[tomcat7] 01/01: Imported Debian patch 7.0.28-4+deb7u5
Markus Koschany
apo at moszumanska.debian.org
Sun Jun 26 22:07:54 UTC 2016
This is an automated email from the git hooks/post-receive script.
apo pushed a commit to branch wheezy
in repository tomcat7.
commit 9251ce104b33278a83d911a611d2d709f2adac35
Author: Markus Koschany <apo at debian.org>
Date: Sun Jun 26 19:23:57 2016 +0200
Imported Debian patch 7.0.28-4+deb7u5
---
debian/changelog | 13 ++++++++++
debian/patches/CVE-2016-3092.patch | 50 ++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 64 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 54448a6..8368244 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+tomcat7 (7.0.28-4+deb7u5) wheezy-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2016-3092.
+ A denial of service vulnerability was identified in Commons FileUpload that
+ occurred when the length of the multipart boundary was just below the size
+ of the buffer (4096 bytes) used to read the uploaded file. This caused the
+ file upload process to take several orders of magnitude longer than if the
+ boundary was the typical tens of bytes long. Tomcat's internal fork of
+ Commons File Upload is also affected.
+
+ -- Markus Koschany <apo at debian.org> Sun, 26 Jun 2016 19:23:57 +0200
+
tomcat7 (7.0.28-4+deb7u4) wheezy-security; urgency=high
* Team upload.
diff --git a/debian/patches/CVE-2016-3092.patch b/debian/patches/CVE-2016-3092.patch
new file mode 100644
index 0000000..981901b
--- /dev/null
+++ b/debian/patches/CVE-2016-3092.patch
@@ -0,0 +1,50 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sun, 26 Jun 2016 19:14:54 +0200
+Subject: CVE-2016-3092
+
+A denial of service vulnerability was identified in Commons FileUpload that
+occurred when the length of the multipart boundary was just below the size of
+the buffer (4096 bytes) used to read the uploaded file. This caused the file
+upload process to take several orders of magnitude longer than if the boundary
+was the typical tens of bytes long.
+
+Upstream advisory:
+http://markmail.org/message/oyxfv73jb2g7rjg3
+
+Origin: https://svn.apache.org/r1743480
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1743742
+---
+ .../apache/tomcat/util/http/fileupload/MultipartStream.java | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java b/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
+index ed5c456..a22db76 100644
+--- a/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
++++ b/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
+@@ -293,11 +293,10 @@ public class MultipartStream {
+ byte[] boundary,
+ int bufSize,
+ ProgressNotifier pNotifier) {
+- this.input = input;
+- this.bufSize = bufSize;
+- this.buffer = new byte[bufSize];
+- this.notifier = pNotifier;
+
++ if (boundary == null) {
++ throw new IllegalArgumentException("boundary may not be null");
++ }
+ // We prepend CR/LF to the boundary to chop trailing CR/LF from
+ // body-data tokens.
+ this.boundaryLength = boundary.length + BOUNDARY_PREFIX.length;
+@@ -305,6 +304,11 @@ public class MultipartStream {
+ throw new IllegalArgumentException(
+ "The buffer size specified for the MultipartStream is too small");
+ }
++ this.input = input;
++ this.bufSize = Math.max(bufSize, boundaryLength*2);
++ this.buffer = new byte[this.bufSize];
++ this.notifier = pNotifier;
++
+ this.boundary = new byte[this.boundaryLength];
+ this.keepRegion = this.boundary.length;
+ System.arraycopy(BOUNDARY_PREFIX, 0, this.boundary, 0,
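Review bot: The added line `this.bufSize = Math.max(bufSize, boundaryLength*2);` carries no comment explaining why the caller's buffer size is overridden, even though the patch header above records the reason (a boundary just below the 4096-byte read buffer made the upload take orders of magnitude longer). A one-line why-comment would keep the next maintainer from "simplifying" it back to `this.bufSize = bufSize;`, e.g. `// Keep the buffer at least twice the boundary length so the boundary scan cannot degrade when the boundary is nearly buffer-sized (CVE-2016-3092).` The `boundaryLength*2` multiplication is an unchecked int multiply; since boundaryLength comes from the client-supplied boundary, it is presumably bounded by the preceding size check and header limits, but `Math.multiplyExact(boundaryLength, 2)` would make that assumption explicit. Note also that the field assignment now happens after the "buffer size too small" check, so that check still validates the caller's original bufSize rather than the widened one, which looks intentional but is worth stating in the same comment. The constructor's signature and the size check's condition begin outside the hunk.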
diff --git a/debian/patches/series b/debian/patches/series
index 7b17f27..e12269f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -36,3 +36,4 @@ CVE-2015-5351.patch
CVE-2016-0706.patch
CVE-2016-0714.patch
CVE-2016-0763.patch
+CVE-2016-3092.patch
--