[tomcat7] 01/02: Import Debian changes 7.0.28-4+deb7u15
Markus Koschany
apo at moszumanska.debian.org
Mon Oct 23 20:06:00 UTC 2017
apo pushed a commit to branch wheezy
in repository tomcat7.
commit 184246a2ae9062609e009c1973b768c74580966d
Author: Markus Koschany <apo at debian.org>
Date: Sun Sep 24 16:35:16 2017 +0200
Import Debian changes 7.0.28-4+deb7u15
tomcat7 (7.0.28-4+deb7u15) wheezy-security; urgency=high
* Team upload.
* Fix CVE-2017-12616.
When using a VirtualDirContext it was possible to bypass security
constraints and/or view the source code of JSPs for resources served by the
VirtualDirContext using a specially crafted request.
---
debian/changelog | 10 ++
debian/patches/CVE-2017-12616.patch | 257 ++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 268 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 3b5bb48..8e8522b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+tomcat7 (7.0.28-4+deb7u15) wheezy-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2017-12616.
+ When using a VirtualDirContext it was possible to bypass security
+ constraints and/or view the source code of JSPs for resources served by the
+ VirtualDirContext using a specially crafted request.
+
+ -- Markus Koschany <apo at debian.org> Sun, 24 Sep 2017 16:35:16 +0200
+
tomcat7 (7.0.28-4+deb7u14) wheezy-security; urgency=high
* Team upload.
diff --git a/debian/patches/CVE-2017-12616.patch b/debian/patches/CVE-2017-12616.patch
new file mode 100644
index 0000000..4cc7fc2
--- /dev/null
+++ b/debian/patches/CVE-2017-12616.patch
@@ -0,0 +1,257 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sun, 24 Sep 2017 16:24:01 +0200
+Subject: CVE-2017-12616
+
+Origin: http://svn.apache.org/viewvc?view=rev&rev=1804729
+---
+ .../apache/naming/resources/FileDirContext.java | 48 +++++++++++++++++-----
+ .../apache/naming/resources/VirtualDirContext.java | 37 ++++++++++++-----
+ 2 files changed, 64 insertions(+), 21 deletions(-)
+
+diff --git a/java/org/apache/naming/resources/FileDirContext.java b/java/org/apache/naming/resources/FileDirContext.java
+index 7e28948..119f132 100644
+--- a/java/org/apache/naming/resources/FileDirContext.java
++++ b/java/org/apache/naming/resources/FileDirContext.java
+@@ -197,7 +197,7 @@ public class FileDirContext extends BaseDirContext {
+ @Override
+ protected Object doLookup(String name) {
+ Object result = null;
+- File file = file(name);
++ File file = file(name, true);
+
+ if (file == null)
+ return null;
+@@ -234,7 +234,7 @@ public class FileDirContext extends BaseDirContext {
+ public void unbind(String name)
+ throws NamingException {
+
+- File file = file(name);
++ File file = file(name, true);
+
+ if (file == null)
+ throw new NameNotFoundException(
+@@ -262,13 +262,16 @@ public class FileDirContext extends BaseDirContext {
+ public void rename(String oldName, String newName)
+ throws NamingException {
+
+- File file = file(oldName);
++ File file = file(oldName, true);
+
+ if (file == null)
+ throw new NameNotFoundException
+ (sm.getString("resources.notFound", oldName));
+
+- File newFile = new File(base, newName);
++ File newFile = file(newName, false);
++ if (newFile == null) {
++ throw new NamingException(sm.getString("resources.renameFail", oldName, newName));
++ }
+
+ if (!file.renameTo(newFile)) {
+ throw new NamingException(sm.getString("resources.renameFail",
+@@ -323,7 +326,7 @@ public class FileDirContext extends BaseDirContext {
+ protected List<NamingEntry> doListBindings(String name)
+ throws NamingException {
+
+- File file = file(name);
++ File file = file(name, true);
+
+ if (file == null)
+ return null;
+@@ -427,7 +430,7 @@ public class FileDirContext extends BaseDirContext {
+ throws NamingException {
+
+ // Building attribute list
+- File file = file(name);
++ File file = file(name, true);
+
+ if (file == null)
+ return null;
+@@ -500,7 +503,7 @@ public class FileDirContext extends BaseDirContext {
+
+ // Note: No custom attributes allowed
+
+- File file = new File(base, name);
++ File file = file(name, false);
+ if (file.exists())
+ throw new NameAlreadyBoundException
+ (sm.getString("resources.alreadyBound", name));
+@@ -535,7 +538,10 @@ public class FileDirContext extends BaseDirContext {
+ // Note: No custom attributes allowed
+ // Check obj type
+
+- File file = new File(base, name);
++ File file = file(name, false);
++ if (file == null) {
++ throw new NamingException(sm.getString("resources.bindFailed", name));
++ }
+
+ InputStream is = null;
+ if (obj instanceof Resource) {
+@@ -610,7 +616,10 @@ public class FileDirContext extends BaseDirContext {
+ public DirContext createSubcontext(String name, Attributes attrs)
+ throws NamingException {
+
+- File file = new File(base, name);
++ File file = file(name, false);
++ if (file == null) {
++ throw new NamingException(sm.getString("resources.bindFailed", name));
++ }
+ if (file.exists())
+ throw new NameAlreadyBoundException
+ (sm.getString("resources.alreadyBound", name));
+@@ -785,6 +794,7 @@ public class FileDirContext extends BaseDirContext {
+
+ }
+
++
+ /**
+ * Return a File object representing the specified normalized
+ * context-relative path if it exists and is readable. Otherwise,
+@@ -793,9 +803,27 @@ public class FileDirContext extends BaseDirContext {
+ * @param name Normalized context-relative path (with leading '/')
+ */
+ protected File file(String name) {
++ return file(name, true);
++ }
+
++
++ /**
++ * Return a File object representing the specified normalized
++ * context-relative path if it exists and is readable. Otherwise,
++ * return <code>null</code>.
++ *
++ * @param name Normalized context-relative path (with leading '/')
++ * @param mustExist Must the specified resource exist?
++ */
++ protected File file(String name, boolean mustExist) {
+ File file = new File(base, name);
+- if (file.exists() && file.canRead()) {
++ return validate(file, mustExist, absoluteBase);
++ }
++
++
++ protected File validate(File file, boolean mustExist, String absoluteBase) {
++
++ if (!mustExist || file.exists() && file.canRead()) {
+
+ if (allowLinking)
+ return file;
+diff --git a/java/org/apache/naming/resources/VirtualDirContext.java b/java/org/apache/naming/resources/VirtualDirContext.java
+index 39942af..fd7eccd 100644
+--- a/java/org/apache/naming/resources/VirtualDirContext.java
++++ b/java/org/apache/naming/resources/VirtualDirContext.java
+@@ -77,7 +77,8 @@ public class VirtualDirContext extends FileDirContext {
+ * be listed twice.
+ * </p>
+ *
+- * @param path
++ * @param path The set of file system paths and virtual paths to map them to
++ * in the required format
+ */
+ public void setExtraResourcePaths(String path) {
+ extraResourcePaths = path;
+@@ -107,13 +108,13 @@ public class VirtualDirContext extends FileDirContext {
+ }
+ path = resSpec.substring(0, idx);
+ }
+- String dir = resSpec.substring(idx + 1);
++ File dir = new File(resSpec.substring(idx + 1));
+ List<String> resourcePaths = mappedResourcePaths.get(path);
+ if (resourcePaths == null) {
+ resourcePaths = new ArrayList<String>();
+ mappedResourcePaths.put(path, resourcePaths);
+ }
+- resourcePaths.add(dir);
++ resourcePaths.add(dir.getAbsolutePath());
+ }
+ }
+ if (mappedResourcePaths.isEmpty()) {
+@@ -152,7 +153,8 @@ public class VirtualDirContext extends FileDirContext {
+ String resourcesDir = dirList.get(0);
+ if (name.equals(path)) {
+ File f = new File(resourcesDir);
+- if (f.exists() && f.canRead()) {
++ f = validate(f, true, resourcesDir);
++ if (f != null) {
+ return new FileResourceAttributes(f);
+ }
+ }
+@@ -160,7 +162,8 @@ public class VirtualDirContext extends FileDirContext {
+ if (name.startsWith(path)) {
+ String res = name.substring(path.length());
+ File f = new File(resourcesDir + "/" + res);
+- if (f.exists() && f.canRead()) {
++ f = validate(f, true, resourcesDir);
++ if (f != null) {
+ return new FileResourceAttributes(f);
+ }
+ }
+@@ -169,9 +172,16 @@ public class VirtualDirContext extends FileDirContext {
+ throw initialException;
+ }
+
++
+ @Override
+ protected File file(String name) {
+- File file = super.file(name);
++ return file(name, true);
++ }
++
++
++ @Override
++ protected File file(String name, boolean mustExist) {
++ File file = super.file(name, true);
+ if (file != null || mappedResourcePaths == null) {
+ return file;
+ }
+@@ -186,7 +196,8 @@ public class VirtualDirContext extends FileDirContext {
+ if (name.equals(path)) {
+ for (String resourcesDir : dirList) {
+ file = new File(resourcesDir);
+- if (file.exists() && file.canRead()) {
++ file = validate(file, true, resourcesDir);
++ if (file != null) {
+ return file;
+ }
+ }
+@@ -195,7 +206,8 @@ public class VirtualDirContext extends FileDirContext {
+ String res = name.substring(path.length());
+ for (String resourcesDir : dirList) {
+ file = new File(resourcesDir, res);
+- if (file.exists() && file.canRead()) {
++ file = validate(file, true, resourcesDir);
++ if (file != null) {
+ return file;
+ }
+ }
+@@ -230,7 +242,8 @@ public class VirtualDirContext extends FileDirContext {
+ if (res != null) {
+ for (String resourcesDir : dirList) {
+ File f = new File(resourcesDir, res);
+- if (f.exists() && f.canRead() && f.isDirectory()) {
++ f = validate(f, true, resourcesDir);
++ if (f != null && f.isDirectory()) {
+ List<NamingEntry> virtEntries = super.list(f);
+ for (NamingEntry entry : virtEntries) {
+ // filter duplicate
+@@ -265,7 +278,8 @@ public class VirtualDirContext extends FileDirContext {
+ if (name.equals(path)) {
+ for (String resourcesDir : dirList) {
+ File f = new File(resourcesDir);
+- if (f.exists() && f.canRead()) {
++ f = validate(f, true, resourcesDir);
++ if (f != null) {
+ if (f.isFile()) {
+ return new FileResource(f);
+ }
+@@ -281,7 +295,8 @@ public class VirtualDirContext extends FileDirContext {
+ String res = name.substring(path.length());
+ for (String resourcesDir : dirList) {
+ File f = new File(resourcesDir + "/" + res);
+- if (f.exists() && f.canRead()) {
++ f = validate(f, true, resourcesDir);
++ if (f != null) {
+ if (f.isFile()) {
+ return new FileResource(f);
+ }
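Review bot: In the nested FileDirContext hunk at `@@ -500,7 +503,7 @@`, the new `File file = file(name, false);` is followed directly by `file.exists()` with no null guard, whereas the parallel hunks at -535 and -610 add `if (file == null) { throw new NamingException(sm.getString("resources.bindFailed", name)); }` after the same call. Those guards imply that `file(name, false)` can return null when `validate` rejects a path (the body of `validate` ends outside this patch, so that is inferred), in which case this method would fail with a NullPointerException rather than the NamingException its siblings raise; the same three-line guard belongs after the `file(name, false)` line here. The signature of the method enclosing that hunk is outside the hunk, so which method it is can only be inferred from position. Separately, the VirtualDirContext override `file(String name, boolean mustExist)` calls `super.file(name, true)` and never forwards `mustExist`; if that is deliberate, a comment such as `// mustExist is intentionally not forwarded: virtual paths are only resolved for existing resources — confirm` on that line would save the next reader from treating it as a bug.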
diff --git a/debian/patches/series b/debian/patches/series
index 7d5f339..d959268 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -52,3 +52,4 @@ BZ57544-infinite-loop-part2.patch
CVE-2017-5647.patch
CVE-2017-5648.patch
CVE-2017-5664.patch
+CVE-2017-12616.patch