[tomcat8] 08/08: Fixed CVE-2016-0762: Timing Attack

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Sat Nov 12 01:15:33 UTC 2016 

This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch jessie
in repository tomcat8.

commit d62e614e2dcc4ccdcf956ae1f4757052ac461563
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Sat Nov 12 02:12:00 2016 +0100

    Fixed CVE-2016-0762: Timing Attack
---
 debian/changelog                   |  3 +++
 debian/patches/CVE-2016-0762.patch | 28 ++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 3 files changed, 32 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 516e5cd..c2bef91 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,8 @@
 tomcat8 (8.0.14-1+deb8u4) UNRELEASED; urgency=medium
 
+  * Fixed CVE-2016-0762: The Realm implementations did not process the supplied
+    password if the supplied user name did not exist. This made a timing attack
+    possible to determine valid user names.
   * Fixed CVE-2016-5018: A malicious web application was able to bypass
     a configured SecurityManager via a Tomcat utility method that was
     accessible to web applications.
diff --git a/debian/patches/CVE-2016-0762.patch b/debian/patches/CVE-2016-0762.patch
new file mode 100644
index 0000000..be1ef27
--- /dev/null
+++ b/debian/patches/CVE-2016-0762.patch
@@ -0,0 +1,28 @@
+Description: Fixes CVE-2016-0762: The Realm implementations did not process
+ the supplied password if the supplied user name did not exist. This made
+ a timing attack possible to determine valid user names.
+Origin: backport, https://svn.apache.org/r1758502
+--- a/java/org/apache/catalina/realm/MemoryRealm.java
++++ b/java/org/apache/catalina/realm/MemoryRealm.java
+@@ -115,6 +115,9 @@
+ 
+         boolean validated;
+         if (principal == null) {
++            // User was not found in the database
++            // Waste a bit of time as not to reveal that the user does not exist.
++            compareCredentials(credentials, getClass().getName());
+             validated = false;
+         } else {
+             validated = compareCredentials(credentials, principal.getPassword());
+--- a/java/org/apache/catalina/realm/RealmBase.java
++++ b/java/org/apache/catalina/realm/RealmBase.java
+@@ -500,6 +500,9 @@
+             String serverCredentials) {
+ 
+         if (serverCredentials == null) {
++            // User was not found
++            // Waste a bit of time as not to reveal that the user does not exist.
++            compareCredentials(userCredentials, getClass().getName());
+             return false;
+         }
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 790d923..e68070d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -19,6 +19,7 @@ CVE-2015-5346.patch
 CVE-2015-5351.patch
 CVE-2016-0706.patch
 CVE-2016-0714.patch
+CVE-2016-0762.patch
 CVE-2016-0763.patch
 CVE-2016-3092.patch
 CVE-2016-5018.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git

More information about the pkg-java-commits mailing list