This is an automated email from the git hooks/post-receive script. apo pushed a commit to branch wheezy in repository tomcat6.
commit a9f88cb720c30a4327c7adf288827b1cbf5b6c54 Author: Markus Koschany <[email protected]> Date: Tue Dec 6 13:57:24 2016 +0100 Import Debian patch 6.0.45+dfsg-1~deb7u4 --- debian/changelog | 11 ++++++++ debian/patches/CVE-2016-5018-part2.patch | 36 ++++++++++++++++++++++++ debian/patches/CVE-2016-6797-part2.patch | 48 ++++++++++++++++++++++++-------- debian/patches/series | 1 + debian/rules | 6 ++++ debian/tomcat6.postinst | 2 +- 6 files changed, 91 insertions(+), 13 deletions(-) diff --git a/debian/changelog b/debian/changelog index fbc761d..1e8d57c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +tomcat6 (6.0.45+dfsg-1~deb7u4) UNRELEASED; urgency=medium + + * Non-maintainer upload by the LTS team. + * Fix CVE-2016-9774: Privilege escalation when the package is upgraded. + * Add CVE-2016-5018-part2.patch and fix a regression when using Jasper with + SecurityManager enabled. + * Update CVE-2016-6797-part2.patch and fix a regression in + ResourceLinkFactory.java. + + -- Markus Koschany <[email protected]> Tue, 06 Dec 2016 13:57:24 +0100 + tomcat6 (6.0.45+dfsg-1~deb7u3) wheezy-security; urgency=high * Fixed CVE-2016-0762: The Realm implementations did not process the supplied diff --git a/debian/patches/CVE-2016-5018-part2.patch b/debian/patches/CVE-2016-5018-part2.patch new file mode 100644 index 0000000..84e26ae --- /dev/null +++ b/debian/patches/CVE-2016-5018-part2.patch @@ -0,0 +1,36 @@ +From: Markus Koschany <[email protected]> +Date: Tue, 6 Dec 2016 13:52:09 +0100 +Subject: CVE-2016-5018-part2 + +--- + java/org/apache/jasper/compiler/JspRuntimeContext.java | 2 -- + java/org/apache/jasper/security/SecurityClassLoad.java | 3 --- + 2 files changed, 5 deletions(-) + +diff --git a/java/org/apache/jasper/compiler/JspRuntimeContext.java b/java/org/apache/jasper/compiler/JspRuntimeContext.java +index 254ad87..8cbda92 100644 +--- a/java/org/apache/jasper/compiler/JspRuntimeContext.java ++++ b/java/org/apache/jasper/compiler/JspRuntimeContext.java +@@ -82,8 +82,6 @@ public final class JspRuntimeContext { + factory.getClass().getClassLoader().loadClass( basePackage + + "runtime.JspRuntimeLibrary"); + factory.getClass().getClassLoader().loadClass( basePackage + +- "runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper"); +- factory.getClass().getClassLoader().loadClass( basePackage + + "runtime.ServletResponseWrapperInclude"); + factory.getClass().getClassLoader().loadClass( basePackage + + "servlet.JspServletWrapper"); +diff --git a/java/org/apache/jasper/security/SecurityClassLoad.java b/java/org/apache/jasper/security/SecurityClassLoad.java +index a25431f..652d749 100644 +--- a/java/org/apache/jasper/security/SecurityClassLoad.java ++++ b/java/org/apache/jasper/security/SecurityClassLoad.java +@@ -47,9 +47,6 @@ public final class SecurityClassLoad { + loader.loadClass( basePackage + + "runtime.JspRuntimeLibrary"); + loader.loadClass( basePackage + +- "runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper"); +- +- loader.loadClass( basePackage + + "runtime.ServletResponseWrapperInclude"); + loader.loadClass( basePackage + + "runtime.TagHandlerPool"); diff --git a/debian/patches/CVE-2016-6797-part2.patch b/debian/patches/CVE-2016-6797-part2.patch index eac0cb1..3e6e7a4 100644 --- a/debian/patches/CVE-2016-6797-part2.patch +++ b/debian/patches/CVE-2016-6797-part2.patch @@ -5,11 +5,11 @@ Subject: CVE-2016-6797 part2 Backport ResourceLinkFactory.java from trunk as a precaution to avoid #845425. Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845425 --- - .../apache/naming/factory/ResourceLinkFactory.java | 54 +++++++++------------- - 1 file changed, 23 insertions(+), 31 deletions(-) + .../apache/naming/factory/ResourceLinkFactory.java | 70 ++++++++++++---------- + 1 file changed, 37 insertions(+), 33 deletions(-) diff --git a/java/org/apache/naming/factory/ResourceLinkFactory.java b/java/org/apache/naming/factory/ResourceLinkFactory.java -index 56b1423..4a13b10 100644 +index 56b1423..51b5a1e 100644 --- a/java/org/apache/naming/factory/ResourceLinkFactory.java +++ b/java/org/apache/naming/factory/ResourceLinkFactory.java @@ -5,17 +5,15 @@ @@ -33,11 +33,13 @@ index 56b1423..4a13b10 100644 package org.apache.naming.factory; import java.util.HashMap; -@@ -32,24 +30,16 @@ import javax.naming.spi.ObjectFactory; +@@ -31,24 +29,19 @@ import javax.naming.Reference; + import javax.naming.spi.ObjectFactory; import org.apache.naming.ResourceLinkRef; - - ++import org.apache.naming.StringManager; + /** * <p>Object factory for resource links.