This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to branch jessie in repository tomcat8.
commit c030a7c698d998eac33d2cf75b71d5b808facf75
Author: Emmanuel Bourg <[email protected]>
Date: Sat Nov 12 01:56:52 2016 +0100
Fixed CVE-2016-6796: Security Manager Bypass
---
debian/changelog | 3 ++
debian/patches/CVE-2016-6796.patch | 81 ++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 85 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 538452b..516e5cd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,9 @@ tomcat8 (8.0.14-1+deb8u4) UNRELEASED; urgency=medium
the SecurityManager. Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.
+ * Fixed CVE-2016-6796: A malicious web application was able to bypass
+ a configured SecurityManager via manipulation of the configuration
+ parameters for the JSP Servlet.
* Fixed CVE-2016-6797: The ResourceLinkFactory did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access
diff --git a/debian/patches/CVE-2016-6796.patch b/debian/patches/CVE-2016-6796.patch
new file mode 100644
index 0000000..f7ad442
--- /dev/null
+++ b/debian/patches/CVE-2016-6796.patch
@@ -0,0 +1,81 @@
+Description: Fixes CVE-2016-6796: A malicious web application was able to bypass
+ a configured SecurityManager via manipulation of the configuration parameters
+ for the JSP Servlet.
+Origin: backport, https://svn.apache.org/r1758494
+--- a/conf/web.xml
++++ b/conf/web.xml
+@@ -162,6 +162,8 @@
+ <!-- engineOptionsClass Allows specifying the Options class used to -->
+ <!-- configure Jasper. If not present, the default -->
+ <!-- EmbeddedServletOptions will be used. -->
++ <!-- This option is ignored when running under a -->
++ <!-- SecurityManager. -->
+ <!-- -->
+ <!-- errorOnUseBeanInvalidClassAttribute -->
+ <!-- Should Jasper issue an error when the value of -->
+@@ -223,6 +225,8 @@
+ <!-- scratchdir What scratch directory should we use when -->
+ <!-- compiling JSP pages? [default work directory -->
+ <!-- for the current web application] -->
++ <!-- This option is ignored when running under a -->
++ <!-- SecurityManager. -->
+ <!-- -->
+ <!-- suppressSmap Should the generation of SMAP info for JSR45 -->
+ <!-- debugging be suppressed? [false] -->
+--- a/java/org/apache/jasper/EmbeddedServletOptions.java
++++ b/java/org/apache/jasper/EmbeddedServletOptions.java
+@@ -635,6 +635,10 @@
+ * scratchdir
+ */
+ String dir = config.getInitParameter("scratchdir");
++ if (dir != null && Constants.IS_SECURITY_ENABLED) {
++ log.info(Localizer.getMessage("jsp.info.ignoreSetting", "scratchdir", dir));
++ dir = null;
++ }
+ if (dir != null) {
+ scratchDir = new File(dir);
+ } else {
+--- a/java/org/apache/jasper/resources/LocalStrings.properties
++++ b/java/org/apache/jasper/resources/LocalStrings.properties
+@@ -351,6 +351,7 @@
+ jsp.error.invalid.bean=The value for the useBean class attribute {0} is invalid.
+ jsp.error.prefix.use_before_dcl=The prefix {0} specified in this tag directive has been previously used by an action in file {1} line {2}.
+ jsp.error.lastModified=Unable to determine last modified date for file [{0}]
++jsp.info.ignoreSetting=Ignored setting for [{0}] of [{1}] because a SecurityManager was enabled
+
+ jsp.exception=An exception occurred processing JSP page {0} at line {1}
+
+--- a/java/org/apache/jasper/servlet/JspServlet.java
++++ b/java/org/apache/jasper/servlet/JspServlet.java
+@@ -90,6 +90,11 @@
+ // Check for a custom Options implementation
+ String engineOptionsName =
+ config.getInitParameter("engineOptionsClass");
++ if (Constants.IS_SECURITY_ENABLED && engineOptionsName != null) {
++ log.info(Localizer.getMessage(
++ "jsp.info.ignoreSetting", "engineOptionsClass", engineOptionsName));
++ engineOptionsName = null;
++ }
+ if (engineOptionsName != null) {
+ // Instantiate the indicated Options implementation
+ try {
+--- a/webapps/docs/jasper-howto.xml
++++ b/webapps/docs/jasper-howto.xml
+@@ -132,7 +132,7 @@
+
+ <li><strong>engineOptionsClass</strong> - Allows specifying the Options class
+ used to configure Jasper. If not present, the default EmbeddedServletOptions
+-will be used.
++will be used. This option is ignored if running under a SecurityManager.
+ </li>
+
+ <li><strong>errorOnUseBeanInvalidClassAttribute</strong> - Should Jasper issue
+@@ -185,7 +185,7 @@
+
+ <li><strong>scratchdir</strong> - What scratch directory should we use when
+ compiling JSP pages? Default is the work directory for the current web
+-application.</li>
++application. This option is ignored if running under a SecurityManager.</li>
+
+ <li><strong>suppressSmap</strong> - Should the generation of SMAP info for JSR45
+ debugging be suppressed? <code>true</code> or <code>false</code>, default
diff --git a/debian/patches/series b/debian/patches/series
index a6925fa..790d923 100644
--- a/debian/patches/series
+++ b/debian/patches/series
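Review bot: Both new guards record the rejected init-parameter only at INFO — `log.info(Localizer.getMessage("jsp.info.ignoreSetting", "scratchdir", dir))` in EmbeddedServletOptions and the matching call for "engineOptionsClass" in JspServlet — although the event is a web application trying to override a setting that the SecurityManager deployment is meant to pin, which an operator would want to see without raising the Jasper logger to INFO; `log.warn(...)` in both places surfaces it without changing the control flow. The logged value is taken verbatim from the application's own configuration, so it may contain newlines or other characters that distort the log entry; worth deciding deliberately whether it is logged raw. The two guards also spell the same condition in opposite order (`dir != null && Constants.IS_SECURITY_ENABLED` versus `Constants.IS_SECURITY_ENABLED && engineOptionsName != null`), and aligning them would make the backport easier to audit against upstream r1758494. Both enclosing methods start and end outside the hunk.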
@@ -23,4 +23,5 @@ CVE-2016-0763.patch
CVE-2016-3092.patch
CVE-2016-5018.patch
CVE-2016-6794.patch
+CVE-2016-6796.patch
CVE-2016-6797.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git
_______________________________________________
pkg-java-commits mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits

