[tomcat7] 01/01: Import Debian patch 7.0.28-4+deb7u8
Markus Koschany
apo at moszumanska.debian.org
Tue Dec 6 14:16:30 UTC 2016
This is an automated email from the git hooks/post-receive script.
apo pushed a commit to branch wheezy
in repository tomcat7.
commit 7ede8c819a6f7ec8eb7cd297a3d71ed5493811bc
Author: Markus Koschany <apo at debian.org>
Date: Mon Dec 5 22:17:10 2016 +0100
Import Debian patch 7.0.28-4+deb7u8
---
debian/changelog | 11 ++++++
debian/patches/CVE-2016-5018-part2.patch | 36 ++++++++++++++++++++
debian/patches/CVE-2016-6797-part2.patch | 58 +++++++++++++++++++++++++-------
debian/patches/series | 1 +
debian/rules | 6 ++++
debian/tomcat7.postinst | 2 +-
6 files changed, 101 insertions(+), 13 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 3169446..db98a75 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+tomcat7 (7.0.28-4+deb7u8) UNRELEASED; urgency=high
+
+ * Non-maintainer upload by the LTS team.
+ * Add CVE-2016-5018-part2.patch and fix a regression when using Jasper with
+ SecurityManager enabled.
+ * Update CVE-2016-6797-part2.patch and fix a regression in
+ ResourceLinkFactory.java. (Closes: #845425)
+ * Fix CVE-2016-9774: Privilege escalation when the package is upgraded.
+
+ -- Markus Koschany <apo at debian.org> Mon, 05 Dec 2016 22:17:10 +0100
+
tomcat7 (7.0.28-4+deb7u7) wheezy-security; urgency=high
* Fixed CVE-2016-0762: The Realm implementations did not process the supplied
diff --git a/debian/patches/CVE-2016-5018-part2.patch b/debian/patches/CVE-2016-5018-part2.patch
new file mode 100644
index 0000000..c7343fe
--- /dev/null
+++ b/debian/patches/CVE-2016-5018-part2.patch
@@ -0,0 +1,36 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 5 Dec 2016 21:38:15 +0100
+Subject: CVE-2016-5018 part2
+
+---
+ java/org/apache/jasper/compiler/JspRuntimeContext.java | 2 --
+ java/org/apache/jasper/security/SecurityClassLoad.java | 3 ---
+ 2 files changed, 5 deletions(-)
+
+diff --git a/java/org/apache/jasper/compiler/JspRuntimeContext.java b/java/org/apache/jasper/compiler/JspRuntimeContext.java
+index 893541a..7468192 100644
+--- a/java/org/apache/jasper/compiler/JspRuntimeContext.java
++++ b/java/org/apache/jasper/compiler/JspRuntimeContext.java
+@@ -91,8 +91,6 @@ public final class JspRuntimeContext {
+ factory.getClass().getClassLoader().loadClass( basePackage +
+ "runtime.JspRuntimeLibrary");
+ factory.getClass().getClassLoader().loadClass( basePackage +
+- "runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper");
+- factory.getClass().getClassLoader().loadClass( basePackage +
+ "runtime.ServletResponseWrapperInclude");
+ factory.getClass().getClassLoader().loadClass( basePackage +
+ "servlet.JspServletWrapper");
+diff --git a/java/org/apache/jasper/security/SecurityClassLoad.java b/java/org/apache/jasper/security/SecurityClassLoad.java
+index a066dfb..a96d7ba 100644
+--- a/java/org/apache/jasper/security/SecurityClassLoad.java
++++ b/java/org/apache/jasper/security/SecurityClassLoad.java
+@@ -47,9 +47,6 @@ public final class SecurityClassLoad {
+ loader.loadClass( basePackage +
+ "runtime.JspRuntimeLibrary");
+ loader.loadClass( basePackage +
+- "runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper");
+-
+- loader.loadClass( basePackage +
+ "runtime.ServletResponseWrapperInclude");
+ loader.loadClass( basePackage +
+ "runtime.TagHandlerPool");
diff --git a/debian/patches/CVE-2016-6797-part2.patch b/debian/patches/CVE-2016-6797-part2.patch
index d7c4466..3918897 100644
--- a/debian/patches/CVE-2016-6797-part2.patch
+++ b/debian/patches/CVE-2016-6797-part2.patch
@@ -5,11 +5,11 @@ Subject: CVE-2016-6797 part2
Backport ResourceLinkFactory.java from trunk as a precaution to avoid #845425.
Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845425
---
- .../apache/naming/factory/ResourceLinkFactory.java | 53 ++++++++++------------
- 1 file changed, 23 insertions(+), 30 deletions(-)
+ .../apache/naming/factory/ResourceLinkFactory.java | 74 ++++++++++++----------
+ 1 file changed, 39 insertions(+), 35 deletions(-)
diff --git a/java/org/apache/naming/factory/ResourceLinkFactory.java b/java/org/apache/naming/factory/ResourceLinkFactory.java
-index 157adfb..9d1c577 100644
+index 157adfb..4a77d5b 100644
--- a/java/org/apache/naming/factory/ResourceLinkFactory.java
+++ b/java/org/apache/naming/factory/ResourceLinkFactory.java
@@ -5,17 +5,15 @@
@@ -33,11 +33,13 @@ index 157adfb..9d1c577 100644
package org.apache.naming.factory;
import java.util.HashMap;
-@@ -32,24 +30,15 @@ import javax.naming.spi.ObjectFactory;
+@@ -31,24 +29,18 @@ import javax.naming.Reference;
+ import javax.naming.spi.ObjectFactory;
import org.apache.naming.ResourceLinkRef;
-
-
++import org.apache.naming.StringManager;
+
/**
* <p>Object factory for resource links.</p>
- *
@@ -56,11 +58,11 @@ index 157adfb..9d1c577 100644
// ------------------------------------------------------- Static Variables
--
++ private static final StringManager sm = StringManager.getManager(Constants.Package);
+
/**
* Global naming context.
