[pkg-java] r5232 - in trunk/tomcat5.5/debian: . policy

Sat Dec 29 19:12:33 UTC 2007

Author: mkoch
Date: 2007-12-29 19:12:33 +0000 (Sat, 29 Dec 2007)
New Revision: 5232

Modified:
   trunk/tomcat5.5/debian/changelog
   trunk/tomcat5.5/debian/policy/03catalina.policy
Log:
* CVE-2007-5342: Fix unauthorized modification of data because of
  too open permissions. Closes: #458237.


Modified: trunk/tomcat5.5/debian/changelog
===================================================================

--- trunk/tomcat5.5/debian/changelog	2007-12-29 17:48:31 UTC (rev 5231)
+++ trunk/tomcat5.5/debian/changelog	2007-12-29 19:12:33 UTC (rev 5232)
@@ -1,8 +1,10 @@
-tomcat5.5 (5.5.25-4) UNRELEASED; urgency=low
+tomcat5.5 (5.5.25-4) UNRELEASED; urgency=high
 
+  * CVE-2007-5342: Fix unauthorized modification of data because of
+    too open permissions. Closes: #458237.
   * Always clean temporary directory on startup. Closes: #456608.
 
- -- Michael Koch <konqueror at gmx.de>  Sat, 29 Dec 2007 18:52:06 +0100
+ -- Michael Koch <konqueror at gmx.de>  Sat, 29 Dec 2007 20:15:40 +0100
 
 tomcat5.5 (5.5.25-3) unstable; urgency=low
 

Modified: trunk/tomcat5.5/debian/policy/03catalina.policy
===================================================================
--- trunk/tomcat5.5/debian/policy/03catalina.policy	2007-12-29 17:48:31 UTC (rev 5231)
+++ trunk/tomcat5.5/debian/policy/03catalina.policy	2007-12-29 19:12:33 UTC (rev 5232)
@@ -27,7 +27,19 @@
 
 // These permissions apply to JULI
 grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
-        permission java.security.AllPermission;
+	permission java.util.PropertyPermission "java.util.logging.config.class", "read";
+	permission java.util.PropertyPermission "java.util.logging.config.file", "read";
+	permission java.lang.RuntimePermission "shutdownHooks";
+	permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
+	permission java.util.PropertyPermission "catalina.base", "read";
+	permission java.util.logging.LoggingPermission "control";
+	permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
+	permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
+	permission java.lang.RuntimePermission "getClassLoader";
+	// To enable per context logging configuration, permit read access to the appropriate file.
+	// Be sure that the logging configuration is secure before enabling such access
+	// eg for the examples web application:
+	// permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
 };
 
 // These permissions apply to the servlet API classes


