This is an automated email from the git hooks/post-receive script. apo pushed a commit to branch wheezy in repository tomcat7.
commit 9251ce104b33278a83d911a611d2d709f2adac35
Author: Markus Koschany <[email protected]>
Date: Sun Jun 26 19:23:57 2016 +0200
Imported Debian patch 7.0.28-4+deb7u5
---
 debian/changelog | 13 ++++++++++
 debian/patches/CVE-2016-3092.patch | 50 ++++++++++++++++++++++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 64 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 54448a6..8368244 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+tomcat7 (7.0.28-4+deb7u5) wheezy-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2016-3092.
+ A denial of service vulnerability was identified in Commons FileUpload that
+ occurred when the length of the multipart boundary was just below the size
+ of the buffer (4096 bytes) used to read the uploaded file. This caused the
+ file upload process to take several orders of magnitude longer than if the
+ boundary was the typical tens of bytes long. Tomcat's internal fork of
+ Commons File Upload is also affected.
+
+ -- Markus Koschany <[email protected]> Sun, 26 Jun 2016 19:23:57 +0200
+
 tomcat7 (7.0.28-4+deb7u4) wheezy-security; urgency=high
 * Team upload.
diff --git a/debian/patches/CVE-2016-3092.patch b/debian/patches/CVE-2016-3092.patch
new file mode 100644
index 0000000..981901b
--- /dev/null
+++ b/debian/patches/CVE-2016-3092.patch
@@ -0,0 +1,50 @@
+From: Markus Koschany <[email protected]>
+Date: Sun, 26 Jun 2016 19:14:54 +0200
+Subject: CVE-2016-3092
+
+A denial of service vulnerability was identified in Commons FileUpload that
+occurred when the length of the multipart boundary was just below the size of
+the buffer (4096 bytes) used to read the uploaded file. This caused the file
+upload process to take several orders of magnitude longer than if the boundary
+was the typical tens of bytes long.
+
+Upstream advisory:
+http://markmail.org/message/oyxfv73jb2g7rjg3
+
+Origin: https://svn.apache.org/r1743480
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1743742
+---
+ .../apache/tomcat/util/http/fileupload/MultipartStream.java | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java b/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
+index ed5c456..a22db76 100644
+--- a/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
++++ b/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
+@@ -293,11 +293,10 @@ public class MultipartStream {
+ byte[] boundary,
+ int bufSize,
+ ProgressNotifier pNotifier) {
+- this.input = input;
+- this.bufSize = bufSize;
+- this.buffer = new byte[bufSize];
+- this.notifier = pNotifier;
+
++ if (boundary == null) {
++ throw new IllegalArgumentException("boundary may not be null");
++ }
+ // We prepend CR/LF to the boundary to chop trailing CR/LF from
+ // body-data tokens.
+ this.boundaryLength = boundary.length + BOUNDARY_PREFIX.length;
+@@ -305,6 +304,11 @@ public class MultipartStream {
+ throw new IllegalArgumentException(
+ "The buffer size specified for the MultipartStream is too small");
+ }
++ this.input = input;
++ this.bufSize = Math.max(bufSize, boundaryLength*2);
++ this.buffer = new byte[this.bufSize];
++ this.notifier = pNotifier;
++
+ this.boundary = new byte[this.boundaryLength];
+ this.keepRegion = this.boundary.length;
+ System.arraycopy(BOUNDARY_PREFIX, 0, this.boundary, 0,
diff --git a/debian/patches/series b/debian/patches/series
index 7b17f27..e12269f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -36,3 +36,4 @@ CVE-2015-5351.patch
 CVE-2016-0706.patch
 CVE-2016-0714.patch
 CVE-2016-0763.patch
+CVE-2016-3092.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
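Review bot: `this.bufSize = Math.max(bufSize, boundaryLength*2);` now lets a request-supplied value (the multipart boundary) grow the buffer allocated on the next line, and nothing in this hunk bounds that length; the reason this is not itself a memory-exhaustion vector is presumably that the boundary is parsed out of a request header and is therefore capped by Tomcat's header size limit, and that assumption deserves to be written down where the allocation is made. I would put above that line: `// At least twice the boundary length so each buffer refill makes real progress (CVE-2016-3092); the boundary comes from a request header, so the header size limit bounds this allocation.` The "too small" check on the preceding context lines still compares the caller's `bufSize` rather than the adjusted value, which is safe because `boundaryLength*2 >= boundaryLength + 2` once the CR/LF prefix makes `boundaryLength` at least 2, but a short comment that the check is deliberately on the unadjusted value would pre-empt the question. The constructor edited here begins before the hunk and its body continues past the hunk's last line.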

