[tomcat6] 01/01: Prepare new security release for Wheezy

Markus Koschany apo at moszumanska.debian.org
Mon Nov 7 12:58:49 UTC 2016


This is an automated email from the git hooks/post-receive script.

apo pushed a commit to branch wheezy
in repository tomcat6.

commit be6c35620b29bae4d3009808303bbe8f3b76a2b1
Author: Markus Koschany <apo at debian.org>
Date:   Mon Nov 7 13:58:12 2016 +0100

    Prepare new security release for Wheezy
---
 debian/changelog                   |  32 ++++++
 debian/patches/CVE-2016-0762.patch |  85 +++++++++++++++
 debian/patches/CVE-2016-5018.patch |  88 ++++++++++++++++
 debian/patches/CVE-2016-6794.patch | 141 +++++++++++++++++++++++++
 debian/patches/CVE-2016-6796.patch |  78 ++++++++++++++
 debian/patches/CVE-2016-6797.patch | 211 +++++++++++++++++++++++++++++++++++++
 debian/patches/series              |   5 +
 7 files changed, 640 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 28b5fbc..85928c9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,35 @@
+tomcat6 (6.0.45+dfsg-1~deb7u3) wheezy-security; urgency=high
+
+  * Fixed CVE-2016-0762: The Realm implementations did not process the supplied
+    password if the supplied user name did not exist. This made a timing attack
+    possible to determine valid user names.
+  * Fixed CVE-2016-5018: A malicious web application was able to bypass
+    a configured SecurityManager via a Tomcat utility method that was
+    accessible to web applications.
+  * Fixed CVE-2016-6794: When a SecurityManager is configured, a web
+    application's ability to read system properties should be controlled by
+    the SecurityManager. Tomcat's system property replacement feature for
+    configuration files could be used by a malicious web application to bypass
+    the SecurityManager and read system properties that should not be visible.
+  * Fixed CVE-2016-6796: A malicious web application was able to bypass
+    a configured SecurityManager via manipulation of the configuration
+    parameters for the JSP Servlet.
+  * Fixed CVE-2016-6797: The ResourceLinkFactory did not limit web application
+    access to global JNDI resources to those resources explicitly linked to the
+    web application. Therefore, it was possible for a web application to access
+    any global JNDI resource whether an explicit ResourceLink had been
+    configured or not.
+  * CVE-2016-1240 follow-up:
+    - The previous init.d fix was vulnerable to a race condition that could
+      be exploited to make any existing file writable by the tomcat user.
+      Thanks to Paul Szabo for the report and the fix.
+    - The catalina.policy file generated on startup was affected by a similar
+      vulnerability that could be exploited to overwrite any file on the system.
+      Thanks to Paul Szabo for the report.
+  * Hardened the init.d script, thanks to Paul Szabo
+
+ -- Markus Koschany <apo at debian.org>  Mon, 07 Nov 2016 13:46:30 +0100
+
 tomcat6 (6.0.45+dfsg-1~deb7u2) wheezy-security; urgency=high
 
   * Team upload.