- */
-@@ -60,10 +49,9 @@ public class ResourceLinkFactory
+@@ -60,10 +52,9 @@ public class ResourceLinkFactory
// --------------------------------------------------------- Public Methods
@@ -72,7 +74,23 @@ index 157adfb..9d1c577 100644
* @param newGlobalContext new global context value
*/
public static void setGlobalContext(Context newGlobalContext) {
-@@ -128,19 +116,18 @@ public class ResourceLinkFactory
+@@ -118,9 +109,12 @@ public class ResourceLinkFactory
+
+ private static boolean validateGlobalResourceAccess(String globalName) {
+ ClassLoader cl = Thread.currentThread().getContextClassLoader();
+- Map<String,String> registrations = globalResourceRegistrations.get(cl);
+- if (registrations != null && registrations.containsValue(globalName)) {
+- return true;
++ while (cl != null) {
++ Map<String,String> registrations = globalResourceRegistrations.get(cl);
++ if (registrations != null && registrations.containsValue(globalName)) {
++ return true;
++ }
++ cl = cl.getParent();
+ }
+ return false;
+ }
+@@ -128,19 +122,18 @@ public class ResourceLinkFactory
// -------------------------------------------------- ObjectFactory Methods
@@ -97,21 +115,37 @@ index 157adfb..9d1c577 100644
// Can we process this request?
Reference ref = (Reference) obj;
-@@ -158,14 +145,20 @@ public class ResourceLinkFactory
+@@ -150,22 +143,33 @@ public class ResourceLinkFactory
+ RefAddr refAddr = ref.get(ResourceLinkRef.GLOBALNAME);
+ if (refAddr != null) {
+ globalName = refAddr.getContent().toString();
+- // When running under a security manager confirm that the current
+- // web application has really been configured to access the specified
+- // global resource
++ // Confirm that the current web application is currently configured
++ // to access the specified global resource
+ if (!validateGlobalResourceAccess(globalName)) {
+ return null;
}
Object result = null;
result = globalContext.lookup(globalName);
- // FIXME: Check type
+ // Check the expected type
+ String expectedClassName = ref.getClassName();
++ if (expectedClassName == null) {
++ throw new IllegalArgumentException(
++ sm.getString("resourceLinkFactory.nullType", name, globalName));
++ }
+ try {
+ Class<?> expectedClazz = Class.forName(
+ expectedClassName, true, Thread.currentThread().getContextClassLoader());
+ if (!expectedClazz.isAssignableFrom(result.getClass())) {
-+ throw new IllegalArgumentException();
++ throw new IllegalArgumentException(sm.getString("resourceLinkFactory.wrongType",
++ name, globalName, expectedClassName, result.getClass().getName()));
+ }
+ } catch (ClassNotFoundException e) {
-+ throw new IllegalStateException(e);
++ throw new IllegalArgumentException(sm.getString("resourceLinkFactory.unknownType",
++ name, globalName, expectedClassName), e);
+ }
return result;
}
diff --git a/debian/patches/series b/debian/patches/series
index 4aa0c0e..26bf020 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -45,3 +45,4 @@ CVE-2016-0762.patch
CVE-2016-6816.patch
CVE-2016-8735.patch
CVE-2016-6797-part2.patch
+CVE-2016-5018-part2.patch
diff --git a/debian/rules b/debian/rules
index 31423af..55f3890 100755
--- a/debian/rules
+++ b/debian/rules
@@ -168,6 +168,12 @@ binary-indep: build install
jh_manifest
dh_compress
dh_fixperms
+
+ # Make the /etc/tomcat7/Catalina/localhost directory writable by the tomcat user
+ for PACKAGE in tomcat7 tomcat7-admin tomcat7-docs tomcat7-examples; do \
+ chmod 775 --verbose debian/$$PACKAGE/etc/tomcat7/Catalina/localhost; \
+ done
+
dh_installdeb
dh_gencontrol
dh_md5sums
diff --git a/debian/tomcat7.postinst b/debian/tomcat7.postinst
index bedfba9..a8919dd 100644
--- a/debian/tomcat7.postinst
+++ b/debian/tomcat7.postinst
@@ -69,7 +69,7 @@ case "$1" in
chown -Rh $TOMCAT7_USER:$TOMCAT7_GROUP /var/lib/tomcat7/webapps /var/lib/tomcat7/common /var/lib/tomcat7/server /var/lib/tomcat7/shared
chmod 775 /var/lib/tomcat7/webapps
- chmod 775 /etc/tomcat7/Catalina /etc/tomcat7/Catalina/localhost
+ chmod 775 /etc/tomcat7/Catalina
# Authorize user tomcat7 to open privileged ports via authbind.
TOMCAT_UID="`id -u $TOMCAT7_USER`"
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git
More information about the pkg-java-commits
mailing list