</p> - * @@ -56,11 +58,11 @@ index 56b1423..4a13b10 100644 // ------------------------------------------------------- Static Variables -- ++ private static final StringManager sm = StringManager.getManager(Constants.Package); + /** * Global naming context. - */ -@@ -60,10 +50,9 @@ public class ResourceLinkFactory +@@ -60,10 +53,9 @@ public class ResourceLinkFactory // --------------------------------------------------------- Public Methods @@ -72,7 +74,23 @@ index 56b1423..4a13b10 100644 * @param newGlobalContext new global context value */ public static void setGlobalContext(Context newGlobalContext) { -@@ -128,24 +117,21 @@ public class ResourceLinkFactory +@@ -118,9 +110,12 @@ public class ResourceLinkFactory + + private static boolean validateGlobalResourceAccess(String globalName) { + ClassLoader cl = Thread.currentThread().getContextClassLoader(); +- Map<String,String> registrations = globalResourceRegistrations.get(cl); +- if (registrations != null && registrations.containsValue(globalName)) { +- return true; ++ while (cl != null) { ++ Map<String,String> registrations = globalResourceRegistrations.get(cl); ++ if (registrations != null && registrations.containsValue(globalName)) { ++ return true; ++ } ++ cl = cl.getParent(); + } + return false; + } +@@ -128,24 +123,21 @@ public class ResourceLinkFactory // -------------------------------------------------- ObjectFactory Methods @@ -102,21 +120,27 @@ index 56b1423..4a13b10 100644 // Read the global ref addr String globalName = null; RefAddr refAddr = ref.get(ResourceLinkRef.GLOBALNAME); -@@ -158,14 +144,20 @@ public class ResourceLinkFactory +@@ -158,14 +150,26 @@ public class ResourceLinkFactory } Object result = null; result = globalContext.lookup(globalName); - // FIXME: Check type + // Check the expected type + String expectedClassName = ref.getClassName(); ++ if (expectedClassName == null) { ++ throw new IllegalArgumentException( ++ sm.getString("resourceLinkFactory.nullType", name, globalName)); ++ } + try { + Class<?> expectedClazz = Class.forName( + expectedClassName, true, Thread.currentThread().getContextClassLoader()); + if (!expectedClazz.isAssignableFrom(result.getClass())) { -+ throw new IllegalArgumentException(); ++ throw new IllegalArgumentException(sm.getString("resourceLinkFactory.wrongType", ++ name, globalName, expectedClassName, result.getClass().getName())); + } + } catch (ClassNotFoundException e) { -+ throw new IllegalStateException(e); ++ throw new IllegalArgumentException(sm.getString("resourceLinkFactory.unknownType", ++ name, globalName, expectedClassName), e); + } return result; } diff --git a/debian/patches/series b/debian/patches/series index d5bde93..05ba616 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -15,3 +15,4 @@ CVE-2016-6796.patch CVE-2016-6816.patch CVE-2016-8735.patch CVE-2016-6797-part2.patch +CVE-2016-5018-part2.patch diff --git a/debian/rules b/debian/rules index 8162d37..d1b69f5 100755 --- a/debian/rules +++ b/debian/rules @@ -128,6 +128,12 @@ binary-indep: build install chmod a+x debian/tomcat6-user/usr/share/tomcat6/skel/bin/*.sh dh_compress dh_fixperms + + # Make the /etc/tomcat6/Catalina/localhost directory writable by the tomcat user + for PACKAGE in tomcat6 tomcat6-admin tomcat6-docs tomcat6-examples; do \ + chmod 775 --verbose debian/$$PACKAGE/etc/tomcat6/Catalina/localhost; \ + done + dh_installdeb dh_gencontrol dh_md5sums diff --git a/debian/tomcat6.postinst b/debian/tomcat6.postinst index 468f6f2..e4c3ee4 100644 --- a/debian/tomcat6.postinst +++ b/debian/tomcat6.postinst @@ -52,7 +52,7 @@ case "$1" in chmod 640 /etc/tomcat6/tomcat-users.xml chown -Rh $TOMCAT6_USER:$TOMCAT6_GROUP /var/lib/tomcat6/webapps /var/lib/tomcat6/common /var/lib/tomcat6/server /var/lib/tomcat6/shared chmod 775 /var/lib/tomcat6/webapps - chmod 775 /etc/tomcat6/Catalina /etc/tomcat6/Catalina/localhost + chmod 775 /etc/tomcat6/Catalina # Authorize user tomcat6 to open privileged ports via authbind. TOMCAT_UID="`id -u $TOMCAT6_USER`" -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat6.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
