Author: tmancill Date: 2011-02-13 01:07:34 +0000 (Sun, 13 Feb 2011) New Revision: 13304
Added:
branches/tomcat6/squeeze-security/debian/patches/0012-CVE-2010-3718.patch
branches/tomcat6/squeeze-security/debian/patches/0013-CVE-2011-0013.patch
branches/tomcat6/squeeze-security/debian/patches/0014-CVE-2011-0534.patch
Modified:
branches/tomcat6/squeeze-security/debian/changelog
branches/tomcat6/squeeze-security/debian/control
branches/tomcat6/squeeze-security/debian/patches/series
Log:
patches for CVE-2011-0013, CVE-2011-0534, and CVE-2010-3718
Modified: branches/tomcat6/squeeze-security/debian/changelog
===================================================================
--- branches/tomcat6/squeeze-security/debian/changelog 2011-02-12 22:01:39 UTC (rev 13303)
+++ branches/tomcat6/squeeze-security/debian/changelog 2011-02-13 01:07:34 UTC (rev 13304)
@@ -1,3 +1,12 @@
+tomcat6 (6.0.28-9+squeeze1) stable-security; urgency=high
+
+ * Team upload.
+ * Update Vcs-* fields in debian/control to track security branch.
+ * Add patches for CVE-2011-0534, CVE-2010-3718, CVE-2011-0013
+ Thanks to Moritz Muehlenhoff (Closes: #612257)
+
+ -- tony mancill <[email protected]> Sat, 12 Feb 2011 14:17:29 -0800
+
 tomcat6 (6.0.28-9) unstable; urgency=medium
 
 * Team upload.
Modified: branches/tomcat6/squeeze-security/debian/control
===================================================================
--- branches/tomcat6/squeeze-security/debian/control 2011-02-12 22:01:39 UTC (rev 13303)
+++ branches/tomcat6/squeeze-security/debian/control 2011-02-13 01:07:34 UTC (rev 13304)
@@ -9,8 +9,8 @@
 Build-Depends-Indep: maven-repo-helper (>> 1.0.1), libecj-java
 Standards-Version: 3.8.4
 Homepage: http://tomcat.apache.org
-Vcs-Svn: svn://svn.debian.org/svn/pkg-java/trunk/tomcat6/
-Vcs-Browser: http://svn.debian.org/wsvn/pkg-java/trunk/tomcat6/
+Vcs-Svn: svn://svn.debian.org/svn/pkg-java/branches/tomcat6/squeeze-security/
+Vcs-Browser: http://svn.debian.org/wsvn/pkg-java/branches/tomcat6/squeeze-security/
 
 Package: tomcat6-common
 Architecture: all
Added: branches/tomcat6/squeeze-security/debian/patches/0012-CVE-2010-3718.patch
===================================================================
--- branches/tomcat6/squeeze-security/debian/patches/0012-CVE-2010-3718.patch (rev 0)
+++ branches/tomcat6/squeeze-security/debian/patches/0012-CVE-2010-3718.patch 2011-02-13 01:07:34 UTC (rev 13304)
@@ -0,0 +1,31 @@
+--- a/java/org/apache/catalina/core/StandardContext.java
++++ b/java/org/apache/catalina/core/StandardContext.java
+@@ -5309,11 +5309,11 @@
+ dir.mkdirs();
+
+ // Set the appropriate servlet context attribute
+- getServletContext().setAttribute(Globals.WORK_DIR_ATTR, dir);
+- if (getServletContext() instanceof ApplicationContext)
+- ((ApplicationContext) getServletContext()).setAttributeReadOnly
+- (Globals.WORK_DIR_ATTR);
+-
++ if (context == null) {
++ getServletContext();
++ }
++ context.setAttribute(Globals.WORK_DIR_ATTR, dir);
++ context.setAttributeReadOnly(Globals.WORK_DIR_ATTR);
+ }
+
+
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -93,6 +93,9 @@
+ <bug>49436</bug>: Correct documented default for readonly attribute of
+ the UserDatabase component. (markt)
+ </fix>
++ <fix>
++ Code clean-up. Avoid some casts in StandardContext. (markt)
++ </fix>
+ </changelog>
+ </subsection>
+ </section>
Added: branches/tomcat6/squeeze-security/debian/patches/0013-CVE-2011-0013.patch
===================================================================
--- branches/tomcat6/squeeze-security/debian/patches/0013-CVE-2011-0013.patch (rev 0)
+++ branches/tomcat6/squeeze-security/debian/patches/0013-CVE-2011-0013.patch 2011-02-13 01:07:34 UTC (rev 13304)
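Review bot: The new file 0012-CVE-2010-3718.patch begins directly at `--- a/java/org/apache/catalina/core/StandardContext.java` with no DEP-3 header, and the only rationale it carries is the upstream changelog text `Code clean-up. Avoid some casts in StandardContext. (markt)`, so a reader of the Debian source cannot tell from the file why it is shipped as a security fix; the same is true of 0013-CVE-2011-0013.patch and 0014-CVE-2011-0534.patch. I would prepend `Description: CVE-2010-3718: always mark the work-directory attribute read-only on the context`, `Origin: upstream` and `Bug-Debian: http://bugs.debian.org/612257` (the bug closed in debian/changelog) to each patch. In the StandardContext hunk, `if (context == null) { getServletContext(); }` appears to rely on getServletContext() populating the `context` field as a side effect before `context.setAttribute(...)` is called; a one-line comment such as `// getServletContext() initialises 'context' when it is still null` would make that intent explicit. The enclosing method begins before the hunk.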
@@ -0,0 +1,63 @@
+--- a/java/org/apache/catalina/manager/HTMLManagerServlet.java
++++ b/java/org/apache/catalina/manager/HTMLManagerServlet.java
+@@ -407,10 +407,11 @@
+
+ args = new Object[7];
+ args[0] = URL_ENCODER.encode(displayPath);
+- args[1] = displayPath;
+- args[2] = context.getDisplayName();
+- if (args[2] == null) {
++ args[1] = RequestUtil.filter(displayPath);
++ if (context.getDisplayName() == null) {
+ args[2] = " ";
++ } else {
++ args[2] = RequestUtil.filter(context.getDisplayName());
+ }
+ args[3] = new Boolean(context.getAvailable());
+ args[4] = response.encodeURL
+--- a/java/org/apache/catalina/manager/StatusTransformer.java
++++ b/java/org/apache/catalina/manager/StatusTransformer.java
+@@ -575,7 +575,7 @@
+ }
+
+ writer.print("<a href=\"#" + (count++) + ".0\">");
+- writer.print(webModuleName);
++ writer.print(filter(webModuleName));
+ writer.print("</a>");
+ if (iterator.hasNext()) {
+ writer.print("<br>");
+@@ -650,7 +650,7 @@
+ }
+
+ writer.print("<h1>");
+- writer.print(name);
++ writer.print(filter(name));
+ writer.print("</h1>");
+ writer.print("</a>");
+
+@@ -778,11 +778,11 @@
+ mBeanServer.invoke(objectName, "findMappings", null, null);
+
+ writer.print("<h2>");
+- writer.print(servletName);
++ writer.print(filter(servletName));
+ if ((mappings != null) && (mappings.length > 0)) {
+ writer.print(" [ ");
+ for (int i = 0; i < mappings.length; i++) {
+- writer.print(mappings[i]);
++ writer.print(filter(mappings[i]));
+ if (i < mappings.length - 1) {
+ writer.print(" , ");
+ }
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -45,6 +45,9 @@
+ <fix>Arrange filter logic. (jfclere)
+ </fix>
+ <fix>
++ filter input of manager app servlets. (kkolinko)
++ </fix>
++ <fix>
+ <bug>49230</bug>: Enhance JRE leak prevention listener with protection
+ for the keep-alive thread started by
+ <code>sun.net.www.http.HttpClient</code>. Patch provided by Rob Kooper.
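Review bot: The HTMLManagerServlet hunk HTML-escapes `args[1]` and `args[2]` through `RequestUtil.filter`, but of the seven slots created by `args = new Object[7]` only `args[0]` to `args[4]` are visible here; `args[5]` and `args[6]` are assigned outside the hunk and should be checked for the same treatment if they are rendered into the page. `args[0]` is encoded with `URL_ENCODER.encode`, which is the appropriate encoding for the URL it presumably ends up in, so it does not also need `filter`. The upstream changelog entry `filter input of manager app servlets. (kkolinko)` calls this input filtering, whereas every changed call site escapes at output time; a DEP-3 `Description: CVE-2011-0013: HTML-escape context paths, display names and servlet mappings rendered by the manager and status servlets` would describe the change more accurately than the inherited wording. The method containing the first hunk begins before it and continues after `args[4] = response.encodeURL`.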
Added: branches/tomcat6/squeeze-security/debian/patches/0014-CVE-2011-0534.patch
===================================================================
--- branches/tomcat6/squeeze-security/debian/patches/0014-CVE-2011-0534.patch (rev 0)
+++ branches/tomcat6/squeeze-security/debian/patches/0014-CVE-2011-0534.patch 2011-02-13 01:07:34 UTC (rev 13304)
@@ -0,0 +1,171 @@
+--- a/java/org/apache/coyote/http11/InternalNioInputBuffer.java
++++ b/java/org/apache/coyote/http11/InternalNioInputBuffer.java
+@@ -41,6 +41,11 @@
+ */
+ public class InternalNioInputBuffer implements InputBuffer {
+
++ /**
++ * Logger.
++ */
++ private static final org.apache.juli.logging.Log log =
++ org.apache.juli.logging.LogFactory.getLog(InternalNioInputBuffer.class);
+
+ // -------------------------------------------------------------- Constants
+
+@@ -57,12 +62,7 @@
+ this.request = request;
+ headers = request.getMimeHeaders();
+
+- buf = new byte[headerBufferSize];
+-// if (headerBufferSize < (8 * 1024)) {
+-// bbuf = ByteBuffer.allocateDirect(6 * 1500);
+-// } else {
+-// bbuf = ByteBuffer.allocateDirect((headerBufferSize / 1500 + 1) * 1500);
+-// }
++ this.headerBufferSize = headerBufferSize;
+
+ inputStreamInputBuffer = new SocketInputBuffer();
+
+@@ -189,6 +189,28 @@
+ protected int lastActiveFilter;
+
+
++ /**
++ * Maximum allowed size of the HTTP request line plus headers.
++ */
++ private final int headerBufferSize;
++
++ /**
++ * Known size of the NioChannel read buffer.
++ */
++ private int socketReadBufferSize;
++
++ /**
++ * Additional size we allocate to the buffer to be more effective when
++ * skipping empty lines that may precede the request.
++ */
++ private static final int skipBlankLinesSize = 1024;
++
++ /**
++ * How many bytes in the buffer are occupied by skipped blank lines that
++ * precede the request.
++ */
++ private int skipBlankLinesBytes;
++
+ // ------------------------------------------------------------- Properties
+
+
+@@ -197,6 +219,12 @@
+ */
+ public void setSocket(NioChannel socket) {
+ this.socket = socket;
++ socketReadBufferSize = socket.getBufHandler().getReadBuffer().capacity();
++ int bufLength = skipBlankLinesSize + headerBufferSize
++ + socketReadBufferSize;
++ if (buf == null || buf.length < bufLength) {
++ buf = new byte[bufLength];
++ }
+ }
+
+ /**
+@@ -421,25 +449,23 @@
+ if (useAvailableData) {
+ return false;
+ }
++ // Ignore bytes that were read
++ pos = lastValid = 0;
+ // Do a simple read with a short timeout
+ if ( readSocket(true, false)==0 ) return false;
+ }
+ chr = buf[pos++];
+ } while ((chr == Constants.CR) || (chr == Constants.LF));
+ pos--;
+- parsingRequestLineStart = pos;
+- parsingRequestLinePhase = 1;
+- }
+- if ( parsingRequestLinePhase == 1 ) {
+- // Mark the current buffer position
+-
+- if (pos >= lastValid) {
+- if (useAvailableData) {
+- return false;
+- }
+- // Do a simple read with a short timeout
+- if ( readSocket(true, false)==0 ) return false;
++ if (pos >= skipBlankLinesSize) {
++ // Move data, to have enough space for further reading
++ // of headers and body
++ System.arraycopy(buf, pos, buf, 0, lastValid - pos);
++ lastValid -= pos;
++ pos = 0;
+ }
++ skipBlankLinesBytes = pos;
++ parsingRequestLineStart = pos;
+ parsingRequestLinePhase = 2;
+ }
+ if ( parsingRequestLinePhase == 2 ) {
+@@ -578,6 +604,13 @@
+
+ private void expand(int newsize) {
+ if ( newsize > buf.length ) {
++ if (parsingHeader) {
++ throw new IllegalArgumentException(
++ sm.getString("iib.requestheadertoolarge.error"));
++ }
++ // Should not happen
++ log.warn("Expanding buffer size. 
Old size: " + buf.length
++ + ", new size: " + newsize, new Exception());
+ byte[] tmp = new byte[newsize];
+ System.arraycopy(buf,0,tmp,0,buf.length);
+ buf = tmp;
+@@ -639,6 +672,19 @@
+ if (status == HeaderParseStatus.DONE) {
+ parsingHeader = false;
+ end = pos;
++ // Checking that
++ // (1) Headers plus request line size does not exceed its limit
++ // (2) There are enough bytes to avoid expanding the buffer when
++ // reading body
++ // Technically, (2) is technical limitation, (1) is logical
++ // limitation to enforce the meaning of headerBufferSize
++ // From the way how buf is allocated and how blank lines are being
++ // read, it should be enough to check (1) only.
++ if (end - skipBlankLinesBytes > headerBufferSize
++ || buf.length - end < socketReadBufferSize) {
++ throw new IllegalArgumentException(
++ sm.getString("iib.requestheadertoolarge.error"));
++ }
+ return true;
+ } else {
+ return false;
+@@ -889,16 +935,7 @@
+ // Do a simple read with a short timeout
+ read = readSocket(timeout,block)>0;
+ } else {
+-
+- if (buf.length - end < 4500) {
+- // In this case, the request header was really large, so we allocate a
+- // brand new one; the old one will get GCed when subsequent requests
+- // clear all references
+- buf = new byte[buf.length];
+- end = 0;
+- }
+- pos = end;
+- lastValid = pos;
++ lastValid = pos = end;
+ // Do a simple read with a short timeout
+ read = readSocket(timeout, block)>0;
+ }
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -48,6 +48,10 @@
+ filter input of manager app servlets. (kkolinko)
+ </fix>
+ <fix>
++ <bug>50631</bug>: InternalNioInputBuffer should honor
++ <code>maxHttpHeadSize</code>. (kkolinko)
++ </fix>
++ <fix>
+ <bug>49230</bug>: Enhance JRE leak prevention listener with protection
+ for the keep-alive thread started by
+ <code>sun.net.www.http.HttpClient</code>. Patch provided by Rob Kooper.
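Review bot: `expand(int)` now throws `IllegalArgumentException` whenever the buffer would have to grow while `parsingHeader` is set, and the `HeaderParseStatus.DONE` branch throws the same exception when `end - skipBlankLinesBytes > headerBufferSize`, yet neither site documents the new failure mode; a `@throws IllegalArgumentException if the request line plus headers exceed headerBufferSize` on `expand` and on the method containing the DONE branch (its signature is outside the hunk) would make the contract the caller relies on explicit. In the DONE branch the check runs after `parsingHeader = false;` and `end = pos;` have already been assigned, so if a caller catches the exception and reuses this buffer without a recycle, the object is left half-updated; testing first, `if (pos - skipBlankLinesBytes > headerBufferSize || buf.length - pos < socketReadBufferSize) throw new IllegalArgumentException(sm.getString("iib.requestheadertoolarge.error"));` and only then assigning the two fields, avoids that. `private static final int skipBlankLinesSize = 1024;` would conventionally be `SKIP_BLANK_LINES_SIZE`, and the compaction in `if (pos >= skipBlankLinesSize)` and the buffer sizing in `setSocket` both depend on this value, so a short comment on why 1024 was chosen belongs next to it. The body of `expand` and the method holding the DONE branch both extend beyond the hunk.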
Modified: branches/tomcat6/squeeze-security/debian/patches/series
===================================================================
--- branches/tomcat6/squeeze-security/debian/patches/series 2011-02-12 22:01:39 UTC (rev 13303)
+++ branches/tomcat6/squeeze-security/debian/patches/series 2011-02-13 01:07:34 UTC (rev 13304)
@@ -9,3 +9,6 @@
 0009-allow-empty-PID-file.patch
 0010-Use-java.security.policy-file-in-catalina.sh.patch
 0011-CVE-2010-4172.patch
+0012-CVE-2010-3718.patch
+0013-CVE-2011-0013.patch
+0014-CVE-2011-0534.patch
_______________________________________________
pkg-java-commits mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/pkg-java-commits