diff --git a/debian/patches/CVE-2016-0762.patch b/debian/patches/CVE-2016-0762.patch
new file mode 100644
index 0000000..1bd0052
--- /dev/null
+++ b/debian/patches/CVE-2016-0762.patch
@@ -0,0 +1,85 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 7 Nov 2016 13:38:38 +0100
+Subject: CVE-2016-0762
+
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1758506
+---
+ java/org/apache/catalina/realm/MemoryRealm.java | 30 +++++++++++++++----------
+ java/org/apache/catalina/realm/RealmBase.java   | 14 +++++++-----
+ 2 files changed, 27 insertions(+), 17 deletions(-)
+
+diff --git a/java/org/apache/catalina/realm/MemoryRealm.java b/java/org/apache/catalina/realm/MemoryRealm.java
+index 56bc970..8e6bf68 100644
+--- a/java/org/apache/catalina/realm/MemoryRealm.java
++++ b/java/org/apache/catalina/realm/MemoryRealm.java
+@@ -142,23 +142,29 @@ public class MemoryRealm  extends RealmBase {
+      * @param credentials Password or other credentials to use in
+      *  authenticating this username
+      */
++    @Override
+     public Principal authenticate(String username, String credentials) {
+ 
+-        GenericPrincipal principal =
+-            (GenericPrincipal) principals.get(username);
++        // No user or no credentials
++        // Can't possibly authenticate, don't bother the database then
++        if (username == null || credentials == null) {
++            return null;
++        }
++        
++        GenericPrincipal principal = principals.get(username);
+ 
+         boolean validated = false;
+-        if (principal != null && credentials != null) {
+-            if (hasMessageDigest()) {
+-                // Hex hashes should be compared case-insensitive
+-                validated = (digest(credentials)
+-                             .equalsIgnoreCase(principal.getPassword()));
+-            } else {
+-                validated =
+-                    (digest(credentials).equals(principal.getPassword()));
+-            }
++        String dbCredentials = null;
++        if (principal != null) {
++            dbCredentials = principal.getPassword();
+         }
+-
++        if (hasMessageDigest()) {
++            // Hex hashes should be compared case-insensitive
++            validated = (digest(credentials).equalsIgnoreCase(dbCredentials));
++        } else {
++            validated = (digest(credentials).equals(dbCredentials));
++        }
++    
+         if (validated) {
+             if (log.isDebugEnabled())
+                 log.debug(sm.getString("memoryRealm.authenticateSuccess", username));
+diff --git a/java/org/apache/catalina/realm/RealmBase.java b/java/org/apache/catalina/realm/RealmBase.java
+index 4f7c27f..cd62bf4 100644
+--- a/java/org/apache/catalina/realm/RealmBase.java
++++ b/java/org/apache/catalina/realm/RealmBase.java
+@@ -336,15 +336,19 @@ public abstract class RealmBase
+      */
+     public Principal authenticate(String username, String credentials) {
+ 
++        // No user or no credentials
++        // Can't possibly authenticate, don't bother the database then
++        if (username == null || credentials == null) {
++            return null;
++        }
++
+         String serverCredentials = getPassword(username);
+ 
+         boolean validated ;
+-        if ( serverCredentials == null ) {
+-            validated = false;
+-        } else if(hasMessageDigest()) {
+-            validated = serverCredentials.equalsIgnoreCase(digest(credentials));
++        if(hasMessageDigest()) {
++            validated = digest(credentials).equalsIgnoreCase(serverCredentials);
+         } else {
+-            validated = serverCredentials.equals(credentials);
++            validated = credentials.equals(serverCredentials);
+         }
+         if(! validated ) {
+             if (containerLog.isTraceEnabled()) {
diff --git a/debian/patches/CVE-2016-5018.patch b/debian/patches/CVE-2016-5018.patch
new file mode 100644
index 0000000..5d5d709
--- /dev/null
+++ b/debian/patches/CVE-2016-5018.patch
@@ -0,0 +1,88 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 7 Nov 2016 13:31:22 +0100
+Subject: CVE-2016-5018
+
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1754904
+---
+ .../apache/jasper/runtime/JspRuntimeLibrary.java   | 54 +---------------------
+ 1 file changed, 1 insertion(+), 53 deletions(-)
+
+diff --git a/java/org/apache/jasper/runtime/JspRuntimeLibrary.java b/java/org/apache/jasper/runtime/JspRuntimeLibrary.java
+index 02d21dd..bdc769f 100644
+--- a/java/org/apache/jasper/runtime/JspRuntimeLibrary.java
++++ b/java/org/apache/jasper/runtime/JspRuntimeLibrary.java
+@@ -14,7 +14,6 @@
+  * See the License for the specific language governing permissions and
+  * limitations under the License.
