[tomcat8] 01/01: Fixed a privilege escalation when the package is upgraded (Closes: #845393)

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Fri Dec 2 09:14:42 UTC 2016 

This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch jessie
in repository tomcat8.

commit d28c720ec76f020d4a4865931a58aba47f8bfc6b
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Fri Dec 2 10:10:18 2016 +0100

    Fixed a privilege escalation when the package is upgraded (Closes: #845393)
---
 debian/changelog        | 2 ++
 debian/rules            | 6 ++++++
 debian/tomcat8.postinst | 2 +-
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 6343228..e26eb9c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -25,6 +25,8 @@ tomcat8 (8.0.14-1+deb8u5) UNRELEASED; urgency=medium
   * Added asm-all.jar to the test classpath to fix TestWebappServiceLoader
   * Fixed a test failure in the new TestNamingContext test added with the fix
     for CVE-2016-6797
+  * Fixed a privilege escalation when the package is upgraded.
+    Thanks to Paul Szabo for the report (Closes: #845393)
   * Test failures are no longer ignored and now stop the build
 
  -- Emmanuel Bourg <ebourg at apache.org>  Tue, 22 Nov 2016 23:21:56 +0100
diff --git a/debian/rules b/debian/rules
index 07f3025..16d4dee 100755
--- a/debian/rules
+++ b/debian/rules
@@ -134,6 +134,12 @@ binary-indep: build install
 	jh_manifest
 	dh_compress
 	dh_fixperms
+
+	# Make the/etc/tomcat8/Catalina/localhost directory writable by the tomcat user
+	for PACKAGE in tomcat8 tomcat8-admin tomcat8-docs tomcat8-examples; do \
+	  chmod 775 --verbose debian/$$PACKAGE/etc/tomcat8/Catalina/localhost; \
+	done
+
 	dh_lintian
 	dh_installdeb
 	dh_gencontrol
diff --git a/debian/tomcat8.postinst b/debian/tomcat8.postinst
index 20e73c7..6f5d1b9 100644
--- a/debian/tomcat8.postinst
+++ b/debian/tomcat8.postinst
@@ -69,7 +69,7 @@ case "$1" in
 
 	chown -Rh $TOMCAT8_USER:$TOMCAT8_GROUP /var/lib/tomcat8/webapps /var/lib/tomcat8/lib
 	chmod 775 /var/lib/tomcat8/webapps
-	chmod 775 /etc/tomcat8/Catalina /etc/tomcat8/Catalina/localhost
+	chmod 775 /etc/tomcat8/Catalina
 
 	# Authorize user tomcat8 to open privileged ports via authbind.
 	TOMCAT_UID="`id -u $TOMCAT8_USER`"

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git

More information about the pkg-java-commits mailing list