[tomcat7] 01/01: Import Debian patch 7.0.28-4+deb7u8
Markus Koschany
apo at moszumanska.debian.org
Sun Dec 18 19:26:37 UTC 2016
This is an automated email from the git hooks/post-receive script.
apo pushed a commit to branch wheezy
in repository tomcat7.
commit b429b7bd009b6b9187a519a1aab20bc107c7bc7b
Author: Markus Koschany <apo at debian.org>
Date: Sun Dec 18 19:49:02 2016 +0100
Import Debian patch 7.0.28-4+deb7u8
---
debian/changelog | 8 +-
debian/patches/CVE-2015-5345.patch | 228 +++++++++++++++++++++++++++----
debian/patches/CVE-2016-6797-part2.patch | 143 +------------------
debian/patches/series | 2 +-
4 files changed, 214 insertions(+), 167 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index db98a75..4ca8873 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-tomcat7 (7.0.28-4+deb7u8) UNRELEASED; urgency=high
+tomcat7 (7.0.28-4+deb7u8) wheezy-security; urgency=high
* Non-maintainer upload by the LTS team.
* Add CVE-2016-5018-part2.patch and fix a regression when using Jasper with
@@ -6,8 +6,12 @@ tomcat7 (7.0.28-4+deb7u8) UNRELEASED; urgency=high
* Update CVE-2016-6797-part2.patch and fix a regression in
ResourceLinkFactory.java. (Closes: #845425)
* Fix CVE-2016-9774: Privilege escalation when the package is upgraded.
+ (Closes: #845393)
+ * Update CVE-2015-5345.patch and enable the use of the
+ mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled
+ attributes on a context.
- -- Markus Koschany <apo at debian.org> Mon, 05 Dec 2016 22:17:10 +0100
+ -- Markus Koschany <apo at debian.org> Sun, 18 Dec 2016 19:49:02 +0100
tomcat7 (7.0.28-4+deb7u7) wheezy-security; urgency=high
diff --git a/debian/patches/CVE-2015-5345.patch b/debian/patches/CVE-2015-5345.patch
index 501025d..c3140d9 100644
--- a/debian/patches/CVE-2015-5345.patch
+++ b/debian/patches/CVE-2015-5345.patch
@@ -8,20 +8,23 @@ the existence of a directory via a URL that lacks a trailing / (slash)
character.
Origin: https://svn.apache.org/viewvc?view=revision&revision=1715213
+Origin: http://svn.apache.org/viewvc?view=revision&revision=1716860
+Origin: http://svn.apache.org/viewvc?view=revision&revision=1717210
Origin: https://svn.apache.org/viewvc?view=revision&revision=1717212
---
- java/org/apache/catalina/Context.java | 40 +++++++++++++++++++++
- .../catalina/authenticator/FormAuthenticator.java | 14 ++++++++
- java/org/apache/catalina/core/StandardContext.java | 41 ++++++++++++++++++++--
- .../apache/catalina/core/mbeans-descriptors.xml | 8 +++++
- .../apache/catalina/servlets/DefaultServlet.java | 28 ++++++++++++++-
- .../apache/catalina/servlets/WebdavServlet.java | 5 +++
- .../org/apache/catalina/startup/FailedContext.java | 19 +++++++++-
- .../org/apache/tomcat/util/http/mapper/Mapper.java | 21 ++++++-----
+ java/org/apache/catalina/Context.java | 40 ++++++++++++
+ .../catalina/authenticator/FormAuthenticator.java | 14 +++++
+ .../apache/catalina/connector/MapperListener.java | 4 +-
+ java/org/apache/catalina/core/StandardContext.java | 41 +++++++++++-
+ .../apache/catalina/core/mbeans-descriptors.xml | 8 +++
+ .../apache/catalina/servlets/DefaultServlet.java | 72 ++++++++++++++--------
+ .../apache/catalina/servlets/WebdavServlet.java | 40 +++++++-----
+ .../org/apache/catalina/startup/FailedContext.java | 19 +++++-
+ .../org/apache/tomcat/util/http/mapper/Mapper.java | 53 +++++++++++-----
.../apache/catalina/startup/TomcatBaseTest.java | 3 +-
- webapps/docs/changelog.xml | 10 ++++++
- webapps/docs/config/context.xml | 16 +++++++++
- 11 files changed, 188 insertions(+), 17 deletions(-)
+ webapps/docs/changelog.xml | 10 +++
+ webapps/docs/config/context.xml | 16 +++++
+ 12 files changed, 258 insertions(+), 62 deletions(-)
diff --git a/java/org/apache/catalina/Context.java b/java/org/apache/catalina/Context.java
index 3eee519..b3e5a7b 100644
@@ -98,6 +101,21 @@ index 7a728c8..f71e508 100644
session = request.getSessionInternal(true);
if (log.isDebugEnabled()) {
log.debug("Save request in session '" + session.getIdInternal() + "'");
+diff --git a/java/org/apache/catalina/connector/MapperListener.java b/java/org/apache/catalina/connector/MapperListener.java
+index 4013663..ddb6141 100644
+--- a/java/org/apache/catalina/connector/MapperListener.java
++++ b/java/org/apache/catalina/connector/MapperListener.java
+@@ -360,7 +360,9 @@ public class MapperListener extends LifecycleMBeanBase
+ String[] welcomeFiles = context.findWelcomeFiles();
+
+ mapper.addContextVersion(host.getName(), host, contextPath,
+- context.getWebappVersion(), context, welcomeFiles, resources);
++ context.getWebappVersion(), context, welcomeFiles, resources,
++ context.getMapperContextRootRedirectEnabled(),
++ context.getMapperDirectoryRedirectEnabled());
+
+ for (Container container : context.findChildren()) {
+ registerWrapper((Wrapper) container);
diff --git a/java/org/apache/catalina/core/StandardContext.java b/java/org/apache/catalina/core/StandardContext.java
index d5f5cc6..933e90b 100644
--- a/java/org/apache/catalina/core/StandardContext.java
@@ -178,10 +196,10 @@ index 190d50f..d95ff2d 100644
description="Associated naming context listener."
type="org.apache.catalina.core.NamingContextListener" />
diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java
-index 7365f6b..cc1ab4d 100644
+index 7365f6b..0850ad4 100644
--- a/java/org/apache/catalina/servlets/DefaultServlet.java
+++ b/java/org/apache/catalina/servlets/DefaultServlet.java
-@@ -366,6 +366,10 @@ public class DefaultServlet
+@@ -366,42 +366,40 @@ public class DefaultServlet
* @param request The servlet request we are processing
*/
protected String getRelativePath(HttpServletRequest request) {
@@ -192,7 +210,62 @@ index 7365f6b..cc1ab4d 100644
// IMPORTANT: DefaultServlet can be mapped to '/' or '/path/*' but always
// serves resources from the web app root with context rooted paths.
// i.e. it can not be used to mount the web app root under a sub-path
-@@ -775,7 +779,8 @@ public class DefaultServlet
+ // This method must construct a complete context rooted path, although
+ // subclasses can change this behaviour.
+
+- // Are we being processed by a RequestDispatcher.include()?
+- if (request.getAttribute(
+- RequestDispatcher.INCLUDE_REQUEST_URI) != null) {
+- String result = (String) request.getAttribute(
+- RequestDispatcher.INCLUDE_PATH_INFO);
+- if (result == null) {
+- result = (String) request.getAttribute(
+- RequestDispatcher.INCLUDE_SERVLET_PATH);
+- } else {
+- result = (String) request.getAttribute(
+- RequestDispatcher.INCLUDE_SERVLET_PATH) + result;
+- }
+- if ((result == null) || (result.equals(""))) {
+- result = "/";
+- }
+- return (result);
+- }
++ String servletPath;
++ String pathInfo;
+
+- // No, extract the desired path directly from the request
+- String result = request.getPathInfo();
+- if (result == null) {
+- result = request.getServletPath();
++ if (request.getAttribute(RequestDispatcher.INCLUDE_REQUEST_URI) != null) {
++ // For includes, get the info from the attributes
++ pathInfo = (String) request.getAttribute(RequestDispatcher.INCLUDE_PATH_INFO);
++ servletPath = (String) request.getAttribute(RequestDispatcher.INCLUDE_SERVLET_PATH);
+ } else {
+- result = request.getServletPath() + result;
++ pathInfo = request.getPathInfo();
++ servletPath = request.getServletPath();
++ }
++
++ StringBuilder result = new StringBuilder();
++ if (servletPath.length() > 0) {
++ result.append(servletPath);
++ }
++ if (pathInfo != null) {
++ result.append(pathInfo);
+ }
+- if ((result == null) || (result.equals(""))) {
+- result = "/";
++ if (result.length() == 0) {
++ result.append('/');
+ }
+- return (result);
+
++ return result.toString();
+ }
+
+
+@@ -775,7 +773,8 @@ public class DefaultServlet
boolean serveContent = content;
// Identify the requested resource path
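Review bot: In the rewritten `getRelativePath` body, `servletPath.length()` is called with no null check, and in the include branch `servletPath` is read from the `RequestDispatcher.INCLUDE_SERVLET_PATH` request attribute. The code being replaced did not throw when that attribute was missing, so a request whose include attributes are only partly populated (for example, set by application code) would now end in a NullPointerException rather than a resolved path. Guarding the append as `if (servletPath != null && servletPath.length() > 0) {` keeps the earlier tolerance. The method's signature and opening lines lie outside this hunk.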
@@ -202,7 +275,7 @@ index 7365f6b..cc1ab4d 100644
if (debug > 0) {
if (serveContent)
log("DefaultServlet.serveResource: Serving resource '" +
-@@ -785,6 +790,12 @@ public class DefaultServlet
+@@ -785,6 +784,12 @@ public class DefaultServlet
path + "' headers only");
}
@@ -215,7 +288,7 @@ index 7365f6b..cc1ab4d 100644
CacheEntry cacheEntry = resources.lookupCache(path);
if (!cacheEntry.exists) {
-@@ -853,6 +864,11 @@ public class DefaultServlet
+@@ -853,6 +858,11 @@ public class DefaultServlet
if (cacheEntry.context != null) {
@@ -227,7 +300,7 @@ index 7365f6b..cc1ab4d 100644
// Skip directory listings if we have been configured to
// suppress them
if (!listings) {
-@@ -1060,6 +1076,16 @@ public class DefaultServlet
+@@ -1060,6 +1070,16 @@ public class DefaultServlet
}
@@ -245,21 +318,58 @@ index 7365f6b..cc1ab4d 100644
/**
* Parse the content-range header.
diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java b/java/org/apache/catalina/servlets/WebdavServlet.java
-index 358b919..a7478d3 100644
+index 358b919..70204fa 100644
--- a/java/org/apache/catalina/servlets/WebdavServlet.java
+++ b/java/org/apache/catalina/servlets/WebdavServlet.java
-@@ -429,6 +429,11 @@ public class WebdavServlet
+@@ -427,24 +427,32 @@ public class WebdavServlet
+ *
+ * @param request The servlet request we are processing
*/
++
@Override
protected String getRelativePath(HttpServletRequest request) {
+- // Are we being processed by a RequestDispatcher.include()?
+- if (request.getAttribute(
+- RequestDispatcher.INCLUDE_REQUEST_URI) != null) {
+- String result = (String) request.getAttribute(
+- RequestDispatcher.INCLUDE_PATH_INFO);
+- if ((result == null) || (result.equals("")))
+- result = "/";
+- return (result);
+- }
+-
+- // No, extract the desired path directly from the request
+- String result = request.getPathInfo();
+- if ((result == null) || (result.equals(""))) {
+- result = "/";
+- }
+- return (result);
+ return getRelativePath(request, false);
+ }
+
+ @Override
+ protected String getRelativePath(HttpServletRequest request, boolean allowEmptyPath) {
- // Are we being processed by a RequestDispatcher.include()?
- if (request.getAttribute(
- RequestDispatcher.INCLUDE_REQUEST_URI) != null) {
++ String pathInfo;
++
++ if (request.getAttribute(RequestDispatcher.INCLUDE_REQUEST_URI) != null) {
++ // For includes, get the info from the attributes
++ pathInfo = (String) request.getAttribute(RequestDispatcher.INCLUDE_PATH_INFO);
++ } else {
++ pathInfo = request.getPathInfo();
++ }
++
++ StringBuilder result = new StringBuilder();
++ if (pathInfo != null) {
++ result.append(pathInfo);
++ }
++ if (result.length() == 0) {
++ result.append('/');
++ }
++
++ return result.toString();
+
+ }
+
diff --git a/java/org/apache/catalina/startup/FailedContext.java b/java/org/apache/catalina/startup/FailedContext.java
index 409783b..69fcd8a 100644
--- a/java/org/apache/catalina/startup/FailedContext.java
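Review bot: The new two-argument override `getRelativePath(HttpServletRequest request, boolean allowEmptyPath)` never reads `allowEmptyPath`: the body always appends `/` when `pathInfo` is null or empty, so `true` and `false` produce the same result. If WebDAV paths are meant to stay rooted at `/`, a comment such as `// allowEmptyPath is deliberately ignored: WebDAV resource paths are never empty` would keep a later reader from treating it as an oversight; otherwise the guard would be `if (result.length() == 0 && !allowEmptyPath) {`. The rewritten tail in the DefaultServlet.java section of this patch has the same unconditional `result.append('/')`. Its signature is outside that hunk, so it is worth confirming which overload that body belongs to, because any caller that tests for an empty path would presumably never see one.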
@@ -289,10 +399,55 @@ index 409783b..69fcd8a 100644
+
+}
diff --git a/java/org/apache/tomcat/util/http/mapper/Mapper.java b/java/org/apache/tomcat/util/http/mapper/Mapper.java
-index 6100a2b..30c7814 100644
+index 6100a2b..17eafde 100644
--- a/java/org/apache/tomcat/util/http/mapper/Mapper.java
+++ b/java/org/apache/tomcat/util/http/mapper/Mapper.java
-@@ -827,20 +827,13 @@ public final class Mapper {
+@@ -184,7 +184,6 @@ public final class Mapper {
+ context.resources = resources;
+ }
+
+-
+ /**
+ * Add a new Context to an existing Host.
+ *
+@@ -199,6 +198,27 @@ public final class Mapper {
+ public void addContextVersion(String hostName, Object host, String path,
+ String version, Object context, String[] welcomeResources,
+ javax.naming.Context resources) {
++ addContextVersion(hostName, host, path, version, context, welcomeResources, resources,
++ false, false);
++ }
++
++ /**
++ * Add a new Context to an existing Host.
++ *
++ * @param hostName Virtual host name this context belongs to
++ * @param host Host object
++ * @param path Context path
++ * @param version Context version
++ * @param context Context object
++ * @param welcomeResources Welcome files defined for this context
++ * @param resources Static resources of the context
++ * @param mapperContextRootRedirectEnabled Mapper does context root redirects
++ * @param mapperDirectoryRedirectEnabled Mapper does directory redirects
++ */
++ public void addContextVersion(String hostName, Object host, String path,
++ String version, Object context, String[] welcomeResources,
++ javax.naming.Context resources,
++ boolean mapperContextRootRedirectEnabled, boolean mapperDirectoryRedirectEnabled) {
+
+ Host[] hosts = this.hosts;
+ int pos = find(hosts, hostName);
+@@ -241,6 +261,8 @@ public final class Mapper {
+ newContextVersion.object = context;
+ newContextVersion.welcomeResources = welcomeResources;
+ newContextVersion.resources = resources;
++ newContextVersion.mapperContextRootRedirectEnabled = mapperContextRootRedirectEnabled;
++ newContextVersion.mapperDirectoryRedirectEnabled = mapperDirectoryRedirectEnabled;
+ if (insertMap(contextVersions, newContextVersions, newContextVersion)) {
+ mappedContext.versions = newContextVersions;
+ }
+@@ -827,20 +849,13 @@ public final class Mapper {
int pathOffset = path.getOffset();
int pathEnd = path.getEnd();
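Review bot: The original seven-argument `addContextVersion` now forwards `false, false`, but its Javadoc still reads only "Add a new Context to an existing Host." and does not say that contexts registered through it get neither mapper redirect. I would add a sentence to that overload, e.g. `Both mapper redirects are disabled; use the overload taking mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled to enable them.` The two new `@param` lines could also state the trade-off: a redirect issued by the mapper happens before security constraints and filters run, which is the directory-existence disclosure the patch header describes. The values are copied into `ContextVersion` fields at registration time, so a later change on the context presumably does not reach the mapper until the context is registered again; that is worth a line in the Javadoc too.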
@@ -315,9 +470,13 @@ index 6100a2b..30c7814 100644
path.setOffset(servletPath);
// Rule 1 -- Exact Match
-@@ -877,8 +870,10 @@ public final class Mapper {
+@@ -875,10 +890,13 @@ public final class Mapper {
+ }
+ }
- if(mappingData.wrapper == null && noServletPath) {
+- if(mappingData.wrapper == null && noServletPath) {
++ if(mappingData.wrapper == null && noServletPath &&
++ contextVersion.mapperContextRootRedirectEnabled) {
// The path is empty, redirect to "/"
+ path.append('/');
+ pathEnd = path.getEnd();
@@ -327,7 +486,7 @@ index 6100a2b..30c7814 100644
path.setEnd(pathEnd - 1);
return;
}
-@@ -999,7 +994,11 @@ public final class Mapper {
+@@ -999,11 +1017,16 @@ public final class Mapper {
Object file = null;
String pathStr = path.toString();
try {
@@ -340,6 +499,21 @@ index 6100a2b..30c7814 100644
} catch(NamingException nex) {
// Swallow, since someone else handles the 404
}
+- if (file != null && file instanceof DirContext) {
++ if (file != null && file instanceof DirContext &&
++ contextVersion.mapperDirectoryRedirectEnabled) {
+ // Note: this mutates the path: do not do any processing
+ // after this (since we set the redirectPath, there
+ // shouldn't be any)
+@@ -1503,6 +1526,8 @@ public final class Mapper {
+ public Wrapper[] wildcardWrappers = new Wrapper[0];
+ public Wrapper[] extensionWrappers = new Wrapper[0];
+ public int nesting = 0;
++ public boolean mapperContextRootRedirectEnabled = false;
++ public boolean mapperDirectoryRedirectEnabled = false;
+
+ }
+
diff --git a/test/org/apache/catalina/startup/TomcatBaseTest.java b/test/org/apache/catalina/startup/TomcatBaseTest.java
index 33d5fd1..150b4f4 100644
--- a/test/org/apache/catalina/startup/TomcatBaseTest.java
diff --git a/debian/patches/CVE-2016-6797-part2.patch b/debian/patches/CVE-2016-6797-part2.patch
index 3918897..2e6a888 100644
--- a/debian/patches/CVE-2016-6797-part2.patch
+++ b/debian/patches/CVE-2016-6797-part2.patch
@@ -1,80 +1,17 @@
From: Markus Koschany <apo at debian.org>
-Date: Thu, 1 Dec 2016 22:09:47 +0100
+Date: Sun, 18 Dec 2016 15:08:38 +0100
Subject: CVE-2016-6797 part2
-Backport ResourceLinkFactory.java from trunk as a precaution to avoid #845425.
-Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845425
+Debian-Bug: https://bugs.debian.org/845425
---
- .../apache/naming/factory/ResourceLinkFactory.java | 74 ++++++++++++----------
- 1 file changed, 39 insertions(+), 35 deletions(-)
+ java/org/apache/naming/factory/ResourceLinkFactory.java | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/java/org/apache/naming/factory/ResourceLinkFactory.java b/java/org/apache/naming/factory/ResourceLinkFactory.java
-index 157adfb..4a77d5b 100644
+index 157adfb..feccd6a 100644
--- a/java/org/apache/naming/factory/ResourceLinkFactory.java
+++ b/java/org/apache/naming/factory/ResourceLinkFactory.java
-@@ -5,17 +5,15 @@
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
-- *
-+ *
- * http://www.apache.org/licenses/LICENSE-2.0
-- *
-+ *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
-- */
--
--
-+ */
- package org.apache.naming.factory;
-
- import java.util.HashMap;
-@@ -31,24 +29,18 @@ import javax.naming.Reference;
- import javax.naming.spi.ObjectFactory;
-
- import org.apache.naming.ResourceLinkRef;
--
-+import org.apache.naming.StringManager;
-
- /**
- * <p>Object factory for resource links.</p>
-- *
-+ *
- * @author Remy Maucherat
-- * @version $Id: ResourceLinkFactory.java 1056946 2011-01-09 14:48:08Z markt $
- */
--
--public class ResourceLinkFactory
-- implements ObjectFactory {
--
--
-- // ----------------------------------------------------------- Constructors
--
-+public class ResourceLinkFactory implements ObjectFactory {
-
- // ------------------------------------------------------- Static Variables
-
-+ private static final StringManager sm = StringManager.getManager(Constants.Package);
-
- /**
- * Global naming context.
-@@ -60,10 +52,9 @@ public class ResourceLinkFactory
-
- // --------------------------------------------------------- Public Methods
-
--
- /**
- * Set the global context (note: can only be used once).
-- *
-+ *
- * @param newGlobalContext new global context value
- */
- public static void setGlobalContext(Context newGlobalContext) {
-@@ -118,9 +109,12 @@ public class ResourceLinkFactory
+@@ -118,9 +118,12 @@ public class ResourceLinkFactory
private static boolean validateGlobalResourceAccess(String globalName) {
ClassLoader cl = Thread.currentThread().getContextClassLoader();
@@ -90,71 +27,3 @@ index 157adfb..4a77d5b 100644
}
return false;
}
-@@ -128,19 +122,18 @@ public class ResourceLinkFactory
-
- // -------------------------------------------------- ObjectFactory Methods
-
--
- /**
- * Create a new DataSource instance.
-- *
-+ *
- * @param obj The reference object describing the DataSource
- */
- @Override
- public Object getObjectInstance(Object obj, Name name, Context nameCtx,
-- Hashtable<?,?> environment)
-- throws NamingException {
--
-- if (!(obj instanceof ResourceLinkRef))
-+ Hashtable<?,?> environment) throws NamingException {
-+
-+ if (!(obj instanceof ResourceLinkRef)) {
- return null;
-+ }
-
- // Can we process this request?
- Reference ref = (Reference) obj;
-@@ -150,22 +143,33 @@ public class ResourceLinkFactory
- RefAddr refAddr = ref.get(ResourceLinkRef.GLOBALNAME);
- if (refAddr != null) {
- globalName = refAddr.getContent().toString();
-- // When running under a security manager confirm that the current
-- // web application has really been configured to access the specified
-- // global resource
-+ // Confirm that the current web application is currently configured
-+ // to access the specified global resource
- if (!validateGlobalResourceAccess(globalName)) {
- return null;
- }
- Object result = null;
- result = globalContext.lookup(globalName);
-- // FIXME: Check type
-+ // Check the expected type
-+ String expectedClassName = ref.getClassName();
-+ if (expectedClassName == null) {
-+ throw new IllegalArgumentException(
-+ sm.getString("resourceLinkFactory.nullType", name, globalName));
-+ }
-+ try {
-+ Class<?> expectedClazz = Class.forName(
-+ expectedClassName, true, Thread.currentThread().getContextClassLoader());
-+ if (!expectedClazz.isAssignableFrom(result.getClass())) {
-+ throw new IllegalArgumentException(sm.getString("resourceLinkFactory.wrongType",
-+ name, globalName, expectedClassName, result.getClass().getName()));
-+ }
-+ } catch (ClassNotFoundException e) {
-+ throw new IllegalArgumentException(sm.getString("resourceLinkFactory.unknownType",
-+ name, globalName, expectedClassName), e);
-+ }
- return result;
- }
-
-- return (null);
--
--
-+ return null;
- }
--
--
- }
diff --git a/debian/patches/series b/debian/patches/series
index 26bf020..3c59fa1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -44,5 +44,5 @@ CVE-2016-6797.patch
CVE-2016-0762.patch
CVE-2016-6816.patch
CVE-2016-8735.patch
-CVE-2016-6797-part2.patch
CVE-2016-5018-part2.patch
+CVE-2016-6797-part2.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git