[tomcat7] 01/02: Fix CVE-2013-2067: Session fixation
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Mon Feb 17 15:25:47 UTC 2014
This is an automated email from the git hooks/post-receive script.
ebourg-guest pushed a commit to branch wheezy
in repository tomcat7.
commit 088616a8b60a2ea2007392af2781978e0570d3bd
Author: Emmanuel Bourg <ebourg at apache.org>
Date: Mon Feb 17 15:49:29 2014 +0100
Fix CVE-2013-2067: Session fixation
---
debian/changelog | 5 +++++
debian/patches/0019-CVE-2013-2067.patch | 32 ++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 38 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 59c8846..f89b688 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,11 @@ tomcat7 (7.0.28-4+deb7u1) wheezy-security; urgency=high
* Team upload.
* Fix CVE-2014-0050: Multipart requests with a malformed Content-Type header
can trigger an infinite loop causing a denial of service.
+ * Fix CVE-2013-2067: FORM authentication associates the most recent request
+ requiring authentication with the current session. By repeatedly sending
+ a request for an authenticated resource while the victim is completing
+ the login form, an attacker could inject a request that would be executed
+ using the victim's credentials.
-- Emmanuel Bourg <ebourg at apache.org> Sun, 09 Feb 2014 01:09:12 +0100
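Review bot: the trailer at the end of this hunk still carries the date of the earlier CVE-2014-0050 entry (Sun, 09 Feb 2014), although the entry is being extended in a commit dated Mon Feb 17; refresh the timestamp before upload so the changelog date matches the last change to the entry. The wording also describes the attack but not the remedy; since the backported fix only rotates the session id when changeSessionIdOnAuthentication is enabled, a short clause such as "The session id is now changed before forwarding to the login page when changeSessionIdOnAuthentication is set" would tell administrators who have disabled that attribute that they remain exposed.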
diff --git a/debian/patches/0019-CVE-2013-2067.patch b/debian/patches/0019-CVE-2013-2067.patch
new file mode 100644
index 0000000..f4fec30
--- /dev/null
+++ b/debian/patches/0019-CVE-2013-2067.patch
@@ -0,0 +1,32 @@
+Description: Fix for CVE-2013-2067: FORM authentication associates the most
+ recent request requiring authentication with the current session. By repeatedly
+ sending a request for an authenticated resource while the victim is completing
+ the login form, an attacker could inject a request that would be executed using
+ the victim's credentials.
+Origin: backport from Tomcat 7.0.33, http://svn.apache.org/r1408044
+--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
++++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
+@@ -31,6 +31,7 @@
+ import javax.servlet.http.HttpServletRequest;
+ import javax.servlet.http.HttpServletResponse;
+
++import org.apache.catalina.Manager;
+ import org.apache.catalina.Realm;
+ import org.apache.catalina.Session;
+ import org.apache.catalina.connector.Request;
+@@ -402,6 +403,15 @@
+ return;
+ }
+
++ if (getChangeSessionIdOnAuthentication()) {
++ Session session = request.getSessionInternal(false);
++ if (session != null) {
++ Manager manager = request.getContext().getManager();
++ manager.changeSessionId(session);
++ request.changeSessionId(session.getId());
++ }
++ }
++
+ // Always use GET for the login page, regardless of the method used
+ String oldMethod = request.getMethod();
+ request.getCoyoteRequest().method().setString("GET");
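Review bot: the second hunk of the embedded patch (@@ -402,6 +403,15 @@) carries no function context, so the patch alone does not show which FormAuthenticator method receives the session id rotation; name the method in the Description, or regenerate the patch with `diff -p`, so reviewers of later rebases can verify the insertion point. The new block is also entirely conditional on getChangeSessionIdOnAuthentication(); the Description should state that deployments which set changeSessionIdOnAuthentication="false" on the authenticator do not get this protection. Finally, manager is dereferenced without a null check after request.getContext().getManager(); if this matches upstream r1408044 verbatim that is acceptable, but a one-line comment recording that the backport is unmodified from upstream would save the next maintainer from re-checking.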
diff --git a/debian/patches/series b/debian/patches/series
index a2e18e2..49e83e1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,3 +14,4 @@ cve-2012-3439-tests.patch
0016-CVE-2012-4431.patch
0017-CVE-2012-3546.patch
0018-CVE-2014-0050.patch
+0019-CVE-2013-2067.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git