[tomcat8] 01/01: CVE-2016-6797 follow-up: Fixed a regression preventing some applications from accessing the global resources (see #845425)

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Thu Dec 8 09:56:53 UTC 2016


This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch jessie
in repository tomcat8.

commit 6f224b9febcda102aaaf89d109d1e7e0e95474b6
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Thu Dec 8 09:29:44 2016 +0100

    CVE-2016-6797 follow-up: Fixed a regression preventing some applications from accessing the global resources (see #845425)
---
 debian/changelog                   |  2 ++
 debian/patches/CVE-2016-6797.patch | 15 +++++++++------
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index d3cfda0..526f8d1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -18,6 +18,8 @@ tomcat8 (8.0.14-1+deb8u5) UNRELEASED; urgency=medium
     server. Enable SSL to be configured for the registry as well as the server.
   * CVE-2016-5018 follow-up: Applied a missing modification fixing
     a ClassNotFoundException when the security manager is enabled (see #846298)
+  * CVE-2016-6797 follow-up: Fixed a regression preventing some applications
+    from accessing the global resources (see #845425)
   * Backported a fix for a test failure in Test*NonLoginAndBasicAuthenticator
     with recent JREs
   * Backported a fix disabling the broken SSLv3 tests
diff --git a/debian/patches/CVE-2016-6797.patch b/debian/patches/CVE-2016-6797.patch
index 525276f..7e0c0cb 100644
--- a/debian/patches/CVE-2016-6797.patch
+++ b/debian/patches/CVE-2016-6797.patch
@@ -4,6 +4,7 @@ Description: Fixes CVE-2016-6797: The ResourceLinkFactory did not limit web
  application to access any global JNDI resource whether an explicit
  ResourceLink had been configured or not.
 Origin: backport, https://svn.apache.org/r1757273
+                  https://svn.apache.org/r1763234
 --- a/java/org/apache/catalina/core/NamingContextListener.java
 +++ b/java/org/apache/catalina/core/NamingContextListener.java
 @@ -40,6 +40,7 @@
@@ -82,7 +83,7 @@ Origin: backport, https://svn.apache.org/r1757273
  
      // --------------------------------------------------------- Public Methods
  
-@@ -69,6 +74,56 @@
+@@ -69,6 +74,58 @@
      }
  
  
@@ -125,12 +126,14 @@ Origin: backport, https://svn.apache.org/r1757273
 +        }
 +    }
 +
-+
 +    private static boolean validateGlobalResourceAccess(String globalName) {
 +        ClassLoader cl = Thread.currentThread().getContextClassLoader();
-+        Map<String,String> registrations = globalResourceRegistrations.get(cl);
-+        if (registrations != null && registrations.containsValue(globalName)) {
-+            return true;
++        while (cl != null) {
++            Map<String,String> registrations = globalResourceRegistrations.get(cl);
++            if (registrations != null && registrations.containsValue(globalName)) {
++                return true;
++            }
++            cl = cl.getParent();
 +        }
 +        return false;
 +    }
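Review bot: The new validateGlobalResourceAccess walks the whole class loader parent chain without a comment saying why, so the widening relative to the single-loader lookup it replaces reads like an oversight rather than the deliberate fix for the regression named in the commit message; since this method is the CVE-2016-6797 access check, the intent should be recorded in the code. I would add a Javadoc on the method such as `Returns true if the given global resource is linked from the context class loader or any of its ancestors; the chain is walked because the lookup may come from a loader that is a child of the web application loader the links were registered against (see r1763234)`, hedging the "child loader" reason if the upstream rationale differs. A reader should also be able to see from that comment that a registration under any ancestor loader now grants access, which is the security-relevant consequence of the loop. The enclosing class (ResourceLinkFactory) and the `globalResourceRegistrations` map it reads start outside this hunk, so whether that map is accessed safely from multiple threads cannot be judged here.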
@@ -139,7 +142,7 @@ Origin: backport, https://svn.apache.org/r1757273
      // -------------------------------------------------- ObjectFactory Methods
  
  
-@@ -93,6 +148,12 @@
+@@ -93,6 +150,12 @@
          RefAddr refAddr = ref.get(ResourceLinkRef.GLOBALNAME);
          if (refAddr != null) {
              globalName = refAddr.getContent().toString();
