Package: tomcat6
Version: 6.0.35-1
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu precise ubuntu-patch
*** /tmp/tmpQZSwrL/bug_body
In Ubuntu, the attached patch was applied to achieve the following:
* debian/patches/0011-CVE-2012-0022-regression-fix.patch: fix regression
from the CVE-2012-0022 security fix that went into 6.0.35.
Thanks for considering the patch.
-- System Information:
Debian Release: wheezy/sid
APT prefers precise-updates
APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500,
'precise-proposed'), (500, 'precise')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-15-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru tomcat6-6.0.35/debian/changelog tomcat6-6.0.35/debian/changelog
diff -Nru tomcat6-6.0.35/debian/patches/0011-CVE-2012-0022-regression-fix.patch tomcat6-6.0.35/debian/patches/0011-CVE-2012-0022-regression-fix.patch
--- tomcat6-6.0.35/debian/patches/0011-CVE-2012-0022-regression-fix.patch 1969-12-31 19:00:00.000000000 -0500
+++ tomcat6-6.0.35/debian/patches/0011-CVE-2012-0022-regression-fix.patch 2012-02-13 09:04:42.000000000 -0500
@@ -0,0 +1,83 @@
+Description: fix regression from the CVE-2012-0022 security fix that
+ went into 6.0.35.
+Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1229027
+Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=52384
+
+Index: tomcat6-6.0.35/java/org/apache/tomcat/util/http/LocalStrings.properties
+===================================================================
+--- tomcat6-6.0.35.orig/java/org/apache/tomcat/util/http/LocalStrings.properties 2011-11-12 03:36:55.000000000 -0500
++++ tomcat6-6.0.35/java/org/apache/tomcat/util/http/LocalStrings.properties 2012-02-13 09:03:10.865891860 -0500
+@@ -17,6 +17,7 @@
+ parameters.copyFail=Failed to create copy of original parameter values for debug logging purposes
+ parameters.decodeFail.debug=Character decoding failed. Parameter [{0}] with value [{1}] has been ignored.
+ parameters.decodeFail.info=Character decoding failed. Parameter [{0}] with value [{1}] has been ignored. Note that the name and value quoted here may be corrupted due to the failed decoding. Use debug level logging to see the original, non-corrupted values.
++parameters.emptyChunk=Empty parameter chunk ignored
+ parameters.invalidChunk=Invalid chunk starting at byte [{0}] and ending at byte [{1}] with a value of [{2}] ignored
+ parameters.maxCountFail=More than the maximum number of request parameters (GET plus POST) for a single request ([{0}]) were detected. Any parameters beyond this limit have been ignored. To change this limit, set the maxParameterCount attribute on the Connector.
+ parameters.multipleDecodingFail=Character decoding failed. A total of [{0}] failures were detected but only the first was logged. Enable debug level logging for this logger to log all failures.
+Index: tomcat6-6.0.35/java/org/apache/tomcat/util/http/Parameters.java
+===================================================================
+--- tomcat6-6.0.35.orig/java/org/apache/tomcat/util/http/Parameters.java 2011-11-25 16:11:35.000000000 -0500
++++ tomcat6-6.0.35/java/org/apache/tomcat/util/http/Parameters.java 2012-02-13 09:03:10.889891861 -0500
+@@ -314,6 +314,15 @@
+ }
+
+ if (nameEnd <= nameStart ) {
++ if (valueStart == -1) {
++ // &&
++ if (log.isDebugEnabled()) {
++ log.debug(sm.getString("parameters.emptyChunk"));
++ }
++ // Do not flag as error
++ continue;
++ }
++ // &=foo&
+ if (log.isInfoEnabled()) {
+ if (valueEnd >= nameStart && log.isDebugEnabled()) {
+ String extract = null;
+@@ -341,7 +350,11 @@
+ }
+
+ tmpName.setBytes(bytes, nameStart, nameEnd - nameStart);
+- tmpValue.setBytes(bytes, valueStart, valueEnd - valueStart);
++ if (valueStart >= 0) {
++ tmpValue.setBytes(bytes, valueStart, valueEnd - valueStart);
++ } else {
++ tmpValue.setBytes(bytes, 0, 0);
++ }
+
+ // Take copies as if anything goes wrong originals will be
+ // corrupted. This means original values can be logged.
+@@ -349,7 +362,11 @@
+ if (log.isDebugEnabled()) {
+ try {
+ origName.append(bytes, nameStart, nameEnd - nameStart);
+- origValue.append(bytes, valueStart, valueEnd - valueStart);
++ if (valueStart >= 0) {
++ origValue.append(bytes, valueStart, valueEnd - valueStart);
++ } else {
++ origValue.append(bytes, 0, 0);
++ }
+ } catch (IOException ioe) {
+ // Should never happen...
+ log.error(sm.getString("parameters.copyFail"), ioe);
+@@ -366,11 +383,15 @@
+ tmpName.setCharset(charset);
+ name = tmpName.toString();
+
+- if (decodeValue) {
+- urlDecode(tmpValue);
++ if (valueStart >= 0) {
++ if (decodeValue) {
++ urlDecode(tmpValue);
++ }
++ tmpValue.setCharset(charset);
++ value = tmpValue.toString();
++ } else {
++ value = "";
+ }
+- tmpValue.setCharset(charset);
+- value = tmpValue.toString();
+
+ addParam(name, value);
+ } catch (IOException e) {
diff -Nru tomcat6-6.0.35/debian/patches/series tomcat6-6.0.35/debian/patches/series
--- tomcat6-6.0.35/debian/patches/series 2011-12-13 01:47:05.000000000 -0500
+++ tomcat6-6.0.35/debian/patches/series 2012-02-13 09:01:30.000000000 -0500
@@ -7,3 +7,4 @@
0007-add-OSGi-headers-to-servlet-api.patch
0008-add-OSGI-headers-to-jsp-api.patch
0010-Use-java.security.policy-file-in-catalina.sh.patch
+0011-CVE-2012-0022-regression-fix.patch
