This is an automated email from the git hooks/post-receive script. apo pushed a commit to branch wheezy in repository tomcat6.
commit be6c35620b29bae4d3009808303bbe8f3b76a2b1 Author: Markus Koschany <[email protected]> Date: Mon Nov 7 13:58:12 2016 +0100 Prepare new security release for Wheezy --- debian/changelog | 32 ++++++ debian/patches/CVE-2016-0762.patch | 85 +++++++++++++++ debian/patches/CVE-2016-5018.patch | 88 ++++++++++++++++ debian/patches/CVE-2016-6794.patch | 141 +++++++++++++++++++++++++ debian/patches/CVE-2016-6796.patch | 78 ++++++++++++++ debian/patches/CVE-2016-6797.patch | 211 +++++++++++++++++++++++++++++++++++++ debian/patches/series | 5 + 7 files changed, 640 insertions(+) diff --git a/debian/changelog b/debian/changelog index 28b5fbc..85928c9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,35 @@ +tomcat6 (6.0.45+dfsg-1~deb7u3) wheezy-security; urgency=high + + * Fixed CVE-2016-0762: The Realm implementations did not process the supplied + password if the supplied user name did not exist. This made a timing attack + possible to determine valid user names. + * Fixed CVE-2016-5018: A malicious web application was able to bypass + a configured SecurityManager via a Tomcat utility method that was + accessible to web applications. + * Fixed CVE-2016-6794: When a SecurityManager is configured, a web + application's ability to read system properties should be controlled by + the SecurityManager. Tomcat's system property replacement feature for + configuration files could be used by a malicious web application to bypass + the SecurityManager and read system properties that should not be visible. + * Fixed CVE-2016-6796: A malicious web application was able to bypass + a configured SecurityManager via manipulation of the configuration + parameters for the JSP Servlet. + * Fixed CVE-2016-6797: The ResourceLinkFactory did not limit web application + access to global JNDI resources to those resources explicitly linked to the + web application. Therefore, it was possible for a web application to access + any global JNDI resource whether an explicit ResourceLink had been + configured or not. + * CVE-2016-1240 follow-up: + - The previous init.d fix was vulnerable to a race condition that could + be exploited to make any existing file writable by the tomcat user. + Thanks to Paul Szabo for the report and the fix. + - The catalina.policy file generated on startup was affected by a similar + vulnerability that could be exploited to overwrite any file on the system. + Thanks to Paul Szabo for the report. + * Hardened the init.d script, thanks to Paul Szabo + + -- Markus Koschany <[email protected]> Mon, 07 Nov 2016 13:46:30 +0100 + tomcat6 (6.0.45+dfsg-1~deb7u2) wheezy-security; urgency=high * Team upload. diff --git a/debian/patches/CVE-2016-0762.patch b/debian/patches/CVE-2016-0762.patch new file mode 100644 index 0000000..1bd0052 --- /dev/null +++ b/debian/patches/CVE-2016-0762.patch @@ -0,0 +1,85 @@ +From: Markus Koschany <[email protected]> +Date: Mon, 7 Nov 2016 13:38:38 +0100 +Subject: CVE-2016-0762 + +Origin: https://svn.apache.org/viewvc?view=revision&revision=1758506 +--- + java/org/apache/catalina/realm/MemoryRealm.java | 30 +++++++++++++++---------- + java/org/apache/catalina/realm/RealmBase.java | 14 +++++++----- + 2 files changed, 27 insertions(+), 17 deletions(-) + +diff --git a/java/org/apache/catalina/realm/MemoryRealm.java b/java/org/apache/catalina/realm/MemoryRealm.java +index 56bc970..8e6bf68 100644 +--- a/java/org/apache/catalina/realm/MemoryRealm.java ++++ b/java/org/apache/catalina/realm/MemoryRealm.java +@@ -142,23 +142,29 @@ public class MemoryRealm extends RealmBase { + * @param credentials