[tomcat7] 01/01: Import Debian changes 7.0.28-4+deb7u14

Markus Koschany apo at moszumanska.debian.org
Tue Jun 20 22:04:28 UTC 2017


This is an automated email from the git hooks/post-receive script.

apo pushed a commit to branch wheezy
in repository tomcat7.

commit 1ebcd5b2c822cf677b59a875172344c80d1d1ee4
Author: Markus Koschany <apo at debian.org>
Date:   Tue Jun 20 22:23:35 2017 +0200

    Import Debian changes 7.0.28-4+deb7u14
    
    tomcat7 (7.0.28-4+deb7u14) wheezy-security; urgency=high
    
      * Team upload.
      * Fix CVE-2017-5664.
        The error page mechanism of the Java Servlet Specification requires that,
        when an error occurs and an error page is configured for the error that
        occurred, the original request and response are forwarded to the error
        page. This means that the request is presented to the error page with the
        original HTTP method. If the error page is a static file, expected
        behaviour is to serve content of the file as if processing a GET request,
        regardless of the actual HTTP method. The Default Servlet in Apache Tomcat
        did not do this. Depending on the original request this could lead to
        unexpected and undesirable results for static error pages including, if the
        DefaultServlet is configured to permit writes, the replacement or removal
        of the custom error page. (Closes: #864447)
---
 debian/changelog                   |  18 ++++++
 debian/patches/CVE-2017-5664.patch | 122 +++++++++++++++++++++++++++++++++++++
 debian/patches/series              |   1 +
 3 files changed, 141 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 4cc7b97..3b5bb48 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+tomcat7 (7.0.28-4+deb7u14) wheezy-security; urgency=high
+
+  * Team upload.
+  * Fix CVE-2017-5664.
+    The error page mechanism of the Java Servlet Specification requires that,
+    when an error occurs and an error page is configured for the error that
+    occurred, the original request and response are forwarded to the error
+    page. This means that the request is presented to the error page with the
+    original HTTP method. If the error page is a static file, expected
+    behaviour is to serve content of the file as if processing a GET request,
+    regardless of the actual HTTP method. The Default Servlet in Apache Tomcat
+    did not do this. Depending on the original request this could lead to
+    unexpected and undesirable results for static error pages including, if the
+    DefaultServlet is configured to permit writes, the replacement or removal
+    of the custom error page. (Closes: #864447)
+
+ -- Markus Koschany <apo at debian.org>  Tue, 20 Jun 2017 22:23:35 +0200
+
 tomcat7 (7.0.28-4+deb7u13) wheezy-security; urgency=high
 
   * Team upload.
diff --git a/debian/patches/CVE-2017-5664.patch b/debian/patches/CVE-2017-5664.patch
new file mode 100644
index 0000000..8275316
--- /dev/null
+++ b/debian/patches/CVE-2017-5664.patch
@@ -0,0 +1,122 @@
+From: Markus Koschany <apo at debian.org>
+Date: Fri, 9 Jun 2017 23:25:05 +0200
+Subject: CVE-2017-5664
+
+Origin: http://svn.apache.org/r1793491
+Origin: http://svn.apache.org/r1793471
+---
+ .../apache/catalina/servlets/DefaultServlet.java   | 28 ++++++++++++++++------
+ .../apache/catalina/servlets/WebdavServlet.java    |  6 +++++
+ 2 files changed, 27 insertions(+), 7 deletions(-)
+
+diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java
+index 0850ad4..7bff461 100644
+--- a/java/org/apache/catalina/servlets/DefaultServlet.java
++++ b/java/org/apache/catalina/servlets/DefaultServlet.java
+@@ -43,6 +43,7 @@ import javax.naming.NameClassPair;
+ import javax.naming.NamingEnumeration;
+ import javax.naming.NamingException;
+ import javax.naming.directory.DirContext;
++import javax.servlet.DispatcherType;
+ import javax.servlet.RequestDispatcher;
+ import javax.servlet.ServletContext;
+ import javax.servlet.ServletException;
+@@ -241,7 +242,7 @@ public class DefaultServlet
+         urlEncoder.addSafeCharacter('.');
+         urlEncoder.addSafeCharacter('*');
+         urlEncoder.addSafeCharacter('/');
+-        
++
+         if (Globals.IS_SECURITY_ENABLED) {
+             factory = DocumentBuilderFactory.newInstance();
+             factory.setNamespaceAware(true);
+@@ -415,6 +416,18 @@ public class DefaultServlet
+     }
+ 
+ 
++    @Override
++    protected void service(HttpServletRequest req, HttpServletResponse resp)
++            throws ServletException, IOException {
++
++        if (req.getDispatcherType() == DispatcherType.ERROR) {
++            doGet(req, resp);
++        } else {
++            super.service(req, resp);
++        }
++    }
++
++
+     /**
+      * Process a GET request for the specified resource.
+      *
+@@ -829,8 +842,7 @@ public class DefaultServlet
+             }
+         }
+ 
+-        boolean isError =
+-            response.getStatus() >= HttpServletResponse.SC_BAD_REQUEST;
++        boolean isError = DispatcherType.ERROR == request.getDispatcherType();
+ 
+         // Check if the conditions specified in the optional If headers are
+         // satisfied.
+@@ -1295,7 +1307,7 @@ public class DefaultServlet
+ 
+     }
+ 
+-    
++
+     /**
+      * Return an InputStream to an HTML representation of the contents
+      * of this directory.
+@@ -1710,15 +1722,15 @@ public class DefaultServlet
+ 
+ 
+     private File validateGlobalXsltFile() {
+-        
++
+         File result = null;
+         String base = System.getProperty(Globals.CATALINA_BASE_PROP);
+-        
++
+         if (base != null) {
+             File baseConf = new File(base, "conf");
+             result = validateGlobalXsltFile(baseConf);
+         }
+-        
++
+         if (result == null) {
+             String home = System.getProperty(Globals.CATALINA_HOME_PROP);
+             if (home != null && !home.equals(base)) {
+@@ -2302,6 +2314,8 @@ public class DefaultServlet
+ 
+         /**
+          * Validate range.
++         *
++         * @return true if the range is valid, otherwise false
+          */
+         public boolean validate() {
+             if (end >= length)
+diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java b/java/org/apache/catalina/servlets/WebdavServlet.java
+index 70204fa..0a6efbe 100644
+--- a/java/org/apache/catalina/servlets/WebdavServlet.java
++++ b/java/org/apache/catalina/servlets/WebdavServlet.java
+@@ -40,6 +40,7 @@ import javax.naming.NameClassPair;
+ import javax.naming.NamingEnumeration;
+ import javax.naming.NamingException;
+ import javax.naming.directory.DirContext;
++import javax.servlet.DispatcherType;
+ import javax.servlet.RequestDispatcher;
+ import javax.servlet.ServletContext;
+ import javax.servlet.ServletException;
+@@ -352,6 +353,11 @@ public class WebdavServlet
+             return;
+         }
+ 
++        if (req.getDispatcherType() == DispatcherType.ERROR) {
++            doGet(req, resp);
++            return;
++        }
++
+         final String method = req.getMethod();
+ 
+         if (debug > 0) {
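Review bot: The new `service` override in DefaultServlet (the `@Override protected void service(...)` block) has no comment stating why an ERROR dispatch is routed through `doGet` regardless of the original HTTP method, which is the whole point of the fix and is not obvious from the three-line body. A Javadoc such as `/** Error-page dispatches (DispatcherType.ERROR) are served with GET semantics regardless of the original HTTP method, so a static error page cannot be written to or removed by the request that triggered it (CVE-2017-5664). */` would make the intent and the related `isError` change in doGet traceable for the next maintainer. The parallel check added in WebdavServlet.service deserves the same one-line note; that method starts and ends outside the hunk. Separately, the hunks that only strip trailing whitespace and the added `validate()` Javadoc are unrelated to the fix and enlarge a security backport; leaving them out would make the patch easier to audit against the two Origin revisions it cites.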
diff --git a/debian/patches/series b/debian/patches/series
index 4664e69..7d5f339 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -51,3 +51,4 @@ BZ57544-infinite-loop.patch
 BZ57544-infinite-loop-part2.patch
 CVE-2017-5647.patch
 CVE-2017-5648.patch
+CVE-2017-5664.patch
