[tomcat6] 02/03: Import Debian patch 6.0.45+dfsg-1~deb7u3
Markus Koschany
apo at moszumanska.debian.org
Thu Dec 1 20:42:37 UTC 2016
apo pushed a commit to annotated tag debian/6.0.45+dfsg-1_deb7u3
in repository tomcat6.
commit 49766f57ad1d039638c8cef1187c4d965c7aad30
Author: Markus Koschany <apo at debian.org>
Date: Thu Dec 1 20:01:25 2016 +0000
Import Debian patch 6.0.45+dfsg-1~deb7u3
---
debian/changelog | 6 +-
debian/patches/CVE-2016-6797-part2.patch | 131 +++++++++++++++++++++++++++++++
debian/patches/series | 1 +
debian/tomcat6.postrm | 2 +-
4 files changed, 137 insertions(+), 3 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 5ecc7a3..fbc761d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-tomcat6 (6.0.45+dfsg-1~deb7u3) UNRELEASED; urgency=high
+tomcat6 (6.0.45+dfsg-1~deb7u3) wheezy-security; urgency=high
* Fixed CVE-2016-0762: The Realm implementations did not process the supplied
password if the supplied user name did not exist. This made a timing attack
@@ -37,8 +37,10 @@ tomcat6 (6.0.45+dfsg-1~deb7u3) UNRELEASED; urgency=high
vulnerability that could be exploited to overwrite any file on the system.
Thanks to Paul Szabo for the report.
* Hardened the init.d script, thanks to Paul Szabo
+ * Fix possible privilege escalation via package purge by removing the chown
+ command in postrm maintainer script. See #845385 for more information.
- -- Markus Koschany <apo at debian.org> Fri, 25 Nov 2016 22:04:20 +0100
+ -- Markus Koschany <apo at debian.org> Thu, 01 Dec 2016 20:01:25 +0000
tomcat6 (6.0.45+dfsg-1~deb7u2) wheezy-security; urgency=high
diff --git a/debian/patches/CVE-2016-6797-part2.patch b/debian/patches/CVE-2016-6797-part2.patch
new file mode 100644
index 0000000..eac0cb1
--- /dev/null
+++ b/debian/patches/CVE-2016-6797-part2.patch
@@ -0,0 +1,131 @@
+From: Markus Koschany <apo at debian.org>
+Date: Thu, 1 Dec 2016 15:02:31 +0100
+Subject: CVE-2016-6797 part2
+
+Backport ResourceLinkFactory.java from trunk as a precaution to avoid #845425.
+Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845425
+---
+ .../apache/naming/factory/ResourceLinkFactory.java | 54 +++++++++-------------
+ 1 file changed, 23 insertions(+), 31 deletions(-)
+
+diff --git a/java/org/apache/naming/factory/ResourceLinkFactory.java b/java/org/apache/naming/factory/ResourceLinkFactory.java
+index 56b1423..4a13b10 100644
+--- a/java/org/apache/naming/factory/ResourceLinkFactory.java
++++ b/java/org/apache/naming/factory/ResourceLinkFactory.java
+@@ -5,17 +5,15 @@
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+- *
++ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+- *
++ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+- */
+-
+-
++ */
+ package org.apache.naming.factory;
+
+ import java.util.HashMap;
+@@ -32,24 +30,16 @@ import javax.naming.spi.ObjectFactory;
+
+ import org.apache.naming.ResourceLinkRef;
+
+-
+ /**
+ * <p>Object factory for resource links.</p>
+- *
++ *
+ * @author Remy Maucherat
+ *
+ */
+-
+-public class ResourceLinkFactory
+- implements ObjectFactory {
+-
+-
+- // ----------------------------------------------------------- Constructors
+-
++public class ResourceLinkFactory implements ObjectFactory {
+
+ // ------------------------------------------------------- Static Variables
+
+-
+ /**
+ * Global naming context.
+ */
+@@ -60,10 +50,9 @@ public class ResourceLinkFactory
+
+ // --------------------------------------------------------- Public Methods
+
+-
+ /**
+ * Set the global context (note: can only be used once).
+- *
++ *
+ * @param newGlobalContext new global context value
+ */
+ public static void setGlobalContext(Context newGlobalContext) {
+@@ -128,24 +117,21 @@ public class ResourceLinkFactory
+
+ // -------------------------------------------------- ObjectFactory Methods
+
+-
+ /**
+ * Create a new DataSource instance.
+- *
++ *
+ * @param obj The reference object describing the DataSource
+ */
+ public Object getObjectInstance(Object obj, Name name, Context nameCtx,
+- Hashtable environment)
+- throws NamingException {
+-
+- if (!(obj instanceof ResourceLinkRef))
++ Hashtable<?,?> environment) throws NamingException {
++
++ if (!(obj instanceof ResourceLinkRef)) {
+ return null;
++ }
+
+ // Can we process this request?
+ Reference ref = (Reference) obj;
+
+- String type = ref.getClassName();
+-
+ // Read the global ref addr
+ String globalName = null;
+ RefAddr refAddr = ref.get(ResourceLinkRef.GLOBALNAME);
+@@ -158,14 +144,20 @@ public class ResourceLinkFactory
+ }
+ Object result = null;
+ result = globalContext.lookup(globalName);
+- // FIXME: Check type
++ // Check the expected type
++ String expectedClassName = ref.getClassName();
++ try {
++ Class<?> expectedClazz = Class.forName(
++ expectedClassName, true, Thread.currentThread().getContextClassLoader());
++ if (!expectedClazz.isAssignableFrom(result.getClass())) {
++ throw new IllegalArgumentException();
++ }
++ } catch (ClassNotFoundException e) {
++ throw new IllegalStateException(e);
++ }
+ return result;
+ }
+
+- return (null);
+-
+-
++ return null;
+ }
+-
+-
+ }
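Review bot: The type check added after `result = globalContext.lookup(globalName);` in the last nested hunk of the new patch file dereferences `result` and passes `expectedClassName` to `Class.forName` without null guards, so a link whose `ref.getClassName()` is null, or a lookup that yields null, fails with a NullPointerException instead of the intended rejection; the enclosing `getObjectInstance` method starts in the preceding nested hunk. Both added `throw` statements also carry no message, and the `ClassNotFoundException` is rewrapped as `IllegalStateException` without naming the link, so an operator reading the log cannot tell which resource link, global name or declared type failed the check. I would add `if (expectedClassName == null || result == null) { throw new IllegalArgumentException("resource link " + name + " -> " + globalName + ": missing expected type or lookup result"); }` before the `try`, and give the two existing throws messages that include `name`, `globalName`, `expectedClassName` and `result.getClass().getName()`. Whether `globalContext.lookup` can return null for the context implementation in use is not visible here, so the `result` guard is a precaution rather than a known failure.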
diff --git a/debian/patches/series b/debian/patches/series
index e2c4068..d5bde93 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,3 +14,4 @@ CVE-2016-5018.patch
CVE-2016-6796.patch
CVE-2016-6816.patch
CVE-2016-8735.patch
+CVE-2016-6797-part2.patch
diff --git a/debian/tomcat6.postrm b/debian/tomcat6.postrm
index 359ca31..d210343 100644
--- a/debian/tomcat6.postrm
+++ b/debian/tomcat6.postrm
@@ -60,7 +60,7 @@ case "$1" in
rmdir --ignore-fail-on-non-empty /etc/authbind/byuid /etc/authbind
# Put all files owned by group tomcat6 back into root group before deleting
# the tomcat6 user and group
- chown -Rhf root:root /etc/tomcat6/ || true
+ #chown -Rhf root:root /etc/tomcat6/ || true
# Remove user/group and log files (don't remove everything under
# /var/lib/tomcat6 because there might be user-installed webapps)
db_get tomcat6/username && TOMCAT6_USER="$RET" || TOMCAT6_USER="tomcat6"
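Review bot: The comment on the two lines above the change (`# Put all files owned by group tomcat6 back into root group before deleting ...`) now describes a command that no longer runs, and the command itself is kept as commented-out code, so a later maintainer cannot tell whether the chown is disabled on purpose or was left behind by accident. Delete the `#chown` line and replace the stale comment with one that records the reason, e.g. `# Deliberately no recursive chown of /etc/tomcat6 on purge: the tree can contain entries controlled by the tomcat6 user (see #845385)`. Without the chown, any files under /etc/tomcat6 that survive the purge remain owned by the uid/gid that is removed a few lines later; whether that matters depends on what the purge deletes first, which is outside this hunk. The enclosing `case "$1" in` block starts and ends outside the hunk.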