[tomcat7] 01/02: Fix CVE-2013-2071: Information disclosure
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Mon Feb 17 16:33:43 UTC 2014
This is an automated email from the git hooks/post-receive script.
ebourg-guest pushed a commit to branch wheezy
in repository tomcat7.
commit 3404ea4badb09b7afe99f0cb18213a968b78bb70
Author: Emmanuel Bourg <ebourg at apache.org>
Date: Mon Feb 17 16:24:32 2014 +0100
Fix CVE-2013-2071: Information disclosure
---
debian/changelog | 3 ++
debian/patches/0020-CVE-2013-2071.patch | 62 +++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 66 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index f89b688..a497314 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,9 @@ tomcat7 (7.0.28-4+deb7u1) wheezy-security; urgency=high
a request for an authenticated resource while the victim is completing
the login form, an attacker could inject a request that would be executed
using the victim's credentials.
+ * Fix for CVE-2013-2071: A runtime exception in AsyncListener.onComplete()
+ prevents the request from being recycled. This may expose elements of a
+ previous request to a current request.
-- Emmanuel Bourg <ebourg at apache.org> Sun, 09 Feb 2014 01:09:12 +0100
diff --git a/debian/patches/0020-CVE-2013-2071.patch b/debian/patches/0020-CVE-2013-2071.patch
new file mode 100644
index 0000000..856e863
--- /dev/null
+++ b/debian/patches/0020-CVE-2013-2071.patch
@@ -0,0 +1,62 @@
+Description: Fix for CVE-2013-2071: A runtime exception in AsyncListener.onComplete()
+ prevents the request from being recycled. This may expose elements of a previous
+ request to a current request.
+Origin: backport from Tomcat 7.0.40, http://svn.apache.org/r1471372
+Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=54178
+--- a/java/org/apache/catalina/core/AsyncContextImpl.java
++++ b/java/org/apache/catalina/core/AsyncContextImpl.java
+@@ -98,9 +98,10 @@ public class AsyncContextImpl implements
+ for (AsyncListenerWrapper listener : listenersCopy) {
+ try {
+ listener.fireOnComplete(event);
+- } catch (IOException ioe) {
++ } catch (Throwable t) {
++ ExceptionUtils.handleThrowable(t);
+ log.warn("onComplete() failed for listener of type [" +
+- listener.getClass().getName() + "]", ioe);
++ listener.getClass().getName() + "]", t);
+ }
+ }
+ }
+@@ -115,7 +116,13 @@ public class AsyncContextImpl implements
+ new ArrayList<AsyncListenerWrapper>();
+ listenersCopy.addAll(listeners);
+ for (AsyncListenerWrapper listener : listenersCopy) {
+- listener.fireOnTimeout(event);
++ try {
++ listener.fireOnTimeout(event);
++ } catch (Throwable t) {
++ ExceptionUtils.handleThrowable(t);
++ log.warn("onTimeout() failed for listener of type [" +
++ listener.getClass().getName() + "]", t);
++ }
+ listenerInvoked = true;
+ }
+ if (listenerInvoked) {
+@@ -294,9 +301,10 @@ public class AsyncContextImpl implements
+ for (AsyncListenerWrapper listener : listenersCopy) {
+ try {
+ listener.fireOnStartAsync(event);
+- } catch (IOException ioe) {
++ } catch (Throwable t) {
++ ExceptionUtils.handleThrowable(t);
+ log.warn("onStartAsync() failed for listener of type [" +
+- listener.getClass().getName() + "]", ioe);
++ listener.getClass().getName() + "]", t);
+ }
+ }
+ listeners.clear();
+@@ -357,9 +365,10 @@ public class AsyncContextImpl implements
+ for (AsyncListenerWrapper listener : listenersCopy) {
+ try {
+ listener.fireOnError(errorEvent);
+- } catch (IOException ioe) {
+- log.warn("onStartAsync() failed for listener of type [" +
+- listener.getClass().getName() + "]", ioe);
++ } catch (Throwable t2) {
++ ExceptionUtils.handleThrowable(t);
++ log.warn("onError() failed for listener of type [" +
++ listener.getClass().getName() + "]", t2);
+ }
+ }
+ }
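Review bot: In the last hunk of the new patch (the onError handler) the catch variable is `t2`, but the guard on the following line calls `ExceptionUtils.handleThrowable(t)`, so the throwable raised by the listener is never passed through the fatal-error check; it should read `ExceptionUtils.handleThrowable(t2);`, matching the other three hunks, which pass the caught variable. As written, a ThreadDeath or VirtualMachineError thrown from fireOnError() would be logged by the warn call and swallowed instead of being rethrown, which is the one case handleThrowable exists to propagate, while the error that is actually reported to the request would be re-examined instead. `t` is not declared inside the hunk and is presumably the enclosing method's Throwable parameter (the error being delivered to the listeners), so the mix-up is easy to miss in review. The enclosing method in AsyncContextImpl starts and ends outside this hunk, and the inner hunks have lost their leading indentation in this mail rendering, so the patch should be checked against the repository copy before applying.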
diff --git a/debian/patches/series b/debian/patches/series
index 49e83e1..e4650e5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,3 +15,4 @@ cve-2012-3439-tests.patch
0017-CVE-2012-3546.patch
0018-CVE-2014-0050.patch
0019-CVE-2013-2067.patch
+0020-CVE-2013-2071.patch