[tomcat7] 05/05: Fixed CVE-2016-0762: Timing Attack

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Sun Oct 30 21:03:54 UTC 2016 

This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch jessie
in repository tomcat7.

commit 888ac66e0d8e84ecea08d14675226e5f9db07bd0
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Sun Oct 30 21:59:58 2016 +0100

    Fixed CVE-2016-0762: Timing Attack
---
 debian/changelog                   |  3 +++
 debian/patches/CVE-2016-0762.patch | 28 ++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 3 files changed, 32 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 2527535..b6e9301 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,8 @@
 tomcat7 (7.0.56-3+deb8u5) jessie-security; urgency=high
 
+  * Fixed CVE-2016-0762: The Realm implementations did not process the supplied
+    password if the supplied user name did not exist. This made a timing attack
+    possible to determine valid user names.
   * Fixed CVE-2016-5018: A malicious web application was able to bypass
     a configured SecurityManager via a Tomcat utility method that was
     accessible to web applications.
diff --git a/debian/patches/CVE-2016-0762.patch b/debian/patches/CVE-2016-0762.patch
new file mode 100644
index 0000000..5222e26
--- /dev/null
+++ b/debian/patches/CVE-2016-0762.patch
@@ -0,0 +1,28 @@
+Description: Fixes CVE-2016-0762: The Realm implementations did not process
+ the supplied password if the supplied user name did not exist. This made
+ a timing attack possible to determine valid user names.
+Origin: backport, https://svn.apache.org/r1758502
+--- a/java/org/apache/catalina/realm/MemoryRealm.java
++++ b/java/org/apache/catalina/realm/MemoryRealm.java
+@@ -142,6 +142,9 @@
+ 
+         boolean validated;
+         if (principal == null) {
++            // User was not found in the database
++            // Waste a bit of time as not to reveal that the user does not exist.
++            compareCredentials(credentials, getClass().getName());
+             validated = false;
+         } else {
+             validated = compareCredentials(credentials, principal.getPassword());
+--- a/java/org/apache/catalina/realm/RealmBase.java
++++ b/java/org/apache/catalina/realm/RealmBase.java
+@@ -523,6 +523,9 @@
+             String serverCredentials) {
+ 
+         if (serverCredentials == null) {
++            // User was not found
++            // Waste a bit of time as not to reveal that the user does not exist.
++            compareCredentials(userCredentials, getClass().getName());
+             return false;
+         }
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 47e1378..52f7d70 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -25,6 +25,7 @@ CVE-2015-5345.patch
 CVE-2015-5351.patch
 CVE-2016-0706.patch
 CVE-2016-0714.patch
+CVE-2016-0762.patch
 CVE-2016-0763.patch
 CVE-2016-3092.patch
 CVE-2016-5018.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git

More information about the pkg-java-commits mailing list