[tomcat7] 01/01: Import Debian patch 7.0.28-4+deb7u7
Markus Koschany
apo at moszumanska.debian.org
Thu Dec 1 22:28:07 UTC 2016
This is an automated email from the git hooks/post-receive script.
apo pushed a commit to branch wheezy
in repository tomcat7.
commit edf3e37ca1cc57fb2f14877d817dfd7b04c2045d
Author: Markus Koschany <apo at debian.org>
Date: Thu Dec 1 23:00:20 2016 +0100
Import Debian patch 7.0.28-4+deb7u7
---
debian/changelog | 6 +-
debian/patches/CVE-2016-6797-part2.patch | 126 +++++++++++++++++++++++++++++++
debian/patches/series | 1 +
debian/tomcat7.postrm.in | 2 +-
4 files changed, 132 insertions(+), 3 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 22e54ee..3169446 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-tomcat7 (7.0.28-4+deb7u7) UNRELEASED; urgency=high
+tomcat7 (7.0.28-4+deb7u7) wheezy-security; urgency=high
* Fixed CVE-2016-0762: The Realm implementations did not process the supplied
password if the supplied user name did not exist. This made a timing attack
@@ -37,8 +37,10 @@ tomcat7 (7.0.28-4+deb7u7) UNRELEASED; urgency=high
vulnerability that could be exploited to overwrite any file on the system.
Thanks to Paul Szabo for the report.
* Hardened the init.d script, thanks to Paul Szabo
+ * Fix possible privilege escalation via package purge by removing the chown
+ command in postrm maintainer script. See #845385 for more information.
- -- Markus Koschany <apo at debian.org> Sat, 26 Nov 2016 15:39:08 +0100
+ -- Markus Koschany <apo at debian.org> Thu, 01 Dec 2016 23:00:20 +0100
tomcat7 (7.0.28-4+deb7u6) wheezy-security; urgency=high
diff --git a/debian/patches/CVE-2016-6797-part2.patch b/debian/patches/CVE-2016-6797-part2.patch
new file mode 100644
index 0000000..d7c4466
--- /dev/null
+++ b/debian/patches/CVE-2016-6797-part2.patch
@@ -0,0 +1,126 @@
+From: Markus Koschany <apo at debian.org>
+Date: Thu, 1 Dec 2016 22:09:47 +0100
+Subject: CVE-2016-6797 part2
+
+Backport ResourceLinkFactory.java from trunk as a precaution to avoid #845425.
+Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845425
+---
+ .../apache/naming/factory/ResourceLinkFactory.java | 53 ++++++++++------------
+ 1 file changed, 23 insertions(+), 30 deletions(-)
+
+diff --git a/java/org/apache/naming/factory/ResourceLinkFactory.java b/java/org/apache/naming/factory/ResourceLinkFactory.java
+index 157adfb..9d1c577 100644
+--- a/java/org/apache/naming/factory/ResourceLinkFactory.java
++++ b/java/org/apache/naming/factory/ResourceLinkFactory.java
+@@ -5,17 +5,15 @@
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+- *
++ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+- *
++ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+- */
+-
+-
++ */
+ package org.apache.naming.factory;
+
+ import java.util.HashMap;
+@@ -32,24 +30,15 @@ import javax.naming.spi.ObjectFactory;
+
+ import org.apache.naming.ResourceLinkRef;
+
+-
+ /**
+ * <p>Object factory for resource links.</p>
+- *
++ *
+ * @author Remy Maucherat
+- * @version $Id: ResourceLinkFactory.java 1056946 2011-01-09 14:48:08Z markt $
+ */
+-
+-public class ResourceLinkFactory
+- implements ObjectFactory {
+-
+-
+- // ----------------------------------------------------------- Constructors
+-
++public class ResourceLinkFactory implements ObjectFactory {
+
+ // ------------------------------------------------------- Static Variables
+
+-
+ /**
+ * Global naming context.
+ */
+@@ -60,10 +49,9 @@ public class ResourceLinkFactory
+
+ // --------------------------------------------------------- Public Methods
+
+-
+ /**
+ * Set the global context (note: can only be used once).
+- *
++ *
+ * @param newGlobalContext new global context value
+ */
+ public static void setGlobalContext(Context newGlobalContext) {
+@@ -128,19 +116,18 @@ public class ResourceLinkFactory
+
+ // -------------------------------------------------- ObjectFactory Methods
+
+-
+ /**
+ * Create a new DataSource instance.
+- *
++ *
+ * @param obj The reference object describing the DataSource
+ */
+ @Override
+ public Object getObjectInstance(Object obj, Name name, Context nameCtx,
+- Hashtable<?,?> environment)
+- throws NamingException {
+-
+- if (!(obj instanceof ResourceLinkRef))
++ Hashtable<?,?> environment) throws NamingException {
++
++ if (!(obj instanceof ResourceLinkRef)) {
+ return null;
++ }
+
+ // Can we process this request?
+ Reference ref = (Reference) obj;
+@@ -158,14 +145,20 @@ public class ResourceLinkFactory
+ }
+ Object result = null;
+ result = globalContext.lookup(globalName);
+- // FIXME: Check type
++ // Check the expected type
++ String expectedClassName = ref.getClassName();
++ try {
++ Class<?> expectedClazz = Class.forName(
++ expectedClassName, true, Thread.currentThread().getContextClassLoader());
++ if (!expectedClazz.isAssignableFrom(result.getClass())) {
++ throw new IllegalArgumentException();
++ }
++ } catch (ClassNotFoundException e) {
++ throw new IllegalStateException(e);
++ }
+ return result;
+ }
+
+- return (null);
+-
+-
++ return null;
+ }
+-
+-
+ }
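Review bot: The new type check at `if (!expectedClazz.isAssignableFrom(result.getClass()))` dereferences `result` without a null check, so a lookup that returns null would surface as a NullPointerException instead of a clear rejection; `if (result == null || !expectedClazz.isAssignableFrom(result.getClass()))` would handle that case explicitly. The `IllegalArgumentException` is thrown without a message, which leaves a type mismatch undiagnosable from the logs; `throw new IllegalArgumentException("Resource " + globalName + " is of type " + result.getClass().getName() + " but " + expectedClassName + " was expected");` would name both sides without exposing anything sensitive. `Class.forName(expectedClassName, true, ...)` also initializes the named class, running its static initializer, which an assignability check does not need; passing `false` as the second argument performs the same check without that side effect on a class chosen by whoever declared the reference. getObjectInstance begins in an earlier hunk of the nested patch, so only part of its body is visible here.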
diff --git a/debian/patches/series b/debian/patches/series
index b49c674..4aa0c0e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -44,3 +44,4 @@ CVE-2016-6797.patch
CVE-2016-0762.patch
CVE-2016-6816.patch
CVE-2016-8735.patch
+CVE-2016-6797-part2.patch
diff --git a/debian/tomcat7.postrm.in b/debian/tomcat7.postrm.in
index 293ffde..616b3c8 100644
--- a/debian/tomcat7.postrm.in
+++ b/debian/tomcat7.postrm.in
@@ -61,7 +61,7 @@ case "$1" in
rmdir --ignore-fail-on-non-empty /etc/authbind/byuid /etc/authbind
# Put all files owned by group tomcat7 back into root group before deleting
# the tomcat7 user and group
- chown -Rhf root:root /etc/tomcat7/ || true
+ #chown -Rhf root:root /etc/tomcat7/ || true
# Remove user/group and log files (don't remove everything under
# /var/lib/tomcat7 because there might be user-installed webapps)
db_get tomcat7/username && TOMCAT7_USER="$RET" || TOMCAT7_USER="tomcat7"
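Review bot: The comment `# Put all files owned by group tomcat7 back into root group before deleting` now describes a step the script no longer performs, because the chown beneath it is commented out rather than removed, leaving dead code that a later cleanup could reinstate. Deleting the `#chown -Rhf root:root /etc/tomcat7/ || true` line and rewording the comment, e.g. `# Intentionally no recursive chown of /etc/tomcat7 here: it was removed to avoid a possible privilege escalation during purge (see #845385)`, records the reason the changelog gives so the rationale stays with the code. The enclosing `case "$1" in` block starts outside the hunk.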