This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to branch wheezy in repository tomcat7.
commit c63dfaed281a15defcccb3823e9866a60466a894 Author: Emmanuel Bourg <[email protected]> Date: Mon Feb 17 17:32:15 2014 +0100 Fix CVE-2012-3544: Denial of service --- debian/changelog | 8 +- debian/patches/0021-CVE-2012-3544.patch | 156 ++++++++++++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 163 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index a497314..73f4914 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,10 +7,14 @@ tomcat7 (7.0.28-4+deb7u1) wheezy-security; urgency=high
 requiring authentication with the current session. By repeatedly sending a request for an authenticated resource while the victim is completing the login form, an attacker could inject a request that would be executed
- using the victim's credentials.
- * Fix for CVE-2013-2071: A runtime exception in AsyncListener.onComplete()
+ using the victim's credentials. (Closes: #707704)
+ * Fix CVE-2013-2071: A runtime exception in AsyncListener.onComplete()
 prevents the request from being recycled. This may expose elements of a previous request to a current request.
+ * Fix CVE-2012-3544: When processing a request submitted using the chunked
+ transfer encoding, Tomcat ignored but did not limit any extensions that
+ were included. This allows a client to perform a limited denial of service
+ by streaming an unlimited amount of data to the server.
 -- Emmanuel Bourg <[email protected]> Sun, 09 Feb 2014 01:09:12 +0100
diff --git a/debian/patches/0021-CVE-2012-3544.patch b/debian/patches/0021-CVE-2012-3544.patch
new file mode 100644
index 0000000..96eaa17
--- /dev/null
+++ b/debian/patches/0021-CVE-2012-3544.patch
@@ -0,0 +1,156 @@
+Description: Fix for CVE-2012-3544: When processing a request submitted using
+ the chunked transfer encoding, Tomcat ignored but did not limit any extensions
+ that were included. This allows a client to perform a limited DOS by streaming
+ an unlimited amount of data to the server.
+Origin: backport from Tomcat 7.0.30, http://svn.apache.org/r1378702 and http://svn.apache.org/r1378921
+--- a/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
++++ b/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
+@@ -144,7 +144,7 @@
+
+ if(needCRLFParse) {
+ needCRLFParse = false;
+- parseCRLF();
++ parseCRLF(false);
+ }
+
+ if (remaining <= 0) {
+@@ -179,7 +179,7 @@
+ //so we defer it to the next call BZ 11117
+ needCRLFParse = true;
+ } else {
+- parseCRLF(); //parse the CRLF immediately
++ parseCRLF(false); //parse the CRLF immediately
+ }
+ }
+
+@@ -303,9 +303,8 @@
+ return false;
+ }
+
+- if (buf[pos] == Constants.CR) {
+- // FIXME: Improve parsing to check for CRLF
+- } else if (buf[pos] == Constants.LF) {
++ if (buf[pos] == Constants.CR || buf[pos] == Constants.LF) {
++ parseCRLF(false);
+ eol = true;
+ } else if (buf[pos] == Constants.SEMI_COLON) {
+ trailer = true;
+@@ -322,7 +321,10 @@
+ }
+ }
+
+- pos++;
++ // Parsing the CRLF increments pos
++ if (!eol) {
++ pos++;
++ }
+
+ }
+
+@@ -343,9 +345,22 @@
+
+ /**
+ * Parse CRLF at end of chunk.
++ * @deprecated Use {@link #parseCRLF(boolean)}
+ */
+- protected boolean parseCRLF()
+- throws IOException {
++ @Deprecated
++ protected boolean parseCRLF() throws IOException {
++ parseCRLF(false);
++ return true;
++ }
++
++ /**
++ * Parse CRLF at end of chunk.
++ *
++ * @param tolerant Should tolerant parsing (LF and CRLF) be used? This
++ * is recommended (RFC2616, section 19.3) for message
++ * headers.
++ */
++ protected void parseCRLF(boolean tolerant) throws IOException {
+
+ boolean eol = false;
+ boolean crfound = false;
+@@ -361,7 +376,9 @@
+ if (crfound) throw new IOException("Invalid CRLF, two CR characters encountered.");
+ crfound = true;
+ } else if (buf[pos] == Constants.LF) {
+- if (!crfound) throw new IOException("Invalid CRLF, no CR character encountered.");
++ if (!tolerant && !crfound) {
++ throw new IOException("Invalid CRLF, no CR character encountered.");
++ }
+ eol = true;
+ } else {
+ throw new IOException("Invalid CRLF");
+@@ -370,9 +387,6 @@
+ pos++;
+
+ }
+-
+- return true;
+-
+ }
+
+
+@@ -393,26 +407,19 @@
+ MimeHeaders headers = request.getMimeHeaders();
+
+ byte chr = 0;
+- while (true) {
+- // Read new bytes if needed
+- if (pos >= lastValid) {
+- if (readBytes() <0)
+- throw new EOFException("Unexpected end of stream whilst reading trailer headers for chunked request");
+- }
+
+- chr = buf[pos];
+-
+- if ((chr == Constants.CR) || (chr == Constants.LF)) {
+- if (chr == Constants.LF) {
+- pos++;
+- return false;
+- }
+- } else {
+- break;
+- }
++ // Read new bytes if needed
++ if (pos >= lastValid) {
++ if (readBytes() <0)
++ throw new EOFException("Unexpected end of stream whilst reading trailer headers for chunked request");
++ }
+
+- pos++;
++ chr = buf[pos];
+
++ // CRLF terminates the request
++ if (chr == Constants.CR || chr == Constants.LF) {
++ parseCRLF(false);
++ return false;
+ }
+
+ // Mark the current buffer position
+@@ -492,9 +499,8 @@
+ }
+
+ chr = buf[pos];
+- if (chr == Constants.CR) {
+- // Skip
+- } else if (chr == Constants.LF) {
++ if (chr == Constants.CR || chr == Constants.LF) {
++ parseCRLF(true);
+ eol = true;
+ } else if (chr == Constants.SP) {
+ trailingHeaders.append(chr);
+@@ -503,8 +509,9 @@
+ lastSignificantChar = trailingHeaders.getEnd();
+ }
+
+- pos++;
+-
++ if (!eol) {
++ pos++;
++ }
+ }
+
+ // Checking the first character of the new line. If the character
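Review bot: None of the hunks in this backport bound the number of bytes consumed while a chunk extension or a trailing header is being read, which is the defect the Description line itself names: in the @@ -303 hunk the `trailer = true;` branch still lets the chunk-header loop consume extension bytes until the line ends, and in the @@ -492 and @@ -503 hunks `trailingHeaders.append(chr)` keeps accumulating with no cap, so a client can still stream an unbounded extension or trailer. The `parseCRLF(boolean)` rework only tightens CR/LF handling and does not change how much data is accepted; to my recollection the upstream 7.0.30 fix cited in the Origin line also limits the size of chunk extensions and trailing headers, and I would expect the same here, e.g. a per-chunk counter in the extension branch such as `if (++extensionSize > MAX_EXTENSION_SIZE) { throw new IOException("maxExtensionSize exceeded"); }` (constructed names; the field and constant must be added outside these hunks) plus an equivalent length check on `trailingHeaders` in the header loop. The enclosing chunk-header, CRLF and trailer-header parsing methods all start and end outside the quoted hunks, so please confirm against the full backported ChunkedInputFilter.java before this is treated as closing the CVE.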
diff --git a/debian/patches/series b/debian/patches/series
index e4650e5..d62c03a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -16,3 +16,4 @@ cve-2012-3439-tests.patch
 0018-CVE-2014-0050.patch
 0019-CVE-2013-2067.patch
 0020-CVE-2013-2071.patch
+0021-CVE-2012-3544.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits

