[tomcat7] 01/01: Fix CVE-2014-0050: DoS caused by malformed multipart requests
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Sun Feb 9 00:23:29 UTC 2014
This is an automated email from the git hooks/post-receive script.
ebourg-guest pushed a commit to branch wheezy
in repository tomcat7.
commit d9598bc7990c03fa2976b2862943daddceb67e38
Author: Emmanuel Bourg <ebourg at apache.org>
Date: Sun Feb 9 01:21:39 2014 +0100
Fix CVE-2014-0050: DoS caused by malformed multipart requests
---
debian/changelog | 8 +++++
debian/patches/0018-CVE-2014-0050.patch | 56 +++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 65 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 3d3955a..59c8846 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+tomcat7 (7.0.28-4+deb7u1) wheezy-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2014-0050: Multipart requests with a malformed Content-Type header
+ can trigger an infinite loop causing a denial of service.
+
+ -- Emmanuel Bourg <ebourg at apache.org> Sun, 09 Feb 2014 01:09:12 +0100
+
tomcat7 (7.0.28-4) unstable; urgency=high
* Acknowledge NMU: 7.0.28-3+nmu1 (Closes: #692440)
diff --git a/debian/patches/0018-CVE-2014-0050.patch b/debian/patches/0018-CVE-2014-0050.patch
new file mode 100644
index 0000000..0a59fa1
--- /dev/null
+++ b/debian/patches/0018-CVE-2014-0050.patch
@@ -0,0 +1,56 @@
+Description: Fixes an infinite loop caused by invalid MIME boundaries
+Author: Mark Thomas <markt at apache.org>, backported by Emmanuel Bourg <ebourg at apache.org>
+Origin: backport from Tomcat 7.0.51, http://svn.apache.org/r1565169
+--- a/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
++++ b/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
+@@ -300,8 +300,12 @@
+
+ // We prepend CR/LF to the boundary to chop trailing CR/LF from
+ // body-data tokens.
+- this.boundary = new byte[boundary.length + BOUNDARY_PREFIX.length];
+ this.boundaryLength = boundary.length + BOUNDARY_PREFIX.length;
++ if (bufSize < this.boundaryLength + 1) {
++ throw new IllegalArgumentException(
++ "The buffer size specified for the MultipartStream is too small");
++ }
++ this.boundary = new byte[this.boundaryLength];
+ this.keepRegion = this.boundary.length;
+ System.arraycopy(BOUNDARY_PREFIX, 0, this.boundary, 0,
+ BOUNDARY_PREFIX.length);
+--- a/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
++++ b/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
+@@ -825,7 +825,13 @@
+
+ notifier = new MultipartStream.ProgressNotifier(listener,
+ ctx.getContentLength());
+- multi = new MultipartStream(input, boundary, notifier);
++ try {
++ multi = new MultipartStream(input, boundary, notifier);
++ } catch (IllegalArgumentException iae) {
++ throw new InvalidContentTypeException(String.format(
++ "The boundary specified in the %s header is too long",
++ CONTENT_TYPE), iae);
++ }
+ multi.setHeaderEncoding(charEncoding);
+
+ skipPreamble = true;
+@@ -1001,7 +1007,7 @@
+ * detail message.
+ */
+ public InvalidContentTypeException() {
+- // Nothing to do.
++ super();
+ }
+
+ /**
+@@ -1013,6 +1019,10 @@
+ public InvalidContentTypeException(String message) {
+ super(message);
+ }
++
++ public InvalidContentTypeException(String msg, Throwable cause) {
++ super(msg, cause);
++ }
+ }
+
+ /**
diff --git a/debian/patches/series b/debian/patches/series
index 8635686..a2e18e2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,4 @@ cve-2012-3439.patch
cve-2012-3439-tests.patch
0016-CVE-2012-4431.patch
0017-CVE-2012-3546.patch
+0018-CVE-2014-0050.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git
More information about the pkg-java-commits
mailing list