[tomcat7] 01/01: Fixed CVE-2016-8745: Information Disclosure

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Fri Jan 6 10:04:13 UTC 2017


This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to annotated tag debian/7.0.56-3+deb8u7
in repository tomcat7.

commit 26f85f42b07b059b9dc8d7509fddedf0f2827941
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Fri Jan 6 10:58:03 2017 +0100

    Fixed CVE-2016-8745: Information Disclosure
---
 debian/changelog                   | 11 +++++++++++
 debian/patches/CVE-2016-8745.patch | 29 +++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 3 files changed, 41 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index dacd802..86aaa97 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+tomcat7 (7.0.56-3+deb8u7) jessie-security; urgency=high
+
+  * Fixed CVE-2016-8745: A bug in the error handling of the send file code for
+    the NIO HTTP connector resulted in the current Processor object being added
+    to the Processor cache multiple times. This in turn meant that the same
+    Processor could be used for concurrent requests. Sharing a Processor can
+    result in information leakage between requests including, not not limited
+    to, session ID and the response body.
+
+ -- Emmanuel Bourg <ebourg at apache.org>  Thu, 05 Jan 2017 18:15:56 +0100
+
 tomcat7 (7.0.56-3+deb8u6) jessie-security; urgency=high
 
   * Fixed CVE-2016-9774: Potential privilege escalation when the tomcat7
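Review bot: The new changelog entry reads "including, not not limited to, session ID and the response body"; the doubled "not" should be "but not limited to". The same sentence is repeated in the Description header of debian/patches/CVE-2016-8745.patch, so correct it in both places. Since this text is what administrators see in the security upload, it would also help to name the affected configuration the way the patch header does (the NIO HTTP connector with sendfile), which the entry already does, and to keep the two descriptions identical once fixed.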
diff --git a/debian/patches/CVE-2016-8745.patch b/debian/patches/CVE-2016-8745.patch
new file mode 100644
index 0000000..3582c43
--- /dev/null
+++ b/debian/patches/CVE-2016-8745.patch
@@ -0,0 +1,29 @@
+Description: Fixes: CVE-2016-8745: When unable to complete sendfile request,
+ ensure the Processor will be added to the cache only once.
+ This bug in the error handling of the send file code for the NIO HTTP connector
+ resulted in the current Processor object being added to the Processor cache
+ multiple times. This in turn meant that the same Processor could be used for
+ concurrent requests. Sharing a Processor can result in information leakage
+ between requests including, not not limited to, session ID and the response
+ body.
+Origin: backport, https://svn.apache.org/r1777471
+Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=60409
+--- a/java/org/apache/tomcat/util/net/NioEndpoint.java
++++ b/java/org/apache/tomcat/util/net/NioEndpoint.java
+@@ -1396,10 +1396,15 @@
+             }catch ( IOException x ) {
+                 if ( log.isDebugEnabled() ) log.debug("Unable to complete sendfile request:", x);
+                 cancelledKey(sk,SocketStatus.ERROR,false);
++                if (!event) {
++                    cancelledKey(sk,SocketStatus.ERROR,false);
++                }
+                 return false;
+             }catch ( Throwable t ) {
+                 log.error("",t);
+-                cancelledKey(sk, SocketStatus.ERROR, false);
++                if (!event) {
++                    cancelledKey(sk, SocketStatus.ERROR, false);
++                }
+                 return false;
+             }finally {
+                 if (sc!=null) sc.setSendFile(false);
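Review bot: In the `catch ( IOException x )` branch of the embedded NioEndpoint.java hunk, the original unconditional `cancelledKey(sk,SocketStatus.ERROR,false);` is still present as a context line and the guarded call is added after it, so the branch calls cancelledKey once when `event` is true and twice when it is false. That does not match the stated goal of the Description ("ensure the Processor will be added to the cache only once") and differs from the `catch ( Throwable t )` branch just below, where the unconditional call is removed and replaced by the `if (!event)` block. The unconditional line in the IOException branch should be a removal (a `-` line in the inner patch) so that only the guarded call remains, with the inner hunk header updated from `@@ -1396,10 +1396,15 @@` to the matching new line count. Please also compare the result against the upstream revision named in the Origin field before uploading, since this is the code path the CVE is about.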
diff --git a/debian/patches/series b/debian/patches/series
index 26a94e4..9f0ed04 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -37,3 +37,4 @@ CVE-2016-6797.patch
 CVE-2016-6816.patch
 BZ-57377.patch
 CVE-2016-8735.patch
+CVE-2016-8745.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git