Password or other credentials to use in + * authenticating this username + */ ++ @Override + public Principal authenticate(String username, String credentials) { + +- GenericPrincipal principal = +- (GenericPrincipal) principals.get(username); ++ // No user or no credentials ++ // Can't possibly authenticate, don't bother the database then ++ if (username == null || credentials == null) { ++ return null; ++ } ++ ++ GenericPrincipal principal = principals.get(username); + + boolean validated = false; +- if (principal != null && credentials != null) { +- if (hasMessageDigest()) { +- // Hex hashes should be compared case-insensitive +- validated = (digest(credentials) +- .equalsIgnoreCase(principal.getPassword())); +- } else { +- validated = +- (digest(credentials).equals(principal.getPassword())); +- } ++ String dbCredentials = null; ++ if (principal != null) { ++ dbCredentials = principal.getPassword(); + } +- ++ if (hasMessageDigest()) { ++ // Hex hashes should be compared case-insensitive ++ validated = (digest(credentials).equalsIgnoreCase(dbCredentials)); ++ } else { ++ validated = (digest(credentials).equals(dbCredentials)); ++ } ++ + if (validated) { + if (log.isDebugEnabled()) + log.debug(sm.getString("memoryRealm.authenticateSuccess", username)); +diff --git a/java/org/apache/catalina/realm/RealmBase.java b/java/org/apache/catalina/realm/RealmBase.java +index 4f7c27f..cd62bf4 100644 +--- a/java/org/apache/catalina/realm/RealmBase.java ++++ b/java/org/apache/catalina/realm/RealmBase.java +@@ -336,15 +336,19 @@ public abstract class RealmBase + */ + public Principal authenticate(String username, String credentials) { + ++ // No user or no credentials ++ // Can't possibly authenticate, don't bother the database then ++ if (username == null || credentials == null) { ++ return null; ++ } ++ + String serverCredentials = getPassword(username); + + boolean validated ; +- if ( serverCredentials == null ) { +- validated = false; +- } else if(hasMessageDigest()) { +- validated = serverCredentials.equalsIgnoreCase(digest(credentials)); ++ if(hasMessageDigest()) { ++ validated = digest(credentials).equalsIgnoreCase(serverCredentials); + } else { +- validated = serverCredentials.equals(credentials); ++ validated = credentials.equals(serverCredentials); + } + if(! validated ) { + if (containerLog.isTraceEnabled()) { diff --git a/debian/patches/CVE-2016-5018.patch b/debian/patches/CVE-2016-5018.patch new file mode 100644 index 0000000..5d5d709 --- /dev/null +++ b/debian/patches/CVE-2016-5018.patch @@ -0,0 +1,88 @@ +From: Markus Koschany <[email protected]> +Date: Mon, 7 Nov 2016 13:31:22 +0100 +Subject: CVE-2016-5018 + +Origin: https://svn.apache.org/viewvc?view=revision&revision=1754904 +--- + .../apache/jasper/runtime/JspRuntimeLibrary.java | 54 +--------------------- + 1 file changed, 1 insertion(+), 53 deletions(-) + +diff --git a/java/org/apache/jasper/runtime/JspRuntimeLibrary.java b/java/org/apache/jasper/runtime/JspRuntimeLibrary.java +index 02d21dd..bdc769f 100644 +--- a/java/org/apache/jasper/runtime/JspRuntimeLibrary.java ++++ b/java/org/apache/jasper/runtime/JspRuntimeLibrary.java +@@ -14,7 +14,6 @@ + * See the License for the specific language governing permissions and + * limitations under the License. + */ +- + package org.apache.jasper.runtime; + + import java.beans.PropertyEditor; +@@ -60,35 +59,6 @@ public class JspRuntimeLibrary { + private static final String JSP_EXCEPTION + = "javax.servlet.jsp.jspException"; + +- protected static class PrivilegedIntrospectHelper +- implements PrivilegedExceptionAction { +- +- private Object bean; +- private String prop; +- private String value; +- private ServletRequest request; +- private String param; +- private boolean ignoreMethodNF; +- +- PrivilegedIntrospectHelper(Object bean, String prop, +- String value, ServletRequest request, +- String param, boolean ignoreMethodNF) +- { +- this.bean = bean; +- this.prop = prop; +- this.value = value; +- this.request = request; +- this.param = param; +- this.ignoreMethodNF = ignoreMethodNF; +- } +- +- public Object run() throws JasperException { +- internalIntrospecthelper( +- bean,prop,value,request,param,ignoreMethodNF); +- return null; +- } +- } +- + /** + * Returns the value of the javax.servlet.error.exception request + * attribute value, if present, otherwise the value of the +@@ -292,29 +262,7 @@ public class JspRuntimeLibrary { + public static void introspecthelper(Object bean, String prop, + String value, ServletRequest request, + String param, boolean ignoreMethodNF) +- throws JasperException +- { +- if( Constants.IS_SECURITY_ENABLED ) { +- try { +- PrivilegedIntrospectHelper dp = +- new PrivilegedIntrospectHelper( +- bean,prop,value,request,param,ignoreMethodNF); +- AccessController.doPrivileged(dp); +- } catch( PrivilegedActionException pe) { +- Exception e = pe.getException(); +- throw (JasperException)e; +- } +- } else { +- internalIntrospecthelper( +- bean,prop,value,request,param,ignoreMethodNF); +- } +- } +- +- private static void internalIntrospecthelper(Object bean, String prop, +- String value, ServletRequest request, +- String param, boolean ignoreMethodNF) +- throws JasperException +- { ++ throws JasperException { + Method method = null; + Class type = null; + Class propertyEditorClass = null; diff --git a/debian/patches/CVE-2016-6794.patch b/debian/patches/CVE-2016-6794.patch new file mode 100644 index 0000000..5ad88e7 --- /dev/null +++ b/debian/patches/CVE-2016-6794.patch @@ -0,0 +1,141 @@ +From: Markus Koschany <[email protected]> +Date: Mon, 7 Nov 2016 12:36:03 +0100 +Subject: CVE-2016-6794 + +Origin: https://svn.apache.org/viewvc?view=revision&revision=1754733 +--- + .../apache/catalina/loader/WebappClassLoader.java | 27 ++++++++++++-- + java/org/apache/tomcat/util/digester/Digester.java | 10 +++++ + .../tomcat/util/security/PermissionCheck.java | 43 ++++++++++++++++++++++ + 3 files changed, 76 insertions(+), 4 deletions(-) + create mode 100644 java/org/apache/tomcat/util/security/PermissionCheck.java + +diff --git a/java/org/apache/catalina/loader/WebappClassLoader.java b/java/org/apache/catalina/loader/WebappClassLoader.java +index 528d906..dab7299 100644 +--- a/java/org/apache/catalina/loader/WebappClassLoader.java ++++ b/java/org/apache/catalina/loader/WebappClassLoader.java +@@ -74,6 +74,7 @@ import org.apache.naming.resources.ProxyDirContext; + import org.apache.naming.resources.Resource; + import org.apache.naming.resources.ResourceAttributes; + import org.apache.tomcat.util.IntrospectionUtils; ++import org.apache.tomcat.util.security.PermissionCheck; + + /** + * Specialized web application class loader. +@@ -112,10 +113,8 @@ import org.apache.tomcat.util.IntrospectionUtils; + * @author Craig R. McClanahan + * + */ +-public class WebappClassLoader +- extends URLClassLoader +- implements Reloader, Lifecycle +- { ++public class WebappClassLoader extends URLClassLoader ++ implements Reloader, Lifecycle, PermissionCheck { + + protected static org.apache.juli.logging.Log log= + org.apache.juli.logging.LogFactory.getLog( WebappClassLoader.class ); +@@ -1711,6 +1710,26 @@ public class WebappClassLoader + + } + ++ public boolean check(Permission permission) { ++ if (!Globals.IS_SECURITY_ENABLED) { ++ return true; ++ } ++ Policy currentPolicy = Policy.getPolicy(); ++ if (currentPolicy != null) { ++ ResourceEntry entry = findResourceInternal("/", "/"); ++ if (entry != null) { ++ CodeSource cs = new CodeSource( ++ entry.codeBase, (java.security.cert.Certificate[]) null); ++ PermissionCollection pc = currentPolicy.getPermissions(cs); ++ if (pc.implies(permission)) { ++ return true; ++ } ++ } ++ } ++ return false; ++ ++ } ++ + + /** + * Returns the search path of URLs for loading classes and resources. +diff --git a/java/org/apache/tomcat/util/digester/Digester.java b/java/org/apache/tomcat/util/digester/Digester.java +index ffae93f..afa8f6a 100644 +--- a/java/org/apache/tomcat/util/digester/Digester.java ++++ b/java/org/apache/tomcat/util/digester/Digester.java +@@ -52,6 +52,9 @@ import org.xml.sax.SAXParseException; + import org.xml.sax.XMLReader; + import org.xml.sax.ext.DefaultHandler2; + import org.xml.sax.helpers.AttributesImpl; ++import java.security.Permission; ++import java.util.PropertyPermission; ++import org.apache.tomcat.util.security.PermissionCheck; + + + /** +@@ -80,6 +83,13 @@ public class Digester extends DefaultHandler2 { + private static class SystemPropertySource + implements IntrospectionUtils.PropertySource { + public String getProperty( String key ) { ++ ClassLoader cl = Thread.currentThread().getContextClassLoader(); ++ if (cl instanceof PermissionCheck) { ++ Permission p = new PropertyPermission(key, "read"); ++ if (!((PermissionCheck) cl).check(p)) { ++ return null; ++ } ++ } + return System.getProperty(key); + } + } +diff --git a/java/org/apache/tomcat/util/security/PermissionCheck.java b/java/org/apache/tomcat/util/security/PermissionCheck.java +new file mode 100644 +index 0000000..ba2bdd3 +--- /dev/null ++++ b/java/org/apache/tomcat/util/security/PermissionCheck.java +@@ -0,0 +1,43 @@ ++/* ++ * Licensed to the Apache Software Foundation (ASF) under one or more ++ * contributor license agreements. See the NOTICE file distributed with ++ * this work for additional information regarding copyright ownership. ++ * The ASF licenses this file to You under the Apache License, Version 2.0 ++ * (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++package org.apache.tomcat.util.security; ++ ++import java.security.Permission; ++ ++/** ++ * This interface is implemented by components to enable privileged code to ++ * check whether the component has a given permission. ++ * This is typically used when a privileged component (e.g. the container) is ++ * performing an action on behalf of an untrusted component (e.g. a web ++ * application) without the current thread having passed through a code source ++ * provided by the untrusted component. Because the current thread has not ++ * passed through a code source provided by the untrusted component the ++ * SecurityManager assumes the code is trusted so the standard checking ++ * mechanisms can't be used. ++ */ ++public interface PermissionCheck { ++ ++ /** ++ * Does this component have the given permission? ++ * ++ * @param permission The permission to test ++ * ++ * @return {@code false} if a SecurityManager is enabled and the component ++ * does not have the given permission, otherwise {@code false} ++ */ ++ boolean check(Permission permission); ++} diff --git a/debian/patches/CVE-2016-6796.patch b/debian/patches/CVE-2016-6796.patch new file mode 100644 index 0000000..1c0668a --- /dev/null +++ b/debian/patches/CVE-2016-6796.patch @@ -0,0 +1,78 @@ +From: Markus Koschany <[email protected]> +Date: Mon, 7 Nov 2016 12:54:08 +0100 +Subject: CVE-2016-6796 + +Origin: https://svn.apache.org/viewvc?view=revision&revision=1758496 +--- + conf/web.xml | 4 ++++ + java/org/apache/jasper/EmbeddedServletOptions.java | 4 ++++ + java/org/apache/jasper/resources/LocalStrings.properties | 1 + + java/org/apache/jasper/servlet/JspServlet.java | 6 ++++++ + 4 files changed, 15 insertions(+) + +diff --git a/conf/web.xml b/conf/web.xml +index 2e8815e..7062250 100644 +--- a/conf/web.xml ++++ b/conf/web.xml +@@ -189,6 +189,8 @@ + <!