On 04.12.2016 15:39, Arne Nordmark wrote:
> Den 2016-12-04 kl. 15:00, skrev Markus Koschany:
>> On 04.12.2016 09:22, Arne Nordmark wrote:
>>> Unfortunately, the newly released wheezy security update 7.0.28-4+deb7u7
>>> also suffers from this problem.
>>>
>>> Can it be so that the important part missing is the loop traversing the
>>> class loaders in validateGlobalResourceAccess():
>>>
>>> while (cl != null) {
>>> ...
>>> cl = cl.getParent();
>>> }
>>
>> Hello,
>>
>> I have prepared the update for Wheezy. Since you confirmed that using the
>> ResourceLinkFactory class
>> from 7.x trunk works for you, we have replaced the current version with this
>> one. At the moment I
>> fail to understand what we are missing because upstream's fix for
>> CVE-2016-6797 is relatively
>> straightforward [1] and we have already taken your bug report into account.
>>
>> Could you elaborate in which file the code from above is missing?
>
> Sorry if I was unclear. In the ResourceLinkFactory class,
> CVE-2016-6797.patch adds among other things the new method
>
> private static boolean validateGlobalResourceAccess(String globalName)
>
> However, the upstream version 7.0.73 there is another change to this new
> method, which is the loop over the parent class loaders I was referring
> to above.
>
> It seems that when preparing CVE-2016-6797-part2.patch, this change was
> left out, but it may be the change that actually makes things work.
>
> I can build and run Debian tomcat7 on both wheezy and jessie, so if you
> would like me to make any further tests, please let me know.My bad. It seems I have copied ResourceLinkFactory from another branch which is not equivalent to 7.0.73. https://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/naming/factory/?pathrev=1757275 Looking at Apache's github repository for Tomcat 7, the loop is indeed present. https://raw.githubusercontent.com/apache/tomcat70/TOMCAT_7_0_73/java/org/apache/naming/factory/ResourceLinkFactory.java I will use this version when I prepare a regression update. Since you have already confirmed that this fixes #845425 further tests won't be necessary. Thanks for your help!
signature.asc
Description: OpenPGP digital signature
