[pkg-java] r13293 - in trunk/tomcat6/debian: . patches
Tony Mancill
tmancill at alioth.debian.org
Sat Feb 12 17:18:41 UTC 2011
Author: tmancill
Date: 2011-02-12 17:18:39 +0000 (Sat, 12 Feb 2011)
New Revision: 13293
Added:
trunk/tomcat6/debian/patches/0012-CVE-2010-3718.patch
trunk/tomcat6/debian/patches/0013-CVE-2011-0013.patch
trunk/tomcat6/debian/patches/0014-CVE-2011-0534.patch
Modified:
trunk/tomcat6/debian/changelog
trunk/tomcat6/debian/patches/series
Log:
updates for 6.0.28-10
Modified: trunk/tomcat6/debian/changelog
===================================================================
--- trunk/tomcat6/debian/changelog 2011-02-12 17:09:45 UTC (rev 13292)
+++ trunk/tomcat6/debian/changelog 2011-02-12 17:18:39 UTC (rev 13293)
@@ -1,10 +1,12 @@
-tomcat6 (6.0.28-10) UNRELEASED; urgency=low
+tomcat6 (6.0.28-10) unstable; urgency=medium
* Team upload.
* Add Portuguese/Brazilian debconf translation.
Thanks to José de Figueiredo (Closes: #608527)
+ * Add patches for CVE-2011-0534, CVE-2010-3718, CVE-2011-0013
+ (Closes: #612257)
- -- tony mancill <tmancill at debian.org> Tue, 18 Jan 2011 21:41:22 -0800
+ -- tony mancill <tmancill at debian.org> Wed, 09 Feb 2011 21:49:33 -0800
tomcat6 (6.0.28-9) unstable; urgency=medium
Added: trunk/tomcat6/debian/patches/0012-CVE-2010-3718.patch
===================================================================
--- trunk/tomcat6/debian/patches/0012-CVE-2010-3718.patch (rev 0)
+++ trunk/tomcat6/debian/patches/0012-CVE-2010-3718.patch 2011-02-12 17:18:39 UTC (rev 13293)
@@ -0,0 +1,31 @@
+--- a/java/org/apache/catalina/core/StandardContext.java
++++ b/java/org/apache/catalina/core/StandardContext.java
+@@ -5309,11 +5309,11 @@
+ dir.mkdirs();
+
+ // Set the appropriate servlet context attribute
+- getServletContext().setAttribute(Globals.WORK_DIR_ATTR, dir);
+- if (getServletContext() instanceof ApplicationContext)
+- ((ApplicationContext) getServletContext()).setAttributeReadOnly
+- (Globals.WORK_DIR_ATTR);
+-
++ if (context == null) {
++ getServletContext();
++ }
++ context.setAttribute(Globals.WORK_DIR_ATTR, dir);
++ context.setAttributeReadOnly(Globals.WORK_DIR_ATTR);
+ }
+
+
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -93,6 +93,9 @@
+ <bug>49436</bug>: Correct documented default for readonly attribute of
+ the UserDatabase component. (markt)
+ </fix>
++ <fix>
++ Code clean-up. Avoid some casts in StandardContext. (markt)
++ </fix>
+ </changelog>
+ </subsection>
+ </section>
Added: trunk/tomcat6/debian/patches/0013-CVE-2011-0013.patch
===================================================================
--- trunk/tomcat6/debian/patches/0013-CVE-2011-0013.patch (rev 0)
+++ trunk/tomcat6/debian/patches/0013-CVE-2011-0013.patch 2011-02-12 17:18:39 UTC (rev 13293)
@@ -0,0 +1,63 @@
+--- a/java/org/apache/catalina/manager/HTMLManagerServlet.java
++++ b/java/org/apache/catalina/manager/HTMLManagerServlet.java
+@@ -407,10 +407,11 @@
+
+ args = new Object[7];
+ args[0] = URL_ENCODER.encode(displayPath);
+- args[1] = displayPath;
+- args[2] = context.getDisplayName();
+- if (args[2] == null) {
++ args[1] = RequestUtil.filter(displayPath);
++ if (context.getDisplayName() == null) {
+ args[2] = " ";
++ } else {
