This is an automated email from the git hooks/post-receive script. apo pushed a commit to branch wheezy in repository tomcat7.
commit 7ede8c819a6f7ec8eb7cd297a3d71ed5493811bc
Author: Markus Koschany <[email protected]>
Date: Mon Dec 5 22:17:10 2016 +0100
Import Debian patch 7.0.28-4+deb7u8
---
 debian/changelog | 11 ++++++
 debian/patches/CVE-2016-5018-part2.patch | 36 ++++++++++++++++++++
 debian/patches/CVE-2016-6797-part2.patch | 58 +++++++++++++++++++++++++-------
 debian/patches/series | 1 +
 debian/rules | 6 ++++
 debian/tomcat7.postinst | 2 +-
 6 files changed, 101 insertions(+), 13 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 3169446..db98a75 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+tomcat7 (7.0.28-4+deb7u8) UNRELEASED; urgency=high
+
+ * Non-maintainer upload by the LTS team.
+ * Add CVE-2016-5018-part2.patch and fix a regression when using Jasper with
+ SecurityManager enabled.
+ * Update CVE-2016-6797-part2.patch and fix a regression in
+ ResourceLinkFactory.java. (Closes: #845425)
+ * Fix CVE-2016-9774: Privilege escalation when the package is upgraded.
+
+ -- Markus Koschany <[email protected]> Mon, 05 Dec 2016 22:17:10 +0100
+
 tomcat7 (7.0.28-4+deb7u7) wheezy-security; urgency=high
 * Fixed CVE-2016-0762: The Realm implementations did not process the supplied
diff --git a/debian/patches/CVE-2016-5018-part2.patch b/debian/patches/CVE-2016-5018-part2.patch
new file mode 100644
index 0000000..c7343fe
--- /dev/null
+++ b/debian/patches/CVE-2016-5018-part2.patch
@@ -0,0 +1,36 @@
+From: Markus Koschany <[email protected]>
+Date: Mon, 5 Dec 2016 21:38:15 +0100
+Subject: CVE-2016-5018 part2
+
+---
+ java/org/apache/jasper/compiler/JspRuntimeContext.java | 2 --
+ java/org/apache/jasper/security/SecurityClassLoad.java | 3 ---
+ 2 files changed, 5 deletions(-)
+
+diff --git a/java/org/apache/jasper/compiler/JspRuntimeContext.java b/java/org/apache/jasper/compiler/JspRuntimeContext.java
+index 893541a..7468192 100644
+--- a/java/org/apache/jasper/compiler/JspRuntimeContext.java
++++ b/java/org/apache/jasper/compiler/JspRuntimeContext.java
+@@ -91,8 +91,6 @@ public final class JspRuntimeContext {
+ factory.getClass().getClassLoader().loadClass( basePackage +
+ "runtime.JspRuntimeLibrary");
+ factory.getClass().getClassLoader().loadClass( basePackage +
+- "runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper");
+- factory.getClass().getClassLoader().loadClass( basePackage +
+ "runtime.ServletResponseWrapperInclude");
+ factory.getClass().getClassLoader().loadClass( basePackage +
+ "servlet.JspServletWrapper");
+diff --git a/java/org/apache/jasper/security/SecurityClassLoad.java b/java/org/apache/jasper/security/SecurityClassLoad.java
+index a066dfb..a96d7ba 100644
+--- a/java/org/apache/jasper/security/SecurityClassLoad.java
++++ b/java/org/apache/jasper/security/SecurityClassLoad.java
+@@ -47,9 +47,6 @@ public final class SecurityClassLoad {
+ loader.loadClass( basePackage +
+ "runtime.JspRuntimeLibrary");
+ loader.loadClass( basePackage +
+- "runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper");
+-
+- loader.loadClass( basePackage +
+ "runtime.ServletResponseWrapperInclude");
+ loader.loadClass( basePackage +
+ "runtime.TagHandlerPool");
diff --git a/debian/patches/CVE-2016-6797-part2.patch b/debian/patches/CVE-2016-6797-part2.patch
index d7c4466..3918897 100644
--- a/debian/patches/CVE-2016-6797-part2.patch
+++ b/debian/patches/CVE-2016-6797-part2.patch
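Review bot: The new patch header carries only `Subject: CVE-2016-5018 part2` and no description, so the reason for dropping the two `loadClass` calls for `runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper` (in JspRuntimeContext.java and SecurityClassLoad.java) can only be found in debian/changelog. I would add a description line below the Subject, for example `Stop preloading JspRuntimeLibrary$PrivilegedIntrospectHelper, which caused a regression when Jasper runs with the SecurityManager enabled.`, and a `Debian-Bug:` reference if a report exists. Presumably the helper class was removed by the first CVE-2016-5018 patch; that is not visible here and is worth confirming, because these preload lists have to match the classes that actually ship.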
@@ -5,11 +5,11 @@ Subject: CVE-2016-6797 part2 Backport ResourceLinkFactory.java from trunk as a precaution to avoid #845425. Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845425 --- - .../apache/naming/factory/ResourceLinkFactory.java | 53 ++++++++++------------ - 1 file changed, 23 insertions(+), 30 deletions(-) + .../apache/naming/factory/ResourceLinkFactory.java | 74 ++++++++++++---------- + 1 file changed, 39 insertions(+), 35 deletions(-) diff --git a/java/org/apache/naming/factory/ResourceLinkFactory.java b/java/org/apache/naming/factory/ResourceLinkFactory.java -index 157adfb..9d1c577 100644 +index 157adfb..4a77d5b 100644 --- a/java/org/apache/naming/factory/ResourceLinkFactory.java +++ b/java/org/apache/naming/factory/ResourceLinkFactory.java @@ -5,17 +5,15 @@ @@ -33,11 +33,13 @@ index 157adfb..9d1c577 100644 package org.apache.naming.factory; import java.util.HashMap; -@@ -32,24 +30,15 @@ import javax.naming.spi.ObjectFactory; +@@ -31,24 +29,18 @@ import javax.naming.Reference; + import javax.naming.spi.ObjectFactory; import org.apache.naming.ResourceLinkRef; - - ++import org.apache.naming.StringManager; + /** * <p>Object factory for resource links.</p> - * @@ -56,11 +58,11 @@ index 157adfb..9d1c577 100644 // ------------------------------------------------------- Static Variables -- ++ private static final StringManager sm = StringManager.getManager(Constants.Package); + /** * Global naming context. - */ -@@ -60,10 +49,9 @@ public class ResourceLinkFactory +@@ -60,10 +52,9 @@ public class ResourceLinkFactory // --------------------------------------------------------- Public Methods 
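Review bot: The new `sm` field, `StringManager.getManager(Constants.Package)`, and the three keys used later in the getObjectInstance hunk (`resourceLinkFactory.nullType`, `resourceLinkFactory.wrongType`, `resourceLinkFactory.unknownType`) need matching entries in a LocalStrings bundle for this package, yet the patch's own diffstat still lists ResourceLinkFactory.java as the only changed file. Unless an earlier patch in the series already ships those entries, the rejection paths will not produce the intended messages, which makes a denied or mistyped resource link hard to diagnose. Either add the properties entries to this patch or state in the patch description where they come from; how `StringManager` behaves on a missing key or bundle in this version is not visible here.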
@@ -72,7 +74,23 @@ index 157adfb..9d1c577 100644 * @param newGlobalContext new global context value */ public static void setGlobalContext(Context newGlobalContext) { -@@ -128,19 +116,18 @@ public class ResourceLinkFactory +@@ -118,9 +109,12 @@ public class ResourceLinkFactory + + private static boolean validateGlobalResourceAccess(String globalName) { + ClassLoader cl = Thread.currentThread().getContextClassLoader(); +- Map<String,String> registrations = globalResourceRegistrations.get(cl); +- if (registrations != null && registrations.containsValue(globalName)) { +- return true; ++ while (cl != null) { ++ Map<String,String> registrations = globalResourceRegistrations.get(cl); ++ if (registrations != null && registrations.containsValue(globalName)) { ++ return true; ++ } ++ cl = cl.getParent(); + } + return false; + } +@@ -128,19 +122,18 @@ public class ResourceLinkFactory // -------------------------------------------------- ObjectFactory Methods 
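Review bot: `validateGlobalResourceAccess` now accepts a registration held by any ancestor of the context class loader, and nothing in the method documents that. Because this is the access check for global resources, the widened rule deserves a comment above the `while (cl != null)` loop, for example `// A registration for any parent of the context class loader also grants access, so code running in a child loader of the web application is covered.` The rest of the method lies inside the hunk, so the comment can be added without touching other code.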
@@ -97,21 +115,37 @@ index 157adfb..9d1c577 100644 // Can we process this request? Reference ref = (Reference) obj; -@@ -158,14 +145,20 @@ public class ResourceLinkFactory +@@ -150,22 +143,33 @@ public class ResourceLinkFactory + RefAddr refAddr = ref.get(ResourceLinkRef.GLOBALNAME); + if (refAddr != null) { + globalName = refAddr.getContent().toString(); +- // When running under a security manager confirm that the current +- // web application has really been configured to access the specified +- // global resource ++ // Confirm that the current web application is currently configured ++ // to access the specified global resource + if (!validateGlobalResourceAccess(globalName)) { + return null; } Object result = null; result = globalContext.lookup(globalName); - // FIXME: Check type + // Check the expected type + String expectedClassName = ref.getClassName(); ++ if (expectedClassName == null) { ++ throw new IllegalArgumentException( ++ sm.getString("resourceLinkFactory.nullType", name, globalName)); ++ } + try { + Class<?> expectedClazz = Class.forName( + expectedClassName, true, Thread.currentThread().getContextClassLoader()); + if (!expectedClazz.isAssignableFrom(result.getClass())) { -+ throw new IllegalArgumentException(); ++ throw new IllegalArgumentException(sm.getString("resourceLinkFactory.wrongType", ++ name, globalName, expectedClassName, result.getClass().getName())); + } + } catch (ClassNotFoundException e) { -+ throw new IllegalStateException(e); ++ throw new IllegalArgumentException(sm.getString("resourceLinkFactory.unknownType", ++ name, globalName, expectedClassName), e); + } return result; } diff --git a/debian/patches/series b/debian/patches/series index 4aa0c0e..26bf020 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -45,3 +45,4 @@ CVE-2016-0762.patch CVE-2016-6816.patch CVE-2016-8735.patch CVE-2016-6797-part2.patch +CVE-2016-5018-part2.patch diff --git a/debian/rules b/debian/rules index 31423af..55f3890 100755 
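Review bot: In the type check, `Class.forName(expectedClassName, true, ...)` initialises the class named by the reference only to call `isAssignableFrom` on it; passing `false` avoids running static initialisers for a name that comes from configuration: `Class.forName(expectedClassName, false, Thread.currentThread().getContextClassLoader())`. The same block calls `result.getClass()` with no null check, so if `globalContext.lookup(globalName)` can return null the caller gets a NullPointerException instead of the intended IllegalArgumentException. A guard such as `if (result == null || !expectedClazz.isAssignableFrom(result.getClass()))` covers the check, and the wrongType message then needs a null-safe class name as well. getObjectInstance starts outside this hunk.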
--- a/debian/rules
+++ b/debian/rules
@@ -168,6 +168,12 @@ binary-indep: build install
 jh_manifest
 dh_compress
 dh_fixperms
+
+ # Make the /etc/tomcat7/Catalina/localhost directory writable by the tomcat user
+ for PACKAGE in tomcat7 tomcat7-admin tomcat7-docs tomcat7-examples; do \
+ chmod 775 --verbose debian/$$PACKAGE/etc/tomcat7/Catalina/localhost; \
+ done
+
 dh_installdeb
 dh_gencontrol
 dh_md5sums
diff --git a/debian/tomcat7.postinst b/debian/tomcat7.postinst
index bedfba9..a8919dd 100644
--- a/debian/tomcat7.postinst
+++ b/debian/tomcat7.postinst
@@ -69,7 +69,7 @@ case "$1" in
 chown -Rh $TOMCAT7_USER:$TOMCAT7_GROUP /var/lib/tomcat7/webapps /var/lib/tomcat7/common /var/lib/tomcat7/server /var/lib/tomcat7/shared
 chmod 775 /var/lib/tomcat7/webapps
- chmod 775 /etc/tomcat7/Catalina /etc/tomcat7/Catalina/localhost
+ chmod 775 /etc/tomcat7/Catalina
 # Authorize user tomcat7 to open privileged ports via authbind.
 TOMCAT_UID="`id -u $TOMCAT7_USER`"
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
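Review bot: The added `for PACKAGE in ...` loop does not propagate errors: a failing `chmod 775 --verbose ...` for tomcat7, tomcat7-admin or tomcat7-docs is followed by the next iteration, and only the status of the last iteration reaches make. Starting the recipe with `set -e; for PACKAGE in ...` makes a missing directory fail the build instead of silently shipping a package with the old mode. The comment says the directory becomes writable by the tomcat user, but mode 775 only achieves that if the group is set somewhere else (presumably in postinst, not visible here), so the comment should name that dependency. The binary-indep target starts outside the hunk.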
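Review bot: The remaining `chmod 775 /var/lib/tomcat7/webapps` and `chmod 775 /etc/tomcat7/Catalina` still run as root on every configure, and chmod follows a symbolic link given as its operand. Dropping `/etc/tomcat7/Catalina/localhost` removes one such operand, presumably the CVE-2016-9774 part of this upload, but the same reasoning applies to any operand whose parent directory the tomcat user can write to. Ownership of `/var/lib/tomcat7` and `/etc/tomcat7` is not visible in this hunk and should be confirmed. A cheap guard is to skip links explicitly, e.g. `[ -L /etc/tomcat7/Catalina ] || chmod 775 /etc/tomcat7/Catalina`. The `case "$1" in` block starts and ends outside the hunk.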

