[tomcat8] 01/01: CVE-2016-5018 follow-up: Fixed the ClassNotFoundException when the security manager is enabled (see #846298)
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Mon Dec 5 16:50:16 UTC 2016
This is an automated email from the git hooks/post-receive script.
ebourg-guest pushed a commit to branch jessie
in repository tomcat8.
commit ea8fec374a4bf469ed85a9954ee00a453ff31bed
Author: Emmanuel Bourg <ebourg at apache.org>
Date: Mon Dec 5 17:47:26 2016 +0100
CVE-2016-5018 follow-up: Fixed the ClassNotFoundException when the security manager is enabled (see #846298)
---
debian/changelog | 2 ++
debian/patches/CVE-2016-5018.patch | 27 ++++++++++++++++++++++++---
2 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 8c45cb1..d3cfda0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -16,6 +16,8 @@ tomcat8 (8.0.14-1+deb8u5) UNRELEASED; urgency=medium
* Backported the fix for upstream bug 57377: Remove the restriction that
prevented the use of SSL when specifying a bind address for the JMX/RMI
server. Enable SSL to be configured for the registry as well as the server.
+ * CVE-2016-5018 follow-up: Applied a missing modification fixing
+ a ClassNotFoundException when the security manager is enabled (see #846298)
* Backported a fix for a test failure in Test*NonLoginAndBasicAuthenticator
with recent JREs
* Backported a fix disabling the broken SSLv3 tests
diff --git a/debian/patches/CVE-2016-5018.patch b/debian/patches/CVE-2016-5018.patch
index bb39983..17460a0 100644
--- a/debian/patches/CVE-2016-5018.patch
+++ b/debian/patches/CVE-2016-5018.patch
@@ -2,8 +2,7 @@ Description: Fixes CVE-2016-5018: A malicious web application was able to bypass
a configured SecurityManager via a Tomcat utility method that was accessible to
web applications.
Origin: backport, http://svn.apache.org/r1754901
-diff --git a/java/org/apache/jasper/runtime/JspRuntimeLibrary.java b/java/org/apache/jasper/runtime/JspRuntimeLibrary.java
-index e3b53ca..19d8fa6 100644
+ http://svn.apache.org/r1760307
--- a/java/org/apache/jasper/runtime/JspRuntimeLibrary.java
+++ b/java/org/apache/jasper/runtime/JspRuntimeLibrary.java
@@ -14,7 +14,6 @@
@@ -69,7 +68,7 @@ index e3b53ca..19d8fa6 100644
/**
* Returns the value of the javax.servlet.error.exception request
* attribute value, if present, otherwise the value of the
-@@ -292,29 +257,7 @@ public static void introspect(Object bean, ServletRequest request)
+@@ -292,29 +257,7 @@
public static void introspecthelper(Object bean, String prop,
String value, ServletRequest request,
String param, boolean ignoreMethodNF)
@@ -100,3 +99,25 @@ index e3b53ca..19d8fa6 100644
Method method = null;
Class<?> type = null;
Class<?> propertyEditorClass = null;
+--- a/java/org/apache/jasper/security/SecurityClassLoad.java
++++ b/java/org/apache/jasper/security/SecurityClassLoad.java
+@@ -44,8 +44,6 @@
+
+ loader.loadClass( basePackage +
+ "runtime.JspRuntimeLibrary");
+- loader.loadClass( basePackage +
+- "runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper");
+
+ loader.loadClass( basePackage +
+ "runtime.ServletResponseWrapperInclude");
+--- a/java/org/apache/jasper/servlet/JasperInitializer.java
++++ b/java/org/apache/jasper/servlet/JasperInitializer.java
+@@ -60,8 +60,6 @@
+ factory.getClass().getClassLoader().loadClass( basePackage +
+ "runtime.JspRuntimeLibrary");
+ factory.getClass().getClassLoader().loadClass( basePackage +
+- "runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper");
+- factory.getClass().getClassLoader().loadClass( basePackage +
+ "runtime.ServletResponseWrapperInclude");
+ factory.getClass().getClassLoader().loadClass( basePackage +
+ "servlet.JspServletWrapper");
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git
More information about the pkg-java-commits
mailing list