[tomcat8] 01/01: Fixed CVE-2014-7810: Potential issue with BeanELresolver when running under a security manager
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Fri Dec 18 13:02:33 UTC 2015
This is an automated email from the git hooks/post-receive script.
ebourg-guest pushed a commit to branch jessie
in repository tomcat8.
commit f04705358c7d1d899755271c4185a4f35d87dcc2
Author: Emmanuel Bourg <ebourg at apache.org>
Date: Fri Dec 18 13:08:36 2015 +0100
Fixed CVE-2014-7810: Potential issue with BeanELresolver when running under a security manager
---
debian/changelog | 8 +++
debian/patches/CVE-2014-7810.patch | 110 +++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 119 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 59a638c..348758b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+tomcat8 (8.0.14-1+deb8u1) jessie-security; urgency=medium
+
+ * Fixed CVE-2014-7810: Malicious web applications could use expression
+ language to bypass the protections of a Security Manager as expressions
+ were evaluated within a privileged code section.
+
+ -- Emmanuel Bourg <ebourg at apache.org> Fri, 18 Dec 2015 10:20:56 +0100
+
tomcat8 (8.0.14-1) unstable; urgency=medium
* New upstream release
diff --git a/debian/patches/CVE-2014-7810.patch b/debian/patches/CVE-2014-7810.patch
new file mode 100644
index 0000000..dfbd540
--- /dev/null
+++ b/debian/patches/CVE-2014-7810.patch
@@ -0,0 +1,110 @@
+Description: CVE-2014-7810: Fix potential issue with BeanELresolver when running under a security manager.
+ Some classes may not be accessible but may have accessible interfaces.
+Origin: backport, http://svn.apache.org/r1644018
+ http://svn.apache.org/r1645642
+diff --git a/java/javax/el/BeanELResolver.java b/java/javax/el/BeanELResolver.java
+index 3b40e8c..032662a 100644
+--- a/java/javax/el/BeanELResolver.java
++++ b/java/javax/el/BeanELResolver.java
+@@ -229,15 +229,39 @@ public class BeanELResolver extends ELResolver {
+ try {
+ BeanInfo info = Introspector.getBeanInfo(this.type);
+ PropertyDescriptor[] pds = info.getPropertyDescriptors();
+- for (int i = 0; i < pds.length; i++) {
+- this.properties.put(pds[i].getName(), new BeanProperty(
+- type, pds[i]));
++ for (PropertyDescriptor pd: pds) {
++ this.properties.put(pd.getName(), new BeanProperty(type, pd));
++ }
++ if (System.getSecurityManager() != null) {
++ // When running with SecurityManager, some classes may be
++ // not accessible, but have accessible interfaces.
++ populateFromInterfaces(type);
+ }
+ } catch (IntrospectionException ie) {
+ throw new ELException(ie);
+ }
+ }
+
++ private void populateFromInterfaces(Class<?> aClass) throws IntrospectionException {
++ Class<?> interfaces[] = aClass.getInterfaces();
++ if (interfaces.length > 0) {
++ for (Class<?> ifs : interfaces) {
++ BeanInfo info = Introspector.getBeanInfo(ifs);
++ PropertyDescriptor[] pds = info.getPropertyDescriptors();
++ for (PropertyDescriptor pd : pds) {
++ if (!this.properties.containsKey(pd.getName())) {
++ this.properties.put(pd.getName(), new BeanProperty(
++ this.type, pd));
++ }
++ }
++ }
++ }
++ Class<?> superclass = aClass.getSuperclass();
++ if (superclass != null) {
++ populateFromInterfaces(superclass);
++ }
++ }
++
+ private BeanProperty get(ELContext ctx, String name) {
+ BeanProperty property = this.properties.get(name);
+ if (property == null) {
+diff --git a/java/org/apache/jasper/runtime/PageContextImpl.java b/java/org/apache/jasper/runtime/PageContextImpl.java
+index 280a822..a4f04e0 100644
+--- a/java/org/apache/jasper/runtime/PageContextImpl.java
++++ b/java/org/apache/jasper/runtime/PageContextImpl.java
+@@ -926,37 +926,11 @@ public class PageContextImpl extends PageContext {
+ final Class<?> expectedType, final PageContext pageContext,
+ final ProtectedFunctionMapper functionMap)
+ throws ELException {
+- Object retValue;
+ final ExpressionFactory exprFactory = jspf.getJspApplicationContext(pageContext.getServletContext()).getExpressionFactory();
+- if (SecurityUtil.isPackageProtectionEnabled()) {
+- try {
+- retValue = AccessController
+- .doPrivileged(new PrivilegedExceptionAction<Object>() {
+-
+- @Override
+- public Object run() throws Exception {
+- ELContextImpl ctx = (ELContextImpl) pageContext.getELContext();
+- ctx.setFunctionMapper(functionMap);
+- ValueExpression ve = exprFactory.createValueExpression(ctx, expression, expectedType);
+- return ve.getValue(ctx);
+- }
+- });
+- } catch (PrivilegedActionException ex) {
+- Exception realEx = ex.getException();
+- if (realEx instanceof ELException) {
+- throw (ELException) realEx;
+- } else {
+- throw new ELException(realEx);
+- }
+- }
+- } else {
+- ELContextImpl ctx = (ELContextImpl) pageContext.getELContext();
+- ctx.setFunctionMapper(functionMap);
+- ValueExpression ve = exprFactory.createValueExpression(ctx, expression, expectedType);
+- retValue = ve.getValue(ctx);
+- }
+-
+- return retValue;
++ ELContextImpl ctx = (ELContextImpl) pageContext.getELContext();
++ ctx.setFunctionMapper(functionMap);
++ ValueExpression ve = exprFactory.createValueExpression(ctx, expression, expectedType);
++ return ve.getValue(ctx);
+ }
+
+ @Override
+diff --git a/java/org/apache/jasper/security/SecurityClassLoad.java b/java/org/apache/jasper/security/SecurityClassLoad.java
+index fc020b3..109a700 100644
+--- a/java/org/apache/jasper/security/SecurityClassLoad.java
++++ b/java/org/apache/jasper/security/SecurityClassLoad.java
+@@ -91,8 +91,6 @@ public final class SecurityClassLoad {
+ "runtime.PageContextImpl$11");
+ loader.loadClass( basePackage +
+ "runtime.PageContextImpl$12");
+- loader.loadClass( basePackage +
+- "runtime.PageContextImpl$13");
+
+ loader.loadClass( basePackage +
+ "runtime.JspContextWrapper");
diff --git a/debian/patches/series b/debian/patches/series
index 1e5dd81..86954a1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,3 +12,4 @@
0018-fix-manager-webapp.patch
0019-add-distribution-to-error-page.patch
#0020-disable-java8-support-with-jdtcompiler.patch
+CVE-2014-7810.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git
More information about the pkg-java-commits
mailing list