This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to branch jessie in repository tomcat8.
commit 4959553844f7545abd0ecdf708d5787a716b3a3e
Author: Emmanuel Bourg <[email protected]>
Date: Sat Nov 12 01:40:08 2016 +0100
Fixed CVE-2016-5018: Security Manager Bypass
---
debian/changelog | 3 ++
debian/patches/CVE-2016-5018.patch | 102 +++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 106 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 1fbf09c..90c6fef 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,8 @@
 tomcat8 (8.0.14-1+deb8u4) UNRELEASED; urgency=medium
+ * Fixed CVE-2016-5018: A malicious web application was able to bypass
+ a configured SecurityManager via a Tomcat utility method that was
+ accessible to web applications.
 * Fixed CVE-2016-6794: When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. Tomcat's system property replacement feature for
diff --git a/debian/patches/CVE-2016-5018.patch b/debian/patches/CVE-2016-5018.patch
new file mode 100644
index 0000000..bb39983
--- /dev/null
+++ b/debian/patches/CVE-2016-5018.patch
@@ -0,0 +1,102 @@
+Description: Fixes CVE-2016-5018: A malicious web application was able to bypass
+ a configured SecurityManager via a Tomcat utility method that was accessible to
+ web applications.
+Origin: backport, http://svn.apache.org/r1754901
+diff --git a/java/org/apache/jasper/runtime/JspRuntimeLibrary.java b/java/org/apache/jasper/runtime/JspRuntimeLibrary.java
+index e3b53ca..19d8fa6 100644
+--- a/java/org/apache/jasper/runtime/JspRuntimeLibrary.java
++++ b/java/org/apache/jasper/runtime/JspRuntimeLibrary.java
+@@ -14,7 +14,6 @@
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-
+ package org.apache.jasper.runtime;
+
+ import java.beans.PropertyEditor;
+@@ -23,9 +22,6 @@
+ import java.io.IOException;
+ import java.io.OutputStreamWriter;
+ import java.lang.reflect.Method;
+-import java.security.AccessController;
+-import java.security.PrivilegedActionException;
+-import java.security.PrivilegedExceptionAction;
+ import java.util.Enumeration;
+
+ import javax.servlet.RequestDispatcher;
+@@ -37,7 +33,6 @@
+ import javax.servlet.jsp.PageContext;
+ import javax.servlet.jsp.tagext.BodyContent;
+
+-import org.apache.jasper.Constants;
+ import org.apache.jasper.JasperException;
+ import org.apache.jasper.compiler.Localizer;
+ import org.apache.jasper.util.ExceptionUtils;
+@@ -56,36 +51,6 @@
+ */
+ public class JspRuntimeLibrary {
+
+- protected static class PrivilegedIntrospectHelper
+- implements PrivilegedExceptionAction<Void> {
+-
+- private final Object bean;
+- private final String prop;
+- private final String value;
+- private final ServletRequest request;
+- private final String param;
+- private final boolean ignoreMethodNF;
+-
+- PrivilegedIntrospectHelper(Object bean, String prop,
+- String value, ServletRequest request,
+- String param, boolean ignoreMethodNF)
+- {
+- this.bean = bean;
+- this.prop = prop;
+- this.value = value;
+- this.request = request;
+- this.param = param;
+- this.ignoreMethodNF = ignoreMethodNF;
+- }
+-
+- @Override
+- public Void run() throws JasperException {
+- internalIntrospecthelper(
+- bean,prop,value,request,param,ignoreMethodNF);
+- return null;
+- }
+- }
+-
+ /**
+ * Returns the value of the javax.servlet.error.exception request
+ * attribute value, if present, otherwise the value of the
+@@ -292,29 +257,7 @@ public static void introspect(Object bean, ServletRequest request)
+ public static void introspecthelper(Object bean, String prop,
+ String value, ServletRequest request,
+ String param, boolean ignoreMethodNF)
+- throws JasperException
+- {
+- if( Constants.IS_SECURITY_ENABLED ) {
+- try {
+- PrivilegedIntrospectHelper dp =
+- new PrivilegedIntrospectHelper(
+- bean,prop,value,request,param,ignoreMethodNF);
+- AccessController.doPrivileged(dp);
+- } catch( PrivilegedActionException pe) {
+- Exception e = pe.getException();
+- throw (JasperException)e;
+- }
+- } else {
+- internalIntrospecthelper(
+- bean,prop,value,request,param,ignoreMethodNF);
+- }
+- }
+-
+- private static void internalIntrospecthelper(Object bean, String prop,
+- String value, ServletRequest request,
+- String param, boolean ignoreMethodNF)
+- throws JasperException
+- {
++ throws JasperException {
+ Method method = null;
+ Class<?> type = null;
+ Class<?> propertyEditorClass = null;
diff --git a/debian/patches/series b/debian/patches/series
index a0d690b..014dab2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -21,4 +21,5 @@ CVE-2016-0706.patch
 CVE-2016-0714.patch
 CVE-2016-0763.patch
 CVE-2016-3092.patch
+CVE-2016-5018.patch
 CVE-2016-6794.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git
_______________________________________________
pkg-java-commits mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
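Review bot: The backport removes the `import org.apache.jasper.Constants;` line together with the single `Constants.IS_SECURITY_ENABLED` check shown in the last hunk, but nothing here shows whether JspRuntimeLibrary.java in this 8.0.14 tree references `Constants` anywhere else; if it does, the patched file fails to compile, so a build of the patched source (not just a quilt apply) is the check this patch still needs before upload. The DEP-3 Description only repeats the advisory wording and says nothing about the mechanism, which is what a packager triaging a later regression would want; a line such as `The fix drops the AccessController.doPrivileged wrapper around introspecthelper, so the reflective property set now runs with the calling web application's permissions and SecurityManager checks apply to it.` would record it. Note also that `PrivilegedIntrospectHelper` was `protected static`, so its removal is visible to any subclass of JspRuntimeLibrary in the archive, though that seems unlikely to matter in practice. The body of introspecthelper continues past the end of the hunk; only its signature and the first three declarations are visible here.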

