This is an automated email from the git hooks/post-receive script. tmancill pushed a commit to branch master in repository tomcat6.
commit c3c427463fa93d87db6c2c9e06d089f466fb53eb Author: tony mancill <[email protected]> Date: Sat Aug 3 21:44:35 2013 -0700 drop CVE-2012-3439 patch --- debian/patches/cve-2012-3439.patch | 362 ------------------------------------ debian/patches/series | 1 - 2 files changed, 363 deletions(-) diff --git a/debian/patches/cve-2012-3439.patch b/debian/patches/cve-2012-3439.patch deleted file mode 100644 index 630ecee..0000000 --- a/debian/patches/cve-2012-3439.patch +++ /dev/null @@ -1,362 +0,0 @@ ---- trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java 2012/09/04 19:47:42 1380828 -+++ trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java 2012/09/04 19:48:27 1380829 -@@ -27,9 +27,9 @@ - import java.util.Map; - import java.util.StringTokenizer; - -+import javax.servlet.http.HttpServletRequest; - import javax.servlet.http.HttpServletResponse; - -- - import org.apache.catalina.LifecycleException; - import org.apache.catalina.Realm; - import org.apache.catalina.connector.Request; -@@ -80,6 +80,7 @@ - - public DigestAuthenticator() { - super(); -+ setCache(false); - try { - if (md5Helper == null) - md5Helper = MessageDigest.getInstance("MD5"); -@@ -100,16 +101,16 @@ - - - /** -- * List of client nonce values currently being tracked -+ * List of server nonce values currently being tracked - */ -- protected Map<String,NonceInfo> cnonces; -+ protected Map<String,NonceInfo> nonces; - - - /** -- * Maximum number of client nonces to keep in the cache. If not specified, -+ * Maximum number of server nonces to keep in the cache. If not specified, - * the default value of 1000 is used. - */ -- protected int cnonceCacheSize = 1000; -+ protected int nonceCacheSize = 1000; - - - /** -@@ -150,13 +151,13 @@ - } - - -- public int getCnonceCacheSize() { -- return cnonceCacheSize; -+ public int getNonceCacheSize() { -+ return nonceCacheSize; - } - - -- public void setCnonceCacheSize(int cnonceCacheSize) { -- this.cnonceCacheSize = cnonceCacheSize; -+ public void setNonceCacheSize(int nonceCacheSize) { -+ this.nonceCacheSize = nonceCacheSize; - } - - -@@ -263,18 +264,19 @@ - // Validate any credentials already included with this request - String authorization = request.getHeader("authorization"); - DigestInfo digestInfo = new DigestInfo(getOpaque(), getNonceValidity(), -- getKey(), cnonces, isValidateUri()); -+ getKey(), nonces, isValidateUri()); - if (authorization != null) { -- if (digestInfo.validate(request, authorization, config)) { -- principal = digestInfo.authenticate(context.getRealm()); -- } -+ if (digestInfo.parse(request, authorization)) { -+ if (digestInfo.validate(request, config)) { -+ principal = digestInfo.authenticate(context.getRealm()); -+ } - -- if (principal != null) { -- String username = parseUsername(authorization); -- register(request, response, principal, -- Constants.DIGEST_METHOD, -- username, null); -- return (true); -+ if (principal != null && !digestInfo.isNonceStale()) { -+ register(request, response, principal, -+ HttpServletRequest.DIGEST_AUTH, -+ digestInfo.getUsername(), null); -+ return true; -+ } - } - } - -@@ -285,10 +287,9 @@ - String nonce = generateNonce(request); - - setAuthenticateHeader(request, response, config, nonce, -- digestInfo.isNonceStale()); -+ principal != null && digestInfo.isNonceStale()); - response.sendError(HttpServletResponse.SC_UNAUTHORIZED); -- // hres.flushBuffer(); -- return (false); -+ return false; - - } - -@@ -301,7 +302,10 @@ - * can be identified, return <code>null</code> - * - * @param