-- engineOptionsClass Allows specifying the Options class used to --> + <!-- configure Jasper. If not present, the default --> + <!-- EmbeddedServletOptions will be used. --> ++ <!-- This option is ignored when running under a --> ++ <!-- SecurityManager. --> + <!-- --> + <!-- errorOnUseBeanInvalidClassAttribute --> + <!-- Should Jasper issue an error when the value of --> +@@ -238,6 +240,8 @@ + <!-- scratchdir What scratch directory should we use when --> + <!-- compiling JSP pages? [default work directory --> + <!-- for the current web application] --> ++ <!-- This option is ignored when running under a --> ++ <!-- SecurityManager. --> + <!-- --> + <!-- suppressSmap Should the generation of SMAP info for JSR45 --> + <!-- debugging be suppressed? [false] --> +diff --git a/java/org/apache/jasper/EmbeddedServletOptions.java b/java/org/apache/jasper/EmbeddedServletOptions.java +index 3399a32..fa3d5f2 100644 +--- a/java/org/apache/jasper/EmbeddedServletOptions.java ++++ b/java/org/apache/jasper/EmbeddedServletOptions.java +@@ -586,6 +586,10 @@ public final class EmbeddedServletOptions implements Options { + * scratchdir + */ + String dir = config.getInitParameter("scratchdir"); ++ if (dir != null && Constants.IS_SECURITY_ENABLED) { ++ log.info(Localizer.getMessage("jsp.info.ignoreSetting", "scratchdir", dir)); ++ dir = null; ++ } + if (dir != null) { + scratchDir = new File(dir); + } else { +diff --git a/java/org/apache/jasper/resources/LocalStrings.properties b/java/org/apache/jasper/resources/LocalStrings.properties +index 03532ea..edb02c9 100644 +--- a/java/org/apache/jasper/resources/LocalStrings.properties ++++ b/java/org/apache/jasper/resources/LocalStrings.properties +@@ -448,6 +448,7 @@ jsp.error.nested_jsproot=Nested <jsp:root> + jsp.error.unbalanced.endtag=The end tag \"</{0}\" is unbalanced + jsp.error.invalid.bean=The value for the useBean class attribute {0} is invalid. + jsp.error.prefix.use_before_dcl=The prefix {0} specified in this tag directive has been previously used by an action in file {1} line {2}. ++jsp.info.ignoreSetting=Ignored setting for [{0}] of [{1}] because a SecurityManager was enabled + + jsp.exception=An exception occurred processing JSP page {0} at line {1} + +diff --git a/java/org/apache/jasper/servlet/JspServlet.java b/java/org/apache/jasper/servlet/JspServlet.java +index 76ea446..6830093 100644 +--- a/java/org/apache/jasper/servlet/JspServlet.java ++++ b/java/org/apache/jasper/servlet/JspServlet.java +@@ -79,6 +79,12 @@ public class JspServlet extends HttpServlet implements PeriodicEventListener { + // Check for a custom Options implementation + String engineOptionsName = + config.getInitParameter("engineOptionsClass"); ++ if (Constants.IS_SECURITY_ENABLED && engineOptionsName != null) { ++ log.info(Localizer.getMessage( ++ "jsp.info.ignoreSetting", "engineOptionsClass", engineOptionsName)); ++ engineOptionsName = null; ++ } ++ + if (engineOptionsName != null) { + // Instantiate the indicated Options implementation + try { diff --git a/debian/patches/CVE-2016-6797.patch b/debian/patches/CVE-2016-6797.patch new file mode 100644 index 0000000..9f42f47 --- /dev/null +++ b/debian/patches/CVE-2016-6797.patch @@ -0,0 +1,211 @@ +From: Markus Koschany <[email protected]> +Date: Mon, 7 Nov 2016 13:20:10 +0100 +Subject: CVE-2016-6797 + +Origin: https://svn.apache.org/viewvc?view=revision&revision=1757285 +--- + .../catalina/core/NamingContextListener.java | 78 ++++++++++++++-------- + .../apache/naming/factory/ResourceLinkFactory.java | 60 +++++++++++++++++ + 2 files changed, 112 insertions(+), 26 deletions(-) + +diff --git a/java/org/apache/catalina/core/NamingContextListener.java b/java/org/apache/catalina/core/NamingContextListener.java +index 2b8256a..cfd612f 100644 +--- a/java/org/apache/catalina/core/NamingContextListener.java ++++ b/java/org/apache/catalina/core/NamingContextListener.java +@@ -71,6 +71,7 @@ import org.apache.naming.ResourceRef; + import org.apache.naming.ServiceRef; + import org.apache.naming.TransactionRef; + import org.apache.tomcat.util.modeler.Registry; ++import org.apache.naming.factory.ResourceLinkFactory; + + + /** +@@ -280,37 +281,48 @@ public class NamingContextListener + if (!initialized) + return; + +- // Setting the context in read/write mode +- ContextAccessController.setWritable(getName(), container); +- ContextBindings.unbindContext(container, container); ++ try { ++ // Setting the context in read/write mode ++ ContextAccessController.setWritable(getName(), container); ++ ContextBindings.unbindContext(container, container); ++ ++ if (container instanceof Context) { ++ ContextBindings.unbindClassLoader ++ (container, container, ++ ((Container) container).getLoader().getClassLoader()); ++ } + +- if (container instanceof Context) { +- ContextBindings.unbindClassLoader +- (container, container, +- ((Container) container).getLoader().getClassLoader()); +- } ++ if (container instanceof Server) { ++ namingResources.removePropertyChangeListener(this); ++ ContextBindings.unbindClassLoader ++ (container, container, ++ this.getClass().getClassLoader()); ++ } + +- if (container instanceof Server) { +- namingResources.removePropertyChangeListener(this); +- ContextBindings.unbindClassLoader +- (container, container, +- this.getClass().getClassLoader()); +- } ++ ContextAccessController.unsetSecurityToken(getName(), container); ++ ContextAccessController.unsetSecurityToken(container, container); + +- ContextAccessController.unsetSecurityToken(getName(), container); +- ContextAccessController.unsetSecurityToken(container, container); ++ // unregister mbeans. ++ if (!objectNames.isEmpty()) { ++ Collection<ObjectName> names = objectNames.values(); ++ Registry registry = Registry.getRegistry(null, null); ++ for (ObjectName objectName : names) { ++ registry.unregisterComponent(objectName); ++ } ++ } + +- // unregister mbeans. +- Collection<ObjectName> names = objectNames.values(); +- for (ObjectName objectName : names) { +- Registry.getRegistry(null, null).unregisterComponent(objectName); +- } +- objectNames.clear(); ++ javax.naming.Context global = getGlobalNamingContext(); ++ if (global != null) { ++ ResourceLinkFactory.deregisterGlobalResourceAccess(global); ++ } ++ } finally { ++ objectNames.clear(); + +- namingContext = null; +- envCtx = null; +- compCtx = null; +- initialized = false; ++ namingContext = null; ++ envCtx = null; ++ compCtx = null; ++ initialized = false; ++ } + + } + +@@ -1096,6 +1108,20 @@ public class NamingContextListener + logger.error(sm.getString("naming.bindFailed", e)); + } + ++ ResourceLinkFactory.registerGlobalResourceAccess( ++ getGlobalNamingContext(), resourceLink.getName(), resourceLink.getGlobal()); ++ } ++ ++ private javax.naming.Context getGlobalNamingContext() { ++ if (container instanceof Context) { ++ Engine e = (Engine) ((Context) container).getParent().getParent(); ++ Server s = e.getService().getServer(); ++ if (s instanceof StandardServer) { ++ return ((StandardServer) s).getGlobalNamingContext(); ++ } ++ } ++ return null; ++ + } + + +diff --git a/java/org/apache/naming/factory/ResourceLinkFactory.java