+  */
+-
+ package org.apache.jasper.runtime;
+ 
+ import java.beans.PropertyEditor;
+@@ -60,35 +59,6 @@ public class JspRuntimeLibrary {
+     private static final String JSP_EXCEPTION
+ 	= "javax.servlet.jsp.jspException";
+ 
+-    protected static class PrivilegedIntrospectHelper
+-	implements PrivilegedExceptionAction {
+-
+-	private Object bean;
+-	private String prop;
+-	private String value;
+-	private ServletRequest request;
+-	private String param;
+-	private boolean ignoreMethodNF;
+-
+-        PrivilegedIntrospectHelper(Object bean, String prop,
+-                                   String value, ServletRequest request,
+-                                   String param, boolean ignoreMethodNF)
+-        {
+-	    this.bean = bean;
+-	    this.prop = prop;
+-	    this.value = value;
+-            this.request = request;
+-	    this.param = param;
+-	    this.ignoreMethodNF = ignoreMethodNF;
+-        }
+-         
+-        public Object run() throws JasperException {
+-	    internalIntrospecthelper(
+-                bean,prop,value,request,param,ignoreMethodNF);
+-            return null;
+-        }
+-    }
+-
+     /**
+      * Returns the value of the javax.servlet.error.exception request
+      * attribute value, if present, otherwise the value of the
+@@ -292,29 +262,7 @@ public class JspRuntimeLibrary {
+     public static void introspecthelper(Object bean, String prop,
+                                         String value, ServletRequest request,
+                                         String param, boolean ignoreMethodNF)
+-                                        throws JasperException
+-    {
+-        if( Constants.IS_SECURITY_ENABLED ) {
+-            try {
+-                PrivilegedIntrospectHelper dp =
+-		    new PrivilegedIntrospectHelper(
+-			bean,prop,value,request,param,ignoreMethodNF);
+-                AccessController.doPrivileged(dp);
+-            } catch( PrivilegedActionException pe) {
+-                Exception e = pe.getException();
+-                throw (JasperException)e;
+-            }
+-        } else {
+-            internalIntrospecthelper(
+-		bean,prop,value,request,param,ignoreMethodNF);
+-        }
+-    }
+-
+-    private static void internalIntrospecthelper(Object bean, String prop,
+-					String value, ServletRequest request,
+-					String param, boolean ignoreMethodNF) 
+-					throws JasperException
+-    {
++                                        throws JasperException {
+         Method method = null;
+         Class type = null;
+         Class propertyEditorClass = null;
diff --git a/debian/patches/CVE-2016-6794.patch b/debian/patches/CVE-2016-6794.patch
new file mode 100644
index 0000000..5ad88e7
--- /dev/null
+++ b/debian/patches/CVE-2016-6794.patch
@@ -0,0 +1,141 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 7 Nov 2016 12:36:03 +0100
+Subject: CVE-2016-6794
+
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1754733
+---
+ .../apache/catalina/loader/WebappClassLoader.java  | 27 ++++++++++++--
+ java/org/apache/tomcat/util/digester/Digester.java | 10 +++++
+ .../tomcat/util/security/PermissionCheck.java      | 43 ++++++++++++++++++++++
+ 3 files changed, 76 insertions(+), 4 deletions(-)
+ create mode 100644 java/org/apache/tomcat/util/security/PermissionCheck.java
+
+diff --git a/java/org/apache/catalina/loader/WebappClassLoader.java b/java/org/apache/catalina/loader/WebappClassLoader.java
+index 528d906..dab7299 100644
+--- a/java/org/apache/catalina/loader/WebappClassLoader.java
++++ b/java/org/apache/catalina/loader/WebappClassLoader.java
+@@ -74,6 +74,7 @@ import org.apache.naming.resources.ProxyDirContext;
+ import org.apache.naming.resources.Resource;
+ import org.apache.naming.resources.ResourceAttributes;
+ import org.apache.tomcat.util.IntrospectionUtils;
++import org.apache.tomcat.util.security.PermissionCheck;
+ 
+ /**
+  * Specialized web application class loader.
