[tomcat7] 01/06: Fixed CVE-2014-7810: Potential issue with BeanELresolver when running under a security manager

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Mon Jan 11 10:15:53 UTC 2016 

This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch wheezy
in repository tomcat7.

commit b30bd83baed96195aec5f9facb9a470bce805da9
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Mon Jan 4 12:04:59 2016 +0100

    Fixed CVE-2014-7810: Potential issue with BeanELresolver when running under a security manager
---
 debian/changelog                   |   8 +++
 debian/patches/CVE-2014-7810.patch | 110 +++++++++++++++++++++++++++++++++++++
 debian/patches/series              |   1 +
 3 files changed, 119 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 1c997cf..b7aa54e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+tomcat7 (7.0.28-4+deb7u3) wheezy-security; urgency=high
+
+  * Fixed CVE-2014-7810: Malicious web applications could use expression
+    language to bypass the protections of a Security Manager as expressions
+    were evaluated within a privileged code section.
+
+ -- Emmanuel Bourg <ebourg at apache.org>  Mon, 04 Jan 2016 12:03:34 +0100
+
 tomcat7 (7.0.28-4+deb7u2) stable; urgency=medium
 
   * Team upload.
diff --git a/debian/patches/CVE-2014-7810.patch b/debian/patches/CVE-2014-7810.patch
new file mode 100644
index 0000000..c28f8ba
--- /dev/null
+++ b/debian/patches/CVE-2014-7810.patch
@@ -0,0 +1,110 @@
+Description: CVE-2014-7810: Fix potential issue with BeanELresolver when running under a security manager.
+ Some classes may not be accessible but may have accessible interfaces.
+Origin: backport, http://svn.apache.org/r1644019
+                  http://svn.apache.org/r1645644
+
+diff --git a/java/javax/el/BeanELResolver.java b/java/javax/el/BeanELResolver.java
+index 223e29c..f70c6a6 100644
+--- a/java/javax/el/BeanELResolver.java
++++ b/java/javax/el/BeanELResolver.java
+@@ -222,15 +222,39 @@
+             try {
+                 BeanInfo info = Introspector.getBeanInfo(this.type);
+                 PropertyDescriptor[] pds = info.getPropertyDescriptors();
+-                for (int i = 0; i < pds.length; i++) {
+-                    this.properties.put(pds[i].getName(), new BeanProperty(
+-                            type, pds[i]));
++                for (PropertyDescriptor pd: pds) {
++                    this.properties.put(pd.getName(), new BeanProperty(type, pd));
++                }
++                if (System.getSecurityManager() != null) {
++                    // When running with SecurityManager, some classes may be
++                    // not accessible, but have accessible interfaces.
++                    populateFromInterfaces(type);
+                 }
+             } catch (IntrospectionException ie) {
+                 throw new ELException(ie);
+             }
+         }
+ 
++        private void populateFromInterfaces(Class<?> aClass) throws IntrospectionException {
++            Class<?> interfaces[] = aClass.getInterfaces();
++            if (interfaces.length > 0) {
++                for (Class<?> ifs : interfaces) {
++                    BeanInfo info = Introspector.getBeanInfo(ifs);
++                    PropertyDescriptor[] pds = info.getPropertyDescriptors();
++                    for (PropertyDescriptor pd : pds) {
++                        if (!this.properties.containsKey(pd.getName())) {
++                            this.properties.put(pd.getName(), new BeanProperty(
++                                    this.type, pd));
++                        }
++                    }
++                }
++            }
++            Class<?> superclass = aClass.getSuperclass();
++            if (superclass != null) {
++                populateFromInterfaces(superclass);
++            }
++        }
++
+         private BeanProperty get(ELContext ctx, String name) {
+             BeanProperty property = this.properties.get(name);
+             if (property == null) {
+diff --git a/java/org/apache/jasper/runtime/PageContextImpl.java b/java/org/apache/jasper/runtime/PageContextImpl.java
+index d722cb6..fe69200 100644
+--- a/java/org/apache/jasper/runtime/PageContextImpl.java
++++ b/java/org/apache/jasper/runtime/PageContextImpl.java
+@@ -955,35 +955,13 @@
+             final Class<?> expectedType, final PageContext pageContext,
+             final ProtectedFunctionMapper functionMap, final boolean escape)
+             throws ELException {
+-        Object retValue;
+         final ExpressionFactory exprFactory = jspf.getJspApplicationContext(pageContext.getServletContext()).getExpressionFactory();
+-        if (SecurityUtil.isPackageProtectionEnabled()) {
+-            try {
+-                retValue = AccessController
+-                        .doPrivileged(new PrivilegedExceptionAction<Object>() {
+ 
+-                            @Override
+-                            public Object run() throws Exception {
+-                                ELContextImpl ctx = (ELContextImpl) pageContext.getELContext();
+-                                ctx.setFunctionMapper(new FunctionMapperImpl(functionMap));
+-                                ValueExpression ve = exprFactory.createValueExpression(ctx, expression, expectedType);
+-                                return ve.getValue(ctx);
+-                            }
+-                        });
+-            } catch (PrivilegedActionException ex) {
+-                Exception realEx = ex.getException();
+-                if (realEx instanceof ELException) {
+-                    throw (ELException) realEx;
+-                } else {
+-                    throw new ELException(realEx);
+-                }
+-            }
+-        } else {
+-            ELContextImpl ctx = (ELContextImpl) pageContext.getELContext();
+-            ctx.setFunctionMapper(new FunctionMapperImpl(functionMap));
+-            ValueExpression ve = exprFactory.createValueExpression(ctx, expression, expectedType);
+-            retValue = ve.getValue(ctx);
+-        }
++        ELContextImpl ctx = (ELContextImpl) pageContext.getELContext();
++        ctx.setFunctionMapper(new FunctionMapperImpl(functionMap));
++        ValueExpression ve = exprFactory.createValueExpression(ctx, expression, expectedType);
++        Object retValue = ve.getValue(ctx);
++
+         if (escape && retValue != null) {
+             retValue = XmlEscape(retValue.toString());
+         }
+diff --git a/java/org/apache/jasper/security/SecurityClassLoad.java b/java/org/apache/jasper/security/SecurityClassLoad.java
+index 5f5e56f..a066dfb 100644
+--- a/java/org/apache/jasper/security/SecurityClassLoad.java
++++ b/java/org/apache/jasper/security/SecurityClassLoad.java
+@@ -93,8 +93,6 @@
+                 "runtime.PageContextImpl$11");      
+             loader.loadClass( basePackage +
+                 "runtime.PageContextImpl$12");      
+-            loader.loadClass( basePackage +
+-                "runtime.PageContextImpl$13");      
+ 
+             loader.loadClass( basePackage +
+                 "runtime.JspContextWrapper");   
diff --git a/debian/patches/series b/debian/patches/series
index d647c9b..015b631 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -21,3 +21,4 @@ cve-2012-3439-tests.patch
 0023-CVE-2013-4286.patch
 0024-CVE-2013-4322.patch
 0025-use-tls-in-ssl-unit-tests.patch
+CVE-2014-7810.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git

More information about the pkg-java-commits mailing list