME_PROPERTY);
++ } else {
++ osName = AccessController.doPrivileged(
++ new PrivilegedAction<String>() {
++
++ @Override
++ public String run() {
++ return System.getProperty(OS_NAME_PROPERTY);
++ }
++ });
++ }
++
++ IS_WINDOWS = osName.startsWith(OS_NAME_WINDOWS_PREFIX);
++ }
++
++
++ public static final boolean IS_WINDOWS;
++}
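Review bot: `canPath = canPath.substring(canonicalBase.length() + 1)` now indexes by the canonical base, but the length guard enclosing this block sits just above the hunk and is not changed here; if it still compares `canPath.length()` against `absoluteBase.length()`, as the pre-patch code did, the two can disagree whenever the docBase is reached through a symlink (canonical path longer than the absolute one), and a lookup of the root itself could then run the substring past the end of `canPath` and throw `StringIndexOutOfBoundsException` instead of returning null. Aligning the guard with 8.0.x, `(canonicalBase.length() < canPath.length())`, removes that case. Note also that `!canPath.startsWith(canonicalBase)` is a bare prefix match — a sibling directory such as `app2` next to a base named `app` passes it — so it relies on the later `canPath.equals(absPath)` comparison to reject such paths; a comment saying so, or a `canonicalBase + File.separator` prefix with an explicit equality case for the root, would make the intent clear. The `validate()` method begins and ends outside this hunk. The new `JrePlatform` static initializer calls `osName.startsWith(...)` without a null check, so a JVM that does not expose `os.name` fails class initialization rather than defaulting to non-Windows; `osName != null && osName.startsWith(OS_NAME_WINDOWS_PREFIX)` is the safer default.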
diff --git a/debian/patches/CVE-2017-12617_4.patch b/debian/patches/CVE-2017-12617_4.patch
new file mode 100644
index 0000000..8c6da55
--- /dev/null
+++ b/debian/patches/CVE-2017-12617_4.patch
@@ -0,0 +1,45 @@
+From cf0b37beb0622abdf24acc7110daf883f3fe4f95 Mon Sep 17 00:00:00 2001
+From: Mark Thomas <markt at apache.org>
+Date: Thu, 28 Sep 2017 13:30:46 +0000
+Subject: [PATCH] Fix failing tests on Windows
+
+git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk@1809992 13f79535-47bb-0310-9956-ffa450edef68
+
+bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
+origin: https://github.com/apache/tomcat70/commit/cf0b37beb0622abdf24acc7110daf883f3fe4f95
+
+(cherry picked from commit cf0b37beb0622abdf24acc7110daf883f3fe4f95)
+[rcs: Backported to wheezy]
+---
+ java/org/apache/naming/resources/FileDirContext.java | 9 +++++----
+ java/org/apache/naming/resources/VirtualDirContext.java | 5 +++++
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- tomcat-7.0.x.orig/java/org/apache/naming/resources/FileDirContext.java
++++ tomcat-7.0.x/java/org/apache/naming/resources/FileDirContext.java
+@@ -829,11 +829,12 @@
+ */
+ protected File file(String name, boolean mustExist) {
+ File file = new File(base, name);
+- return validate(file, name, mustExist, absoluteBase);
++ return validate(file, name, mustExist, absoluteBase, canonicalBase);
+ }
+
+
+- protected File validate(File file, String name, boolean mustExist, String absoluteBase) {
++ protected File validate(File file, String name, boolean mustExist, String absoluteBase,
++ String canonicalBase) {
+
+ // If the requested names ends in '/', the Java File API will return a
+ // matching file if one exists. This isn't what we want as it is not
+--- tomcat-7.0.x.orig/java/org/apache/naming/resources/VirtualDirContext.java
++++ tomcat-7.0.x/java/org/apache/naming/resources/VirtualDirContext.java
+@@ -311,4 +311,8 @@
+ return retSuper;
+ }
+
++
++ protected File validate(File file, String name, boolean mustExist, String absoluteBase) {
++ return validate(file, name, mustExist, normalize(absoluteBase), absoluteBase);
++ }
+ }
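Review bot: The new `VirtualDirContext.validate(File, String, boolean, String)` passes the raw `absoluteBase` (a configured `resourcesDir`) as the `canonicalBase` argument, while `FileDirContext` derives its own `canonicalBase` from `File.getCanonicalPath()` in the previous patch. For an extra resource directory configured through a symlink, with a trailing separator or with `..` segments, `canPath.startsWith(canonicalBase)` would then fail and those resources become unreachable — a fail-closed regression rather than a hole, but worth checking; I cannot see from this hunk whether the entries are canonicalised when `VirtualDirContext` parses them. Computing `new File(absoluteBase).getCanonicalPath()` here and returning null on `IOException`, the way `validate()` already treats a failed `canPath`, would match the parent's semantics. The 4-argument overload also no longer overrides anything in `FileDirContext` after the signature change, so a one-line comment such as `// Convenience overload for the VirtualDirContext call sites; canonicalises nothing` would stop a reader from looking for a missing `@Override`.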
diff --git a/debian/patches/CVE-2017-12617_5.patch b/debian/patches/CVE-2017-12617_5.patch
new file mode 100644
index 0000000..25b70b5
--- /dev/null
+++ b/debian/patches/CVE-2017-12617_5.patch
@@ -0,0 +1,41 @@
+From fd52f8601170b91f9d7162510e54563e5bf6bdfe Mon Sep 17 00:00:00 2001
+From: Mark Thomas <markt at apache.org>
+Date: Thu, 28 Sep 2017 17:20:38 +0000
+Subject: [PATCH] Tab police
+
+git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk@1810014 13f79535-47bb-0310-9956-ffa450edef68
+
+bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
+origin: https://github.com/apache/tomcat70/commit/fd52f8601170b91f9d7162510e54563e5bf6bdfe
+
+(cherry picked from commit fd52f8601170b91f9d7162510e54563e5bf6bdfe)
+[rcs: Backported to wheezy]
+---
+ java/org/apache/naming/resources/FileDirContext.java | 2 +-
+ java/org/apache/naming/resources/VirtualDirContext.java | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- tomcat-7.0.x.orig/java/org/apache/naming/resources/FileDirContext.java
++++ tomcat-7.0.x/java/org/apache/naming/resources/FileDirContext.java
+@@ -834,7 +834,7 @@
+
+
+ protected File validate(File file, String name, boolean mustExist, String absoluteBase,
+- String canonicalBase) {
++ String canonicalBase) {
+
+ // If the requested names ends in '/', the Java File API will return a
+ // matching file if one exists. This isn't what we want as it is not
+--- tomcat-7.0.x.orig/java/org/apache/naming/resources/VirtualDirContext.java
++++ tomcat-7.0.x/java/org/apache/naming/resources/VirtualDirContext.java
+@@ -311,8 +311,8 @@
+ return retSuper;
+ }
+
+-
++
+ protected File validate(File file, String name, boolean mustExist, String absoluteBase) {
+- return validate(file, name, mustExist, normalize(absoluteBase), absoluteBase);
++ return validate(file, name, mustExist, normalize(absoluteBase), absoluteBase);
+ }
+ }
diff --git a/debian/patches/CVE-2017-12617_6.patch b/debian/patches/CVE-2017-12617_6.patch
new file mode 100644
index 0000000..982c40d
--- /dev/null
+++ b/debian/patches/CVE-2017-12617_6.patch
@@ -0,0 +1,30 @@
+From 24aea94807f940ee44aa550378dc903289039ddd Mon Sep 17 00:00:00 2001
+From: Mark Thomas <markt at apache.org>
+Date: Thu, 28 Sep 2017 18:40:58 +0000
+Subject: [PATCH] Further alignment with 8.0.x and later. Fixes Linux test
+ failures.
+
+git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk@1810026 13f79535-47bb-0310-9956-ffa450edef68
+
+bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
+origin: https://github.com/apache/tomcat70/commit/24aea94807f940ee44aa550378dc903289039ddd
+
+(cherry picked from commit 24aea94807f940ee44aa550378dc903289039ddd)
+[rcs: Backported to wheezy]
+---
+ java/org/apache/naming/resources/FileDirContext.java | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- tomcat-7.0.x.orig/java/org/apache/naming/resources/FileDirContext.java
++++ tomcat-7.0.x/java/org/apache/naming/resources/FileDirContext.java
+@@ -828,6 +828,10 @@
+ * @param mustExist Must the specified resource exist?
+ */
+ protected File file(String name, boolean mustExist) {
++ if (name.equals("/")) {
++ name = "";
++ }
++
+ File file = new File(base, name);
+ return validate(file, name, mustExist, absoluteBase, canonicalBase);
+ }
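Review bot: The `name.equals("/")` to `""` rewrite is added without a comment, and the method's Javadoc just above it does not mention the special case. A short why-comment would save the next reader a trip to the upstream bug, e.g. `// "/" is the context root: map it to base itself rather than building a File from base plus a separator`. The motivation is inferred from the patch subject ("Fixes Linux test failures") rather than visible in the hunk, so confirm the wording against upstream r1810026 before committing it. The method's Javadoc starts before the hunk.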
diff --git a/debian/patches/series b/debian/patches/series
index d959268..ef0c723 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -53,3 +53,9 @@ CVE-2017-5647.patch
CVE-2017-5648.patch
CVE-2017-5664.patch
CVE-2017-12616.patch
+CVE-2017-12617_1.patch
+CVE-2017-12617_2.patch
+CVE-2017-12617_3.patch
+CVE-2017-12617_4.patch
+CVE-2017-12617_5.patch
+CVE-2017-12617_6.patch