This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to branch wheezy in repository tomcat7.
commit be95450c254d159d1cce31c03c8d8e41a91516f0 Author: Emmanuel Bourg <[email protected]> Date: Fri Jan 8 10:14:32 2016 +0100 Fixed CVE-2014-0075: DoS caused by malformed chunk size --- debian/changelog | 4 ++++ debian/patches/CVE-2014-0075.patch | 38 ++++++++++++++++++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 43 insertions(+) diff --git a/debian/changelog b/debian/changelog index d3549c1..769891d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -9,6 +9,10 @@ tomcat7 (7.0.28-4+deb7u3) wheezy-security; urgency=high length header. * Fixed CVE-2013-4444: Remove serialization support from FileItem to prevent a remote code execution vulnerablity in very limited circumstances. + * Fixed CVE-2014-0075: Malformed chunk size as part of a chuncked request + could enable the streaming of an unlimited amount of data to the server, + bypassing the various size limits enforced on a request. This enabled + a denial of service attack. -- Emmanuel Bourg <[email protected]> Mon, 04 Jan 2016 12:03:34 +0100 diff --git a/debian/patches/CVE-2014-0075.patch b/debian/patches/CVE-2014-0075.patch new file mode 100644 index 0000000..6e08c60 --- /dev/null +++ b/debian/patches/CVE-2014-0075.patch 
@@ -0,0 +1,38 @@
+Description: CVE-2014-0075: Improve processing of chuck size from chunked headers.
+ Avoid overflow and use a bit shift instead of a multiplication as it is marginally faster.
+Origin: backport, https://svn.apache.org/r1578341
+--- a/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
++++ b/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
+@@ -315,7 +315,7 @@
+
+ int result = 0;
+ boolean eol = false;
+- boolean readDigit = false;
++ int readDigit = 0;
+ boolean extension = false;
+
+ while (!eol) {
+@@ -336,10 +336,10 @@
+ extensionSize++;
+ } else if (!extension) {
+ //don't read data after the trailer
+- if (HexUtils.getDec(buf[pos]) != -1) {
+- readDigit = true;
+- result *= 16;
+- result += HexUtils.getDec(buf[pos]);
++ int charValue = HexUtils.getDec(buf[pos]);
++ if (charValue != -1 && readDigit < 8) {
++ readDigit++;
++ result = (result << 4) | charValue;
+ } else {
+ //we shouldn't allow invalid, non hex characters
+ //in the chunked header
+@@ -362,7 +362,7 @@
+
+ }
+
+- if (!readDigit)
++ if (readDigit == 0 || result < 0)
+ return false;
+
+ if (result == 0)
diff --git a/debian/patches/series b/debian/patches/series
index d0b872d..b0add1f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -24,3 +24,4 @@ cve-2012-3439-tests.patch
 CVE-2014-7810.patch
 CVE-2014-0099.patch
 CVE-2013-4444.patch
+CVE-2014-0075.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
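Review bot: The new `readDigit < 8` bound in the second ChunkedInputFilter hunk falls through to the existing `else` branch, whose comment still reads "we shouldn't allow invalid, non hex characters", so nothing on the new side says that a ninth hex digit is now treated as a malformed header or why the limit is 8. I would add a comment above the `if`, e.g. `// a chunk size is at most 8 hex digits (32 bits); a value with the top bit set is rejected by the result < 0 check below`, and extend the `else` comment with `//or a chunk size longer than 8 hex digits`. Leading zeros count toward the limit as well, so a zero-padded size of nine or more digits is refused; that fails closed, but it is worth stating in the same comment. The method body starts and ends outside these hunks, so what the `else` branch does after its comments is inferred from them rather than visible here. A regression test at the boundaries (eight digits, nine digits, an eight-digit value with the high bit set) would pin the fix, in the way the series already carries `cve-2012-3439-tests.patch` for another CVE.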

