[tomcat8] 05/08: Fixed CVE-2016-5018: Security Manager Bypass

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Sat Nov 12 01:15:33 UTC 2016 

This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch jessie
in repository tomcat8.

commit 4959553844f7545abd0ecdf708d5787a716b3a3e
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Sat Nov 12 01:40:08 2016 +0100

    Fixed CVE-2016-5018: Security Manager Bypass
---
 debian/changelog                   |   3 ++
 debian/patches/CVE-2016-5018.patch | 102 +++++++++++++++++++++++++++++++++++++
 debian/patches/series              |   1 +
 3 files changed, 106 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 1fbf09c..90c6fef 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,8 @@
 tomcat8 (8.0.14-1+deb8u4) UNRELEASED; urgency=medium
 
+  * Fixed CVE-2016-5018: A malicious web application was able to bypass
+    a configured SecurityManager via a Tomcat utility method that was
+    accessible to web applications.
   * Fixed CVE-2016-6794: When a SecurityManager is configured, a web
     application's ability to read system properties should be controlled by
     the SecurityManager. Tomcat's system property replacement feature for
diff --git a/debian/patches/CVE-2016-5018.patch b/debian/patches/CVE-2016-5018.patch
new file mode 100644
index 0000000..bb39983
--- /dev/null
+++ b/debian/patches/CVE-2016-5018.patch
@@ -0,0 +1,102 @@
+Description: Fixes CVE-2016-5018: A malicious web application was able to bypass
+ a configured SecurityManager via a Tomcat utility method that was accessible to
+ web applications.
+Origin: backport, http://svn.apache.org/r1754901
+diff --git a/java/org/apache/jasper/runtime/JspRuntimeLibrary.java b/java/org/apache/jasper/runtime/JspRuntimeLibrary.java
+index e3b53ca..19d8fa6 100644
+--- a/java/org/apache/jasper/runtime/JspRuntimeLibrary.java
++++ b/java/org/apache/jasper/runtime/JspRuntimeLibrary.java
+@@ -14,7 +14,6 @@
+  * See the License for the specific language governing permissions and
+  * limitations under the License.
+  */
+-
+ package org.apache.jasper.runtime;
+ 
+ import java.beans.PropertyEditor;
+@@ -23,9 +22,6 @@
+ import java.io.IOException;
+ import java.io.OutputStreamWriter;
+ import java.lang.reflect.Method;
+-import java.security.AccessController;
+-import java.security.PrivilegedActionException;
+-import java.security.PrivilegedExceptionAction;
+ import java.util.Enumeration;
+ 
+ import javax.servlet.RequestDispatcher;
+@@ -37,7 +33,6 @@
+ import javax.servlet.jsp.PageContext;
+ import javax.servlet.jsp.tagext.BodyContent;
+ 
+-import org.apache.jasper.Constants;
+ import org.apache.jasper.JasperException;
+ import org.apache.jasper.compiler.Localizer;
+ import org.apache.jasper.util.ExceptionUtils;
+@@ -56,36 +51,6 @@
+  */
+ public class JspRuntimeLibrary {
+ 
+-    protected static class PrivilegedIntrospectHelper
+-        implements PrivilegedExceptionAction<Void> {
+-
+-        private final Object bean;
+-        private final String prop;
+-        private final String value;
+-        private final ServletRequest request;
+-        private final String param;
+-        private final boolean ignoreMethodNF;
+-
+-        PrivilegedIntrospectHelper(Object bean, String prop,
+-                                   String value, ServletRequest request,
+-                                   String param, boolean ignoreMethodNF)
+-        {
+-            this.bean = bean;
+-            this.prop = prop;
+-            this.value = value;
+-            this.request = request;
+-            this.param = param;
+-            this.ignoreMethodNF = ignoreMethodNF;
+-        }
+-
+-        @Override
+-        public Void run() throws JasperException {
+-            internalIntrospecthelper(
+-                bean,prop,value,request,param,ignoreMethodNF);
+-            return null;
+-        }
+-    }
+-
+     /**
+      * Returns the value of the javax.servlet.error.exception request
+      * attribute value, if present, otherwise the value of the
+@@ -292,29 +257,7 @@ public static void introspect(Object bean, ServletRequest request)
+     public static void introspecthelper(Object bean, String prop,
+                                         String value, ServletRequest request,
+                                         String param, boolean ignoreMethodNF)
+-                                        throws JasperException
+-    {
+-        if( Constants.IS_SECURITY_ENABLED ) {
+-            try {
+-                PrivilegedIntrospectHelper dp =
+-                    new PrivilegedIntrospectHelper(
+-                        bean,prop,value,request,param,ignoreMethodNF);
+-                AccessController.doPrivileged(dp);
+-            } catch( PrivilegedActionException pe) {
+-                Exception e = pe.getException();
+-                throw (JasperException)e;
+-            }
+-        } else {
+-            internalIntrospecthelper(
+-                bean,prop,value,request,param,ignoreMethodNF);
+-        }
+-    }
+-
+-    private static void internalIntrospecthelper(Object bean, String prop,
+-                                        String value, ServletRequest request,
+-                                        String param, boolean ignoreMethodNF)
+-                                        throws JasperException
+-    {
++                                        throws JasperException {
+         Method method = null;
+         Class<?> type = null;
+         Class<?> propertyEditorClass = null;
diff --git a/debian/patches/series b/debian/patches/series
index a0d690b..014dab2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -21,4 +21,5 @@ CVE-2016-0706.patch
 CVE-2016-0714.patch
 CVE-2016-0763.patch
 CVE-2016-3092.patch
+CVE-2016-5018.patch
 CVE-2016-6794.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git

More information about the pkg-java-commits mailing list