[tomcat6] 01/01: Import Debian patch 6.0.45+dfsg-1~deb7u5

Markus Koschany apo at moszumanska.debian.org
Sat Dec 17 21:46:09 UTC 2016


This is an automated email from the git hooks/post-receive script.

apo pushed a commit to branch wheezy
in repository tomcat6.

commit 014753724b6a82042dcb67142708907bb507173e
Author: Markus Koschany <apo at debian.org>
Date:   Sat Dec 17 17:28:37 2016 +0100

    Import Debian patch 6.0.45+dfsg-1~deb7u5
---
 debian/changelog                         |   6 ++
 debian/patches/CVE-2016-6797-part2.patch | 136 ++-----------------------------
 debian/patches/series                    |   2 +-
 3 files changed, 12 insertions(+), 132 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 162788d..cfc23e1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+tomcat6 (6.0.45+dfsg-1~deb7u5) wheezy-security; urgency=high
+
+  * Backport only the minimal changes to fix #845425. (Closes: #848492)
+
+ -- Markus Koschany <apo at debian.org>  Sat, 17 Dec 2016 17:28:37 +0100
+
 tomcat6 (6.0.45+dfsg-1~deb7u4) wheezy-security; urgency=high
 
   * Non-maintainer upload by the LTS team.
diff --git a/debian/patches/CVE-2016-6797-part2.patch b/debian/patches/CVE-2016-6797-part2.patch
index 3e6e7a4..ae4206a 100644
--- a/debian/patches/CVE-2016-6797-part2.patch
+++ b/debian/patches/CVE-2016-6797-part2.patch
@@ -1,80 +1,17 @@
 From: Markus Koschany <apo at debian.org>
-Date: Thu, 1 Dec 2016 15:02:31 +0100
+Date: Sat, 17 Dec 2016 17:26:40 +0100
 Subject: CVE-2016-6797 part2
 
-Backport ResourceLinkFactory.java from trunk as a precaution to avoid #845425.
 Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845425
 ---
- .../apache/naming/factory/ResourceLinkFactory.java | 70 ++++++++++++----------
- 1 file changed, 37 insertions(+), 33 deletions(-)
+ java/org/apache/naming/factory/ResourceLinkFactory.java | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
 
 diff --git a/java/org/apache/naming/factory/ResourceLinkFactory.java b/java/org/apache/naming/factory/ResourceLinkFactory.java
-index 56b1423..51b5a1e 100644
+index 56b1423..0c899ec 100644
 --- a/java/org/apache/naming/factory/ResourceLinkFactory.java
 +++ b/java/org/apache/naming/factory/ResourceLinkFactory.java
-@@ -5,17 +5,15 @@
-  * The ASF licenses this file to You under the Apache License, Version 2.0
-  * (the "License"); you may not use this file except in compliance with
-  * the License.  You may obtain a copy of the License at
-- * 
-+ *
-  *      http://www.apache.org/licenses/LICENSE-2.0
-- * 
-+ *
-  * Unless required by applicable law or agreed to in writing, software
-  * distributed under the License is distributed on an "AS IS" BASIS,
-  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  * See the License for the specific language governing permissions and
-  * limitations under the License.
-- */ 
--
--
-+ */
- package org.apache.naming.factory;
- 
- import java.util.HashMap;
-@@ -31,24 +29,19 @@ import javax.naming.Reference;
- import javax.naming.spi.ObjectFactory;
- 
- import org.apache.naming.ResourceLinkRef;
--
-+import org.apache.naming.StringManager;
- 
- /**
-  * <p>Object factory for resource links.</p>
-- * 
-+ *
-  * @author Remy Maucherat
-  *
-  */
--
--public class ResourceLinkFactory
--    implements ObjectFactory {
--
--
--    // ----------------------------------------------------------- Constructors
--
-+public class ResourceLinkFactory implements ObjectFactory {
- 
-     // ------------------------------------------------------- Static Variables
- 
-+    private static final StringManager sm = StringManager.getManager(Constants.Package);
- 
-     /**
-      * Global naming context.
-@@ -60,10 +53,9 @@ public class ResourceLinkFactory
- 
-     // --------------------------------------------------------- Public Methods
- 
--
-     /**
-      * Set the global context (note: can only be used once).
--     * 
-+     *
-      * @param newGlobalContext new global context value
-      */
-     public static void setGlobalContext(Context newGlobalContext) {
-@@ -118,9 +110,12 @@ public class ResourceLinkFactory
+@@ -118,9 +118,12 @@ public class ResourceLinkFactory
  
      private static boolean validateGlobalResourceAccess(String globalName) {
          ClassLoader cl = Thread.currentThread().getContextClassLoader();
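Review bot: The patch header is left without any description: the only explanatory line ("Backport ResourceLinkFactory.java from trunk as a precaution...") is removed and nothing replaces it, so only the subject and the Debian-Bug link remain. The rewritten patch narrows the backport to the `validateGlobalResourceAccess` hunk, and the next hunk of this diff drops the trunk code that replaced `// FIXME: Check type` with an expected-class check. If that omission is intended, the header should say so, for example `Backport only the validateGlobalResourceAccess() change needed to fix #845425; the expected-type check from trunk is intentionally not included.` An `Origin: upstream, <upstream-revision-url>` line would also let a later security review confirm the remaining hunk matches upstream. The changed lines inside `validateGlobalResourceAccess` fall between the two hunks and are not visible here, so this comment covers the header only.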
@@ -90,66 +27,3 @@ index 56b1423..51b5a1e 100644
          }
          return false;
      }
-@@ -128,24 +123,21 @@ public class ResourceLinkFactory
- 
-     // -------------------------------------------------- ObjectFactory Methods
- 
--
-     /**
-      * Create a new DataSource instance.
--     * 
-+     *
-      * @param obj The reference object describing the DataSource
-      */
-     public Object getObjectInstance(Object obj, Name name, Context nameCtx,
--                                    Hashtable environment)
--        throws NamingException {
--        
--        if (!(obj instanceof ResourceLinkRef))
-+            Hashtable<?,?> environment) throws NamingException {
-+
-+        if (!(obj instanceof ResourceLinkRef)) {
-             return null;
-+        }
- 
-         // Can we process this request?
-         Reference ref = (Reference) obj;
- 
--        String type = ref.getClassName();
--
-         // Read the global ref addr
-         String globalName = null;
-         RefAddr refAddr = ref.get(ResourceLinkRef.GLOBALNAME);
-@@ -158,14 +150,26 @@ public class ResourceLinkFactory
-             }
-             Object result = null;
-             result = globalContext.lookup(globalName);
--            // FIXME: Check type
-+            // Check the expected type
-+            String expectedClassName = ref.getClassName();
-+            if (expectedClassName == null) {
-+                throw new IllegalArgumentException(
-+                        sm.getString("resourceLinkFactory.nullType", name, globalName));
-+            }
-+            try {
-+                Class<?> expectedClazz = Class.forName(
-+                        expectedClassName, true, Thread.currentThread().getContextClassLoader());
-+                if (!expectedClazz.isAssignableFrom(result.getClass())) {
-+                    throw new IllegalArgumentException(sm.getString("resourceLinkFactory.wrongType",
-+                            name, globalName, expectedClassName, result.getClass().getName()));
-+                }
-+            } catch (ClassNotFoundException e) {
-+                throw new IllegalArgumentException(sm.getString("resourceLinkFactory.unknownType",
-+                        name, globalName, expectedClassName), e);
-+            }
-             return result;
-         }
- 
--        return (null);
--
--        
-+        return null;
-     }
--
--
- }
diff --git a/debian/patches/series b/debian/patches/series
index 05ba616..ad4e253 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,5 +14,5 @@ CVE-2016-5018.patch
 CVE-2016-6796.patch
 CVE-2016-6816.patch
 CVE-2016-8735.patch
-CVE-2016-6797-part2.patch
 CVE-2016-5018-part2.patch
+CVE-2016-6797-part2.patch
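Review bot: Moving `CVE-2016-6797-part2.patch` after `CVE-2016-5018-part2.patch` is not mentioned in debian/changelog, whose new entry records only the minimal backport. quilt applies the series top to bottom, so if both patches touch the same file the order decides whether the hunks apply at the intended offsets; that dependency cannot be confirmed from this diff. If the move is deliberate, record it in the changelog entry, for example `  * Apply CVE-2016-6797-part2.patch after CVE-2016-5018-part2.patch.`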

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat6.git


