[tomcat7] 01/01: Fixed CVE-2014-7810: Potential issue with BeanELresolver when running under a security manager

[Emmanuel Bourg]

This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch jessie
in repository tomcat7.

commit b887d2f006e7ead1e23fad7ad1573faa03b8dcb9
Author: Emmanuel Bourg <ebo...@apache.org>
Date:   Fri Dec 18 16:44:02 2015 +0100

    Fixed CVE-2014-7810: Potential issue with BeanELresolver when running under 
a security manager
---
 debian/changelog                   |   8 +++
 debian/patches/CVE-2014-7810.patch | 111 +++++++++++++++++++++++++++++++++++++
 debian/patches/series              |   1 +
 3 files changed, 120 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 6062e4d..de80e87 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+tomcat7 (7.0.56-3+deb8u1) jessie-security; urgency=medium
+
+  * Fixed CVE-2014-7810: Malicious web applications could use expression
+    language to bypass the protections of a Security Manager as expressions
+    were evaluated within a privileged code section.
+
+ -- Emmanuel Bourg <ebo...@apache.org>  Fri, 18 Dec 2015 12:42:53 +0100
+
 tomcat7 (7.0.56-3) unstable; urgency=medium
 
   * Provide a fix for #780519 more clear/maintainable and with an approach
diff --git a/debian/patches/CVE-2014-7810.patch 
b/debian/patches/CVE-2014-7810.patch
new file mode 100644
index 0000000..057df70
--- /dev/null
+++ b/debian/patches/CVE-2014-7810.patch
@@ -0,0 +1,111 @@
+Description: CVE-2014-7810: Fix potential issue with BeanELresolver when 
running under a security manager.
+ Some classes may not be accessible but may have accessible interfaces.
+Origin: backport, http://svn.apache.org/r1644019
+                  http://svn.apache.org/r1645644
+
+diff --git a/java/javax/el/BeanELResolver.java 
b/java/javax/el/BeanELResolver.java
+index 223e29c..f70c6a6 100644
+--- a/java/javax/el/BeanELResolver.java
++++ b/java/javax/el/BeanELResolver.java
+@@ -251,15 +251,39 @@ public class BeanELResolver extends ELResolver {
+             try {
+                 BeanInfo info = Introspector.getBeanInfo(this.type);
+                 PropertyDescriptor[] pds = info.getPropertyDescriptors();
+-                for (int i = 0; i < pds.length; i++) {
+-                    this.properties.put(pds[i].getName(), new BeanProperty(
+-                            type, pds[i]));
++                for (PropertyDescriptor pd: pds) {
++                    this.properties.put(pd.getName(), new BeanProperty(type, 
pd));
++                }
++                if (System.getSecurityManager() != null) {
++                    // When running with SecurityManager, some classes may be
++                    // not accessible, but have accessible interfaces.
++                    populateFromInterfaces(type);
+                 }
+             } catch (IntrospectionException ie) {
+                 throw new ELException(ie);
+             }
+         }
+ 
++        private void populateFromInterfaces(Class<?> aClass) throws 
IntrospectionException {
++            Class<?> interfaces[] = aClass.getInterfaces();
++            if (interfaces.length > 0) {
++                for (Class<?> ifs : interfaces) {
++                    BeanInfo info = Introspector.getBeanInfo(ifs);
++                    PropertyDescriptor[] pds = info.getPropertyDescriptors();
++                    for (PropertyDescriptor pd : pds) {
++                        if (!this.properties.containsKey(pd.getName())) {
++                            this.properties.put(pd.getName(), new 
BeanProperty(
++                                    this.type, pd));
++                        }
++                    }
++                }
++            }
++            Class<?> superclass = aClass.getSuperclass();
++            if (superclass != null) {
++                populateFromInterfaces(superclass);
++            }
++        }
++
+         private BeanProperty get(ELContext ctx, String name) {
+             BeanProperty property = this.properties.get(name);
+             if (property == null) {
+diff --git a/java/org/apache/jasper/runtime/PageContextImpl.java 
b/java/org/apache/jasper/runtime/PageContextImpl.java
+index d722cb6..fe69200 100644
+--- a/java/org/apache/jasper/runtime/PageContextImpl.java
++++ b/java/org/apache/jasper/runtime/PageContextImpl.java
+@@ -937,37 +937,11 @@ public class PageContextImpl extends PageContext {
+             final Class<?> expectedType, final PageContext pageContext,
+             final ProtectedFunctionMapper functionMap, final boolean escape)
+             throws ELException {
+-        Object retValue;
+         final ExpressionFactory exprFactory = 
jspf.getJspApplicationContext(pageContext.getServletContext()).getExpressionFactory();
+-        if (SecurityUtil.isPackageProtectionEnabled()) {
+-            try {
+-                retValue = AccessController
+-                        .doPrivileged(new PrivilegedExceptionAction<Object>() 
{
+-
+-                            @Override
+-                            public Object run() throws Exception {
+-                                ELContextImpl ctx = (ELContextImpl) 
pageContext.getELContext();
+-                                ctx.setFunctionMapper(new 
FunctionMapperImpl(functionMap));
+-                                ValueExpression ve = 
exprFactory.createValueExpression(ctx, expression, expectedType);
+-                                return ve.getValue(ctx);
+-                            }
+-                        });
+-            } catch (PrivilegedActionException ex) {
+-                Exception realEx = ex.getException();
+-                if (realEx instanceof ELException) {
+-                    throw (ELException) realEx;
+-                } else {
+-                    throw new ELException(realEx);
+-                }
+-            }
+-        } else {
+-            ELContextImpl ctx = (ELContextImpl) pageContext.getELContext();
+-            ctx.setFunctionMapper(new FunctionMapperImpl(functionMap));
+-            ValueExpression ve = exprFactory.createValueExpression(ctx, 
expression, expectedType);
+-            retValue = ve.getValue(ctx);
+-        }
+-
+-        return retValue;
++        ELContextImpl ctx = (ELContextImpl) pageContext.getELContext();
++        ctx.setFunctionMapper(new FunctionMapperImpl(functionMap));
++        ValueExpression ve = exprFactory.createValueExpression(ctx, 
expression, expectedType);
++        return ve.getValue(ctx);
+     }
+ 
+     @Override
+diff --git a/java/org/apache/jasper/security/SecurityClassLoad.java 
b/java/org/apache/jasper/security/SecurityClassLoad.java
+index 5f5e56f..a066dfb 100644
+--- a/java/org/apache/jasper/security/SecurityClassLoad.java
++++ b/java/org/apache/jasper/security/SecurityClassLoad.java
+@@ -93,8 +93,6 @@ public final class SecurityClassLoad {
+                 "runtime.PageContextImpl$11");      
+             loader.loadClass( basePackage +
+                 "runtime.PageContextImpl$12");      
+-            loader.loadClass( basePackage +
+-                "runtime.PageContextImpl$13");      
+ 
+             loader.loadClass( basePackage +
+                 "runtime.JspContextWrapper");   
diff --git a/debian/patches/series b/debian/patches/series
index d7d2389..ba761f4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -18,3 +18,4 @@
 0022-use-tls-in-ssl-unit-tests.patch
 0023-update-test-certificates.patch
 0024-disable-unit-tests-depending-on-network-access.path
+CVE-2014-7810.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-java/tomcat7.git

_______________________________________________
pkg-java-commits mailing list
pkg-java-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits