commit 014753724b6a82042dcb67142708907bb507173e
Author: Markus Koschany <[email protected]>
Date: Sat Dec 17 17:28:37 2016 +0100
Import Debian patch 6.0.45+dfsg-1~deb7u5
---
 debian/changelog | 6 ++
 debian/patches/CVE-2016-6797-part2.patch | 136 ++-----------------------------
 debian/patches/series | 2 +-
 3 files changed, 12 insertions(+), 132 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 162788d..cfc23e1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+tomcat6 (6.0.45+dfsg-1~deb7u5) wheezy-security; urgency=high
+
+ * Backport only the minimal changes to fix #845425. (Closes: #848492)
+
+ -- Markus Koschany <[email protected]> Sat, 17 Dec 2016 17:28:37 +0100
+
 tomcat6 (6.0.45+dfsg-1~deb7u4) wheezy-security; urgency=high
 
 * Non-maintainer upload by the LTS team.
diff --git a/debian/patches/CVE-2016-6797-part2.patch b/debian/patches/CVE-2016-6797-part2.patch
index 3e6e7a4..ae4206a 100644
--- a/debian/patches/CVE-2016-6797-part2.patch
+++ b/debian/patches/CVE-2016-6797-part2.patch
@@ -1,80 +1,17 @@
 From: Markus Koschany <[email protected]>
-Date: Thu, 1 Dec 2016 15:02:31 +0100
+Date: Sat, 17 Dec 2016 17:26:40 +0100
 Subject: CVE-2016-6797 part2
 
-Backport ResourceLinkFactory.java from trunk as a precaution to avoid #845425.
 Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845425
 ---
- .../apache/naming/factory/ResourceLinkFactory.java | 70 ++++++++++++----------
- 1 file changed, 37 insertions(+), 33 deletions(-)
+ java/org/apache/naming/factory/ResourceLinkFactory.java | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
 
 diff --git a/java/org/apache/naming/factory/ResourceLinkFactory.java b/java/org/apache/naming/factory/ResourceLinkFactory.java
-index 56b1423..51b5a1e 100644
+index 56b1423..0c899ec 100644
 --- a/java/org/apache/naming/factory/ResourceLinkFactory.java
+++ b/java/org/apache/naming/factory/ResourceLinkFactory.java
-@@ -5,17 +5,15 @@
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
-- *
-+ *
- * http://www.apache.org/licenses/LICENSE-2.0
-- *
-+ *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
-- */
--
--
-+ */
- package org.apache.naming.factory;
- 
- import java.util.HashMap;
-@@ -31,24 +29,19 @@ import javax.naming.Reference;
- import javax.naming.spi.ObjectFactory;
- 
- import org.apache.naming.ResourceLinkRef;
--
-+import org.apache.naming.StringManager;
- 
- /**
- * <p>Object factory for resource links.</p>
-- *
-+ *
- * @author Remy Maucherat
- *
- */
--
--public class ResourceLinkFactory
-- implements ObjectFactory {
--
--
-- // ----------------------------------------------------------- Constructors
--
-+public class ResourceLinkFactory implements ObjectFactory {
- 
- // ------------------------------------------------------- Static Variables
- 
-+ private static final StringManager sm = StringManager.getManager(Constants.Package);
- 
- /**
- * Global naming context.
-@@ -60,10 +53,9 @@ public class ResourceLinkFactory
- 
- // --------------------------------------------------------- Public Methods
- 
--
- /**
- * Set the global context (note: can only be used once).
-- *
-+ *
- * @param newGlobalContext new global context value
- */
- public static void setGlobalContext(Context newGlobalContext) {
-@@ -118,9 +110,12 @@ public class ResourceLinkFactory
+@@ -118,9 +118,12 @@ public class ResourceLinkFactory
  private static boolean validateGlobalResourceAccess(String globalName) {
  ClassLoader cl = Thread.currentThread().getContextClassLoader();
  
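Review bot: The patch header loses its only statement of scope: this hunk deletes the `Backport ResourceLinkFactory.java from trunk as a precaution to avoid #845425.` line without saying what the reduced patch still carries or why, and the next hunk (`@@ -90,66 +27,3 @@`) drops the trunk type check in getObjectInstance(), so the original `// FIXME: Check type` stays and the factory keeps returning whatever globalContext.lookup(globalName) yields regardless of the type the ResourceLink declares. The dropped code called sm.getString with the keys resourceLinkFactory.nullType, resourceLinkFactory.wrongType and resourceLinkFactory.unknownType while the old patch's diffstat touched only ResourceLinkFactory.java, so those keys presumably never reached a LocalStrings file; that looks like the likely regression behind #848492, though it cannot be confirmed from this diff. The change that is kept, the inner `@@ -118,9 +118,12 @@` hunk inside validateGlobalResourceAccess(), sits in unchanged context between the two outer hunks and is not visible here. I would put one line in place of the removed description, e.g. `Keep only the validateGlobalResourceAccess() change; the trunk type check in getObjectInstance() is left out because its StringManager keys are not shipped by this patch (#848492).`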
@@ -90,66 +27,3 @@ index 56b1423..51b5a1e 100644
  }
  return false;
  }
-@@ -128,24 +123,21 @@ public class ResourceLinkFactory
- 
- // -------------------------------------------------- ObjectFactory Methods
- 
--
- /**
- * Create a new DataSource instance.
-- *
-+ *
- * @param obj The reference object describing the DataSource
- */
- public Object getObjectInstance(Object obj, Name name, Context nameCtx,
-- Hashtable environment)
-- throws NamingException {
--
-- if (!(obj instanceof ResourceLinkRef))
-+ Hashtable<?,?> environment) throws NamingException {
-+
-+ if (!(obj instanceof ResourceLinkRef)) {
- return null;
-+ }
- 
- // Can we process this request?
- Reference ref = (Reference) obj;
- 
-- String type = ref.getClassName();
--
- // Read the global ref addr
- String globalName = null;
- RefAddr refAddr = ref.get(ResourceLinkRef.GLOBALNAME);
-@@ -158,14 +150,26 @@ public class ResourceLinkFactory
- }
- Object result = null;
- result = globalContext.lookup(globalName);
-- // FIXME: Check type
-+ // Check the expected type
-+ String expectedClassName = ref.getClassName();
-+ if (expectedClassName == null) {
-+ throw new IllegalArgumentException(
-+ sm.getString("resourceLinkFactory.nullType", name, globalName));
-+ }
-+ try {
-+ Class<?> expectedClazz = Class.forName(
-+ expectedClassName, true, Thread.currentThread().getContextClassLoader());
-+ if (!expectedClazz.isAssignableFrom(result.getClass())) {
-+ throw new IllegalArgumentException(sm.getString("resourceLinkFactory.wrongType",
-+ name, globalName, expectedClassName, result.getClass().getName()));
-+ }
-+ } catch (ClassNotFoundException e) {
-+ throw new IllegalArgumentException(sm.getString("resourceLinkFactory.unknownType",
-+ name, globalName, expectedClassName), e);
-+ }
- return result;
- }
- 
-- return (null);
--
--
-+ return null;
- }
--
--
- }
diff --git a/debian/patches/series b/debian/patches/series
index 05ba616..ad4e253 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,5 +14,5 @@ CVE-2016-5018.patch
 CVE-2016-6796.patch
 CVE-2016-6816.patch
 CVE-2016-8735.patch
-CVE-2016-6797-part2.patch
 CVE-2016-5018-part2.patch
+CVE-2016-6797-part2.patch
-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat6.git
_______________________________________________
pkg-java-commits mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits

