[tomcat8] 07/08: Fixed CVE-2016-6796: Security Manager Bypass

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Sat Nov 12 01:15:33 UTC 2016


This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch jessie
in repository tomcat8.

commit c030a7c698d998eac33d2cf75b71d5b808facf75
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Sat Nov 12 01:56:52 2016 +0100

    Fixed CVE-2016-6796: Security Manager Bypass
---
 debian/changelog                   |  3 ++
 debian/patches/CVE-2016-6796.patch | 81 ++++++++++++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 3 files changed, 85 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 538452b..516e5cd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,9 @@ tomcat8 (8.0.14-1+deb8u4) UNRELEASED; urgency=medium
     the SecurityManager. Tomcat's system property replacement feature for
     configuration files could be used by a malicious web application to bypass
     the SecurityManager and read system properties that should not be visible.
+  * Fixed CVE-2016-6796: A malicious web application was able to bypass
+    a configured SecurityManager via manipulation of the configuration
+    parameters for the JSP Servlet.
   * Fixed CVE-2016-6797: The ResourceLinkFactory did not limit web application
     access to global JNDI resources to those resources explicitly linked to the
     web application. Therefore, it was possible for a web application to access
diff --git a/debian/patches/CVE-2016-6796.patch b/debian/patches/CVE-2016-6796.patch
new file mode 100644
index 0000000..f7ad442
--- /dev/null
+++ b/debian/patches/CVE-2016-6796.patch
@@ -0,0 +1,81 @@
+Description: Fixes CVE-2016-6796: A malicious web application was able to bypass
+ a configured SecurityManager via manipulation of the configuration parameters
+ for the JSP Servlet.
+Origin: backport, https://svn.apache.org/r1758494
+--- a/conf/web.xml
++++ b/conf/web.xml
+@@ -162,6 +162,8 @@
+   <!--   engineOptionsClass  Allows specifying the Options class used to    -->
+   <!--                       configure Jasper. If not present, the default  -->
+   <!--                       EmbeddedServletOptions will be used.           -->
++  <!--                       This option is ignored when running under a    -->
++  <!--                       SecurityManager.                               -->
+   <!--                                                                      -->
+   <!--   errorOnUseBeanInvalidClassAttribute                                -->
+   <!--                       Should Jasper issue an error when the value of -->
+@@ -223,6 +225,8 @@
+   <!--   scratchdir          What scratch directory should we use when      -->
+   <!--                       compiling JSP pages?  [default work directory  -->
+   <!--                       for the current web application]               -->
++  <!--                       This option is ignored when running under a    -->
++  <!--                       SecurityManager.                               -->
+   <!--                                                                      -->
+   <!--   suppressSmap        Should the generation of SMAP info for JSR45   -->
+   <!--                       debugging be suppressed?  [false]              -->
+--- a/java/org/apache/jasper/EmbeddedServletOptions.java
++++ b/java/org/apache/jasper/EmbeddedServletOptions.java
+@@ -635,6 +635,10 @@
+          * scratchdir
+          */
+         String dir = config.getInitParameter("scratchdir");
++        if (dir != null && Constants.IS_SECURITY_ENABLED) {
++            log.info(Localizer.getMessage("jsp.info.ignoreSetting", "scratchdir", dir));
++            dir = null;
++        }
+         if (dir != null) {
+             scratchDir = new File(dir);
+         } else {
+--- a/java/org/apache/jasper/resources/LocalStrings.properties
++++ b/java/org/apache/jasper/resources/LocalStrings.properties
+@@ -351,6 +351,7 @@
+ jsp.error.invalid.bean=The value for the useBean class attribute {0} is invalid.
+ jsp.error.prefix.use_before_dcl=The prefix {0} specified in this tag directive has been previously used by an action in file {1} line {2}.
+ jsp.error.lastModified=Unable to determine last modified date for file [{0}]
++jsp.info.ignoreSetting=Ignored setting for [{0}] of [{1}] because a SecurityManager was enabled
+ 
+ jsp.exception=An exception occurred processing JSP page {0} at line {1}
+ 
+--- a/java/org/apache/jasper/servlet/JspServlet.java
++++ b/java/org/apache/jasper/servlet/JspServlet.java
+@@ -90,6 +90,11 @@
+         // Check for a custom Options implementation
+         String engineOptionsName =
+             config.getInitParameter("engineOptionsClass");
++        if (Constants.IS_SECURITY_ENABLED && engineOptionsName != null) {
++            log.info(Localizer.getMessage(
++                    "jsp.info.ignoreSetting", "engineOptionsClass", engineOptionsName));
++            engineOptionsName = null;
++        }
+         if (engineOptionsName != null) {
+             // Instantiate the indicated Options implementation
+             try {
+--- a/webapps/docs/jasper-howto.xml
++++ b/webapps/docs/jasper-howto.xml
+@@ -132,7 +132,7 @@
+ 
+ <li><strong>engineOptionsClass</strong> - Allows specifying the Options class
+ used to configure Jasper. If not present, the default EmbeddedServletOptions
+-will be used.
++will be used. This option is ignored if running under a SecurityManager.
+ </li>
+ 
+ <li><strong>errorOnUseBeanInvalidClassAttribute</strong> - Should Jasper issue
+@@ -185,7 +185,7 @@
+ 
+ <li><strong>scratchdir</strong> - What scratch directory should we use when
+ compiling JSP pages? Default is the work directory for the current web
+-application.</li>
++application. This option is ignored if running under a SecurityManager.</li>
+ 
+ <li><strong>suppressSmap</strong> - Should the generation of SMAP info for JSR45
+ debugging be suppressed? <code>true</code> or <code>false</code>, default
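Review bot: the two guards in the JspServlet.java and EmbeddedServletOptions.java regions of this backport test the same condition in opposite order (`Constants.IS_SECURITY_ENABLED && engineOptionsName != null` versus `dir != null && Constants.IS_SECURITY_ENABLED`); aligning them would make the intent easier to audit, though both are correct as written. Neither region adds an import line, so please confirm that `org.apache.jasper.Constants` and `Localizer` are already visible in JspServlet.java (EmbeddedServletOptions.java is in the same package as Constants, so it needs none). Both guards log at info level via the new `jsp.info.ignoreSetting` key and include the rejected value, which is useful for operators: that message appearing in the Tomcat log under a SecurityManager means a deployed web application supplied `engineOptionsClass` or `scratchdir` init parameters and is worth investigating. The DEP-3 header carries Description and Origin; a `Bug` or `Forwarded: not-needed` line would complete it, since the fix is already upstream at r1758494.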
diff --git a/debian/patches/series b/debian/patches/series
index a6925fa..790d923 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -23,4 +23,5 @@ CVE-2016-0763.patch
 CVE-2016-3092.patch
 CVE-2016-5018.patch
 CVE-2016-6794.patch
+CVE-2016-6796.patch
 CVE-2016-6797.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git
