[tomcat8] 01/11: Fixed CVE-2016-3092: Denial-of-Service vulnerability with file uploads

[Emmanuel Bourg]

This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch jessie
in repository tomcat8.

commit 60434de15dea7a8e4bb266b5fb0f9320d5f1dc43
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Wed Jun 22 18:17:32 2016 +0200

    Fixed CVE-2016-3092: Denial-of-Service vulnerability with file uploads
---
 debian/changelog                   |  5 +++++
 debian/patches/CVE-2016-3092.patch | 29 +++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 3 files changed, 35 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index b05f5b7..bf5c2df 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,11 @@
 tomcat8 (8.0.14-1+deb8u2) jessie-security; urgency=high
 
   * Team upload.
+
+  [ Emmanuel Bourg ]
+  * Fix CVE-2016-3092: Denial-of-Service vulnerability with file uploads
+
+  [ Markus Koschany ]
   * Fix CVE-2015-5174:
     Directory traversal vulnerability in RequestUtil.java allows remote
     authenticated users to bypass intended SecurityManager restrictions and
diff --git a/debian/patches/CVE-2016-3092.patch b/debian/patches/CVE-2016-3092.patch
new file mode 100644
index 0000000..09f88c1
--- /dev/null
+++ b/debian/patches/CVE-2016-3092.patch
@@ -0,0 +1,29 @@
+Description: Fixes CVE-2016-3092: Denial-of-Service vulnerability
+Origin: backport, https://svn.apache.org/r1743480
+--- a/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
++++ b/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
+@@ -289,11 +289,6 @@
+             throw new IllegalArgumentException("boundary may not be null");
+         }
+ 
+-        this.input = input;
+-        this.bufSize = bufSize;
+-        this.buffer = new byte[bufSize];
+-        this.notifier = pNotifier;
+-
+         // We prepend CR/LF to the boundary to chop trailing CR/LF from
+         // body-data tokens.
+         this.boundaryLength = boundary.length + BOUNDARY_PREFIX.length;
+@@ -301,6 +296,12 @@
+             throw new IllegalArgumentException(
+                     "The buffer size specified for the MultipartStream is too small");
+         }
++
++        this.input = input;
++        this.bufSize = Math.max(bufSize, boundaryLength*2);
++        this.buffer = new byte[this.bufSize];
++        this.notifier = pNotifier;
++
+         this.boundary = new byte[this.boundaryLength];
+         this.keepRegion = this.boundary.length;
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 3b86510..47a5947 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -20,3 +20,4 @@ CVE-2016-0706.patch
 CVE-2016-0763.patch
 CVE-2016-0714.patch
 CVE-2015-5345.patch
+CVE-2016-3092.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git