+@@ -112,10 +113,8 @@ import org.apache.tomcat.util.IntrospectionUtils;
+  * @author Craig R. McClanahan
+  *
+  */
+-public class WebappClassLoader
+-    extends URLClassLoader
+-    implements Reloader, Lifecycle
+- {
++public class WebappClassLoader extends URLClassLoader
++    implements Reloader, Lifecycle, PermissionCheck {
+ 
+     protected static org.apache.juli.logging.Log log=
+         org.apache.juli.logging.LogFactory.getLog( WebappClassLoader.class );
+@@ -1711,6 +1710,26 @@ public class WebappClassLoader
+ 
+     }
+ 
++    public boolean check(Permission permission) {
++        if (!Globals.IS_SECURITY_ENABLED) {
++            return true;
++        }
++        Policy currentPolicy = Policy.getPolicy();
++        if (currentPolicy != null) {
++            ResourceEntry entry = findResourceInternal("/", "/");
++            if (entry != null) {
++                CodeSource cs = new CodeSource(
++                        entry.codeBase, (java.security.cert.Certificate[]) null);
++                PermissionCollection pc = currentPolicy.getPermissions(cs);
++                if (pc.implies(permission)) {
++                    return true;
++                }
++            }
++        }
++        return false;
++
++    }
++
+ 
+     /**
+      * Returns the search path of URLs for loading classes and resources.
+diff --git a/java/org/apache/tomcat/util/digester/Digester.java b/java/org/apache/tomcat/util/digester/Digester.java
+index ffae93f..afa8f6a 100644
+--- a/java/org/apache/tomcat/util/digester/Digester.java
++++ b/java/org/apache/tomcat/util/digester/Digester.java
+@@ -52,6 +52,9 @@ import org.xml.sax.SAXParseException;
+ import org.xml.sax.XMLReader;
+ import org.xml.sax.ext.DefaultHandler2;
+ import org.xml.sax.helpers.AttributesImpl;
++import java.security.Permission;
++import java.util.PropertyPermission;
++import org.apache.tomcat.util.security.PermissionCheck;
+ 
+ 
+ /**
+@@ -80,6 +83,13 @@ public class Digester extends DefaultHandler2 {
+     private static class SystemPropertySource
+         implements IntrospectionUtils.PropertySource {
+         public String getProperty( String key ) {
++            ClassLoader cl = Thread.currentThread().getContextClassLoader();
++            if (cl instanceof PermissionCheck) {
++                Permission p = new PropertyPermission(key, "read");
++                if (!((PermissionCheck) cl).check(p)) {
++                    return null;
++                }
++            }
+             return System.getProperty(key);
+         }
+     }
+diff --git a/java/org/apache/tomcat/util/security/PermissionCheck.java b/java/org/apache/tomcat/util/security/PermissionCheck.java
+new file mode 100644
+index 0000000..ba2bdd3
+--- /dev/null
++++ b/java/org/apache/tomcat/util/security/PermissionCheck.java
+@@ -0,0 +1,43 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements.  See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License.  You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.tomcat.util.security;
++
++import java.security.Permission;
++
++/**
++ * This interface is implemented by components to enable privileged code to
++ * check whether the component has a given permission.
++ * This is typically used when a privileged component (e.g. the container) is
++ * performing an action on behalf of an untrusted component (e.g. a web
++ * application) without the current thread having passed through a code source
++ * provided by the untrusted component. Because the current thread has not
++ * passed through a code source provided by the untrusted component the
++ * SecurityManager assumes the code is trusted so the standard checking
++ * mechanisms can't be used.
++ */
++public interface PermissionCheck {
++
++    /**
++     * Does this component have the given permission?
