This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to branch jessie in repository tomcat7.
commit 1f7d198d5d8ea64a565f55011d80416902b6505f
Author: Emmanuel Bourg <[email protected]>
Date: Sun Oct 30 15:24:45 2016 +0100

Fixed CVE-2016-6794: System Property Disclosure
---
 debian/changelog | 5 ++
 debian/patches/CVE-2016-6794.patch | 137 +++++++++++++++++++++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 143 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index e9d2746..bebc993 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,10 @@
 tomcat7 (7.0.56-3+deb8u5) jessie-security; urgency=high
+ * Fixed CVE-2016-6794: When a SecurityManager is configured, a web
+ application's ability to read system properties should be controlled by
+ the SecurityManager. Tomcat's system property replacement feature for
+ configuration files could be used by a malicious web application to bypass
+ the SecurityManager and read system properties that should not be visible.
 * CVE-2016-1240 follow-up:
 - The previous init.d fix was vulnerable to a race condition that could be exploited to make any existing file writable by the tomcat user.
diff --git a/debian/patches/CVE-2016-6794.patch b/debian/patches/CVE-2016-6794.patch
new file mode 100644
index 0000000..b8326b1
--- /dev/null
+++ b/debian/patches/CVE-2016-6794.patch
@@ -0,0 +1,137 @@
+Description: Fixes CVE-2016-6794: When a SecurityManager is configured, a web
+ application's ability to read system properties should be controlled by the
+ SecurityManager. Tomcat's system property replacement feature for configuration
+ files could be used by a malicious web application to bypass the SecurityManager
+ and read system properties that should not be visible.
+Origin: backport, https://svn.apache.org/r1754728
+--- a/java/org/apache/catalina/loader/WebappClassLoader.java
++++ b/java/org/apache/catalina/loader/WebappClassLoader.java
+@@ -79,6 +79,7 @@
+ import org.apache.tomcat.util.ExceptionUtils;
+ import org.apache.tomcat.util.IntrospectionUtils;
+ import org.apache.tomcat.util.res.StringManager;
++import org.apache.tomcat.util.security.PermissionCheck;
+
+ /**
+ * Specialized web application class loader.
+@@ -123,7 +124,7 @@
+ */
+ public class WebappClassLoader
+ extends URLClassLoader
+- implements Lifecycle
++ implements Lifecycle, PermissionCheck
+ {
+
+ private static final org.apache.juli.logging.Log log=
+@@ -1753,6 +1754,27 @@
+ }
+
+
++ @Override
++ public boolean check(Permission permission) {
++ if (!Globals.IS_SECURITY_ENABLED) {
++ return true;
++ }
++ Policy currentPolicy = Policy.getPolicy();
++ if (currentPolicy != null) {
++ ResourceEntry entry = findResourceInternal("/", "/");
++ if (entry != null) {
++ CodeSource cs = new CodeSource(
++ entry.codeBase, (java.security.cert.Certificate[]) null);
++ PermissionCollection pc = currentPolicy.getPermissions(cs);
++ if (pc.implies(permission)) {
++ return true;
++ }
++ }
++ }
++ return false;
++ }
++
++
+ /**
+ * Returns the search path of URLs for loading classes and resources.
+ * This includes the original list of URLs specified to the constructor,
+--- a/java/org/apache/tomcat/util/digester/Digester.java
++++ b/java/org/apache/tomcat/util/digester/Digester.java
+@@ -26,11 +26,13 @@
+ import java.lang.reflect.InvocationTargetException;
+ import java.net.URI;
+ import java.net.URISyntaxException;
++import java.security.Permission;
+ import java.util.EmptyStackException;
+ import java.util.HashMap;
+ import java.util.Iterator;
+ import java.util.List;
+ import java.util.Map;
++import java.util.PropertyPermission;
+
+ import javax.xml.parsers.ParserConfigurationException;
+ import javax.xml.parsers.SAXParser;
+@@ -40,6 +42,7 @@
+ import org.apache.juli.logging.LogFactory;
+ import org.apache.tomcat.util.ExceptionUtils;
+ import org.apache.tomcat.util.IntrospectionUtils;
++import org.apache.tomcat.util.security.PermissionCheck;
+ import org.xml.sax.Attributes;
+ import org.xml.sax.EntityResolver;
+ import org.xml.sax.ErrorHandler;
+@@ -81,6 +84,13 @@
+ implements IntrospectionUtils.PropertySource {
+ @Override
+ public String getProperty( String key ) {
++ ClassLoader cl = Thread.currentThread().getContextClassLoader();
++ if (cl instanceof PermissionCheck) {
++ Permission p = new PropertyPermission(key, "read");
++ if (!((PermissionCheck) cl).check(p)) {
++ return null;
++ }
++ }
+ return System.getProperty(key);
+ }
+ }
+--- /dev/null
++++ b/java/org/apache/tomcat/util/security/PermissionCheck.java
+@@ -0,0 +1,43 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License.
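Review bot: `check()` is the security-critical piece of this backport, yet it carries no comment explaining why it asks `Policy.getPolicy()` about the webapp root's code base instead of calling `AccessController.checkPermission`; that rationale (no webapp frame is on the stack during container-side parsing) lives only in the new PermissionCheck interface Javadoc. I would add a short Javadoc to the method: `Answers whether the web application served by this loader holds {@code permission}, by asking the active Policy about the grants for the webapp's root code base; returns {@code false} (fail closed) whenever a SecurityManager is enabled but no Policy or no root resource entry is available.` Note that only the installed Policy's grants are consulted, so if this loader augments those grants elsewhere (for example in an overridden `getPermissions(CodeSource)`, not visible in the hunk) permissions granted that way are ignored here — worth confirming that matches how PropertyPermissions are expected to be granted to webapps. `Policy.getPermissions` is not documented as returning null, but a custom Policy could, so `if (pc != null && pc.implies(permission))` is cheap hardening. The enclosing class starts and ends outside the hunk.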
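Review bot: The new deny branch returns `null` silently, so an operator whose `${...}` placeholder in a webapp-supplied context.xml or web.xml stops expanding after this fix gets no indication that the read was refused by policy rather than the property being unset; a debug-level log naming the key next to `return null;` would make that diagnosable (this static nested class would presumably need its own `LogFactory.getLog(...)`, since Digester's instance logger does not appear reachable from here — confirm). The gate also deserves a one-line comment because it is deliberately fail-open: `// Only restrict when parsing on behalf of a web application (the TCCL is the webapp loader); container-level parsing keeps its previous unrestricted access.` The enclosing SystemPropertySource class starts outside the hunk.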
You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.tomcat.util.security;
++
++import java.security.Permission;
++
++/**
++ * This interface is implemented by components to enable privileged code to
++ * check whether the component has a given permission.
++ * This is typically used when a privileged component (e.g. the container) is
++ * performing an action on behalf of an untrusted component (e.g. a web
++ * application) without the current thread having passed through a code source
++ * provided by the untrusted component. Because the current thread has not
++ * passed through a code source provided by the untrusted component the
++ * SecurityManager assumes the code is trusted so the standard checking
++ * mechanisms can't be used.
++ */
++public interface PermissionCheck {
++
++ /**
++ * Does this component have the given permission?
++ *
++ * @param permission The permission to test
++ *
++ * @return {@code false} if a SecurityManager is enabled and the component
++ * does not have the given permission, otherwise {@code false}
++ */
++ boolean check(Permission permission);
++}
diff --git a/debian/patches/series b/debian/patches/series
index da20b83..5e47fd9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
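Review bot: The `@return` Javadoc of `check` is self-contradictory — it says `{@code false}` for both outcomes, whereas the `WebappClassLoader.check` implementation in this same patch returns `true` when no SecurityManager is enabled or when the policy implies the permission. It should read `* @return {@code false} if a SecurityManager is enabled and the component` / `* does not have the given permission, otherwise {@code true}`. Since the one implementation shipped here fails closed when it cannot determine the component's grants, it would also help future implementors to state that expectation in the interface Javadoc rather than leaving it implicit.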
@@ -27,3 +27,4 @@ CVE-2016-0706.patch
 CVE-2016-0714.patch
 CVE-2016-0763.patch
 CVE-2016-3092.patch
+CVE-2016-6794.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits

