[pkg-java] r11148 - in trunk/jetty/debian: . patches
Niels Thykier
nthykier-guest at alioth.debian.org
Fri Nov 27 23:11:38 UTC 2009
Author: nthykier-guest
Date: 2009-11-27 23:11:38 +0000 (Fri, 27 Nov 2009)
New Revision: 11148
Added:
trunk/jetty/debian/patches/
trunk/jetty/debian/patches/01_CVE_2009_3579.patch
trunk/jetty/debian/patches/02_log_exploit.patch
trunk/jetty/debian/patches/03_jsnoop-vul.patch
trunk/jetty/debian/patches/series
Modified:
trunk/jetty/debian/changelog
trunk/jetty/debian/control
trunk/jetty/debian/jetty-shared-webapps.xml
trunk/jetty/debian/rules
Log:
jetty (6.1.21-2) UNRELEASED; urgency=low
* Imported two patches from Fedora and created one ourselves:
- Fixed problems where jetty could be tricked into writing binary
data to log-files.
- Fixed some javascript injections in the examples.
(Fixes: CVE-2009-3579)
* Corrected path to jetty web-apps. (Closes: #554877)
-- Niels Thykier <niels at thykier.net> Fri, 27 Nov 2009 20:54:58 +0100
Modified: trunk/jetty/debian/changelog
===================================================================
--- trunk/jetty/debian/changelog 2009-11-27 09:58:51 UTC (rev 11147)
+++ trunk/jetty/debian/changelog 2009-11-27 23:11:38 UTC (rev 11148)
@@ -1,3 +1,14 @@
+jetty (6.1.21-2) UNRELEASED; urgency=low
+
+ * Imported two patches from Fedora and created one ourselves:
+ - Fixed problems where jetty could be tricked into writing binary
+ data to log-files.
+ - Fixed some javascript injections in the examples.
+ (Fixes: CVE-2009-3579)
+ * Corrected path to jetty web-apps. (Closes: #554877)
+
+ -- Niels Thykier <niels at thykier.net> Fri, 27 Nov 2009 20:54:58 +0100
+
jetty (6.1.21-1) unstable; urgency=medium
* New upstream release.
Modified: trunk/jetty/debian/control
===================================================================
--- trunk/jetty/debian/control 2009-11-27 09:58:51 UTC (rev 11147)
+++ trunk/jetty/debian/control 2009-11-27 23:11:38 UTC (rev 11148)
@@ -7,7 +7,7 @@
Niels Thykier <niels at thykier.net>
Build-Depends: debhelper (>= 6), cdbs (>> 0.4.5.3), openjdk-6-jdk, ant, maven-repo-helper,
libservlet2.5-java, libslf4j-java, libmx4j-java, libgnumail-java,
- libgnujaf-java, libcommons-daemon-java
+ libgnujaf-java, libcommons-daemon-java, quilt
Standards-Version: 3.8.3
Vcs-Svn: svn://svn.debian.org/svn/pkg-java/trunk/jetty
Vcs-Browser: http://svn.debian.org/wsvn/pkg-java/trunk/jetty
Modified: trunk/jetty/debian/jetty-shared-webapps.xml
===================================================================
--- trunk/jetty/debian/jetty-shared-webapps.xml 2009-11-27 09:58:51 UTC (rev 11147)
+++ trunk/jetty/debian/jetty-shared-webapps.xml 2009-11-27 23:11:38 UTC (rev 11148)
@@ -21,7 +21,7 @@
<!-- non standard contexts (see ContextDeployer above). -->
<!-- -->
<!-- This deployer is configured to deploy webapps from the -->
- <!-- /usr/share/java/webapps directory -->
+ <!-- /usr/share/jetty/webapps directory -->
<!-- -->
<!-- Normally only one type of deployer need be used. -->
<!-- -->
@@ -30,7 +30,7 @@
<Arg>
<New class="org.mortbay.jetty.deployer.WebAppDeployer">
<Set name="contexts"><Ref id="Contexts"/></Set>
- <Set name="webAppDir">/usr/share/java/webapps</Set>
+ <Set name="webAppDir">/usr/share/jetty/webapps</Set>
<Set name="parentLoaderPriority">false</Set>
<Set name="extract">true</Set>
<Set name="allowDuplicates">false</Set>
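Review bot: The corrected `webAppDir` on the new side now matches the comment fixed in the previous hunk, but nothing in this commit shows the package shipping or owning `/usr/share/jetty/webapps`; with `extract` left at `true` in the context lines, a `WebAppDeployer` will unpack and deploy any `.war` that appears there, so the directory should be created by the package, owned by root and not writable by the account jetty runs as (inferred from the deployer settings, not visible here). A one-line comment next to the setting would make the expectation explicit: `<!-- must be root-owned: everything here is auto-deployed -->`.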
Added: trunk/jetty/debian/patches/01_CVE_2009_3579.patch
===================================================================
--- trunk/jetty/debian/patches/01_CVE_2009_3579.patch (rev 0)
+++ trunk/jetty/debian/patches/01_CVE_2009_3579.patch 2009-11-27 23:11:38 UTC (rev 11148)
@@ -0,0 +1,41 @@
+Description: Fixes CVE-2009-3579.
+Origin: Fedora.
+
+diff -up ./examples/test-webapp/src/main/java/com/acme/CookieDump.java.fix ./examples/test-webapp/src/main/java/com/acme/CookieDump.java
+--- a/examples/test-webapp/src/main/java/com/acme/CookieDump.java 2009-11-03 12:32:01.000000000 -0500
++++ b/examples/test-webapp/src/main/java/com/acme/CookieDump.java 2009-11-03 12:33:52.000000000 -0500
+@@ -26,6 +26,8 @@ import javax.servlet.http.HttpServletReq
+ import javax.servlet.http.HttpServletResponse;
+ import javax.servlet.http.HttpSession;
+
++import org.mortbay.util.StringUtil;
++
+
+ /* ------------------------------------------------------------ */
+ /** Test Servlet Cookies.
+@@ -89,7 +91,7 @@ public class CookieDump extends HttpServ
+
+ for (int i=0;cookies!=null && i<cookies.length;i++)
+ {
+- out.println("<b>"+cookies[i].getName()+"</b>="+cookies[i].getValue()+"<br/>");
++ out.println("<b>"+deScript(cookies[i].getName())+"</b>="+deScript(cookies[i].getValue())+"<br/>");
+ }
+
+ out.println("<form action=\""+response.encodeURL(getURI(request))+"\" method=\"post\">");
+@@ -114,5 +116,15 @@ public class CookieDump extends HttpServ
+ uri=request.getRequestURI();
+ return uri;
+ }
+-
++
++ /* ------------------------------------------------------------ */
++ protected String deScript(String string)
++ {
++ if (string==null)
++ return null;
++ string=StringUtil.replace(string, "&", "&");
++ string=StringUtil.replace(string, "<", "<");
++ string=StringUtil.replace(string, ">", ">");
++ return string;
++ }
+ }
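Review bot: As rendered here, the three `StringUtil.replace` calls in `deScript` replace `&`, `<` and `>` with themselves, which makes the escaper a no-op and leaves the cookie-reflection XSS in place; this is almost certainly the mail archive decoding HTML entities, but the committed patch must read `string=StringUtil.replace(string, "&", "&amp;");`, `"<", "&lt;"` and `">", "&gt;"`, and is worth checking before upload. The escaping is only sufficient for the element-text context it is used in (`<b>name</b>=value`); if either value were ever placed inside an attribute, `"` would need escaping as well. A short comment on the method would help the next maintainer: `// HTML-escapes &, < and > for element text; not safe for attribute values`.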
Added: trunk/jetty/debian/patches/02_log_exploit.patch
===================================================================
--- trunk/jetty/debian/patches/02_log_exploit.patch (rev 0)
+++ trunk/jetty/debian/patches/02_log_exploit.patch 2009-11-27 23:11:38 UTC (rev 11148)
@@ -0,0 +1,324 @@
+Description: Prevents jetty from writing binary characters to log-files.
+Origin: Fedora
+
+diff -up ./modules/jetty/src/main/java/org/mortbay/jetty/handler/ErrorHandler.java.fix2 ./modules/jetty/src/main/java/org/mortbay/jetty/handler/ErrorHandler.java
+--- a/modules/jetty/src/main/java/org/mortbay/jetty/handler/ErrorHandler.java 2009-11-03 12:45:36.000000000 -0500
++++ b/modules/jetty/src/main/java/org/mortbay/jetty/handler/ErrorHandler.java 2009-11-03 12:47:35.000000000 -0500
+@@ -91,8 +91,7 @@ public class ErrorHandler extends Abstra
+ writer.write("<title>Error ");
+ writer.write(Integer.toString(code));
+ writer.write(' ');
+- if (message!=null)
+- writer.write(deScript(message));
++ write(writer,message);
+ writer.write("</title>\n");
+ }
+
+@@ -117,9 +116,9 @@ public class ErrorHandler extends Abstra
+ writer.write("<h2>HTTP ERROR ");
+ writer.write(Integer.toString(code));
+ writer.write("</h2>\n<p>Problem accessing ");
+- writer.write(deScript(uri));
++ write(writer,uri);
+ writer.write(". Reason:\n<pre> ");
+- writer.write(deScript(message));
++ write(writer,message);
+ writer.write("</pre></p>");
+ }
+
+@@ -135,7 +134,7 @@ public class ErrorHandler extends Abstra
+ PrintWriter pw = new PrintWriter(sw);
+ th.printStackTrace(pw);
+ pw.flush();
+- writer.write(deScript(sw.getBuffer().toString()));
++ write(writer,sw.getBuffer().toString());
+ writer.write("</pre>\n");
+
+ th =th.getCause();
+@@ -162,13 +161,34 @@ public class ErrorHandler extends Abstra
+ }
+
+ /* ------------------------------------------------------------ */
+- protected String deScript(String string)
++ protected void write(Writer writer,String string)
++ throws IOException
+ {
+ if (string==null)
+- return null;
+- string=StringUtil.replace(string, "&", "&");
+- string=StringUtil.replace(string, "<", "<");
+- string=StringUtil.replace(string, ">", ">");
+- return string;
++ return;
++
++ for (int i=0;i<string.length();i++)
++ {
++ char c=string.charAt(i);
++
++ switch(c)
++ {
++ case '&' :
++ writer.write("&");
++ break;
++ case '<' :
++ writer.write("<");
++ break;
++ case '>' :
++ writer.write(">");
++ break;
++
++ default:
++ if (Character.isISOControl(c) && !Character.isWhitespace(c))
++ writer.write('?');
++ else
++ writer.write(c);
++ }
++ }
+ }
+ }
+diff -up ./modules/jetty/src/main/java/org/mortbay/jetty/HttpParser.java.fix2 ./modules/jetty/src/main/java/org/mortbay/jetty/HttpParser.java
+--- a/modules/jetty/src/main/java/org/mortbay/jetty/HttpParser.java 2009-11-03 12:46:07.000000000 -0500
++++ b/modules/jetty/src/main/java/org/mortbay/jetty/HttpParser.java 2009-11-03 12:47:35.000000000 -0500
+@@ -465,7 +465,15 @@ public class HttpParser implements Parse
+ case HttpHeaders.CONTENT_LENGTH_ORDINAL:
+ if (_contentLength != HttpTokens.CHUNKED_CONTENT)
+ {
+- _contentLength=BufferUtil.toLong(value);
++ try
++ {
++ _contentLength=BufferUtil.toLong(value);
++ }
++ catch(NumberFormatException e)
++ {
++ Log.ignore(e);
++ throw new HttpException(HttpServletResponse.SC_BAD_REQUEST);
++ }
+ if (_contentLength <= 0)
+ _contentLength=HttpTokens.NO_CONTENT;
+ }
+diff -up ./modules/util/src/main/java/org/mortbay/log/StdErrLog.java.fix2 ./modules/util/src/main/java/org/mortbay/log/StdErrLog.java
+--- a/modules/util/src/main/java/org/mortbay/log/StdErrLog.java 2009-11-03 12:47:02.000000000 -0500
++++ b/modules/util/src/main/java/org/mortbay/log/StdErrLog.java 2009-11-03 12:48:00.000000000 -0500
+@@ -26,8 +26,10 @@ import org.mortbay.util.DateCache;
+ public class StdErrLog implements Logger
+ {
+ private static DateCache _dateCache;
+- private static boolean debug = System.getProperty("DEBUG",null)!=null;
+- private String name;
++ private static boolean __debug = System.getProperty("DEBUG",null)!=null;
++ private String _name;
++
++ StringBuffer _buffer = new StringBuffer();
+
+ static
+ {
+@@ -49,44 +51,59 @@ public class StdErrLog implements Logger
+
+ public StdErrLog(String name)
+ {
+- this.name=name==null?"":name;
++ this._name=name==null?"":name;
+ }
+
+ public boolean isDebugEnabled()
+ {
+- return debug;
++ return __debug;
+ }
+
+ public void setDebugEnabled(boolean enabled)
+ {
+- debug=enabled;
++ __debug=enabled;
+ }
+
+ public void info(String msg,Object arg0, Object arg1)
+ {
+ String d=_dateCache.now();
+ int ms=_dateCache.lastMs();
+- System.err.println(d+(ms>99?".":(ms>9?".0":".00"))+ms+":"+name+":INFO: "+format(msg,arg0,arg1));
++ synchronized(_buffer)
++ {
++ tag(d,ms,":INFO:");
++ format(msg,arg0,arg1);
++ System.err.println(_buffer.toString());
++ }
+ }
+
+ public void debug(String msg,Throwable th)
+ {
+- if (debug)
++ if (__debug)
+ {
+ String d=_dateCache.now();
+ int ms=_dateCache.lastMs();
+- System.err.println(d+(ms>99?".":(ms>9?".0":".00"))+ms+":"+name+":DEBUG: "+msg);
+- if (th!=null) th.printStackTrace();
++ synchronized(_buffer)
++ {
++ tag(d,ms,":DBUG:");
++ format(msg);
++ format(th);
++ System.err.println(_buffer.toString());
++ }
+ }
+ }
+
+ public void debug(String msg,Object arg0, Object arg1)
+ {
+- if (debug)
++ if (__debug)
+ {
+ String d=_dateCache.now();
+ int ms=_dateCache.lastMs();
+- System.err.println(d+(ms>99?".":(ms>9?".0":".00"))+ms+":"+name+":DEBUG: "+format(msg,arg0,arg1));
++ synchronized(_buffer)
++ {
++ tag(d,ms,":DBUG:");
++ format(msg,arg0,arg1);
++ System.err.println(_buffer.toString());
++ }
+ }
+ }
+
+@@ -94,42 +111,126 @@ public class StdErrLog implements Logger
+ {
+ String d=_dateCache.now();
+ int ms=_dateCache.lastMs();
+- System.err.println(d+(ms>99?".":(ms>9?".0":".00"))+ms+":"+name+":WARN: "+format(msg,arg0,arg1));
++ synchronized(_buffer)
++ {
++ tag(d,ms,":WARN:");
++ format(msg,arg0,arg1);
++ System.err.println(_buffer.toString());
++ }
+ }
+
+ public void warn(String msg, Throwable th)
+ {
+ String d=_dateCache.now();
+ int ms=_dateCache.lastMs();
+- System.err.println(d+(ms>99?".":(ms>9?".0":".00"))+ms+":"+name+":WARN: "+msg);
+- if (th!=null)
+- th.printStackTrace();
++ synchronized(_buffer)
++ {
++ tag(d,ms,":WARN:");
++ format(msg);
++ format(th);
++ System.err.println(_buffer.toString());
++ }
+ }
+-
+- private String format(String msg, Object arg0, Object arg1)
++
++ private void tag(String d,int ms,String tag)
++ {
++ _buffer.setLength(0);
++ _buffer.append(d);
++ if (ms>99)
++ _buffer.append('.');
++ else if (ms>9)
++ _buffer.append(".0");
++ else
++ _buffer.append(".00");
++ _buffer.append(ms).append(tag).append(_name).append(':');
++ }
++
++ private void format(String msg, Object arg0, Object arg1)
+ {
+ int i0=msg.indexOf("{}");
+ int i1=i0<0?-1:msg.indexOf("{}",i0+2);
+
+- if (arg1!=null && i1>=0)
+- msg=msg.substring(0,i1)+arg1+msg.substring(i1+2);
+- if (arg0!=null && i0>=0)
+- msg=msg.substring(0,i0)+arg0+msg.substring(i0+2);
+- return msg;
++ if (i0>=0)
++ {
++ format(msg.substring(0,i0));
++ format(String.valueOf(arg0));
++
++ if (i1>=0)
++ {
++ format(msg.substring(i0+2,i1));
++ format(String.valueOf(arg1));
++ format(msg.substring(i1+2));
++ }
++ else
++ {
++ format(msg.substring(i0+2));
++ if (arg1!=null)
++ {
++ _buffer.append(' ');
++ format(String.valueOf(arg1));
++ }
++ }
++ }
++ else
++ {
++ format(msg);
++ if (arg0!=null)
++ {
++ _buffer.append(' ');
++ format(String.valueOf(arg0));
++ }
++ if (arg1!=null)
++ {
++ _buffer.append(' ');
++ format(String.valueOf(arg1));
++ }
++ }
++ }
++
++ private void format(String msg)
++ {
++ for (int i=0;i<msg.length();i++)
++ {
++ char c=msg.charAt(i);
++ if (Character.isISOControl(c))
++ {
++ if (c=='\n')
++ _buffer.append('|');
++ else if (c=='\r')
++ _buffer.append('<');
++ else
++ _buffer.append('?');
++ }
++ else
++ _buffer.append(c);
++ }
++ }
++
++ private void format(Throwable th)
++ {
++ _buffer.append('\n');
++ format(th.toString());
++ StackTraceElement[] elements = th.getStackTrace();
++ for (int i=0;elements!=null && i<elements.length;i++)
++ {
++ _buffer.append("\n\tat ");
++ format(elements[i].toString());
++ }
+ }
+
+ public Logger getLogger(String name)
+ {
+- if ((name==null && this.name==null) ||
+- (name!=null && name.equals(this.name)))
++ if ((name==null && this._name==null) ||
++ (name!=null && name.equals(this._name)))
+ return this;
+ return new StdErrLog(name);
+ }
+
+ public String toString()
+ {
+- return "STDERR"+name;
++ return "STDERR"+_name;
+ }
++
+
+ }
+
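Review bot: The new `format(Throwable th)` in `StdErrLog` dereferences `th` unconditionally (`th.toString()`, `th.getStackTrace()`), while both callers `debug(String,Throwable)` and `warn(String,Throwable)` now call `format(th)` where the removed lines guarded with `if (th!=null)`; `warn(msg, null)` therefore throws a NullPointerException from inside the logger instead of logging. Add a guard at the top of the method: `if (th==null) { _buffer.append(" null"); return; }`. Likewise `format(String msg)` calls `msg.length()` on a null message where the old string concatenation printed `null`, so `warn((String)null, th)` regresses the same way and wants `if (msg==null) msg="null";` first. Separately, the `&`, `<` and `>` cases in the new `ErrorHandler.write` appear here as identity writes; that is presumably entity decoding by the archive, but the committed patch should be checked to contain `&amp;`, `&lt;` and `&gt;`, otherwise the error page stays injectable.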
Added: trunk/jetty/debian/patches/03_jsnoop-vul.patch
===================================================================
--- trunk/jetty/debian/patches/03_jsnoop-vul.patch (rev 0)
+++ trunk/jetty/debian/patches/03_jsnoop-vul.patch 2009-11-27 23:11:38 UTC (rev 11148)
@@ -0,0 +1,18 @@
+Description: Prevents javascript injection.
+
+--- a/examples/test-webapp/src/main/webapp/snoop.jsp 2009-11-27 23:59:43.417283321 +0100
++++ a/examples/test-webapp/src/main/webapp/snoop.jsp 2009-11-28 00:00:19.801283807 +0100
+@@ -32,11 +32,11 @@
+ </TR>
+ <TR>
+ <TH align=right>Path info:</TH>
+- <TD><%= request.getPathInfo() %></TD>
++ <TD><%= request.getPathInfo().replaceAll("<", "<").replaceAll(">",">") %></TD>
+ </TR>
+ <TR>
+ <TH align=right>Path translated:</TH>
+- <TD><%= request.getPathTranslated() %></TD>
++ <TD><%= request.getPathTranslated().replaceAll("<", "<").replaceAll(">",">") %></TD>
+ </TR>
+ <TR>
+ <TH align=right>Query string:</TH>
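Review bot: `request.getPathInfo()` and `request.getPathTranslated()` return null when the request has no extra path information, so the chained `.replaceAll(...)` on the new side throws a NullPointerException where the old expression printed `null`; the snoop page would now fail with a 500 for most requests. Wrap the value first, e.g. `<%= String.valueOf(request.getPathInfo()).replaceAll("<", "&lt;").replaceAll(">", "&gt;") %>`, and the same for `getPathTranslated()`. As rendered here the replacements look like identity calls (`"<"` to `"<"`), most likely archive entity decoding, but the committed file must use `&lt;`/`&gt;` or the escaping does nothing. The surrounding rows of the table, including the query string value, lie outside this hunk and are not reviewed here; the `+++ a/` header should also read `+++ b/` for consistency with the other patches.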
Added: trunk/jetty/debian/patches/series
===================================================================
--- trunk/jetty/debian/patches/series (rev 0)
+++ trunk/jetty/debian/patches/series 2009-11-27 23:11:38 UTC (rev 11148)
@@ -0,0 +1,3 @@
+01_CVE_2009_3579.patch
+02_log_exploit.patch
+03_jsnoop-vul.patch
Modified: trunk/jetty/debian/rules
===================================================================
--- trunk/jetty/debian/rules 2009-11-27 09:58:51 UTC (rev 11147)
+++ trunk/jetty/debian/rules 2009-11-27 23:11:38 UTC (rev 11148)
@@ -2,6 +2,7 @@
include /usr/share/cdbs/1/rules/debhelper.mk
include /usr/share/cdbs/1/class/ant.mk
+include /usr/share/cdbs/1/rules/patchsys-quilt.mk
PACKAGE := $(DEB_SOURCE_PACKAGE)
VERSION := $(DEB_UPSTREAM_VERSION)