++     *
++     * @param permission The permission to test
++     *
++     * @return {@code false} if a SecurityManager is enabled and the component
++     *         does not have the given permission, otherwise {@code false}
++     */
++    boolean check(Permission permission);
++}
diff --git a/debian/patches/CVE-2016-6796.patch b/debian/patches/CVE-2016-6796.patch
new file mode 100644
index 0000000..1c0668a
--- /dev/null
+++ b/debian/patches/CVE-2016-6796.patch
@@ -0,0 +1,78 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 7 Nov 2016 12:54:08 +0100
+Subject: CVE-2016-6796
+
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1758496
+---
+ conf/web.xml                                             | 4 ++++
+ java/org/apache/jasper/EmbeddedServletOptions.java       | 4 ++++
+ java/org/apache/jasper/resources/LocalStrings.properties | 1 +
+ java/org/apache/jasper/servlet/JspServlet.java           | 6 ++++++
+ 4 files changed, 15 insertions(+)
+
+diff --git a/conf/web.xml b/conf/web.xml
+index 2e8815e..7062250 100644
+--- a/conf/web.xml
++++ b/conf/web.xml
+@@ -189,6 +189,8 @@
+   <!--   engineOptionsClass  Allows specifying the Options class used to    -->
+   <!--                       configure Jasper. If not present, the default  -->
+   <!--                       EmbeddedServletOptions will be used.           -->
++  <!--                       This option is ignored when running under a    -->
++  <!--                       SecurityManager.                               -->
+   <!--                                                                      -->
+   <!--   errorOnUseBeanInvalidClassAttribute                                -->
+   <!--                       Should Jasper issue an error when the value of -->
+@@ -238,6 +240,8 @@
+   <!--   scratchdir          What scratch directory should we use when      -->
+   <!--                       compiling JSP pages?  [default work directory  -->
+   <!--                       for the current web application]               -->
++  <!--                       This option is ignored when running under a    -->
++  <!--                       SecurityManager.                               -->
+   <!--                                                                      -->
+   <!--   suppressSmap        Should the generation of SMAP info for JSR45   -->
+   <!--                       debugging be suppressed?  [false]              -->
+diff --git a/java/org/apache/jasper/EmbeddedServletOptions.java b/java/org/apache/jasper/EmbeddedServletOptions.java
+index 3399a32..fa3d5f2 100644
+--- a/java/org/apache/jasper/EmbeddedServletOptions.java
++++ b/java/org/apache/jasper/EmbeddedServletOptions.java
+@@ -586,6 +586,10 @@ public final class EmbeddedServletOptions implements Options {
+          * scratchdir
+          */
+         String dir = config.getInitParameter("scratchdir");
++        if (dir != null && Constants.IS_SECURITY_ENABLED) {
++            log.info(Localizer.getMessage("jsp.info.ignoreSetting", "scratchdir", dir));
++            dir = null;
++        }
+         if (dir != null) {
+             scratchDir = new File(dir);
+         } else {
+diff --git a/java/org/apache/jasper/resources/LocalStrings.properties b/java/org/apache/jasper/resources/LocalStrings.properties
+index 03532ea..edb02c9 100644
+--- a/java/org/apache/jasper/resources/LocalStrings.properties
++++ b/java/org/apache/jasper/resources/LocalStrings.properties
+@@ -448,6 +448,7 @@ jsp.error.nested_jsproot=Nested <jsp:root>
+ jsp.error.unbalanced.endtag=The end tag \"</{0}\" is unbalanced
+ jsp.error.invalid.bean=The value for the useBean class attribute {0} is invalid.
+ jsp.error.prefix.use_before_dcl=The prefix {0} specified in this tag directive has been previously used by an action in file {1} line {2}.
++jsp.info.ignoreSetting=Ignored setting for [{0}] of [{1}] because a SecurityManager was enabled
+ 
+ jsp.exception=An exception occurred processing JSP page {0} at line {1}
+ 
+diff --git a/java/org/apache/jasper/servlet/JspServlet.java b/java/org/apache/jasper/servlet/JspServlet.java
+index 76ea446..6830093 100644
+--- a/java/org/apache/jasper/servlet/JspServlet.java
++++ b/java/org/apache/jasper/servlet/JspServlet.java
+@@ -79,6 +79,12 @@ public class JspServlet extends HttpServlet implements PeriodicEventListener {
+         // Check for a custom Options implementation
+         String engineOptionsName = 
+             config.getInitParameter("engineOptionsClass");
++        if (Constants.IS_SECURITY_ENABLED && engineOptionsName != null) {
++            log.info(Localizer.getMessage(
++                "jsp.info.ignoreSetting", "engineOptionsClass", engineOptionsName));
++            engineOptionsName = null;
++        }
++
