This is an automated email from the git hooks/post-receive script. apo pushed a commit to branch wheezy in repository tomcat7.
commit 1ebcd5b2c822cf677b59a875172344c80d1d1ee4 Author: Markus Koschany <[email protected]> Date: Tue Jun 20 22:23:35 2017 +0200 Import Debian changes 7.0.28-4+deb7u14 tomcat7 (7.0.28-4+deb7u14) wheezy-security; urgency=high * Team upload. * Fix CVE-2017-5664. The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. (Closes: #864447) --- debian/changelog | 18 ++++++ debian/patches/CVE-2017-5664.patch | 122 +++++++++++++++++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 141 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 4cc7b97..3b5bb48 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+tomcat7 (7.0.28-4+deb7u14) wheezy-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2017-5664.
+ The error page mechanism of the Java Servlet Specification requires that,
+ when an error occurs and an error page is configured for the error that
+ occurred, the original request and response are forwarded to the error
+ page. This means that the request is presented to the error page with the
+ original HTTP method. If the error page is a static file, expected
+ behaviour is to serve content of the file as if processing a GET request,
+ regardless of the actual HTTP method. The Default Servlet in Apache Tomcat
+ did not do this. Depending on the original request this could lead to
+ unexpected and undesirable results for static error pages including, if the
+ DefaultServlet is configured to permit writes, the replacement or removal
+ of the custom error page. (Closes: #864447)
+
+ -- Markus Koschany <[email protected]> Tue, 20 Jun 2017 22:23:35 +0200
+
 tomcat7 (7.0.28-4+deb7u13) wheezy-security; urgency=high
 
 * Team upload.
diff --git a/debian/patches/CVE-2017-5664.patch b/debian/patches/CVE-2017-5664.patch
new file mode 100644
index 0000000..8275316
--- /dev/null
+++ b/debian/patches/CVE-2017-5664.patch
@@ -0,0 +1,122 @@
+From: Markus Koschany <[email protected]>
+Date: Fri, 9 Jun 2017 23:25:05 +0200
+Subject: CVE-2017-5664
+
+Origin: http://svn.apache.org/r1793491
+Origin: http://svn.apache.org/r1793471
+---
+ .../apache/catalina/servlets/DefaultServlet.java | 28 ++++++++++++++++------
+ .../apache/catalina/servlets/WebdavServlet.java | 6 +++++
+ 2 files changed, 27 insertions(+), 7 deletions(-)
+
+diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java
+index 0850ad4..7bff461 100644
+--- a/java/org/apache/catalina/servlets/DefaultServlet.java
++++ b/java/org/apache/catalina/servlets/DefaultServlet.java
+@@ -43,6 +43,7 @@ import javax.naming.NameClassPair;
+ import javax.naming.NamingEnumeration;
+ import javax.naming.NamingException;
+ import javax.naming.directory.DirContext;
++import javax.servlet.DispatcherType;
+ import javax.servlet.RequestDispatcher;
+ import javax.servlet.ServletContext;
+ import javax.servlet.ServletException;
+@@ -241,7 +242,7 @@ public class DefaultServlet
+ urlEncoder.addSafeCharacter('.');
+ urlEncoder.addSafeCharacter('*');
+ urlEncoder.addSafeCharacter('/');
+-
++
+ if (Globals.IS_SECURITY_ENABLED) {
+ factory = DocumentBuilderFactory.newInstance();
+ factory.setNamespaceAware(true);
+@@ -415,6 +416,18 @@ public class DefaultServlet
+ }
+
+
++ @Override
++ protected void service(HttpServletRequest req, HttpServletResponse resp)
++ throws ServletException, IOException {
++
++ if (req.getDispatcherType() == DispatcherType.ERROR) {
++ doGet(req, resp);
++ } else {
++ super.service(req, resp);
++ }
++ }
++
++
+ /**
+ * Process a GET request for the specified resource.
+ *
+@@ -829,8 +842,7 @@ public class DefaultServlet
+ }
+ }
+
+- boolean isError =
+- response.getStatus() >= HttpServletResponse.SC_BAD_REQUEST;
++ boolean isError = DispatcherType.ERROR == request.getDispatcherType();
+
+ // Check if the conditions specified in the optional If headers are
+ // satisfied.
+@@ -1295,7 +1307,7 @@ public class DefaultServlet
+
+ }
+
+-
++
+ /**
+ * Return an InputStream to an HTML representation of the contents
+ * of this directory.
+@@ -1710,15 +1722,15 @@ public class DefaultServlet
+
+
+ private File validateGlobalXsltFile() {
+-
++
+ File result = null;
+ String base = System.getProperty(Globals.CATALINA_BASE_PROP);
+-
++
+ if (base != null) {
+ File baseConf = new File(base, "conf");
+ result = validateGlobalXsltFile(baseConf);
+ }
+-
++
+ if (result == null) {
+ String home = System.getProperty(Globals.CATALINA_HOME_PROP);
+ if (home != null && !home.equals(base)) {
+@@ -2302,6 +2314,8 @@ public class DefaultServlet
+
+ /**
+ * Validate range.
++ *
++ * @return true if the range is valid, otherwise false
+ */
+ public boolean validate() {
+ if (end >= length)
+diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java b/java/org/apache/catalina/servlets/WebdavServlet.java
+index 70204fa..0a6efbe 100644
+--- a/java/org/apache/catalina/servlets/WebdavServlet.java
++++ b/java/org/apache/catalina/servlets/WebdavServlet.java
+@@ -40,6 +40,7 @@ import javax.naming.NameClassPair;
+ import javax.naming.NamingEnumeration;
+ import javax.naming.NamingException;
+ import javax.naming.directory.DirContext;
++import javax.servlet.DispatcherType;
+ import javax.servlet.RequestDispatcher;
+ import javax.servlet.ServletContext;
+ import javax.servlet.ServletException;
+@@ -352,6 +353,11 @@ public class WebdavServlet
+ return;
+ }
+
++ if (req.getDispatcherType() == DispatcherType.ERROR) {
++ doGet(req, resp);
++ return;
++ }
++
+ final String method = req.getMethod();
+
+ if (debug > 0) {
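Review bot: The new `service` override in DefaultServlet (hunk @@ -415) and the matching early-return block in WebdavServlet.service (hunk @@ -352) carry no comment explaining why an ERROR dispatch is rerouted to doGet, so a later maintainer sees only a branch that ignores the HTTP method; suggest `// Error-page dispatches keep the original HTTP method (possibly PUT/DELETE); a static error page must always be served as a GET (CVE-2017-5664)` above both checks. The WebdavServlet block sits inside a method whose start and end lie outside the hunk, so its placement ahead of the `req.getMethod()` dispatch is inferred from the visible context only. The rewritten `isError` condition (hunk @@ -829) also narrows the old status-based check: a response whose status a filter already set to 400 or above on a plain REQUEST dispatch is no longer handled as an error, which presumably mirrors the cited upstream revisions but is worth a sentence in the changelog. The hunks at @@ -241, @@ -1295 and @@ -1710 are whitespace-only and @@ -2302 is Javadoc-only; dropping them from a stable security backport would keep the patch minimal and easier to audit against the upstream revisions it cites.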
diff --git a/debian/patches/series b/debian/patches/series
index 4664e69..7d5f339 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -51,3 +51,4 @@ BZ57544-infinite-loop.patch
 BZ57544-infinite-loop-part2.patch
 CVE-2017-5647.patch
 CVE-2017-5648.patch
+CVE-2017-5664.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits

