Bug#845425: DataSource no longer accessible since jessie security update

Arne Nordmark nordmark at mech.kth.se
Sun Dec 4 14:39:31 UTC 2016


On 2016-12-04 at 15:00, Markus Koschany wrote:
> On 04.12.2016 09:22, Arne Nordmark wrote:
>> Unfortunately, the newly released wheezy security update 7.0.28-4+deb7u7
>> also suffers from this problem.
>>
>> Can it be so that the important part missing is the loop traversing the
>> class loaders in validateGlobalResourceAccess():
>>
>> while (cl != null) {
>>  ...
>>  cl = cl.getParent();
>> }
> 
> Hello,
> 
> I have prepared the update for Wheezy. Since you confirmed that using the ResourceLinkFactory class
> from 7.x trunk works for you, we have replaced the current version with this one. At the moment I
> fail to understand what we are missing because upstream's fix for CVE-2016-6797 is relatively
> straightforward [1] and we have already taken your bug report into account.
> 
> Could you elaborate in which file the code from above is missing?

Sorry if I was unclear. In the ResourceLinkFactory class,
CVE-2016-6797.patch adds among other things the new method

private static boolean validateGlobalResourceAccess(String globalName)

However, in the upstream version 7.0.73 there is another change to this new
method, which is the loop over the parent class loaders I was referring
to above.

It seems that when preparing CVE-2016-6797-part2.patch, this change was
left out, but it may be the change that actually makes things work.

I can build and run Debian tomcat7 on both wheezy and jessie, so if you
would like me to make any further tests, please let me know.

Thanks,
Arne

> 
> Thanks,
> 
> Markus
> 
> 
> [1] https://svn.apache.org/viewvc?view=revision&revision=1757275
> 
> 
> 
> 
> 
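The parent class loader loop discussed in this message, as an added example that is not Tomcat's code and not part of either Debian patch. It is a simplified model: the class, the method names other than `validateGlobalResourceAccess`'s general shape, the registry layout and the resource name `jdbc/ExampleDS` are assumptions made for illustration. It compares a check that consults only the thread's context class loader with one that also walks `getParent()`.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Simplified model with hypothetical names; not Tomcat's ResourceLinkFactory.
public class GlobalResourceAccessDemo {
    // Global resource names each class loader has been granted access to.
    private static final Map<ClassLoader, Set<String>> REGISTRATIONS = new ConcurrentHashMap<>();

    static void register(ClassLoader owner, String globalName) {
        REGISTRATIONS.computeIfAbsent(owner, k -> ConcurrentHashMap.newKeySet()).add(globalName);
    }

    // Variant without the loop: only the context class loader itself is consulted.
    static boolean validateExactLoaderOnly(String globalName) {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        Set<String> names = REGISTRATIONS.get(cl);
        return names != null && names.contains(globalName);
    }

    // Variant with the loop: a registration on any ancestor loader is accepted.
    static boolean validateWithParentWalk(String globalName) {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        while (cl != null) {
            Set<String> names = REGISTRATIONS.get(cl);
            if (names != null && names.contains(globalName)) {
                return true;
            }
            cl = cl.getParent();
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        ClassLoader saved = Thread.currentThread().getContextClassLoader();
        try (URLClassLoader webapp = new URLClassLoader(new URL[0], saved);
             URLClassLoader child = new URLClassLoader(new URL[0], webapp);
             URLClassLoader other = new URLClassLoader(new URL[0], saved)) {
            register(webapp, "jdbc/ExampleDS"); // constructed resource name
            // Assumed scenario: the lookup runs under a child of the registered loader.
            Thread.currentThread().setContextClassLoader(child);
            System.out.println("child, exact only:  " + validateExactLoaderOnly("jdbc/ExampleDS"));
            System.out.println("child, parent walk: " + validateWithParentWalk("jdbc/ExampleDS"));
            // An unrelated loader must still be refused, even with the loop.
            Thread.currentThread().setContextClassLoader(other);
            System.out.println("other, parent walk: " + validateWithParentWalk("jdbc/ExampleDS"));
        } finally {
            Thread.currentThread().setContextClassLoader(saved);
        }
    }
}
```

In this model the exact-loader variant refuses a legitimately linked resource whenever the lookup happens under a descendant loader, while the parent walk accepts it and still refuses a sibling loader that was never registered.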


