[tomcat6] 01/01: Import Debian patch 6.0.45+dfsg-1~deb7u4
Markus Koschany
apo at moszumanska.debian.org
Tue Dec 6 13:52:50 UTC 2016
This is an automated email from the git hooks/post-receive script.
apo pushed a commit to branch wheezy
in repository tomcat6.
commit a9f88cb720c30a4327c7adf288827b1cbf5b6c54
Author: Markus Koschany <apo at debian.org>
Date: Tue Dec 6 13:57:24 2016 +0100
Import Debian patch 6.0.45+dfsg-1~deb7u4
---
debian/changelog | 11 ++++++++
debian/patches/CVE-2016-5018-part2.patch | 36 ++++++++++++++++++++++++
debian/patches/CVE-2016-6797-part2.patch | 48 ++++++++++++++++++++++++--------
debian/patches/series | 1 +
debian/rules | 6 ++++
debian/tomcat6.postinst | 2 +-
6 files changed, 91 insertions(+), 13 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index fbc761d..1e8d57c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+tomcat6 (6.0.45+dfsg-1~deb7u4) UNRELEASED; urgency=medium
+
+ * Non-maintainer upload by the LTS team.
+ * Fix CVE-2016-9774: Privilege escalation when the package is upgraded.
+ * Add CVE-2016-5018-part2.patch and fix a regression when using Jasper with
+ SecurityManager enabled.
+ * Update CVE-2016-6797-part2.patch and fix a regression in
+ ResourceLinkFactory.java.
+
+ -- Markus Koschany <apo at debian.org> Tue, 06 Dec 2016 13:57:24 +0100
+
tomcat6 (6.0.45+dfsg-1~deb7u3) wheezy-security; urgency=high
* Fixed CVE-2016-0762: The Realm implementations did not process the supplied
diff --git a/debian/patches/CVE-2016-5018-part2.patch b/debian/patches/CVE-2016-5018-part2.patch
new file mode 100644
index 0000000..84e26ae
--- /dev/null
+++ b/debian/patches/CVE-2016-5018-part2.patch
@@ -0,0 +1,36 @@
+From: Markus Koschany <apo at debian.org>
+Date: Tue, 6 Dec 2016 13:52:09 +0100
+Subject: CVE-2016-5018-part2
+
+---
+ java/org/apache/jasper/compiler/JspRuntimeContext.java | 2 --
+ java/org/apache/jasper/security/SecurityClassLoad.java | 3 ---
+ 2 files changed, 5 deletions(-)
+
+diff --git a/java/org/apache/jasper/compiler/JspRuntimeContext.java b/java/org/apache/jasper/compiler/JspRuntimeContext.java
+index 254ad87..8cbda92 100644
+--- a/java/org/apache/jasper/compiler/JspRuntimeContext.java
++++ b/java/org/apache/jasper/compiler/JspRuntimeContext.java
+@@ -82,8 +82,6 @@ public final class JspRuntimeContext {
+ factory.getClass().getClassLoader().loadClass( basePackage +
+ "runtime.JspRuntimeLibrary");
+ factory.getClass().getClassLoader().loadClass( basePackage +
+- "runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper");
+- factory.getClass().getClassLoader().loadClass( basePackage +
+ "runtime.ServletResponseWrapperInclude");
+ factory.getClass().getClassLoader().loadClass( basePackage +
+ "servlet.JspServletWrapper");
+diff --git a/java/org/apache/jasper/security/SecurityClassLoad.java b/java/org/apache/jasper/security/SecurityClassLoad.java
+index a25431f..652d749 100644
+--- a/java/org/apache/jasper/security/SecurityClassLoad.java
++++ b/java/org/apache/jasper/security/SecurityClassLoad.java
+@@ -47,9 +47,6 @@ public final class SecurityClassLoad {
+ loader.loadClass( basePackage +
+ "runtime.JspRuntimeLibrary");
+ loader.loadClass( basePackage +
+- "runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper");
+-
+- loader.loadClass( basePackage +
+ "runtime.ServletResponseWrapperInclude");
+ loader.loadClass( basePackage +
+ "runtime.TagHandlerPool");
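Review bot: The new patch file has an empty description: after `Subject: CVE-2016-5018-part2` the header goes straight to the diffstat, so nothing in the patch says why the two `loadClass` calls for `runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper` are dropped. The changelog ties this to a regression with Jasper under a SecurityManager, presumably because the earlier CVE-2016-5018 patch removed that inner class and the preload then fails. A short description saying so, plus an `Origin:` or `Bug:` field pointing at the upstream change, would let a later reviewer confirm that both preload lists match the classes that still exist. Both inner hunks start and end inside method bodies that are not shown here.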
diff --git a/debian/patches/CVE-2016-6797-part2.patch b/debian/patches/CVE-2016-6797-part2.patch
index eac0cb1..3e6e7a4 100644
--- a/debian/patches/CVE-2016-6797-part2.patch
+++ b/debian/patches/CVE-2016-6797-part2.patch
@@ -5,11 +5,11 @@ Subject: CVE-2016-6797 part2
Backport ResourceLinkFactory.java from trunk as a precaution to avoid #845425.
Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845425
---
- .../apache/naming/factory/ResourceLinkFactory.java | 54 +++++++++-------------
- 1 file changed, 23 insertions(+), 31 deletions(-)
+ .../apache/naming/factory/ResourceLinkFactory.java | 70 ++++++++++++----------
+ 1 file changed, 37 insertions(+), 33 deletions(-)
diff --git a/java/org/apache/naming/factory/ResourceLinkFactory.java b/java/org/apache/naming/factory/ResourceLinkFactory.java
-index 56b1423..4a13b10 100644
+index 56b1423..51b5a1e 100644
--- a/java/org/apache/naming/factory/ResourceLinkFactory.java
+++ b/java/org/apache/naming/factory/ResourceLinkFactory.java
@@ -5,17 +5,15 @@
@@ -33,11 +33,13 @@ index 56b1423..4a13b10 100644
package org.apache.naming.factory;
import java.util.HashMap;
-@@ -32,24 +30,16 @@ import javax.naming.spi.ObjectFactory;
+@@ -31,24 +29,19 @@ import javax.naming.Reference;
+ import javax.naming.spi.ObjectFactory;
import org.apache.naming.ResourceLinkRef;
-
-
++import org.apache.naming.StringManager;
+
/**
* <p>Object factory for resource links.</p>
- *
@@ -56,11 +58,11 @@ index 56b1423..4a13b10 100644
// ------------------------------------------------------- Static Variables
--
++ private static final StringManager sm = StringManager.getManager(Constants.Package);
+
/**
* Global naming context.
- */
-@@ -60,10 +50,9 @@ public class ResourceLinkFactory
+@@ -60,10 +53,9 @@ public class ResourceLinkFactory
// --------------------------------------------------------- Public Methods
@@ -72,7 +74,23 @@ index 56b1423..4a13b10 100644
* @param newGlobalContext new global context value
*/
public static void setGlobalContext(Context newGlobalContext) {
-@@ -128,24 +117,21 @@ public class ResourceLinkFactory
+@@ -118,9 +110,12 @@ public class ResourceLinkFactory
+
+ private static boolean validateGlobalResourceAccess(String globalName) {
+ ClassLoader cl = Thread.currentThread().getContextClassLoader();
+- Map<String,String> registrations = globalResourceRegistrations.get(cl);
+- if (registrations != null && registrations.containsValue(globalName)) {
+- return true;
++ while (cl != null) {
++ Map<String,String> registrations = globalResourceRegistrations.get(cl);
++ if (registrations != null && registrations.containsValue(globalName)) {
++ return true;
++ }
++ cl = cl.getParent();
+ }
+ return false;
+ }
+@@ -128,24 +123,21 @@ public class ResourceLinkFactory
// -------------------------------------------------- ObjectFactory Methods
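Review bot: The parent walk added to `validateGlobalResourceAccess` widens the access check, and no comment says why. A registration recorded for any ancestor of the context class loader now authorises the lookup, not only one recorded for that loader itself. This is presumably intended so that code running under a child of the web application's loader still matches, but it also means a registration keyed on a loader shared by several web applications would cover all of them. I would add `// Also accept a registration made for any parent of the current context class loader.` above the loop and confirm that registrations are only ever keyed on per-webapp loaders.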
@@ -102,21 +120,27 @@ index 56b1423..4a13b10 100644
// Read the global ref addr
String globalName = null;
RefAddr refAddr = ref.get(ResourceLinkRef.GLOBALNAME);
-@@ -158,14 +144,20 @@ public class ResourceLinkFactory
+@@ -158,14 +150,26 @@ public class ResourceLinkFactory
}
Object result = null;
result = globalContext.lookup(globalName);
- // FIXME: Check type
+ // Check the expected type
+ String expectedClassName = ref.getClassName();
++ if (expectedClassName == null) {
++ throw new IllegalArgumentException(
++ sm.getString("resourceLinkFactory.nullType", name, globalName));
++ }
+ try {
+ Class<?> expectedClazz = Class.forName(
+ expectedClassName, true, Thread.currentThread().getContextClassLoader());
+ if (!expectedClazz.isAssignableFrom(result.getClass())) {
-+ throw new IllegalArgumentException();
++ throw new IllegalArgumentException(sm.getString("resourceLinkFactory.wrongType",
++ name, globalName, expectedClassName, result.getClass().getName()));
+ }
+ } catch (ClassNotFoundException e) {
-+ throw new IllegalStateException(e);
++ throw new IllegalArgumentException(sm.getString("resourceLinkFactory.unknownType",
++ name, globalName, expectedClassName), e);
+ }
return result;
}
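Review bot: The new messages are fetched with `sm.getString("resourceLinkFactory.nullType", …)`, `…wrongType` and `…unknownType`, yet the patch's own diffstat still lists only ResourceLinkFactory.java, so nothing visible here adds those keys or a bundle for `Constants.Package`. If the 6.0.45 tree has no LocalStrings bundle for that package containing these keys, the type check would fail with an unhelpful message, or possibly at class initialisation, instead of the intended `IllegalArgumentException`; please confirm or add the properties file to the patch. Separately, `result.getClass()` is called without a null check, so a null from `globalContext.lookup(globalName)` would surface as a `NullPointerException` rather than a wrong-type error; a guard before the type check would cover that. The body of `getObjectInstance` starts outside this hunk.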
diff --git a/debian/patches/series b/debian/patches/series
index d5bde93..05ba616 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,3 +15,4 @@ CVE-2016-6796.patch
CVE-2016-6816.patch
CVE-2016-8735.patch
CVE-2016-6797-part2.patch
+CVE-2016-5018-part2.patch
diff --git a/debian/rules b/debian/rules
index 8162d37..d1b69f5 100755
--- a/debian/rules
+++ b/debian/rules
@@ -128,6 +128,12 @@ binary-indep: build install
chmod a+x debian/tomcat6-user/usr/share/tomcat6/skel/bin/*.sh
dh_compress
dh_fixperms
+
+ # Make the /etc/tomcat6/Catalina/localhost directory writable by the tomcat user
+ for PACKAGE in tomcat6 tomcat6-admin tomcat6-docs tomcat6-examples; do \
+ chmod 775 --verbose debian/$$PACKAGE/etc/tomcat6/Catalina/localhost; \
+ done
+
dh_installdeb
dh_gencontrol
dh_md5sums
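Review bot: The new `for PACKAGE in …` loop has no `set -e`, so the shell reports only the status of the last iteration. A failing `chmod` for tomcat6, tomcat6-admin or tomcat6-docs (for example because that package does not ship `etc/tomcat6/Catalina/localhost`) would go unnoticed, and the directory would keep whatever mode `dh_fixperms` left. Starting the recipe line with `set -e; for PACKAGE in … ; do \` makes the build stop instead. The comment also overstates the effect: `chmod 775` only adds group write, so the directory is writable by the tomcat user only if its group is assigned elsewhere, which this hunk does not show. The `binary-indep` target starts and ends outside the hunk.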
diff --git a/debian/tomcat6.postinst b/debian/tomcat6.postinst
index 468f6f2..e4c3ee4 100644
--- a/debian/tomcat6.postinst
+++ b/debian/tomcat6.postinst
@@ -52,7 +52,7 @@ case "$1" in
chmod 640 /etc/tomcat6/tomcat-users.xml
chown -Rh $TOMCAT6_USER:$TOMCAT6_GROUP /var/lib/tomcat6/webapps /var/lib/tomcat6/common /var/lib/tomcat6/server /var/lib/tomcat6/shared
chmod 775 /var/lib/tomcat6/webapps
- chmod 775 /etc/tomcat6/Catalina /etc/tomcat6/Catalina/localhost
+ chmod 775 /etc/tomcat6/Catalina
# Authorize user tomcat6 to open privileged ports via authbind.
TOMCAT_UID="`id -u $TOMCAT6_USER`"
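Review bot: Nothing at the changed line records why `/etc/tomcat6/Catalina/localhost` was taken out of the root-run `chmod`, so a later edit could put it back. Since the mode of that directory is now set at build time in debian/rules, a comment such as `# Do not chmod/chown Catalina/localhost here: it is writable by $TOMCAT6_USER and its mode is set at build time.` would document the constraint. The remaining `chmod 775 /etc/tomcat6/Catalina` is safe under the same reasoning only if `/etc/tomcat6` itself is not writable by that user, which this hunk does not show. The enclosing `case` branch starts and ends outside the hunk.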
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat6.git