[tomcat7] 04/06: Fixed CVE-2014-0075: DoS caused by malformed chunk size

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Mon Jan 11 10:15:58 UTC 2016


This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch wheezy
in repository tomcat7.

commit be95450c254d159d1cce31c03c8d8e41a91516f0
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Fri Jan 8 10:14:32 2016 +0100

    Fixed CVE-2014-0075: DoS caused by malformed chunk size
---
 debian/changelog                   |  4 ++++
 debian/patches/CVE-2014-0075.patch | 38 ++++++++++++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 3 files changed, 43 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index d3549c1..769891d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,10 @@ tomcat7 (7.0.28-4+deb7u3) wheezy-security; urgency=high
     length header.
   * Fixed CVE-2013-4444: Remove serialization support from FileItem to prevent
     a remote code execution vulnerablity in very limited circumstances.
+  * Fixed CVE-2014-0075: Malformed chunk size as part of a chuncked request
+    could enable the streaming of an unlimited amount of data to the server,
+    bypassing the various size limits enforced on a request. This enabled
+    a denial of service attack.
 
  -- Emmanuel Bourg <ebourg at apache.org>  Mon, 04 Jan 2016 12:03:34 +0100
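Review bot: typo in the new changelog entry, first added line: "chuncked" should read "chunked". Suggest `* Fixed CVE-2014-0075: Malformed chunk size as part of a chunked request`. The rest of the entry matches the upstream advisory wording (unbounded streaming bypassing request size limits, leading to denial of service), so no further change needed here.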
 
diff --git a/debian/patches/CVE-2014-0075.patch b/debian/patches/CVE-2014-0075.patch
new file mode 100644
index 0000000..6e08c60
--- /dev/null
+++ b/debian/patches/CVE-2014-0075.patch
@@ -0,0 +1,38 @@
+Description: CVE-2014-0075: Improve processing of chuck size from chunked headers.
+ Avoid overflow and use a bit shift instead of a multiplication as it is marginally faster.
+Origin: backport, https://svn.apache.org/r1578341
+--- a/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
++++ b/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
+@@ -315,7 +315,7 @@
+ 
+         int result = 0;
+         boolean eol = false;
+-        boolean readDigit = false;
++        int readDigit = 0;
+         boolean extension = false;
+ 
+         while (!eol) {
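Review bot: the DEP-3 `Description:` header of the new patch misspells "chunk size" as "chuck size"; suggest `Description: CVE-2014-0075: Improve processing of chunk size from chunked headers.` In this first region the type change of `readDigit` from `boolean` to `int` is what the later `readDigit < 8` cap depends on; since this is a straight backport of r1578341 the upstream name is the right choice, but a one-line comment such as `// number of hex digits consumed so far, capped to 8` next to the declaration would save the next reader from having to find the cap further down.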
+@@ -336,10 +336,10 @@
+                 extensionSize++;
+             } else if (!extension) {
+                 //don't read data after the trailer
+-                if (HexUtils.getDec(buf[pos]) != -1) {
+-                    readDigit = true;
+-                    result *= 16;
+-                    result += HexUtils.getDec(buf[pos]);
++                int charValue = HexUtils.getDec(buf[pos]);
++                if (charValue != -1 && readDigit < 8) {
++                    readDigit++;
++                    result = (result << 4) | charValue;
+                 } else {
+                     //we shouldn't allow invalid, non hex characters
+                     //in the chunked header
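Review bot: the comment in the else branch of this region (`//we shouldn't allow invalid, non hex characters`) no longer describes both cases that reach it. With `readDigit < 8` added to the condition, a ninth hex digit also falls through to the else branch and is rejected exactly as a non-hex character would be, which is the intended overflow guard but reads like an accident. Suggest widening the comment, e.g. `// reject non-hex characters and chunk sizes longer than 8 hex digits`. The switch from `result *= 16; result += ...` to `result = (result << 4) | charValue` is behaviour-preserving for non-negative `result`, so no concern there.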
+@@ -362,7 +362,7 @@
+ 
+         }
+ 
+-        if (!readDigit)
++        if (readDigit == 0 || result < 0)
+             return false;
+ 
+         if (result == 0)
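Review bot: the new `result < 0` test is the part that actually closes the hole, and it is worth a comment in the patch: eight hex digits fill a 32-bit Java `int` exactly, so any size of 0x80000000 or more arrives here with the sign bit set and is rejected, while the digit cap in the previous region prevents the shift from ever wrapping past 32 bits. One compatibility caveat to record in the `Description:` header: the cap counts leading zeros as digits, so a chunk-size line such as `000000001` (nine characters, value 1) is now refused as malformed. `readDigit == 0` is the correct translation of the old `!readDigit` now that the field is a counter.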
diff --git a/debian/patches/series b/debian/patches/series
index d0b872d..b0add1f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -24,3 +24,4 @@ cve-2012-3439-tests.patch
 CVE-2014-7810.patch
 CVE-2014-0099.patch
 CVE-2013-4444.patch
+CVE-2014-0075.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git


