[tomcat7] 01/01: CVE-2016-6797 follow-up: Fixed a regression preventing some applications from accessing the global resources (Closes: #845425)

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Thu Dec 8 10:04:53 UTC 2016



ebourg-guest pushed a commit to branch jessie
in repository tomcat7.

commit 49e4e30b8c12ffc28378075545f413b725ad5cd9
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Thu Dec 8 11:02:47 2016 +0100

    CVE-2016-6797 follow-up: Fixed a regression preventing some applications from accessing the global resources (Closes: #845425)
---
 debian/changelog                   |  2 ++
 debian/patches/CVE-2016-6797.patch | 14 +++++++++-----
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 6ad52a1..9d3ef28 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,8 @@ tomcat7 (7.0.56-3+deb8u6) UNRELEASED; urgency=medium
   * CVE-2016-5018 follow-up: Applied a missing modification fixing
     a ClassNotFoundException when the security manager is enabled
     (Closes: #846298)
+  * CVE-2016-6797 follow-up: Fixed a regression preventing some applications
+    from accessing the global resources (Closes: #845425)
   * Backported a fix for a test failure in Test*NonLoginAndBasicAuthenticator
     with recent JREs
   * Refreshed the expired SSL certificates used by the tests
diff --git a/debian/patches/CVE-2016-6797.patch b/debian/patches/CVE-2016-6797.patch
index 4ee06c1..8940f17 100644
--- a/debian/patches/CVE-2016-6797.patch
+++ b/debian/patches/CVE-2016-6797.patch
@@ -4,6 +4,7 @@ Description: Fixes CVE-2016-6797: The ResourceLinkFactory did not limit web
  application to access any global JNDI resource whether an explicit
  ResourceLink had been configured or not.
 Origin: backport, https://svn.apache.org/r1757275
+                  https://svn.apache.org/r1763236
 --- a/java/org/apache/catalina/core/NamingContextListener.java
 +++ b/java/org/apache/catalina/core/NamingContextListener.java
 @@ -41,6 +41,7 @@
@@ -82,7 +83,7 @@ Origin: backport, https://svn.apache.org/r1757275
  
      // --------------------------------------------------------- Public Methods
  
-@@ -69,6 +74,56 @@
+@@ -69,6 +74,59 @@
      }
  
  
@@ -128,9 +129,12 @@ Origin: backport, https://svn.apache.org/r1757275
 +
 +    private static boolean validateGlobalResourceAccess(String globalName) {
 +        ClassLoader cl = Thread.currentThread().getContextClassLoader();
-+        Map<String,String> registrations = globalResourceRegistrations.get(cl);
-+        if (registrations != null && registrations.containsValue(globalName)) {
-+            return true;
++        while (cl != null) {
++            Map<String,String> registrations = globalResourceRegistrations.get(cl);
++            if (registrations != null && registrations.containsValue(globalName)) {
++                return true;
++            }
++            cl = cl.getParent();
 +        }
 +        return false;
 +    }
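Review bot: The new `while (cl != null)` loop widens the CVE-2016-6797 access check from the current context class loader to every ancestor loader, and nothing in the code records why, so a later reader cannot tell a deliberate widening of the JNDI gate from an oversight. A short comment above the loop would do, e.g. `// Walk up the class loader hierarchy: the context class loader may be a child of the web application class loader the ResourceLink was registered for; access is granted if any ancestor holds a registration for globalName.` The changelog only says "some applications" could not reach global resources, so the child-loader explanation is inferred from the loop and should be confirmed against the upstream r1763236 commit message before it is written down. Note also that each iteration does a `containsValue` scan over that loader's registration map, which is fine for the handful of links a context declares but worth a mention since the check runs on every ResourceLink lookup. The whole of validateGlobalResourceAccess is contained in this hunk of the nested patch.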
@@ -139,7 +143,7 @@ Origin: backport, https://svn.apache.org/r1757275
      // -------------------------------------------------- ObjectFactory Methods
  
  
-@@ -93,6 +148,12 @@
+@@ -93,6 +151,12 @@
          RefAddr refAddr = ref.get(ResourceLinkRef.GLOBALNAME);
          if (refAddr != null) {
              globalName = refAddr.getContent().toString();
