On 04.12.2016 15:39, Arne Nordmark wrote:
> Den 2016-12-04 kl. 15:00, skrev Markus Koschany:
>> On 04.12.2016 09:22, Arne Nordmark wrote:
>>> Unfortunately, the newly released wheezy security update 7.0.28-4+deb7u7
>>> also suffers from this problem.
>>> Can it be so that the important part missing is the loop traversing the
>>> class loaders in validateGlobalResourceAccess():
>>> while (cl != null) {
>>>  ...
>>>  cl = cl.getParent();
>>> }
>> Hello,
>> I have prepared the update for Wheezy. Since you confirmed that using the
>> ResourceLinkFactory class from 7.x trunk works for you, we have replaced
>> the current version with this one. At the moment I fail to understand what
>> we are missing because upstream's fix for CVE-2016-6797 is relatively
>> straightforward [1] and we have already taken your bug report into account.
>> Could you elaborate in which file the code from above is missing?
> Sorry if I was unclear. In the ResourceLinkFactory class,
> CVE-2016-6797.patch adds among other things the new method
> private static boolean validateGlobalResourceAccess(String globalName)
> However, in the upstream version 7.0.73 there is another change to this new
> method, which is the loop over the parent class loaders I was referring
> to above.
> It seems that when preparing CVE-2016-6797-part2.patch, this change was
> left out, but it may be the change that actually makes things work.
> I can build and run Debian tomcat7 on both wheezy and jessie, so if you
> would like me to make any further tests, please let me know.

My bad. It seems I have copied ResourceLinkFactory from another branch which is
not equivalent to

Looking at Apache's github repository for Tomcat 7, the loop is indeed present.

I will use this version when I prepare a regression update. Since you have
already confirmed that this fixes #845425, further tests won't be necessary.
Thanks for your help!
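To make the point of the thread concrete, here is an added illustrative model of the access check being discussed. It is not Tomcat's ResourceLinkFactory and not code from either participant; the class name ResourceLinkGuard, the method names, the registration map and the class loaders constructed in main() are all assumptions made for this example. It contrasts a check that consults only the exact context class loader with the variant containing the parent-class-loader loop that Arne refers to: the loop lets a lookup made from a loader whose parent registered the link succeed, while a registration made by a different web application is still never matched.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Illustrative model (not Tomcat's code) of validating whether the calling
// web application may reach a global JNDI resource through a ResourceLink.
public final class ResourceLinkGuard {

    // Per web application: the class loader that registered the link mapped
    // to the global JNDI names that application is allowed to reach.
    private static final Map<ClassLoader, Set<String>> registrations = new HashMap<>();

    // Called when a <ResourceLink> is deployed for a web application.
    // (Assumed name; Tomcat's real registration API is not modelled here.)
    public static void registerGlobalResourceAccess(ClassLoader webappLoader, String globalName) {
        registrations.computeIfAbsent(webappLoader, k -> new HashSet<>()).add(globalName);
    }

    // Variant without the loop: only the exact context class loader is consulted.
    public static boolean validateWithoutLoop(String globalName) {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        Set<String> allowed = registrations.get(cl);
        return allowed != null && allowed.contains(globalName);
    }

    // Variant with the loop from the thread: walk up the parent chain, so a
    // lookup made from a child loader of the registered web-app loader still
    // matches that application's own registration. A sibling application's
    // loader is not an ancestor, so its registration is never matched.
    public static boolean validateGlobalResourceAccess(String globalName) {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        while (cl != null) {
            Set<String> allowed = registrations.get(cl);
            if (allowed != null && allowed.contains(globalName)) {
                return true;
            }
            cl = cl.getParent();
        }
        return false;
    }

    public static void main(String[] args) {
        ClassLoader root = ResourceLinkGuard.class.getClassLoader();
        // Constructed loaders standing in for two deployed web applications.
        ClassLoader appA = new ClassLoader(root) {};
        ClassLoader appB = new ClassLoader(root) {};
        // A loader created below application A, e.g. by a library inside it.
        ClassLoader appAChild = new ClassLoader(appA) {};

        // Only application A has a ResourceLink to the constructed global name.
        registerGlobalResourceAccess(appA, "jdbc/SharedDb");

        ClassLoader saved = Thread.currentThread().getContextClassLoader();
        try {
            Thread.currentThread().setContextClassLoader(appAChild);
            System.out.println("child of A, no loop:   " + validateWithoutLoop("jdbc/SharedDb"));
            System.out.println("child of A, with loop: " + validateGlobalResourceAccess("jdbc/SharedDb"));

            Thread.currentThread().setContextClassLoader(appB);
            System.out.println("app B, no loop:        " + validateWithoutLoop("jdbc/SharedDb"));
            System.out.println("app B, with loop:      " + validateGlobalResourceAccess("jdbc/SharedDb"));
        } finally {
            Thread.currentThread().setContextClassLoader(saved);
        }
    }
}
```

Compile and run with `javac ResourceLinkGuard.java && java ResourceLinkGuard`. The lookup from appAChild is accepted only by the variant with the loop, and the lookup from appB is rejected by both variants, which is the property the fix has to preserve: the loop widens the match to a web application's own loader hierarchy without letting one application reach another application's linked resources.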