b/java/org/apache/naming/factory/ResourceLinkFactory.java +index 6df82dd..56b1423 100644 +--- a/java/org/apache/naming/factory/ResourceLinkFactory.java ++++ b/java/org/apache/naming/factory/ResourceLinkFactory.java +@@ -18,7 +18,10 @@ + + package org.apache.naming.factory; + ++import java.util.HashMap; + import java.util.Hashtable; ++import java.util.Map; ++import java.util.concurrent.ConcurrentHashMap; + + import javax.naming.Context; + import javax.naming.Name; +@@ -52,6 +55,8 @@ public class ResourceLinkFactory + */ + private static Context globalContext = null; + ++ private static Map<ClassLoader,Map<String,String>> globalResourceRegistrations = ++ new ConcurrentHashMap<ClassLoader,Map<String,String>>(); + + // --------------------------------------------------------- Public Methods + +@@ -71,6 +76,56 @@ public class ResourceLinkFactory + } + + ++ public static void registerGlobalResourceAccess(Context globalContext, String localName, ++ String globalName) { ++ validateGlobalContext(globalContext); ++ ClassLoader cl = Thread.currentThread().getContextClassLoader(); ++ Map<String,String> registrations = globalResourceRegistrations.get(cl); ++ if (registrations == null) { ++ // Web application initialization is single threaded so this is ++ // safe. ++ registrations = new HashMap<String,String>(); ++ globalResourceRegistrations.put(cl, registrations); ++ } ++ registrations.put(localName, globalName); ++ } ++ ++ ++ public static void deregisterGlobalResourceAccess(Context globalContext, String localName) { ++ validateGlobalContext(globalContext); ++ ClassLoader cl = Thread.currentThread().getContextClassLoader(); ++ Map<String,String> registrations = globalResourceRegistrations.get(cl); ++ if (registrations != null) { ++ registrations.remove(localName); ++ } ++ } ++ ++ ++ public static void deregisterGlobalResourceAccess(Context globalContext) { ++ validateGlobalContext(globalContext); ++ ClassLoader cl = Thread.currentThread().getContextClassLoader(); ++ globalResourceRegistrations.remove(cl); ++ } ++ ++ ++ private static void validateGlobalContext(Context globalContext) { ++ if (ResourceLinkFactory.globalContext != null && ++ ResourceLinkFactory.globalContext != globalContext) { ++ throw new SecurityException("Caller provided invalid global context"); ++ } ++ } ++ ++ ++ private static boolean validateGlobalResourceAccess(String globalName) { ++ ClassLoader cl = Thread.currentThread().getContextClassLoader(); ++ Map<String,String> registrations = globalResourceRegistrations.get(cl); ++ if (registrations != null && registrations.containsValue(globalName)) { ++ return true; ++ } ++ return false; ++ } ++ ++ + // -------------------------------------------------- ObjectFactory Methods + + +@@ -96,6 +151,11 @@ public class ResourceLinkFactory + RefAddr refAddr = ref.get(ResourceLinkRef.GLOBALNAME); + if (refAddr != null) { + globalName = refAddr.getContent().toString(); ++ // Confirm that the current web application is currently configured ++ // to access the specified global resource ++ if (!validateGlobalResourceAccess(globalName)) { ++ return null; ++ } + Object result = null; + result = globalContext.lookup(globalName); + // FIXME: Check type diff --git a/debian/patches/series b/debian/patches/series index f4fb4ad..5aa3fc5 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -7,3 +7,8 @@ 0007-add-OSGi-headers-to-servlet-api.patch 0008-add-OSGI-headers-to-jsp-api.patch 0010-Use-java.security.policy-file-in-catalina.sh.patch +CVE-2016-0762.patch +CVE-2016-6794.patch +CVE-2016-6797.patch +CVE-2016-5018.patch +CVE-2016-6796.patch -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat6.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
