[tomcat8] 01/02: Fixed CVE-2016-1240: Local Root Privilege Escalation

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Thu Sep 15 18:52:10 UTC 2016 

This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch master
in repository tomcat8.

commit ed788f784c8cba28253f5be4453cc0fb6b284cdb
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Wed Sep 14 10:19:59 2016 +0200

    Fixed CVE-2016-1240: Local Root Privilege Escalation
---
 debian/changelog    | 8 +++++++-
 debian/tomcat8.init | 6 ++++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 3e0d79c..151fe54 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,12 @@
-tomcat8 (8.0.36-3) UNRELEASED; urgency=medium
+tomcat8 (8.0.36-3) UNRELEASED; urgency=high
 
   * Team upload.
+  * Fixed CVE-2016-1240: A flaw in the init.d startup script allows local
+    attackers who have gained access to the server in the context of the
+    tomcat user through a vulnerability in a web application to replace
+    the catalina.out file with a symlink to an arbitrary file on the system,
+    potentially leading to a root privilege escalation.
+    Thanks to Dawid Golunski for the report.
   * Removed the default 128M heap limit (LP: #568823)
   * Depend on taglibs-standard instead of jakarta-taglibs-standard
 
diff --git a/debian/tomcat8.init b/debian/tomcat8.init
index a14e191..0cffa37 100644
--- a/debian/tomcat8.init
+++ b/debian/tomcat8.init
@@ -169,8 +169,10 @@ catalina_sh() {
 
 	# Run the catalina.sh script as a daemon
 	set +e
-	touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
-	chown $TOMCAT8_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
+	if [ ! -f "$CATALINA_BASE"/logs/catalina.out ]; then
+		install -o $TOMCAT8_USER -g adm -m 644 /dev/null "$CATALINA_BASE"/logs/catalina.out
+	fi
+	install -o $TOMCAT8_USER -g adm -m 644 /dev/null "$CATALINA_PID"
 	start-stop-daemon --start -b -u "$TOMCAT8_USER" -g "$TOMCAT8_GROUP" \
 		-c "$TOMCAT8_USER" -d "$CATALINA_TMPDIR" -p "$CATALINA_PID" \
 		-x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH"

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git

More information about the pkg-java-commits mailing list