+         if (engineOptionsName != null) {
+             // Instantiate the indicated Options implementation
+             try {
diff --git a/debian/patches/CVE-2016-6797.patch b/debian/patches/CVE-2016-6797.patch
new file mode 100644
index 0000000..9f42f47
--- /dev/null
+++ b/debian/patches/CVE-2016-6797.patch
@@ -0,0 +1,211 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 7 Nov 2016 13:20:10 +0100
+Subject: CVE-2016-6797
+
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1757285
+---
+ .../catalina/core/NamingContextListener.java       | 78 ++++++++++++++--------
+ .../apache/naming/factory/ResourceLinkFactory.java | 60 +++++++++++++++++
+ 2 files changed, 112 insertions(+), 26 deletions(-)
+
+diff --git a/java/org/apache/catalina/core/NamingContextListener.java b/java/org/apache/catalina/core/NamingContextListener.java
+index 2b8256a..cfd612f 100644
+--- a/java/org/apache/catalina/core/NamingContextListener.java
++++ b/java/org/apache/catalina/core/NamingContextListener.java
+@@ -71,6 +71,7 @@ import org.apache.naming.ResourceRef;
+ import org.apache.naming.ServiceRef;
+ import org.apache.naming.TransactionRef;
+ import org.apache.tomcat.util.modeler.Registry;
++import org.apache.naming.factory.ResourceLinkFactory;
+ 
+ 
+ /**
+@@ -280,37 +281,48 @@ public class NamingContextListener
+             if (!initialized)
+                 return;
+ 
+-            // Setting the context in read/write mode
+-            ContextAccessController.setWritable(getName(), container);
+-            ContextBindings.unbindContext(container, container);
++            try {
++                // Setting the context in read/write mode
++                ContextAccessController.setWritable(getName(), container);
++                ContextBindings.unbindContext(container, container);
++
++                if (container instanceof Context) {
++                    ContextBindings.unbindClassLoader
++                         (container, container,
++                          ((Container) container).getLoader().getClassLoader());
++                }
+ 
+-            if (container instanceof Context) {
+-                ContextBindings.unbindClassLoader
+-                    (container, container, 
+-                     ((Container) container).getLoader().getClassLoader());
+-            }
++                if (container instanceof Server) {
++                    namingResources.removePropertyChangeListener(this);
++                    ContextBindings.unbindClassLoader
++                        (container, container,
++                         this.getClass().getClassLoader());
++                }
+ 
+-            if (container instanceof Server) {
+-                namingResources.removePropertyChangeListener(this);
+-                ContextBindings.unbindClassLoader
+-                    (container, container, 
+-                     this.getClass().getClassLoader());
+-            }
++                ContextAccessController.unsetSecurityToken(getName(), container);
++                ContextAccessController.unsetSecurityToken(container, container);
+ 
+-            ContextAccessController.unsetSecurityToken(getName(), container);
+-            ContextAccessController.unsetSecurityToken(container, container);
++                // unregister mbeans.
++                if (!objectNames.isEmpty()) {
++                    Collection<ObjectName> names = objectNames.values();
++                    Registry registry = Registry.getRegistry(null, null);
++                    for (ObjectName objectName : names) {
++                        registry.unregisterComponent(objectName);
++                    }
++                }
+ 
+-            // unregister mbeans.
+-            Collection<ObjectName> names = objectNames.values();
+-            for (ObjectName objectName : names) {
+-                Registry.getRegistry(null, null).unregisterComponent(objectName);
+-            }
+-            objectNames.clear();
++                javax.naming.Context global = getGlobalNamingContext();
++                if (global != null) {
++                    ResourceLinkFactory.deregisterGlobalResourceAccess(global);
++                }
++            } finally {
++                objectNames.clear();
+ 
+-            namingContext = null;
+-            envCtx = null;
+-            compCtx = null;
+-            initialized = false;
++                namingContext = null;
++                envCtx = null;
++                compCtx = null;
++                initialized = false;
++            }
+ 
+         }
+ 
+@@ -1096,6 +1108,20 @@ public class NamingContextListener
+             logger.error(sm.getString("naming.bindFailed", e));
+         }
+ 
++        ResourceLinkFactory.registerGlobalResourceAccess(
