This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to branch jessie in repository tomcat8.
commit d9ad4207c503a5057058f367b72ed1d5b959ba13 Author: Emmanuel Bourg <[email protected]> Date: Sat Nov 12 00:49:34 2016 +0100 Fixed CVE-2016-6794: System Property Disclosure --- debian/changelog | 5 ++ debian/patches/CVE-2016-6794.patch | 137 +++++++++++++++++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 143 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 7b052bf..1fbf09c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,10 @@ tomcat8 (8.0.14-1+deb8u4) UNRELEASED; urgency=medium + * Fixed CVE-2016-6794: When a SecurityManager is configured, a web + application's ability to read system properties should be controlled by + the SecurityManager. Tomcat's system property replacement feature for + configuration files could be used by a malicious web application to bypass + the SecurityManager and read system properties that should not be visible. * CVE-2016-1240 follow-up: - The previous init.d fix was vulnerable to a race condition that could be exploited to make any existing file writable by the tomcat user.
diff --git a/debian/patches/CVE-2016-6794.patch b/debian/patches/CVE-2016-6794.patch
new file mode 100644
index 0000000..ebe5a11
--- /dev/null
+++ b/debian/patches/CVE-2016-6794.patch
@@ -0,0 +1,137 @@
+Description: Fixes CVE-2016-6794: When a SecurityManager is configured, a web
+ application's ability to read system properties should be controlled by the
+ SecurityManager. Tomcat's system property replacement feature for configuration
+ files could be used by a malicious web application to bypass the SecurityManager
+ and read system properties that should not be visible.
+Origin: backport, https://svn.apache.org/r1754727
+--- a/java/org/apache/catalina/loader/WebappClassLoaderBase.java
++++ b/java/org/apache/catalina/loader/WebappClassLoaderBase.java
+@@ -77,6 +77,7 @@
+ import org.apache.tomcat.util.ExceptionUtils;
+ import org.apache.tomcat.util.IntrospectionUtils;
+ import org.apache.tomcat.util.res.StringManager;
++import org.apache.tomcat.util.security.PermissionCheck;
+
+ /**
+ * Specialized web application class loader.
+@@ -123,7 +124,7 @@
+ * @author Craig R. McClanahan
+ */
+ public abstract class WebappClassLoaderBase extends URLClassLoader
+- implements Lifecycle, InstrumentableClassLoader {
++ implements Lifecycle, InstrumentableClassLoader, PermissionCheck {
+
+ private static final org.apache.juli.logging.Log log =
+ org.apache.juli.logging.LogFactory.getLog(WebappClassLoaderBase.class);
+@@ -1339,6 +1340,27 @@
+ }
+
+
++ @Override
++ public boolean check(Permission permission) {
++ if (!Globals.IS_SECURITY_ENABLED) {
++ return true;
++ }
++ Policy currentPolicy = Policy.getPolicy();
++ if (currentPolicy != null) {
++ ResourceEntry entry = findResourceInternal("/", "/");
++ if (entry != null) {
++ CodeSource cs = new CodeSource(
++ entry.codeBase, (java.security.cert.Certificate[]) null);
++ PermissionCollection pc = currentPolicy.getPermissions(cs);
++ if (pc.implies(permission)) {
++ return true;
++ }
++ }
++ }
++ return false;
++ }
++
++
+ /**
+ * {@inheritDoc}
+ * <p>
+--- a/java/org/apache/tomcat/util/digester/Digester.java
++++ b/java/org/apache/tomcat/util/digester/Digester.java
+@@ -23,11 +23,13 @@
+ import java.lang.reflect.InvocationTargetException;
+ import java.net.URI;
+ import java.net.URISyntaxException;
++import java.security.Permission;
+ import java.util.EmptyStackException;
+ import java.util.HashMap;
+ import java.util.Iterator;
+ import java.util.List;
+ import java.util.Map;
++import java.util.PropertyPermission;
+
+ import javax.xml.parsers.ParserConfigurationException;
+ import javax.xml.parsers.SAXParser;
+@@ -37,6 +39,7 @@
+ import org.apache.juli.logging.LogFactory;
+ import org.apache.tomcat.util.ExceptionUtils;
+ import org.apache.tomcat.util.IntrospectionUtils;
++import org.apache.tomcat.util.security.PermissionCheck;
+ import org.xml.sax.Attributes;
+ import org.xml.sax.EntityResolver;
+ import org.xml.sax.ErrorHandler;
+@@ -78,6 +81,13 @@
+ implements IntrospectionUtils.PropertySource {
+ @Override
+ public String getProperty( String key ) {
++ ClassLoader cl = Thread.currentThread().getContextClassLoader();
++ if (cl instanceof PermissionCheck) {
++ Permission p = new PropertyPermission(key, "read");
++ if (!((PermissionCheck) cl).check(p)) {
++ return null;
++ }
++ }
+ return System.getProperty(key);
+ }
+ }
+--- /dev/null
++++ b/java/org/apache/tomcat/util/security/PermissionCheck.java
+@@ -0,0 +1,43 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.tomcat.util.security;
++
++import java.security.Permission;
++
++/**
++ * This interface is implemented by components to enable privileged code to
++ * check whether the component has a given permission.
++ * This is typically used when a privileged component (e.g. the container) is
++ * performing an action on behalf of an untrusted component (e.g. a web
++ * application) without the current thread having passed through a code source
++ * provided by the untrusted component. Because the current thread has not
++ * passed through a code source provided by the untrusted component the
++ * SecurityManager assumes the code is trusted so the standard checking
++ * mechanisms can't be used.
++ */
++public interface PermissionCheck {
++
++ /**
++ * Does this component have the given permission?
++ *
++ * @param permission The permission to test
++ *
++ * @return {@code false} if a SecurityManager is enabled and the component
++ * does not have the given permission, otherwise {@code false}
++ */
++ boolean check(Permission permission);
++}
diff --git a/debian/patches/series b/debian/patches/series
index d69cdee..a0d690b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -21,3 +21,4 @@ CVE-2016-0706.patch CVE-2016-0714.patch CVE-2016-0763.patch CVE-2016-3092.patch +CVE-2016-6794.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
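Review bot: The `@return` Javadoc on `PermissionCheck.check` in the new PermissionCheck.java hunk gives `{@code false}` for both outcomes, which contradicts the `WebappClassLoaderBase.check` implementation in the same patch that returns `true` when no SecurityManager is enabled or when the policy implies the permission; the second line should read `* does not have the given permission, otherwise {@code true}`. The interface Javadoc should also spell out the fail-closed contract that the implementation relies on: `WebappClassLoaderBase.check` returns `false` whenever `Policy.getPolicy()` is null or `findResourceInternal("/", "/")` yields no entry, and `SystemPropertySource.getProperty` then returns `null` for the key, so a denied lookup is presumably indistinguishable from an unset property and the `${...}` reference is left unresolved rather than reported. Finally, `SystemPropertySource.getProperty` only performs the check when the thread context class loader implements `PermissionCheck`; any other loader is treated as privileged, which appears intended for container-initiated parsing but deserves an explicit comment such as `// Only web application loaders implement PermissionCheck; other (container) loaders are trusted and read the property unchecked`.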

