[tomcat7] 01/06: Fixed CVE-2014-7810: Potential issue with BeanELresolver when running under a security manager
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Mon Jan 11 10:15:53 UTC 2016
This is an automated email from the git hooks/post-receive script.
ebourg-guest pushed a commit to branch wheezy
in repository tomcat7.
commit b30bd83baed96195aec5f9facb9a470bce805da9
Author: Emmanuel Bourg <ebourg at apache.org>
Date: Mon Jan 4 12:04:59 2016 +0100
Fixed CVE-2014-7810: Potential issue with BeanELresolver when running under a security manager
---
debian/changelog | 8 +++
debian/patches/CVE-2014-7810.patch | 110 +++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 119 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 1c997cf..b7aa54e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+tomcat7 (7.0.28-4+deb7u3) wheezy-security; urgency=high
+
+ * Fixed CVE-2014-7810: Malicious web applications could use expression
+ language to bypass the protections of a Security Manager as expressions
+ were evaluated within a privileged code section.
+
+ -- Emmanuel Bourg <ebourg at apache.org> Mon, 04 Jan 2016 12:03:34 +0100
+
tomcat7 (7.0.28-4+deb7u2) stable; urgency=medium
* Team upload.
diff --git a/debian/patches/CVE-2014-7810.patch b/debian/patches/CVE-2014-7810.patch
new file mode 100644
index 0000000..c28f8ba
--- /dev/null
+++ b/debian/patches/CVE-2014-7810.patch
@@ -0,0 +1,110 @@
+Description: CVE-2014-7810: Fix potential issue with BeanELresolver when running under a security manager.
+ Some classes may not be accessible but may have accessible interfaces.
+Origin: backport, http://svn.apache.org/r1644019
+ http://svn.apache.org/r1645644
+
+diff --git a/java/javax/el/BeanELResolver.java b/java/javax/el/BeanELResolver.java
+index 223e29c..f70c6a6 100644
+--- a/java/javax/el/BeanELResolver.java
++++ b/java/javax/el/BeanELResolver.java
+@@ -222,15 +222,39 @@
+ try {
+ BeanInfo info = Introspector.getBeanInfo(this.type);
+ PropertyDescriptor[] pds = info.getPropertyDescriptors();
+- for (int i = 0; i < pds.length; i++) {
+- this.properties.put(pds[i].getName(), new BeanProperty(
+- type, pds[i]));
++ for (PropertyDescriptor pd: pds) {
++ this.properties.put(pd.getName(), new BeanProperty(type, pd));
++ }
++ if (System.getSecurityManager() != null) {
++ // When running with SecurityManager, some classes may be
++ // not accessible, but have accessible interfaces.
++ populateFromInterfaces(type);
+ }
+ } catch (IntrospectionException ie) {
+ throw new ELException(ie);
+ }
+ }
+
++ private void populateFromInterfaces(Class<?> aClass) throws IntrospectionException {
++ Class<?> interfaces[] = aClass.getInterfaces();
++ if (interfaces.length > 0) {
++ for (Class<?> ifs : interfaces) {
++ BeanInfo info = Introspector.getBeanInfo(ifs);
++ PropertyDescriptor[] pds = info.getPropertyDescriptors();
++ for (PropertyDescriptor pd : pds) {
++ if (!this.properties.containsKey(pd.getName())) {
++ this.properties.put(pd.getName(), new BeanProperty(
++ this.type, pd));
++ }
++ }
++ }
++ }
++ Class<?> superclass = aClass.getSuperclass();
++ if (superclass != null) {
++ populateFromInterfaces(superclass);
++ }
++ }
++
+ private BeanProperty get(ELContext ctx, String name) {
+ BeanProperty property = this.properties.get(name);
+ if (property == null) {
+diff --git a/java/org/apache/jasper/runtime/PageContextImpl.java b/java/org/apache/jasper/runtime/PageContextImpl.java
+index d722cb6..fe69200 100644
+--- a/java/org/apache/jasper/runtime/PageContextImpl.java
++++ b/java/org/apache/jasper/runtime/PageContextImpl.java
+@@ -955,35 +955,13 @@
+ final Class<?> expectedType, final PageContext pageContext,
+ final ProtectedFunctionMapper functionMap, final boolean escape)
+ throws ELException {
+- Object retValue;
+ final ExpressionFactory exprFactory = jspf.getJspApplicationContext(pageContext.getServletContext()).getExpressionFactory();
+- if (SecurityUtil.isPackageProtectionEnabled()) {
+- try {
+- retValue = AccessController
+- .doPrivileged(new PrivilegedExceptionAction<Object>() {
+
+- @Override
+- public Object run() throws Exception {
+- ELContextImpl ctx = (ELContextImpl) pageContext.getELContext();
+- ctx.setFunctionMapper(new FunctionMapperImpl(functionMap));
+- ValueExpression ve = exprFactory.createValueExpression(ctx, expression, expectedType);
+- return ve.getValue(ctx);
+- }
+- });
+- } catch (PrivilegedActionException ex) {
+- Exception realEx = ex.getException();
+- if (realEx instanceof ELException) {
+- throw (ELException) realEx;
+- } else {
+- throw new ELException(realEx);
+- }
+- }
+- } else {
+- ELContextImpl ctx = (ELContextImpl) pageContext.getELContext();
+- ctx.setFunctionMapper(new FunctionMapperImpl(functionMap));
+- ValueExpression ve = exprFactory.createValueExpression(ctx, expression, expectedType);
+- retValue = ve.getValue(ctx);
+- }
++ ELContextImpl ctx = (ELContextImpl) pageContext.getELContext();
++ ctx.setFunctionMapper(new FunctionMapperImpl(functionMap));
++ ValueExpression ve = exprFactory.createValueExpression(ctx, expression, expectedType);
++ Object retValue = ve.getValue(ctx);
++
+ if (escape && retValue != null) {
+ retValue = XmlEscape(retValue.toString());
+ }
+diff --git a/java/org/apache/jasper/security/SecurityClassLoad.java b/java/org/apache/jasper/security/SecurityClassLoad.java
+index 5f5e56f..a066dfb 100644
+--- a/java/org/apache/jasper/security/SecurityClassLoad.java
++++ b/java/org/apache/jasper/security/SecurityClassLoad.java
+@@ -93,8 +93,6 @@
+ "runtime.PageContextImpl$11");
+ loader.loadClass( basePackage +
+ "runtime.PageContextImpl$12");
+- loader.loadClass( basePackage +
+- "runtime.PageContextImpl$13");
+
+ loader.loadClass( basePackage +
+ "runtime.JspContextWrapper");
diff --git a/debian/patches/series b/debian/patches/series
index d647c9b..015b631 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -21,3 +21,4 @@ cve-2012-3439-tests.patch
0023-CVE-2013-4286.patch
0024-CVE-2013-4322.patch
0025-use-tls-in-ssl-unit-tests.patch
+CVE-2014-7810.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git
More information about the pkg-java-commits
mailing list