[tomcat7] 02/06: Fixed CVE-2014-0099: Check for overflow when parsing the request content length header

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Mon Jan 11 10:15:54 UTC 2016



ebourg-guest pushed a commit to branch wheezy
in repository tomcat7.

commit 04b149da51a82cb64b9e570b5592839a3bd2af53
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Mon Jan 4 12:23:34 2016 +0100

    Fixed CVE-2014-0099: Check for overflow when parsing the request content length header
---
 debian/changelog                   |   4 ++
 debian/patches/CVE-2014-0099.patch | 109 +++++++++++++++++++++++++++++++++++++
 debian/patches/series              |   1 +
 3 files changed, 114 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index b7aa54e..da1df8f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,10 @@ tomcat7 (7.0.28-4+deb7u3) wheezy-security; urgency=high
   * Fixed CVE-2014-7810: Malicious web applications could use expression
     language to bypass the protections of a Security Manager as expressions
     were evaluated within a privileged code section.
+  * Fixed CVE-2014-0099: Check for overflow when parsing the request content
+    length header. This exposed a request smuggling vulnerability when Tomcat
+    was located behind a reverse proxy that correctly processed the content
+    length header.
 
  -- Emmanuel Bourg <ebourg at apache.org>  Mon, 04 Jan 2016 12:03:34 +0100
 
diff --git a/debian/patches/CVE-2014-0099.patch b/debian/patches/CVE-2014-0099.patch
new file mode 100644
index 0000000..9fe94c6
--- /dev/null
+++ b/debian/patches/CVE-2014-0099.patch
@@ -0,0 +1,109 @@
+Description: CVE-2014-0099: Check for overflow when parsing the request content length header.
+Origin: backport, http://svn.apache.org/r1578814
+--- a/java/org/apache/tomcat/util/buf/Ascii.java
++++ b/java/org/apache/tomcat/util/buf/Ascii.java
+@@ -40,10 +40,11 @@
+     private static final boolean[] isWhite = new boolean[256];
+     private static final boolean[] isDigit = new boolean[256];
+ 
++    private static final long OVERFLOW_LIMIT = Long.MAX_VALUE / 10;
++
+     /*
+      * Initialize character translation and type tables.
+      */
+-
+     static {
+         for (int i = 0; i < 256; i++) {
+             toUpper[i] = (byte)i;
+@@ -206,19 +207,12 @@
+         }
+ 
+         long n = c - '0';
+-        long m;
+-
+         while (--len > 0) {
+-            if (!isDigit(c = b[off++])) {
+-                throw new NumberFormatException();
+-            }
+-            m = n * 10 + c - '0';
+-
+-            if (m < n) {
+-                // Overflow
+-                throw new NumberFormatException();
++            if (isDigit(c = b[off++]) &&
++                    (n < OVERFLOW_LIMIT || (n == OVERFLOW_LIMIT && (c - '0') < 8))) {
++                n = n * 10 + c - '0';
+             } else {
+-                n = m;
++                throw new NumberFormatException();
+             }
+         }
+ 
+--- /dev/null
++++ b/test/org/apache/tomcat/util/buf/TestAscii.java
+@@ -0,0 +1,65 @@
++/*
++ *  Licensed to the Apache Software Foundation (ASF) under one or more
++ *  contributor license agreements.  See the NOTICE file distributed with
++ *  this work for additional information regarding copyright ownership.
++ *  The ASF licenses this file to You under the Apache License, Version 2.0
++ *  (the "License"); you may not use this file except in compliance with
++ *  the License.  You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ *  Unless required by applicable law or agreed to in writing, software
++ *  distributed under the License is distributed on an "AS IS" BASIS,
++ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ *  See the License for the specific language governing permissions and
++ *  limitations under the License.
++ */
++package org.apache.tomcat.util.buf;
++
++import java.math.BigInteger;
++
++import org.junit.Assert;
++import org.junit.Test;
++
++public class TestAscii {
++
++    @Test
++    public void testParseLong1() {
++        String value = "9223372036854775807"; // Long.MAX_VALUE
++        byte[] bytes = value.getBytes();
++        long result = Ascii.parseLong(bytes, 0, bytes.length);
++        Assert.assertEquals(value, String.valueOf(result));
++    }
++
++    @Test(expected = NumberFormatException.class)
++    public void testParseLong2() {
++        byte[] bytes = "9223372036854775808".getBytes(); // Long.MAX_VALUE + 1
++        long result = Ascii.parseLong(bytes, 0, bytes.length);
++        Assert.fail("NumberFormatException expected, got: " + result);
++    }
++
++    @Test(expected = NumberFormatException.class)
++    public void testParseLong3() {
++        byte[] bytes = "9223372036854775810".getBytes(); // Long.MAX_VALUE + 3
++        long result = Ascii.parseLong(bytes, 0, bytes.length);
++        Assert.fail("NumberFormatException expected, got: " + result);
++    }
++
++    @Test(expected = NumberFormatException.class)
++    public void testParseLong4() {
++        BigInteger x = BigInteger.valueOf(5000000000L).shiftLeft(32);
++        byte[] bytes = String.valueOf(x).getBytes();
++        long result = Ascii.parseLong(bytes, 0, bytes.length);
++        Assert.fail("NumberFormatException expected, got: " + result);
++    }
++
++    @Test
++    public void testParseLong5() {
++        String value = "9223372036854775806"; // Long.MAX_VALUE - 1
++        byte[] bytes = value.getBytes();
++        long result = Ascii.parseLong(bytes, 0, bytes.length);
++        Assert.assertEquals(value, String.valueOf(result));
++    }
++
++
++}
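Review bot: The overflow guard `n == OVERFLOW_LIMIT && (c - '0') < 8` in the rewritten Ascii.parseLong loop carries an unexplained magic number; a comment next to the new constant, such as `// Long.MAX_VALUE is 9223372036854775807: once n == Long.MAX_VALUE / 10 only a final digit of 0..7 still fits`, would let the next reader verify the bound without redoing the arithmetic. The bound itself is consistent with the values exercised by testParseLong1 through testParseLong5, but parseLong begins before this hunk (the leading-character and first-digit handling is not visible), so its treatment of a leading sign is not reviewable here. How the caller handles the NumberFormatException is also outside this patch; it presumably becomes a 400 rather than a 500 for a request whose Content-Length does not fit in a long, which is worth confirming since that rejection is what closes the smuggling window the changelog describes. In TestAscii, `value.getBytes()` uses the platform default charset; harmless for ASCII digits, but spelling the charset out (e.g. `getBytes("ISO-8859-1")` with the checked exception declared) would make the intent explicit.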
diff --git a/debian/patches/series b/debian/patches/series
index 015b631..c4c4ff8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -22,3 +22,4 @@ cve-2012-3439-tests.patch
 0024-CVE-2013-4322.patch
 0025-use-tls-in-ssl-unit-tests.patch
 CVE-2014-7810.patch
+CVE-2014-0099.patch