authorization Authorization string to be parsed -+ * -+ * @deprecated Unused. Will be removed in Tomcat 8.0.x - */ -+ @Deprecated - protected String parseUsername(String authorization) { - - // Validate the authorization credentials format -@@ -345,7 +349,7 @@ - } else if (quotedString.length() > 2) { - return quotedString.substring(1, quotedString.length() - 1); - } else { -- return new String(); -+ return ""; - } - } - -@@ -376,7 +380,14 @@ - buffer = md5Helper.digest(ipTimeKey.getBytes()); - } - -- return currentTime + ":" + md5Encoder.encode(buffer); -+ String nonce = currentTime + ":" + md5Encoder.encode(buffer); -+ -+ NonceInfo info = new NonceInfo(currentTime, 100); -+ synchronized (nonces) { -+ nonces.put(nonce, info); -+ } -+ -+ return nonce; - } - - -@@ -450,7 +461,7 @@ - setOpaque(generateSessionId()); - } - -- cnonces = new LinkedHashMap<String, DigestAuthenticator.NonceInfo>() { -+ nonces = new LinkedHashMap<String, DigestAuthenticator.NonceInfo>() { - - private static final long serialVersionUID = 1L; - private static final long LOG_SUPPRESS_TIME = 5 * 60 * 1000; -@@ -462,7 +473,7 @@ - Map.Entry<String,NonceInfo> eldest) { - // This is called from a sync so keep it simple - long currentTime = System.currentTimeMillis(); -- if (size() > getCnonceCacheSize()) { -+ if (size() > getNonceCacheSize()) { - if (lastLog < currentTime && - currentTime - eldest.getValue().getTimestamp() < - getNonceValidity()) { -@@ -480,10 +491,10 @@ - - private static class DigestInfo { - -- private String opaque; -- private long nonceValidity; -- private String key; -- private Map<String,NonceInfo> cnonces; -+ private final String opaque; -+ private final long nonceValidity; -+ private final String key; -+ private final Map<String,NonceInfo> nonces; - private boolean validateUri = true; - - private String userName = null; -@@ -495,21 +506,27 @@ - private String cnonce = null; - private String realmName = null; - private String qop = null; -+ private String opaqueReceived = null; - - private boolean nonceStale = false; - - - public DigestInfo(String opaque, long nonceValidity, String key, -- Map<String,NonceInfo> cnonces, boolean validateUri) { -+ Map<String,NonceInfo> nonces, boolean validateUri) { - this.opaque = opaque; - this.nonceValidity = nonceValidity; - this.key = key; -- this.cnonces = cnonces; -+ this.nonces = nonces; - this.validateUri = validateUri; - } - -- public boolean validate(Request request, String authorization, -- LoginConfig config) { -+ -+ public String getUsername() { -+ return userName; -+ } -+ -+ -+ public boolean parse(Request request, String authorization) { - // Validate the authorization credentials format - if (authorization == null) { - return false; -@@ -523,7 +540,6 @@ - String[] tokens = authorization.split(",(?=(?:[^\"]*\"[^\"]*\")+$)"); - - method = request.getMethod(); -- String opaque = null; - - for (int i = 0; i < tokens.length; i++) { - String currentToken = tokens[i]; -@@ -555,9 +571,13 @@ - if ("response".equals(currentTokenName)) - response = removeQuotes(currentTokenValue); - if ("opaque".equals(currentTokenName)) -- opaque = removeQuotes(currentTokenValue); -+ opaqueReceived = removeQuotes(currentTokenValue); - } - -+ return true; -+ } -+ -+ public boolean validate(Request request, LoginConfig config) { - if ( (userName == null) || (realmName == null) || (nonce == null) - || (uri == null) || (response == null) ) { - return false; -@@ -573,7 +593,23 @@ - uriQuery = request.getRequestURI() + "?" + query; - } - if (!uri.equals(uriQuery)) { -- return false; -+ // Some clients (older Android) use an absolute URI for -+ // DIGEST but a relative URI in the request line. -+ // request. 