This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to branch wheezy in repository tomcat7.
commit b30bd83baed96195aec5f9facb9a470bce805da9 Author: Emmanuel Bourg <[email protected]> Date: Mon Jan 4 12:04:59 2016 +0100 Fixed CVE-2014-7810: Potential issue with BeanELresolver when running under a security manager --- debian/changelog | 8 +++ debian/patches/CVE-2014-7810.patch | 110 +++++++++++++++++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 119 insertions(+) diff --git a/debian/changelog b/debian/changelog index 1c997cf..b7aa54e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +tomcat7 (7.0.28-4+deb7u3) wheezy-security; urgency=high + + * Fixed CVE-2014-7810: Malicious web applications could use expression + language to bypass the protections of a Security Manager as expressions + were evaluated within a privileged code section. + + -- Emmanuel Bourg <[email protected]> Mon, 04 Jan 2016 12:03:34 +0100 + tomcat7 (7.0.28-4+deb7u2) stable; urgency=medium * Team upload. diff --git a/debian/patches/CVE-2014-7810.patch b/debian/patches/CVE-2014-7810.patch new file mode 100644 index 0000000..c28f8ba --- /dev/null +++ b/debian/patches/CVE-2014-7810.patch @@ -0,0 +1,110 @@ +Description: CVE-2014-7810: Fix potential issue with BeanELresolver when running under a security manager. + Some classes may not be accessible but may have accessible interfaces. +Origin: backport, http://svn.apache.org/r1644019 + http://svn.apache.org/r1645644 + +diff --git a/java/javax/el/BeanELResolver.java b/java/javax/el/BeanELResolver.java +index 223e29c..f70c6a6 100644 +--- a/java/javax/el/BeanELResolver.java ++++ b/java/javax/el/BeanELResolver.java +@@ -222,15 +222,39 @@ + try { + BeanInfo info = Introspector.getBeanInfo(this.type); + PropertyDescriptor[] pds = info.getPropertyDescriptors(); +- for (int i = 0; i < pds.length; i++) { +- this.properties.put(pds[i].getName(), new BeanProperty( +- type, pds[i])); ++ for (PropertyDescriptor pd: pds) { ++ this.properties.put(pd.getName(), new BeanProperty(type, pd)); ++ } ++ if (System.getSecurityManager() != null) { ++ // When running with SecurityManager, some classes may be ++ // not accessible, but have accessible interfaces. ++ populateFromInterfaces(type); + } + } catch (IntrospectionException ie) { + throw new ELException(ie); + } + } + ++ private void populateFromInterfaces(Class<?> aClass) throws IntrospectionException { ++ Class<?> interfaces[] = aClass.getInterfaces(); ++ if (interfaces.length > 0) { ++ for (Class<?> ifs : interfaces) { ++ BeanInfo info = Introspector.getBeanInfo(ifs); ++ PropertyDescriptor[] pds = info.getPropertyDescriptors(); ++ for (PropertyDescriptor pd : pds) { ++ if (!this.properties.containsKey(pd.getName())) { ++ this.properties.put(pd.getName(), new BeanProperty( ++ this.type, pd)); ++ } ++ } ++ } ++ } ++ Class<?> superclass = aClass.getSuperclass(); ++ if (superclass != null) { ++ populateFromInterfaces(superclass); ++ } ++ } ++ + private BeanProperty get(ELContext ctx, String name) { + BeanProperty property = this.properties.get(name); + if (property == null) { +diff --git a/java/org/apache/jasper/runtime/PageContextImpl.java b/java/org/apache/jasper/runtime/PageContextImpl.java +index d722cb6..fe69200 100644 +--- a/java/org/apache/jasper/runtime/PageContextImpl.java ++++ b/java/org/apache/jasper/runtime/PageContextImpl.java +@@ -955,35 +955,13 @@ + final Class<?> expectedType, final PageContext pageContext, + final ProtectedFunctionMapper functionMap, final boolean escape) + throws ELException { +- Object retValue; + final ExpressionFactory exprFactory = jspf.getJspApplicationContext(pageContext.getServletContext()).getExpressionFactory(); +- if (SecurityUtil.isPackageProtectionEnabled()) { +- try { +- retValue = AccessController +- .doPrivileged(new PrivilegedExceptionAction<Object>() { + +- @Override +- public Object run() throws Exception { +- ELContextImpl ctx = (ELContextImpl) pageContext.getELContext(); +- ctx.setFunctionMapper(new FunctionMapperImpl(functionMap)); +- ValueExpression ve = exprFactory.createValueExpression(ctx, expression, expectedType); +- return ve.getValue(ctx); +- } +- }); +- } catch (PrivilegedActionException ex) { +- Exception realEx = ex.getException(); +- if (realEx instanceof ELException) { +- throw (ELException) realEx; +- } else { +- throw new ELException(realEx); +- } +- } +- } else { +- ELContextImpl ctx = (ELContextImpl) pageContext.getELContext(); +- ctx.setFunctionMapper(new FunctionMapperImpl(functionMap)); +- ValueExpression ve = exprFactory.createValueExpression(ctx, expression, expectedType); +- retValue = ve.getValue(ctx); +- } ++ ELContextImpl ctx = (ELContextImpl) pageContext.getELContext(); ++ ctx.setFunctionMapper(new FunctionMapperImpl(functionMap)); ++ ValueExpression ve = exprFactory.createValueExpression(ctx, expression, expectedType); ++ Object retValue = ve.getValue(ctx); ++ + if (escape && retValue != null) { + retValue = XmlEscape(retValue.toString()); + } +diff --git a/java/org/apache/jasper/security/SecurityClassLoad.java b/java/org/apache/jasper/security/SecurityClassLoad.java +index 5f5e56f..a066dfb 100644 +--- a/java/org/apache/jasper/security/SecurityClassLoad.java ++++ b/java/org/apache/jasper/security/SecurityClassLoad.java +@@ -93,8 +93,6 @@ + "runtime.PageContextImpl$11"); + loader.loadClass( basePackage + + "runtime.PageContextImpl$12"); +- loader.loadClass( basePackage + +- "runtime.PageContextImpl$13"); + + loader.loadClass( basePackage + + "runtime.JspContextWrapper"); diff --git a/debian/patches/series b/debian/patches/series index d647c9b..015b631 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -21,3 +21,4 @@ cve-2012-3439-tests.patch 0023-CVE-2013-4286.patch 0024-CVE-2013-4322.patch 0025-use-tls-in-ssl-unit-tests.patch +CVE-2014-7810.patch -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