++ args[2] = RequestUtil.filter(context.getDisplayName());
+ }
+ args[3] = new Boolean(context.getAvailable());
+ args[4] = response.encodeURL
+--- a/java/org/apache/catalina/manager/StatusTransformer.java
++++ b/java/org/apache/catalina/manager/StatusTransformer.java
+@@ -575,7 +575,7 @@
+ }
+
+ writer.print("<a href=\"#" + (count++) + ".0\">");
+- writer.print(webModuleName);
++ writer.print(filter(webModuleName));
+ writer.print("</a>");
+ if (iterator.hasNext()) {
+ writer.print("<br>");
+@@ -650,7 +650,7 @@
+ }
+
+ writer.print("<h1>");
+- writer.print(name);
++ writer.print(filter(name));
+ writer.print("</h1>");
+ writer.print("</a>");
+
+@@ -778,11 +778,11 @@
+ mBeanServer.invoke(objectName, "findMappings", null, null);
+
+ writer.print("<h2>");
+- writer.print(servletName);
++ writer.print(filter(servletName));
+ if ((mappings != null) && (mappings.length > 0)) {
+ writer.print(" [ ");
+ for (int i = 0; i < mappings.length; i++) {
+- writer.print(mappings[i]);
++ writer.print(filter(mappings[i]));
+ if (i < mappings.length - 1) {
+ writer.print(" , ");
+ }
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -45,6 +45,9 @@
+ <fix>Arrange filter logic. (jfclere)
+ </fix>
+ <fix>
++ filter input of manager app servlets. (kkolinko)
++ </fix>
++ <fix>
+ <bug>49230</bug>: Enhance JRE leak prevention listener with protection
+ for the keep-alive thread started by
+ <code>sun.net.www.http.HttpClient</code>. Patch provided by Rob Kooper.
Added: trunk/tomcat6/debian/patches/0014-CVE-2011-0534.patch
===================================================================
--- trunk/tomcat6/debian/patches/0014-CVE-2011-0534.patch (rev 0)
+++ trunk/tomcat6/debian/patches/0014-CVE-2011-0534.patch 2011-02-12 17:18:39 UTC (rev 13293)
@@ -0,0 +1,171 @@
+--- a/java/org/apache/coyote/http11/InternalNioInputBuffer.java
++++ b/java/org/apache/coyote/http11/InternalNioInputBuffer.java
+@@ -41,6 +41,11 @@
+ */
+ public class InternalNioInputBuffer implements InputBuffer {
+
++ /**
++ * Logger.
++ */
++ private static final org.apache.juli.logging.Log log =
++ org.apache.juli.logging.LogFactory.getLog(InternalNioInputBuffer.class);
+
+ // -------------------------------------------------------------- Constants
+
+@@ -57,12 +62,7 @@
+ this.request = request;
+ headers = request.getMimeHeaders();
+
+- buf = new byte[headerBufferSize];
+-// if (headerBufferSize < (8 * 1024)) {
+-// bbuf = ByteBuffer.allocateDirect(6 * 1500);
+-// } else {
+-// bbuf = ByteBuffer.allocateDirect((headerBufferSize / 1500 + 1) * 1500);
+-// }
++ this.headerBufferSize = headerBufferSize;
+
+ inputStreamInputBuffer = new SocketInputBuffer();
+
+@@ -189,6 +189,28 @@
+ protected int lastActiveFilter;
+
+
++ /**
++ * Maximum allowed size of the HTTP request line plus headers.
++ */
++ private final int headerBufferSize;
++
++ /**
++ * Known size of the NioChannel read buffer.
++ */
++ private int socketReadBufferSize;
++
++ /**
++ * Additional size we allocate to the buffer to be more effective when
++ * skipping empty lines that may precede the request.
++ */
++ private static final int skipBlankLinesSize = 1024;
++
++ /**
++ * How many bytes in the buffer are occupied by skipped blank lines that
++ * precede the request.
