[tomcat7] 03/06: Fixed CVE-2013-4444: Remove serialization support from FileItem

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Mon Jan 11 10:15:57 UTC 2016 

This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch wheezy
in repository tomcat7.

commit e04961069c17dbb08ca1e55037172b52a239b16e
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Tue Jan 5 01:03:07 2016 +0100

    Fixed CVE-2013-4444: Remove serialization support from FileItem
---
 debian/changelog                   |   2 +
 debian/patches/CVE-2013-4444.patch | 114 +++++++++++++++++++++++++++++++++++++
 debian/patches/series              |   1 +
 3 files changed, 117 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index da1df8f..d3549c1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,8 @@ tomcat7 (7.0.28-4+deb7u3) wheezy-security; urgency=high
     length header. This exposed a request smuggling vulnerability when Tomcat
     was located behind a reverse proxy that correctly processed the content
     length header.
+  * Fixed CVE-2013-4444: Remove serialization support from FileItem to prevent
+    a remote code execution vulnerablity in very limited circumstances.
 
  -- Emmanuel Bourg <ebourg at apache.org>  Mon, 04 Jan 2016 12:03:34 +0100
 
diff --git a/debian/patches/CVE-2013-4444.patch b/debian/patches/CVE-2013-4444.patch
new file mode 100644
index 0000000..39ce26e
--- /dev/null
+++ b/debian/patches/CVE-2013-4444.patch
@@ -0,0 +1,114 @@
+Description: CVE-2013-4444: Remove serialization support from FileItem to prevent
+ a remote code execution vulnerablity in very limited circumstances.
+Origin: backport, http://svn.apache.org/r1470437
+--- a/java/org/apache/tomcat/util/http/fileupload/FileItem.java
++++ b/java/org/apache/tomcat/util/http/fileupload/FileItem.java
+@@ -20,7 +20,6 @@
+ import java.io.IOException;
+ import java.io.InputStream;
+ import java.io.OutputStream;
+-import java.io.Serializable;
+ import java.io.UnsupportedEncodingException;
+ 
+ /**
+@@ -50,7 +49,7 @@
+  *
+  * @version $Id: FileItem.java 981816 2010-08-03 10:44:58Z markt $
+  */
+-public interface FileItem extends Serializable {
++public interface FileItem {
+ 
+ 
+     // ------------------------------- Methods from javax.activation.DataSource
+--- a/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java
++++ b/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java
+@@ -24,8 +24,6 @@
+ import java.io.FileOutputStream;
+ import java.io.IOException;
+ import java.io.InputStream;
+-import java.io.ObjectInputStream;
+-import java.io.ObjectOutputStream;
+ import java.io.OutputStream;
+ import java.io.UnsupportedEncodingException;
+ import java.util.Map;
+@@ -84,11 +82,6 @@
+ 
+     // ----------------------------------------------------- Manifest constants
+ 
+-    /**
+-     * The UID to use when serializing this instance.
+-     */
+-    private static final long serialVersionUID = 2237570099615271025L;
+-
+ 
+     /**
+      * Default content charset to be used when no explicit charset
+@@ -176,11 +169,6 @@
+     private transient File tempFile;
+ 
+     /**
+-     * File to allow for serialization of the content of this item.
+-     */
+-    private File dfosFile;
+-
+-    /**
+      * The file items headers.
+      */
+     private FileItemHeaders headers;
+@@ -690,56 +678,6 @@
+     }
+ 
+ 
+-    // -------------------------------------------------- Serialization methods
+-
+-
+-    /**
+-     * Writes the state of this object during serialization.
+-     *
+-     * @param out The stream to which the state should be written.
+-     *
+-     * @throws IOException if an error occurs.
+-     */
+-    private void writeObject(ObjectOutputStream out) throws IOException {
+-        // Read the data
+-        if (dfos.isInMemory()) {
+-            cachedContent = get();
+-        } else {
+-            cachedContent = null;
+-            dfosFile = dfos.getFile();
+-        }
+-
+-        // write out values
+-        out.defaultWriteObject();
+-    }
+-
+-    /**
+-     * Reads the state of this object during deserialization.
+-     *
+-     * @param in The stream from which the state should be read.
+-     *
+-     * @throws IOException if an error occurs.
+-     * @throws ClassNotFoundException if class cannot be found.
+-     */
+-    private void readObject(ObjectInputStream in)
+-            throws IOException, ClassNotFoundException {
+-        // read values
+-        in.defaultReadObject();
+-
+-        OutputStream output = getOutputStream();
+-        if (cachedContent != null) {
+-            output.write(cachedContent);
+-        } else {
+-            FileInputStream input = new FileInputStream(dfosFile);
+-            IOUtils.copy(input, output);
+-            dfosFile.delete();
+-            dfosFile = null;
+-        }
+-        output.close();
+-
+-        cachedContent = null;
+-    }
+-
+     /**
+      * Returns the file item headers.
+      * @return The file items headers.
diff --git a/debian/patches/series b/debian/patches/series
index c4c4ff8..d0b872d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -23,3 +23,4 @@ cve-2012-3439-tests.patch
 0025-use-tls-in-ssl-unit-tests.patch
 CVE-2014-7810.patch
 CVE-2014-0099.patch
+CVE-2013-4444.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git

More information about the pkg-java-commits mailing list