2.3.5 < fixed Android version <= 4.0.3 -+ String host = request.getHeader("host"); -+ String scheme = request.getScheme(); -+ if (host != null && !uriQuery.startsWith(scheme)) { -+ StringBuilder absolute = new StringBuilder(); -+ absolute.append(scheme); -+ absolute.append("://"); -+ absolute.append(host); -+ absolute.append(uriQuery); -+ if (!uri.equals(absolute.toString())) { -+ return false; -+ } -+ } else { -+ return false; -+ } - } - } - -@@ -587,7 +623,7 @@ - } - - // Validate the opaque string -- if (!this.opaque.equals(opaque)) { -+ if (!opaque.equals(opaqueReceived)) { - return false; - } - -@@ -606,7 +642,9 @@ - long currentTime = System.currentTimeMillis(); - if ((currentTime - nonceTime) > nonceValidity) { - nonceStale = true; -- return false; -+ synchronized (nonces) { -+ nonces.remove(nonce); -+ } - } - String serverIpTimeKey = - request.getRemoteAddr() + ":" + nonceTime + ":" + key; -@@ -625,7 +663,7 @@ - } - - // Validate cnonce and nc -- // Check if presence of nc and nonce is consistent with presence of qop -+ // Check if presence of nc and Cnonce is consistent with presence of qop - if (qop == null) { - if (cnonce != null || nc != null) { - return false; -@@ -634,7 +672,9 @@ - if (cnonce == null || nc == null) { - return false; - } -- if (nc.length() != 8) { -+ // RFC 2617 says nc must be 8 digits long. Older Android clients -+ // use 6. 2.3.5 < fixed Android version <= 4.0.3 -+ if (nc.length() < 6 || nc.length() > 8) { - return false; - } - long count; -@@ -644,21 +684,18 @@ - return false; - } - NonceInfo info; -- synchronized (cnonces) { -- info = cnonces.get(cnonce); -+ synchronized (nonces) { -+ info = nonces.get(nonce); - } - if (info == null) { -- info = new NonceInfo(); -+ // Nonce is valid but not in cache. It must have dropped out -+ // of the cache - force a re-authentication -+ nonceStale = true; - } else { -- if (count <= info.getCount()) { -+ if (!info.nonceCountValid(count)) { - return false; - } - } -- info.setCount(count); -- info.setTimestamp(currentTime); -- synchronized (cnonces) { -- cnonces.put(cnonce, info); -- } - } - return true; - } -@@ -685,19 +722,31 @@ - } - - private static class NonceInfo { -- private volatile long count; - private volatile long timestamp; -- -- public void setCount(long l) { -- count = l; -+ private volatile boolean seen[]; -+ private volatile int offset; -+ private volatile int count = 0; -+ -+ public NonceInfo(long currentTime, int seenWindowSize) { -+ this.timestamp = currentTime; -+ seen = new boolean[seenWindowSize]; -+ offset = seenWindowSize / 2; - } - -- public long getCount() { -- return count; -- } -- -- public void setTimestamp(long l) { -- timestamp = l; -+ public synchronized boolean nonceCountValid(long nonceCount) { -+ if ((count - offset) >= nonceCount || -+ (nonceCount > count - offset + seen.length)) { -+ return false; -+ } -+ int checkIndex = (int) ((nonceCount + offset) % seen.length); -+ if (seen[checkIndex]) { -+ return false; -+ } else { -+ seen[checkIndex] = true; -+ seen[count % seen.length] = false; -+ count++; -+ return true; -+ } - } - - public long getTimestamp() { diff --git a/debian/patches/series b/debian/patches/series index e49f51c..d01b43c 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -7,5 +7,4 @@ 0007-add-OSGi-headers-to-servlet-api.patch 0008-add-OSGI-headers-to-jsp-api.patch 0010-Use-java.security.policy-file-in-catalina.sh.patch -cve-2012-3439.patch 0017-eclipse-compiler-update.patch -- Alioth's hooks/post-receive on /srv/git.debian.org/git/pkg-java/tomcat6.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