++ */
++ private int skipBlankLinesBytes;
++
+ // ------------------------------------------------------------- Properties
+
+
+@@ -197,6 +219,12 @@
+ */
+ public void setSocket(NioChannel socket) {
+ this.socket = socket;
++ socketReadBufferSize = socket.getBufHandler().getReadBuffer().capacity();
++ int bufLength = skipBlankLinesSize + headerBufferSize
++ + socketReadBufferSize;
++ if (buf == null || buf.length < bufLength) {
++ buf = new byte[bufLength];
++ }
+ }
+
+ /**
+@@ -421,25 +449,23 @@
+ if (useAvailableData) {
+ return false;
+ }
++ // Ignore bytes that were read
++ pos = lastValid = 0;
+ // Do a simple read with a short timeout
+ if ( readSocket(true, false)==0 ) return false;
+ }
+ chr = buf[pos++];
+ } while ((chr == Constants.CR) || (chr == Constants.LF));
+ pos--;
+- parsingRequestLineStart = pos;
+- parsingRequestLinePhase = 1;
+- }
+- if ( parsingRequestLinePhase == 1 ) {
+- // Mark the current buffer position
+-
+- if (pos >= lastValid) {
+- if (useAvailableData) {
+- return false;
+- }
+- // Do a simple read with a short timeout
+- if ( readSocket(true, false)==0 ) return false;
++ if (pos >= skipBlankLinesSize) {
++ // Move data, to have enough space for further reading
++ // of headers and body
++ System.arraycopy(buf, pos, buf, 0, lastValid - pos);
++ lastValid -= pos;
++ pos = 0;
+ }
++ skipBlankLinesBytes = pos;
++ parsingRequestLineStart = pos;
+ parsingRequestLinePhase = 2;
+ }
+ if ( parsingRequestLinePhase == 2 ) {
+@@ -578,6 +604,13 @@
+
+ private void expand(int newsize) {
+ if ( newsize > buf.length ) {
++ if (parsingHeader) {
++ throw new IllegalArgumentException(
++ sm.getString("iib.requestheadertoolarge.error"));
++ }
++ // Should not happen
++ log.warn("Expanding buffer size. Old size: " + buf.length
++ + ", new size: " + newsize, new Exception());
+ byte[] tmp = new byte[newsize];
+ System.arraycopy(buf,0,tmp,0,buf.length);
+ buf = tmp;
+@@ -639,6 +672,19 @@
+ if (status == HeaderParseStatus.DONE) {
+ parsingHeader = false;
+ end = pos;
++ // Checking that
++ // (1) Headers plus request line size does not exceed its limit
++ // (2) There are enough bytes to avoid expanding the buffer when
++ // reading body
++ // Technically, (2) is technical limitation, (1) is logical
++ // limitation to enforce the meaning of headerBufferSize
++ // From the way how buf is allocated and how blank lines are being
++ // read, it should be enough to check (1) only.
++ if (end - skipBlankLinesBytes > headerBufferSize
++ || buf.length - end < socketReadBufferSize) {
++ throw new IllegalArgumentException(
++ sm.getString("iib.requestheadertoolarge.error"));
++ }
+ return true;
+ } else {
+ return false;
+@@ -889,16 +935,7 @@
+ // Do a simple read with a short timeout
+ read = readSocket(timeout,block)>0;
+ } else {
+-
+- if (buf.length - end < 4500) {
+- // In this case, the request header was really large, so we allocate a
+- // brand new one; the old one will get GCed when subsequent requests
+- // clear all references
+- buf = new byte[buf.length];
+- end = 0;
+- }
+- pos = end;
+- lastValid = pos;
++ lastValid = pos = end;
+ // Do a simple read with a short timeout
+ read = readSocket(timeout, block)>0;
+ }
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -48,6 +48,10 @@
+ filter input of manager app servlets. (kkolinko)
+ </fix>
+ <fix>
++ <bug>50631</bug>: InternalNioInputBuffer should honor
++ <code>maxHttpHeadSize</code>. (kkolinko)
++ </fix>
++ <fix>
+ <bug>49230</bug>: Enhance JRE leak prevention listener with protection
+ for the keep-alive thread started by
+ <code>sun.net.www.http.HttpClient</code>. Patch provided by Rob Kooper.
Modified: trunk/tomcat6/debian/patches/series
===================================================================
--- trunk/tomcat6/debian/patches/series 2011-02-12 17:09:45 UTC (rev 13292)
+++ trunk/tomcat6/debian/patches/series 2011-02-12 17:18:39 UTC (rev 13293)
@@ -9,3 +9,6 @@
0009-allow-empty-PID-file.patch
0010-Use-java.security.policy-file-in-catalina.sh.patch
0011-CVE-2010-4172.patch
+0012-CVE-2010-3718.patch
+0013-CVE-2011-0013.patch
+0014-CVE-2011-0534.patch
More information about the pkg-java-commits
mailing list