[SCM] tomcat6 packaging branch, master, updated. debian/6.0.35-5+nmu1-5-g62b0e7f
tony mancill
tmancill at debian.org
Sat Dec 8 04:38:46 UTC 2012
The following commit has been merged in the master branch:
commit 210046af0084260264e231fbbd78d9d942d779ea
Author: tony mancill <tmancill at debian.org>
Date: Thu Dec 6 21:45:03 2012 -0800
add patch for CVE-2012-3546
diff --git a/debian/patches/0016-CVE-2012-3546.patch b/debian/patches/0016-CVE-2012-3546.patch
new file mode 100644
index 0000000..0ae4bb6
--- /dev/null
+++ b/debian/patches/0016-CVE-2012-3546.patch
@@ -0,0 +1,46 @@
+Description: Remove unneeded handling of FORM authentication in RealmBase.
+ It is a fix for CVE-2012-3546.
+Origin: upstream, http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/realm/RealmBase.java?r1=1381035&r2=1381034&pathrev=1381035
+
+--- a/java/org/apache/catalina/realm/RealmBase.java
++++ b/java/org/apache/catalina/realm/RealmBase.java
+@@ -45,7 +45,6 @@
+ import org.apache.catalina.connector.Request;
+ import org.apache.catalina.connector.Response;
+ import org.apache.catalina.core.ContainerBase;
+-import org.apache.catalina.deploy.LoginConfig;
+ import org.apache.catalina.deploy.SecurityConstraint;
+ import org.apache.catalina.deploy.SecurityCollection;
+ import org.apache.catalina.util.HexUtils;
+@@ -734,31 +733,6 @@
+ if (constraints == null || constraints.length == 0)
+ return (true);
+
+- // Specifically allow access to the form login and form error pages
+- // and the "j_security_check" action
+- LoginConfig config = context.getLoginConfig();
+- if ((config != null) &&
+- (Constants.FORM_METHOD.equals(config.getAuthMethod()))) {
+- String requestURI = request.getRequestPathMB().toString();
+- String loginPage = config.getLoginPage();
+- if (loginPage.equals(requestURI)) {
+- if (log.isDebugEnabled())
+- log.debug(" Allow access to login page " + loginPage);
+- return (true);
+- }
+- String errorPage = config.getErrorPage();
+- if (errorPage.equals(requestURI)) {
+- if (log.isDebugEnabled())
+- log.debug(" Allow access to error page " + errorPage);
+- return (true);
+- }
+- if (requestURI.endsWith(Constants.FORM_ACTION)) {
+- if (log.isDebugEnabled())
+- log.debug(" Allow access to username/password submission");
+- return (true);
+- }
+- }
+-
+ // Which user principal have we already authenticated?
+ Principal principal = request.getPrincipal();
+ boolean status = false;
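Review bot: The DEP-3 `Description:` at the top of the new patch file calls the removed branch "unneeded", which understates the security consequence that justifies shipping it as a CVE fix: the deleted block returned `true` from the constraint check for the configured login page, the error page and any request path for which `requestURI.endsWith(Constants.FORM_ACTION)` held (the removed comment names this the `j_security_check` action), and it did so before the authenticated principal is read on the line that follows, so a constraint-protected resource could be reached without the principal ever being examined. Suggest expanding the header to `Description: Fix CVE-2012-3546 - security constraint bypass under FORM authentication.` followed by ` RealmBase.hasResourcePermission() granted access to the login page, error page and any URI ending in j_security_check before checking the principal; drop that special-casing.` (the method name is inferred from the surrounding constraint code and the upstream link, not visible in the hunk). The enclosing method in RealmBase.java starts and ends outside this hunk, so the remaining constraint logic cannot be verified from the diff.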
diff --git a/debian/patches/series b/debian/patches/series
index 833be91..e473e1b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,3 +12,4 @@ cve-2012-2733.patch
cve-2012-3439.patch
0014-CVE-2012-4534.patch
0015-CVE-2012-4431.patch
+0016-CVE-2012-3546.patch