[tomcat8] 07/08: Fixed CVE-2016-6796: Security Manager Bypass
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Sat Nov 12 01:15:33 UTC 2016
ebourg-guest pushed a commit to branch jessie
in repository tomcat8.
commit c030a7c698d998eac33d2cf75b71d5b808facf75
Author: Emmanuel Bourg <ebourg at apache.org>
Date: Sat Nov 12 01:56:52 2016 +0100
Fixed CVE-2016-6796: Security Manager Bypass
---
debian/changelog | 3 ++
debian/patches/CVE-2016-6796.patch | 81 ++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 85 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 538452b..516e5cd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,9 @@ tomcat8 (8.0.14-1+deb8u4) UNRELEASED; urgency=medium
the SecurityManager. Tomcat's system property replacement feature for
configuration files could be used by a malicious web application to bypass
the SecurityManager and read system properties that should not be visible.
+ * Fixed CVE-2016-6796: A malicious web application was able to bypass
+ a configured SecurityManager via manipulation of the configuration
+ parameters for the JSP Servlet.
* Fixed CVE-2016-6797: The ResourceLinkFactory did not limit web application
access to global JNDI resources to those resources explicitly linked to the
web application. Therefore, it was possible for a web application to access
diff --git a/debian/patches/CVE-2016-6796.patch b/debian/patches/CVE-2016-6796.patch
new file mode 100644
index 0000000..f7ad442
--- /dev/null
+++ b/debian/patches/CVE-2016-6796.patch
@@ -0,0 +1,81 @@
+Description: Fixes CVE-2016-6796: A malicious web application was able to bypass
+ a configured SecurityManager via manipulation of the configuration parameters
+ for the JSP Servlet.
+Origin: backport, https://svn.apache.org/r1758494
+--- a/conf/web.xml
++++ b/conf/web.xml
+@@ -162,6 +162,8 @@
+ <!-- engineOptionsClass Allows specifying the Options class used to -->
+ <!-- configure Jasper. If not present, the default -->
+ <!-- EmbeddedServletOptions will be used. -->
++ <!-- This option is ignored when running under a -->
++ <!-- SecurityManager. -->
+ <!-- -->
+ <!-- errorOnUseBeanInvalidClassAttribute -->
+ <!-- Should Jasper issue an error when the value of -->
+@@ -223,6 +225,8 @@
+ <!-- scratchdir What scratch directory should we use when -->
+ <!-- compiling JSP pages? [default work directory -->
+ <!-- for the current web application] -->
++ <!-- This option is ignored when running under a -->
++ <!-- SecurityManager. -->
+ <!-- -->
+ <!-- suppressSmap Should the generation of SMAP info for JSR45 -->
+ <!-- debugging be suppressed? [false] -->
+--- a/java/org/apache/jasper/EmbeddedServletOptions.java
++++ b/java/org/apache/jasper/EmbeddedServletOptions.java
+@@ -635,6 +635,10 @@
+ * scratchdir
+ */
+ String dir = config.getInitParameter("scratchdir");
++ if (dir != null && Constants.IS_SECURITY_ENABLED) {
++ log.info(Localizer.getMessage("jsp.info.ignoreSetting", "scratchdir", dir));
++ dir = null;
++ }
+ if (dir != null) {
+ scratchDir = new File(dir);
+ } else {
+--- a/java/org/apache/jasper/resources/LocalStrings.properties
++++ b/java/org/apache/jasper/resources/LocalStrings.properties
+@@ -351,6 +351,7 @@
+ jsp.error.invalid.bean=The value for the useBean class attribute {0} is invalid.
+ jsp.error.prefix.use_before_dcl=The prefix {0} specified in this tag directive has been previously used by an action in file {1} line {2}.
+ jsp.error.lastModified=Unable to determine last modified date for file [{0}]
++jsp.info.ignoreSetting=Ignored setting for [{0}] of [{1}] because a SecurityManager was enabled
+
+ jsp.exception=An exception occurred processing JSP page {0} at line {1}
+
+--- a/java/org/apache/jasper/servlet/JspServlet.java
++++ b/java/org/apache/jasper/servlet/JspServlet.java
+@@ -90,6 +90,11 @@
+ // Check for a custom Options implementation
+ String engineOptionsName =
+ config.getInitParameter("engineOptionsClass");
++ if (Constants.IS_SECURITY_ENABLED && engineOptionsName != null) {
++ log.info(Localizer.getMessage(
++ "jsp.info.ignoreSetting", "engineOptionsClass", engineOptionsName));
++ engineOptionsName = null;
++ }
+ if (engineOptionsName != null) {
+ // Instantiate the indicated Options implementation
+ try {
+--- a/webapps/docs/jasper-howto.xml
++++ b/webapps/docs/jasper-howto.xml
+@@ -132,7 +132,7 @@
+
+ <li><strong>engineOptionsClass</strong> - Allows specifying the Options class
+ used to configure Jasper. If not present, the default EmbeddedServletOptions
+-will be used.
++will be used. This option is ignored if running under a SecurityManager.
+ </li>
+
+ <li><strong>errorOnUseBeanInvalidClassAttribute</strong> - Should Jasper issue
+@@ -185,7 +185,7 @@
+
+ <li><strong>scratchdir</strong> - What scratch directory should we use when
+ compiling JSP pages? Default is the work directory for the current web
+-application.</li>
++application. This option is ignored if running under a SecurityManager.</li>
+
+ <li><strong>suppressSmap</strong> - Should the generation of SMAP info for JSR45
+ debugging be suppressed? <code>true</code> or <code>false</code>, default
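Review bot: The two new guards test the same pair of conditions in opposite order — `dir != null && Constants.IS_SECURITY_ENABLED` in EmbeddedServletOptions versus `Constants.IS_SECURITY_ENABLED && engineOptionsName != null` in JspServlet; writing the scratchdir check as `if (Constants.IS_SECURITY_ENABLED && dir != null) {` makes both sites read as one policy and puts the constant first. Both branches echo the ignored value into the log via jsp.info.ignoreSetting at info level, and that value comes from the web application's own deployment descriptor, i.e. from the party this check distrusts, so I would confirm the logging layer neutralises line breaks in interpolated arguments or note in the message key's comment that an application-supplied string is being logged. The enclosing constructor in EmbeddedServletOptions and init code in JspServlet both start and end outside the hunk, so the fall-through to the default scratch directory and to EmbeddedServletOptions once the value is nulled is inferred from the surrounding `if (dir != null)` / `if (engineOptionsName != null)` lines rather than visible here.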
diff --git a/debian/patches/series b/debian/patches/series
index a6925fa..790d923 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -23,4 +23,5 @@ CVE-2016-0763.patch
CVE-2016-3092.patch
CVE-2016-5018.patch
CVE-2016-6794.patch
+CVE-2016-6796.patch
CVE-2016-6797.patch