[tomcat7] 01/01: Import Debian patch 7.0.28-4+deb7u8

Markus Koschany apo at moszumanska.debian.org
Tue Dec 6 14:16:30 UTC 2016


This is an automated email from the git hooks/post-receive script.

apo pushed a commit to branch wheezy
in repository tomcat7.

commit 7ede8c819a6f7ec8eb7cd297a3d71ed5493811bc
Author: Markus Koschany <apo at debian.org>
Date:   Mon Dec 5 22:17:10 2016 +0100

    Import Debian patch 7.0.28-4+deb7u8
---
 debian/changelog                         | 11 ++++++
 debian/patches/CVE-2016-5018-part2.patch | 36 ++++++++++++++++++++
 debian/patches/CVE-2016-6797-part2.patch | 58 +++++++++++++++++++++++++-------
 debian/patches/series                    |  1 +
 debian/rules                             |  6 ++++
 debian/tomcat7.postinst                  |  2 +-
 6 files changed, 101 insertions(+), 13 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 3169446..db98a75 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+tomcat7 (7.0.28-4+deb7u8) UNRELEASED; urgency=high
+
+  * Non-maintainer upload by the LTS team.
+  * Add CVE-2016-5018-part2.patch and fix a regression when using Jasper with
+    SecurityManager enabled.
+  * Update CVE-2016-6797-part2.patch and fix a regression in
+    ResourceLinkFactory.java. (Closes: #845425)
+  * Fix CVE-2016-9774: Privilege escalation when the package is upgraded.
+
+ -- Markus Koschany <apo at debian.org>  Mon, 05 Dec 2016 22:17:10 +0100
+
 tomcat7 (7.0.28-4+deb7u7) wheezy-security; urgency=high
 
   * Fixed CVE-2016-0762: The Realm implementations did not process the supplied
diff --git a/debian/patches/CVE-2016-5018-part2.patch b/debian/patches/CVE-2016-5018-part2.patch
new file mode 100644
index 0000000..c7343fe
--- /dev/null
+++ b/debian/patches/CVE-2016-5018-part2.patch
@@ -0,0 +1,36 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 5 Dec 2016 21:38:15 +0100
+Subject: CVE-2016-5018 part2
+
+---
+ java/org/apache/jasper/compiler/JspRuntimeContext.java | 2 --
+ java/org/apache/jasper/security/SecurityClassLoad.java | 3 ---
+ 2 files changed, 5 deletions(-)
+
+diff --git a/java/org/apache/jasper/compiler/JspRuntimeContext.java b/java/org/apache/jasper/compiler/JspRuntimeContext.java
+index 893541a..7468192 100644
+--- a/java/org/apache/jasper/compiler/JspRuntimeContext.java
++++ b/java/org/apache/jasper/compiler/JspRuntimeContext.java
+@@ -91,8 +91,6 @@ public final class JspRuntimeContext {
+                 factory.getClass().getClassLoader().loadClass( basePackage +
+                                                                "runtime.JspRuntimeLibrary");
+                 factory.getClass().getClassLoader().loadClass( basePackage +
+-                                                               "runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper");
+-                factory.getClass().getClassLoader().loadClass( basePackage +
+                                                                "runtime.ServletResponseWrapperInclude");
+                 factory.getClass().getClassLoader().loadClass( basePackage +
+                                                                "servlet.JspServletWrapper");
+diff --git a/java/org/apache/jasper/security/SecurityClassLoad.java b/java/org/apache/jasper/security/SecurityClassLoad.java
+index a066dfb..a96d7ba 100644
+--- a/java/org/apache/jasper/security/SecurityClassLoad.java
++++ b/java/org/apache/jasper/security/SecurityClassLoad.java
+@@ -47,9 +47,6 @@ public final class SecurityClassLoad {
+             loader.loadClass( basePackage +
+                 "runtime.JspRuntimeLibrary");
+             loader.loadClass( basePackage +
+-                "runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper");
+-            
+-            loader.loadClass( basePackage +
+                 "runtime.ServletResponseWrapperInclude");
+             loader.loadClass( basePackage +
+                 "runtime.TagHandlerPool");
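Review bot: The new patch file has an empty description: between `Subject: CVE-2016-5018 part2` and the `---` there is nothing that says why the two `loadClass` calls for `runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper` are dropped. The sibling CVE-2016-6797-part2.patch carries a description and a `Debian-Bug:` line, so I would add one here as well, for example `Stop preloading JspRuntimeLibrary$PrivilegedIntrospectHelper; fixes a regression when Jasper runs with the SecurityManager enabled.` Presumably the class no longer exists after the first CVE-2016-5018 patch, which is worth stating once confirmed. Both inner hunks show only part of their enclosing methods.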
diff --git a/debian/patches/CVE-2016-6797-part2.patch b/debian/patches/CVE-2016-6797-part2.patch
index d7c4466..3918897 100644
--- a/debian/patches/CVE-2016-6797-part2.patch
+++ b/debian/patches/CVE-2016-6797-part2.patch
@@ -5,11 +5,11 @@ Subject: CVE-2016-6797 part2
 Backport ResourceLinkFactory.java from trunk as a precaution to avoid #845425.
 Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845425
 ---
- .../apache/naming/factory/ResourceLinkFactory.java | 53 ++++++++++------------
- 1 file changed, 23 insertions(+), 30 deletions(-)
+ .../apache/naming/factory/ResourceLinkFactory.java | 74 ++++++++++++----------
+ 1 file changed, 39 insertions(+), 35 deletions(-)
 
 diff --git a/java/org/apache/naming/factory/ResourceLinkFactory.java b/java/org/apache/naming/factory/ResourceLinkFactory.java
-index 157adfb..9d1c577 100644
+index 157adfb..4a77d5b 100644
 --- a/java/org/apache/naming/factory/ResourceLinkFactory.java
 +++ b/java/org/apache/naming/factory/ResourceLinkFactory.java
 @@ -5,17 +5,15 @@
@@ -33,11 +33,13 @@ index 157adfb..9d1c577 100644
  package org.apache.naming.factory;
  
  import java.util.HashMap;
-@@ -32,24 +30,15 @@ import javax.naming.spi.ObjectFactory;
+@@ -31,24 +29,18 @@ import javax.naming.Reference;
+ import javax.naming.spi.ObjectFactory;
  
  import org.apache.naming.ResourceLinkRef;
- 
 -
++import org.apache.naming.StringManager;
+ 
  /**
   * <p>Object factory for resource links.</p>
 - * 
@@ -56,11 +58,11 @@ index 157adfb..9d1c577 100644
  
      // ------------------------------------------------------- Static Variables
  
--
++    private static final StringManager sm = StringManager.getManager(Constants.Package);
+ 
      /**
       * Global naming context.
-      */
-@@ -60,10 +49,9 @@ public class ResourceLinkFactory
+@@ -60,10 +52,9 @@ public class ResourceLinkFactory
  
      // --------------------------------------------------------- Public Methods
  
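Review bot: The `sm` field added here loads the bundle for `Constants.Package`, but the patch's diffstat still lists only ResourceLinkFactory.java, so the keys `resourceLinkFactory.nullType`, `resourceLinkFactory.wrongType` and `resourceLinkFactory.unknownType` used later in this patch are not added by it. If the package's LocalStrings.properties in this 7.0.28 tree does not already define them, or does not exist, the rejection messages will be unusable and the static initializer may fail. Please confirm, and add the properties entries to the patch if they are missing. The class body continues outside the hunk.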
@@ -72,7 +74,23 @@ index 157adfb..9d1c577 100644
       * @param newGlobalContext new global context value
       */
      public static void setGlobalContext(Context newGlobalContext) {
-@@ -128,19 +116,18 @@ public class ResourceLinkFactory
+@@ -118,9 +109,12 @@ public class ResourceLinkFactory
+ 
+     private static boolean validateGlobalResourceAccess(String globalName) {
+         ClassLoader cl = Thread.currentThread().getContextClassLoader();
+-        Map<String,String> registrations = globalResourceRegistrations.get(cl);
+-        if (registrations != null && registrations.containsValue(globalName)) {
+-            return true;
++        while (cl != null) {
++            Map<String,String> registrations = globalResourceRegistrations.get(cl);
++            if (registrations != null && registrations.containsValue(globalName)) {
++                return true;
++            }
++            cl = cl.getParent();
+         }
+         return false;
+     }
+@@ -128,19 +122,18 @@ public class ResourceLinkFactory
  
      // -------------------------------------------------- ObjectFactory Methods
  
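Review bot: The new `while (cl != null)` loop in `validateGlobalResourceAccess` widens the access check without a comment: a registration held by any ancestor of the context class loader now authorizes the lookup. I would document that this is intended, e.g. `// Also accept a registration made for a parent of the current context class loader` above the loop, and reference bug #845425 if that is the case it fixes. The type and synchronization of `globalResourceRegistrations` are outside the hunk, so whether the repeated `get` calls need guarding cannot be judged from here.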
@@ -97,21 +115,37 @@ index 157adfb..9d1c577 100644
  
          // Can we process this request?
          Reference ref = (Reference) obj;
-@@ -158,14 +145,20 @@ public class ResourceLinkFactory
+@@ -150,22 +143,33 @@ public class ResourceLinkFactory
+         RefAddr refAddr = ref.get(ResourceLinkRef.GLOBALNAME);
+         if (refAddr != null) {
+             globalName = refAddr.getContent().toString();
+-            // When running under a security manager confirm that the current
+-            // web application has really been configured to access the specified
+-            // global resource
++            // Confirm that the current web application is currently configured
++            // to access the specified global resource
+             if (!validateGlobalResourceAccess(globalName)) {
+                 return null;
              }
              Object result = null;
              result = globalContext.lookup(globalName);
 -            // FIXME: Check type
 +            // Check the expected type
 +            String expectedClassName = ref.getClassName();
++            if (expectedClassName == null) {
++                throw new IllegalArgumentException(
++                        sm.getString("resourceLinkFactory.nullType", name, globalName));
++            }
 +            try {
 +                Class<?> expectedClazz = Class.forName(
 +                        expectedClassName, true, Thread.currentThread().getContextClassLoader());
 +                if (!expectedClazz.isAssignableFrom(result.getClass())) {
-+                    throw new IllegalArgumentException();
++                    throw new IllegalArgumentException(sm.getString("resourceLinkFactory.wrongType",
++                            name, globalName, expectedClassName, result.getClass().getName()));
 +                }
 +            } catch (ClassNotFoundException e) {
-+                throw new IllegalStateException(e);
++                throw new IllegalArgumentException(sm.getString("resourceLinkFactory.unknownType",
++                        name, globalName, expectedClassName), e);
 +            }
              return result;
          }
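Review bot: `result.getClass()` in the new type check is dereferenced without a null test, so if `globalContext.lookup(globalName)` can return null the caller gets a bare NullPointerException instead of the `resourceLinkFactory.wrongType` message. A guard such as `if (result == null || !expectedClazz.isAssignableFrom(result.getClass()))`, with a null-safe message argument, would keep the failure explicit. Separately, `Class.forName(expectedClassName, true, ...)` initializes the class named in the reference although `isAssignableFrom` does not need that; passing `false` avoids running static initializers just to perform a check. The enclosing method starts and ends outside the hunk.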
diff --git a/debian/patches/series b/debian/patches/series
index 4aa0c0e..26bf020 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -45,3 +45,4 @@ CVE-2016-0762.patch
 CVE-2016-6816.patch
 CVE-2016-8735.patch
 CVE-2016-6797-part2.patch
+CVE-2016-5018-part2.patch
diff --git a/debian/rules b/debian/rules
index 31423af..55f3890 100755
--- a/debian/rules
+++ b/debian/rules
@@ -168,6 +168,12 @@ binary-indep: build install
 	jh_manifest
 	dh_compress
 	dh_fixperms
+
+	# Make the /etc/tomcat7/Catalina/localhost directory writable by the tomcat user
+	for PACKAGE in tomcat7 tomcat7-admin tomcat7-docs tomcat7-examples; do \
+			chmod 775 --verbose debian/$$PACKAGE/etc/tomcat7/Catalina/localhost; \
+	done
+
 	dh_installdeb
 	dh_gencontrol
 	dh_md5sums
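Review bot: The added `for` loop does not stop on failure: the shell returns only the status of the last `chmod`, so a missing `etc/tomcat7/Catalina/localhost` in tomcat7, tomcat7-admin or tomcat7-docs is silently ignored and that package ships with the default mode. Starting the recipe line with `set -e; for PACKAGE in ...` makes the build fail instead. The comment says the directory becomes writable by the tomcat user, but 775 only sets the mode bits; which group owns the directory is decided outside this hunk, so the comment should say `group-writable` or name where ownership is set. The `binary-indep` recipe continues outside the hunk.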
diff --git a/debian/tomcat7.postinst b/debian/tomcat7.postinst
index bedfba9..a8919dd 100644
--- a/debian/tomcat7.postinst
+++ b/debian/tomcat7.postinst
@@ -69,7 +69,7 @@ case "$1" in
 
 	chown -Rh $TOMCAT7_USER:$TOMCAT7_GROUP /var/lib/tomcat7/webapps /var/lib/tomcat7/common /var/lib/tomcat7/server /var/lib/tomcat7/shared
 	chmod 775 /var/lib/tomcat7/webapps
-	chmod 775 /etc/tomcat7/Catalina /etc/tomcat7/Catalina/localhost
+	chmod 775 /etc/tomcat7/Catalina
 
 	# Authorize user tomcat7 to open privileged ports via authbind.
 	TOMCAT_UID="`id -u $TOMCAT7_USER`"
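Review bot: Nothing in the postinst records why `/etc/tomcat7/Catalina/localhost` was dropped from the `chmod` line, so a later cleanup could easily put it back. A comment such as `# Catalina/localhost gets its mode at build time in debian/rules (CVE-2016-9774); do not chmod it here` would prevent that. The remaining root-run `chmod 775 /etc/tomcat7/Catalina` and `chmod 775 /var/lib/tomcat7/webapps` still act on paths by name at upgrade time; whether their parent directories are writable only by root is not visible here and should be confirmed, or these modes moved to build time as well. The `case` branch starts and ends outside the hunk.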

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git


