On 04.12.2016 15:39, Arne Nordmark wrote:
> On 2016-12-04 at 15:00, Markus Koschany wrote:
>> On 04.12.2016 09:22, Arne Nordmark wrote:
>>> Unfortunately, the newly released wheezy security update 7.0.28-4+deb7u7
>>> also suffers from this problem.
>>>
>>> Can it be so that the important part missing is the loop traversing the
>>> class loaders in validateGlobalResourceAccess():
>>>
>>> while (cl != null) {
>>>     ...
>>>     cl = cl.getParent();
>>> }
>>
>> Hello,
>>
>> I have prepared the update for Wheezy. Since you confirmed that using the
>> ResourceLinkFactory class
>> from 7.x trunk works for you, we have replaced the current version with this
>> one. At the moment I
>> fail to understand what we are missing because upstream's fix for
>> CVE-2016-6797 is relatively
>> straightforward [1] and we have already taken your bug report into account.
>>
>> Could you elaborate in which file the code from above is missing?
>
> Sorry if I was unclear. In the ResourceLinkFactory class,
> CVE-2016-6797.patch adds among other things the new method
>
> private static boolean validateGlobalResourceAccess(String globalName)
>
> However, in the upstream version 7.0.73 there is another change to this new
> method, which is the loop over the parent class loaders I was referring
> to above.
>
> It seems that when preparing CVE-2016-6797-part2.patch, this change was
> left out, but it may be the change that actually makes things work.
>
> I can build and run Debian tomcat7 on both wheezy and jessie, so if you
> would like me to make any further tests, please let me know.

My bad. It seems I have copied ResourceLinkFactory from another branch which is not equivalent to 7.0.73.

https://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/naming/factory/?pathrev=1757275

Looking at Apache's GitHub repository for Tomcat 7, the loop is indeed present.

https://raw.githubusercontent.com/apache/tomcat70/TOMCAT_7_0_73/java/org/apache/naming/factory/ResourceLinkFactory.java

I will use this version when I prepare a regression update. Since you have already confirmed that this fixes #845425, further tests won't be necessary.

Thanks for your help!
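
The effect of the parent class loader loop discussed in this thread, as an added example that is not Tomcat's code and not part of the original messages. It assumes grants are recorded per class loader and that a lookup may run under a child of the loader that was granted access; the registry, method names other than the loop itself, and the resource name are hypothetical.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Simplified model, not Tomcat source: registry and method names are hypothetical.
public class ParentLoaderWalkDemo {
    // Assumed structure: global resource names granted to each class loader.
    static final Map<ClassLoader, Set<String>> GRANTS = new ConcurrentHashMap<>();

    static void grant(ClassLoader cl, String globalName) {
        GRANTS.computeIfAbsent(cl, k -> ConcurrentHashMap.newKeySet()).add(globalName);
    }

    // Variant without the loop: only the thread's own context loader is checked.
    static boolean validateExactLoader(String globalName) {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        Set<String> names = (cl == null) ? null : GRANTS.get(cl);
        return names != null && names.contains(globalName);
    }

    // Variant with the loop quoted in the thread: walk up the parent chain.
    static boolean validateWithParents(String globalName) {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        while (cl != null) {
            Set<String> names = GRANTS.get(cl);
            if (names != null && names.contains(globalName)) {
                return true;
            }
            cl = cl.getParent();
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        ClassLoader original = Thread.currentThread().getContextClassLoader();
        try (URLClassLoader webapp = new URLClassLoader(new URL[0], original);
             URLClassLoader child = new URLClassLoader(new URL[0], webapp);
             URLClassLoader other = new URLClassLoader(new URL[0], original)) {
            grant(webapp, "jdbc/GlobalDS"); // constructed sample name
            Thread.currentThread().setContextClassLoader(child);
            System.out.println("exact, child of webapp:  " + validateExactLoader("jdbc/GlobalDS"));
            System.out.println("walk,  child of webapp:  " + validateWithParents("jdbc/GlobalDS"));
            Thread.currentThread().setContextClassLoader(other);
            System.out.println("walk,  unrelated loader: " + validateWithParents("jdbc/GlobalDS"));
        } finally {
            Thread.currentThread().setContextClassLoader(original);
        }
    }
}
```

The third call runs under a sibling loader, so the walk never reaches the loader holding the grant: the loop restores access for descendants without extending it to unrelated loaders.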