[tomcat7] 01/02: Import Debian patch 7.0.28-4+deb7u9

Markus Koschany apo at moszumanska.debian.org
Tue Jan 10 22:16:06 UTC 2017


This is an automated email from the git hooks/post-receive script.

apo pushed a commit to branch wheezy
in repository tomcat7.

commit bd5f1b19f454fcec850ff7eb1416993b5f1d67df
Author: Markus Koschany <apo at debian.org>
Date:   Tue Jan 10 22:09:47 2017 +0100

    Import Debian patch 7.0.28-4+deb7u9
---
 debian/changelog                   | 15 ++++++
 debian/patches/CVE-2016-6816.patch | 99 +++++++++++++++++++++++++++++++++++++-
 debian/patches/CVE-2016-8745.patch | 39 +++++++++++++++
 debian/patches/series              |  1 +
 4 files changed, 153 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 4ca8873..d5d03a3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+tomcat7 (7.0.28-4+deb7u9) wheezy-security; urgency=high
+
+  * Fix CVE-2016-8745:
+    A bug in the error handling of the send file code for the NIO HTTP
+    connector resulted in the current Processor object being added to the
+    Processor cache multiple times. This in turn meant that the same Processor
+    could be used for concurrent requests. Sharing a Processor can result in
+    information leakage between requests including, not not limited to, session
+    ID and the response body.
+  * Update CVE-2016-6816.patch and backport changes to SecurityClassLoad.java
+    as well. This fixes ClassNotFoundException when running with
+    SecurityManager enabled. (Closes: #849949)
+
+ -- Markus Koschany <apo at debian.org>  Tue, 10 Jan 2017 22:09:47 +0100
+
 tomcat7 (7.0.28-4+deb7u8) wheezy-security; urgency=high
 
   * Non-maintainer upload by the LTS team.
diff --git a/debian/patches/CVE-2016-6816.patch b/debian/patches/CVE-2016-6816.patch
index 5bf6a04..fb89f9b 100644
--- a/debian/patches/CVE-2016-6816.patch
+++ b/debian/patches/CVE-2016-6816.patch
@@ -7,6 +7,7 @@ Backport new HttpParser implementation to Wheezy and fix CVE-2016-6816.
 Origin: http://svn.apache.org/r1767675
 ---
  java/org/apache/catalina/connector/Response.java   |  19 +-
+ .../catalina/security/SecurityClassLoad.java       |  41 +-
  java/org/apache/coyote/Response.java               |  13 +-
  .../apache/coyote/http11/AbstractInputBuffer.java  |  56 +-
  .../coyote/http11/InternalAprInputBuffer.java      |  52 +-
@@ -36,7 +37,7 @@ Origin: http://svn.apache.org/r1767675
  .../tomcat/util/http/parser/TokenMgrError.java     | 148 ----
  .../util/http/parser/TestAuthorizationDigest.java  | 324 ++++++++
  .../tomcat/util/http/parser/TestMediaType.java     | 190 ++---
- 30 files changed, 1323 insertions(+), 2779 deletions(-)
+ 31 files changed, 1340 insertions(+), 2803 deletions(-)
  create mode 100644 java/org/apache/tomcat/util/collections/ConcurrentCache.java
  delete mode 100644 java/org/apache/tomcat/util/http/parser/AstAttribute.java
  delete mode 100644 java/org/apache/tomcat/util/http/parser/AstMediaType.java
@@ -115,6 +116,102 @@ index b4b5b95..72d183e 100644
                  isCharacterEncodingSet = true;
              }
          }
+diff --git a/java/org/apache/catalina/security/SecurityClassLoad.java b/java/org/apache/catalina/security/SecurityClassLoad.java
+index d39d251..ba0dda0 100644
+--- a/java/org/apache/catalina/security/SecurityClassLoad.java
++++ b/java/org/apache/catalina/security/SecurityClassLoad.java
+@@ -25,9 +25,7 @@ package org.apache.catalina.security;
+  *
+  * @author Glenn L. Nielsen
+  * @author Jean-Francois Arcand
+- * @version $Id: SecurityClassLoad.java 1347036 2012-06-06 18:32:43Z markt $
+  */
+-
+ public final class SecurityClassLoad {
+ 
+     public static void securityClassLoad(ClassLoader loader)
+@@ -44,6 +42,7 @@ public final class SecurityClassLoad {
+         loadServletsPackage(loader);
+         loadSessionPackage(loader);
+         loadUtilPackage(loader);
++        loadValvesPackage(loader);
+         loadJavaxPackage(loader);
+         loadConnectorPackage(loader);
+         loadTomcatPackage(loader);
+@@ -55,6 +54,9 @@ public final class SecurityClassLoad {
+         final String basePackage = "org.apache.catalina.core.";
+         loader.loadClass
+             (basePackage +
++             "AccessLogAdapter");
++        loader.loadClass
++            (basePackage +
+              "ApplicationContextFacade$1");
+         loader.loadClass
+             (basePackage +
+@@ -133,8 +135,6 @@ public final class SecurityClassLoad {
+         loader.loadClass
+             (basePackage + "StandardSession");
+         loader.loadClass
+-            (basePackage + "StandardSession$PrivilegedSetTccl");
+-        loader.loadClass
+             (basePackage + "StandardSession$1");
+         loader.loadClass
+             (basePackage + "StandardManager$PrivilegedDoUnload");
+@@ -149,6 +149,13 @@ public final class SecurityClassLoad {
+     }
+ 
+ 
++    private static final void loadValvesPackage(ClassLoader loader)
++            throws Exception {
++            final String basePackage = "org.apache.catalina.valves.";
++            loader.loadClass(basePackage + "AccessLogValve$3");
++        }
++
++
+     private static final void loadCoyotePackage(ClassLoader loader)
+             throws Exception {
+         final String basePackage = "org.apache.coyote.";
+@@ -264,23 +271,10 @@ public final class SecurityClassLoad {
+                 basePackage + "util.http.FastHttpDateFormat");
+         clazz.newInstance();
+         loader.loadClass(basePackage + "util.http.HttpMessages");
+-        loader.loadClass(basePackage + "util.http.parser.AstAttribute");
+-        loader.loadClass(basePackage + "util.http.parser.AstMediaType");
+-        loader.loadClass(basePackage + "util.http.parser.AstParameter");
+-        loader.loadClass(basePackage + "util.http.parser.AstSubType");
+-        loader.loadClass(basePackage + "util.http.parser.AstType");
+-        loader.loadClass(basePackage + "util.http.parser.AstValue");
+         loader.loadClass(basePackage + "util.http.parser.HttpParser");
+-        loader.loadClass(basePackage + "util.http.parser.HttpParserConstants");
+-        loader.loadClass(basePackage + "util.http.parser.HttpParserTokenManager");
+-        loader.loadClass(basePackage + "util.http.parser.HttpParserTreeConstants");
+-        loader.loadClass(basePackage + "util.http.parser.JJTHttpParserState");
+-        loader.loadClass(basePackage + "util.http.parser.Node");
+-        loader.loadClass(basePackage + "util.http.parser.ParseException");
+-        loader.loadClass(basePackage + "util.http.parser.SimpleCharStream");
+-        loader.loadClass(basePackage + "util.http.parser.SimpleNode");
+-        loader.loadClass(basePackage + "util.http.parser.Token");
+-        loader.loadClass(basePackage + "util.http.parser.TokenMgrError");
++        loader.loadClass(basePackage + "util.http.parser.HttpParser$SkipConstantResult");
++        loader.loadClass(basePackage + "util.http.parser.MediaType");
++        loader.loadClass(basePackage + "util.http.parser.MediaTypeCache");
+         // net
+         loader.loadClass(basePackage + "util.net.Constants");
+         loader.loadClass(basePackage +
+@@ -290,10 +284,9 @@ public final class SecurityClassLoad {
+         loader.loadClass(basePackage +
+                 "util.net.NioBlockingSelector$BlockPoller$3");
+         loader.loadClass(basePackage + "util.net.SSLSupport$CipherData");
+-        loader.loadClass
+-            (basePackage + "util.net.JIoEndpoint$PrivilegedSetTccl");
+-        loader.loadClass
+-            (basePackage + "util.net.AprEndpoint$PrivilegedSetTccl");
++        // security
++        loader.loadClass(basePackage + "util.security.PrivilegedGetTccl");
++        loader.loadClass(basePackage + "util.security.PrivilegedSetTccl");
+     }
+ }
+ 
 diff --git a/java/org/apache/coyote/Response.java b/java/org/apache/coyote/Response.java
 index df35070..e9f1a61 100644
 --- a/java/org/apache/coyote/Response.java
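Review bot: The preload entries added in the nested SecurityClassLoad.java diff name classes by hard-coded string, including the compiler-numbered `AccessLogValve$3` in the new `loadValvesPackage` and the new `util.security.PrivilegedGetTccl` / `util.security.PrivilegedSetTccl` entries, and nothing visible in this hunk checks that each name exists in the 7.0.28 build once the backport is applied. A missing or stale name only fails when Tomcat starts with the SecurityManager enabled, which is the ClassNotFoundException the changelog entry for #849949 describes, so the package build should include a start-up run under the SecurityManager. I would also add a comment above the anonymous-class entry, such as `// AccessLogValve$3: compiler-assigned name, re-check whenever AccessLogValve.java is patched`. As a style point, the body of `loadValvesPackage` is indented four spaces deeper than `loadCoyotePackage` directly below it, and its closing brace does not line up with the signature.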
diff --git a/debian/patches/CVE-2016-8745.patch b/debian/patches/CVE-2016-8745.patch
new file mode 100644
index 0000000..448c52a
--- /dev/null
+++ b/debian/patches/CVE-2016-8745.patch
@@ -0,0 +1,39 @@
+From: Markus Koschany <apo at debian.org>
+Date: Tue, 10 Jan 2017 22:05:28 +0100
+Subject: CVE-2016-8745
+
+A bug in the error handling of the send file code for the NIO HTTP
+connector resulted in the current Processor object being added to the
+Processor cache multiple times. This in turn meant that the same
+Processor could be used for concurrent requests. Sharing a Processor can
+result in information leakage between requests including, not not
+limited to, session ID and the response body.
+
+Bug-Upstream: https://bz.apache.org/bugzilla/show_bug.cgi?id=60409
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1777471
+---
+ java/org/apache/tomcat/util/net/NioEndpoint.java | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/java/org/apache/tomcat/util/net/NioEndpoint.java b/java/org/apache/tomcat/util/net/NioEndpoint.java
+index 3c10bf3..a2f7a12 100644
+--- a/java/org/apache/tomcat/util/net/NioEndpoint.java
++++ b/java/org/apache/tomcat/util/net/NioEndpoint.java
+@@ -1369,11 +1369,15 @@ public class NioEndpoint extends AbstractEndpoint {
+                 }
+             }catch ( IOException x ) {
+                 if ( log.isDebugEnabled() ) log.debug("Unable to complete sendfile request:", x);
+-                cancelledKey(sk,SocketStatus.ERROR,false);
++                if (!event) {
++                    cancelledKey(sk,SocketStatus.ERROR,false);
++                }
+                 return false;
+             }catch ( Throwable t ) {
+                 log.error("",t);
+-                cancelledKey(sk, SocketStatus.ERROR, false);
++                if (!event) {
++                    cancelledKey(sk, SocketStatus.ERROR, false);
++                }
+                 return false;
+             }finally {
+                 if (sc!=null) sc.setSendFile(false);
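Review bot: The two `if (!event)` guards added in the `IOException` and `Throwable` handlers have no comment explaining why the key is cancelled only on the non-event path, so the patch header is the only thing tying them to the duplicate Processor release. A comment on the first guard would keep a later cleanup from collapsing the condition, for example `// On the event path the caller handles the failure; cancelling here as well would release the Processor twice (CVE-2016-8745)`. That reading of `event` is inferred from the patch description, because the method signature and its callers are outside the hunk, so confirm it against the full method before settling the wording. The same guarded call appears in both handlers, so a small private helper would stop the two copies from drifting apart in a later backport.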
diff --git a/debian/patches/series b/debian/patches/series
index 3c59fa1..df71d34 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -46,3 +46,4 @@ CVE-2016-6816.patch
 CVE-2016-8735.patch
 CVE-2016-5018-part2.patch
 CVE-2016-6797-part2.patch
+CVE-2016-8745.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git