++                getGlobalNamingContext(), resourceLink.getName(), resourceLink.getGlobal());
++    }
++
++    private javax.naming.Context getGlobalNamingContext() {
++         if (container instanceof Context) {
++              Engine e = (Engine) ((Context) container).getParent().getParent();
++              Server s = e.getService().getServer();
++              if (s instanceof StandardServer) {
++                  return ((StandardServer) s).getGlobalNamingContext();
++              }
++        }
++        return null;
++
+     }
+ 
+ 
+diff --git a/java/org/apache/naming/factory/ResourceLinkFactory.java b/java/org/apache/naming/factory/ResourceLinkFactory.java
+index 6df82dd..56b1423 100644
+--- a/java/org/apache/naming/factory/ResourceLinkFactory.java
++++ b/java/org/apache/naming/factory/ResourceLinkFactory.java
+@@ -18,7 +18,10 @@
+ 
+ package org.apache.naming.factory;
+ 
++import java.util.HashMap;
+ import java.util.Hashtable;
++import java.util.Map;
++import java.util.concurrent.ConcurrentHashMap;
+ 
+ import javax.naming.Context;
+ import javax.naming.Name;
+@@ -52,6 +55,8 @@ public class ResourceLinkFactory
+      */
+     private static Context globalContext = null;
+ 
++    private static Map<ClassLoader,Map<String,String>> globalResourceRegistrations =
++            new ConcurrentHashMap<ClassLoader,Map<String,String>>();
+ 
+     // --------------------------------------------------------- Public Methods
+ 
+@@ -71,6 +76,56 @@ public class ResourceLinkFactory
+     }
+ 
+ 
++    public static void registerGlobalResourceAccess(Context globalContext, String localName,
++            String globalName) {
++        validateGlobalContext(globalContext);
++        ClassLoader cl = Thread.currentThread().getContextClassLoader();
++        Map<String,String> registrations = globalResourceRegistrations.get(cl);
++        if (registrations == null) {
++            // Web application initialization is single threaded so this is
++            // safe.
++            registrations = new HashMap<String,String>();
++            globalResourceRegistrations.put(cl, registrations);
++        }
++        registrations.put(localName, globalName);
++    }
++
++
++    public static void deregisterGlobalResourceAccess(Context globalContext, String localName) {
++        validateGlobalContext(globalContext);
++        ClassLoader cl = Thread.currentThread().getContextClassLoader();
++        Map<String,String> registrations = globalResourceRegistrations.get(cl);
++        if (registrations != null) {
++            registrations.remove(localName);
++        }
++    }
++
++
++    public static void deregisterGlobalResourceAccess(Context globalContext) {
++        validateGlobalContext(globalContext);
++        ClassLoader cl = Thread.currentThread().getContextClassLoader();
++        globalResourceRegistrations.remove(cl);
++    }
++
++
++    private static void validateGlobalContext(Context globalContext) {
++        if (ResourceLinkFactory.globalContext != null &&
++                ResourceLinkFactory.globalContext != globalContext) {
++            throw new SecurityException("Caller provided invalid global context");
++        }
++    }
++
++
++    private static boolean validateGlobalResourceAccess(String globalName) {
++        ClassLoader cl = Thread.currentThread().getContextClassLoader();
++        Map<String,String> registrations = globalResourceRegistrations.get(cl);
++        if (registrations != null && registrations.containsValue(globalName)) {
++            return true;
++        }
++        return false;
++    }
++
++
+     // -------------------------------------------------- ObjectFactory Methods
+ 
+ 
+@@ -96,6 +151,11 @@ public class ResourceLinkFactory
+         RefAddr refAddr = ref.get(ResourceLinkRef.GLOBALNAME);
+         if (refAddr != null) {
+             globalName = refAddr.getContent().toString();
++            // Confirm that the current web application is currently configured
++            // to access the specified global resource
++            if (!validateGlobalResourceAccess(globalName)) {
++                return null;
++            }
+             Object result = null;
+             result = globalContext.lookup(globalName);
+             // FIXME: Check type
diff --git a/debian/patches/series b/debian/patches/series
index f4fb4ad..5aa3fc5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,8 @@
 0007-add-OSGi-headers-to-servlet-api.patch
 0008-add-OSGI-headers-to-jsp-api.patch
 0010-Use-java.security.policy-file-in-catalina.sh.patch
+CVE-2016-0762.patch
+CVE-2016-6794.patch
+CVE-2016-6797.patch
+CVE-2016-5018.patch
+CVE-2016-6796.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat6.git



More information about the pkg-java-commits mailing list