commit 2ba2276118ee692afef76c0cd82deca15f107e4b
Author: Markus Koschany <a...@debian.org>
Date: Thu Dec 1 20:01:25 2016 +0000
Import Debian patch 6.0.45+dfsg-1~deb7u3
---
debian/changelog | 6 +-
debian/patches/CVE-2016-6797-part2.patch | 131 +++++++++++++++++++++++++++++++
debian/patches/series | 1 +
debian/tomcat6.postrm | 2 +-
4 files changed, 137 insertions(+), 3 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 5ecc7a3..fbc761d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-tomcat6 (6.0.45+dfsg-1~deb7u3) UNRELEASED; urgency=high
+tomcat6 (6.0.45+dfsg-1~deb7u3) wheezy-security; urgency=high
 * Fixed CVE-2016-0762: The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack
@@ -37,8 +37,10 @@ tomcat6 (6.0.45+dfsg-1~deb7u3) UNRELEASED; urgency=high
 vulnerability that could be exploited to overwrite any file on the system. Thanks to Paul Szabo for the report.
 * Hardened the init.d script, thanks to Paul Szabo
+ * Fix possible privilege escalation via package purge by removing the chown
+ command in postrm maintainer script. See #845385 for more information.
- -- Markus Koschany <a...@debian.org> Fri, 25 Nov 2016 22:04:20 +0100
+ -- Markus Koschany <a...@debian.org> Thu, 01 Dec 2016 20:01:25 +0000
 tomcat6 (6.0.45+dfsg-1~deb7u2) wheezy-security; urgency=high
diff --git a/debian/patches/CVE-2016-6797-part2.patch b/debian/patches/CVE-2016-6797-part2.patch
new file mode 100644
index 0000000..eac0cb1
--- /dev/null
+++ b/debian/patches/CVE-2016-6797-part2.patch
@@ -0,0 +1,131 @@
+From: Markus Koschany <a...@debian.org>
+Date: Thu, 1 Dec 2016 15:02:31 +0100
+Subject: CVE-2016-6797 part2
+
+Backport ResourceLinkFactory.java from trunk as a precaution to avoid #845425.
+Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845425
+---
+ .../apache/naming/factory/ResourceLinkFactory.java | 54 +++++++++-------------
+ 1 file changed, 23 insertions(+), 31 deletions(-)
+
+diff --git a/java/org/apache/naming/factory/ResourceLinkFactory.java b/java/org/apache/naming/factory/ResourceLinkFactory.java
+index 56b1423..4a13b10 100644
+--- a/java/org/apache/naming/factory/ResourceLinkFactory.java
++++ b/java/org/apache/naming/factory/ResourceLinkFactory.java
+@@ -5,17 +5,15 @@
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+- *
++ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+- *
++ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+- */
+-
+-
++ */
+ package org.apache.naming.factory;
+
+ import java.util.HashMap;
+@@ -32,24 +30,16 @@ import javax.naming.spi.ObjectFactory;
+
+ import org.apache.naming.ResourceLinkRef;
+
+-
+ /**
+ * <p>Object factory for resource links.</p>
+- *
++ *
+ * @author Remy Maucherat
+ *
+ */
+-
+-public class ResourceLinkFactory
+- implements ObjectFactory {
+-
+-
+- // ----------------------------------------------------------- Constructors
+-
++public class ResourceLinkFactory implements ObjectFactory {
+
+ // ------------------------------------------------------- Static Variables
+
+-
+ /**
+ * Global naming context.
+ */
+@@ -60,10 +50,9 @@ public class ResourceLinkFactory
+
+ // --------------------------------------------------------- Public Methods
+
+-
+ /**
+ * Set the global context (note: can only be used once).
+- *
++ *
+ * @param newGlobalContext new global context value
+ */
+ public static void setGlobalContext(Context newGlobalContext) {
+@@ -128,24 +117,21 @@ public class ResourceLinkFactory
+
+ // -------------------------------------------------- ObjectFactory Methods
+
+-
+ /**
+ * Create a new DataSource instance.
+- *
++ *
+ * @param obj The reference object describing the DataSource
+ */
+ public Object getObjectInstance(Object obj, Name name, Context nameCtx,
+- Hashtable environment)
+- throws NamingException {
+-
+- if (!(obj instanceof ResourceLinkRef))
++ Hashtable<?,?> environment) throws NamingException {
++
++ if (!(obj instanceof ResourceLinkRef)) {
+ return null;
++ }
+
+ // Can we process this request?
+ Reference ref = (Reference) obj;
+
+- String type = ref.getClassName();
+-
+ // Read the global ref addr
+ String globalName = null;
+ RefAddr refAddr = ref.get(ResourceLinkRef.GLOBALNAME);
+@@ -158,14 +144,20 @@ public class ResourceLinkFactory
+ }
+ Object result = null;
+ result = globalContext.lookup(globalName);
+- // FIXME: Check type
++ // Check the expected type
++ String expectedClassName = ref.getClassName();
++ try {
++ Class<?> expectedClazz = Class.forName(
++ expectedClassName, true, Thread.currentThread().getContextClassLoader());
++ if (!expectedClazz.isAssignableFrom(result.getClass())) {
++ throw new IllegalArgumentException();
++ }
++ } catch (ClassNotFoundException e) {
++ throw new IllegalStateException(e);
++ }
+ return result;
+ }
+
+- return (null);
+-
+-
++ return null;
+ }
+-
+-
+ }
diff --git a/debian/patches/series b/debian/patches/series
index e2c4068..d5bde93 100644
--- a/debian/patches/series
+++ b/debian/patches/series
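Review bot: The added type check in the `@@ -158,14 +144,20 @@` hunk calls `result.getClass()` without first confirming `result` is non-null, so if `globalContext.lookup(globalName)` can return null for the context implementation in use, a mis-configured link now fails with a NullPointerException instead of a meaningful error. The bare `throw new IllegalArgumentException();` also drops the two values an operator needs to diagnose a mis-typed ResourceLink — the declared class name and the actual class of the looked-up object — neither of which is sensitive. I would change the two lines to `if (result == null || !expectedClazz.isAssignableFrom(result.getClass())) {` and `throw new IllegalArgumentException("Resource link " + globalName + " resolved to " + (result == null ? null : result.getClass().getName()) + ", expected " + expectedClassName);`, and make the `// Check the expected type` comment say why the check exists (a link may only hand back an object of the type it declares, which is the CVE-2016-6797 hardening this patch backports). The body of getObjectInstance continues outside the hunk, so the branch that owns the `globalContext.lookup` call is not visible here.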
@@ -14,3 +14,4 @@ CVE-2016-5018.patch
 CVE-2016-6796.patch
 CVE-2016-6816.patch
 CVE-2016-8735.patch
+CVE-2016-6797-part2.patch
diff --git a/debian/tomcat6.postrm b/debian/tomcat6.postrm
index 359ca31..d210343 100644
--- a/debian/tomcat6.postrm
+++ b/debian/tomcat6.postrm
@@ -60,7 +60,7 @@ case "$1" in
 rmdir --ignore-fail-on-non-empty /etc/authbind/byuid /etc/authbind
 # Put all files owned by group tomcat6 back into root group before deleting
 # the tomcat6 user and group
- chown -Rhf root:root /etc/tomcat6/ || true
+ #chown -Rhf root:root /etc/tomcat6/ || true
 # Remove user/group and log files (don't remove everything under
 # /var/lib/tomcat6 because there might be user-installed webapps)
 db_get tomcat6/username && TOMCAT6_USER="$RET" || TOMCAT6_USER="tomcat6"
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat6.git
_______________________________________________
pkg-java-commits mailing list
pkg-java-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
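Review bot: In the tomcat6.postrm hunk the two comment lines directly above the changed line still say the block puts files owned by group tomcat6 back into the root group, which the now commented-out `chown` no longer does, so a maintainer reading the script sees a stale rationale and a dead command with nothing marking the removal as deliberate. The reason is only recorded in this commit's changelog hunk (privilege escalation via package purge, #845385); it belongs in the script where the decision will be revisited. I would delete the `#chown -Rhf root:root /etc/tomcat6/ || true` line outright and replace the two comment lines with `# Deliberately no recursive chown of /etc/tomcat6 here: running it as root on purge allowed a local privilege escalation (#845385).` The enclosing `case "$1" in` branch starts outside the hunk.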