On 04.12.2016 15:39, Arne Nordmark wrote:
> Den 2016-12-04 kl. 15:00, skrev Markus Koschany:
>> On 04.12.2016 09:22, Arne Nordmark wrote:
>>> Unfortunately, the newly released wheezy security update 7.0.28-4+deb7u7
>>> also suffers from this problem.
>>>
>>> Can it be so that the important part missing is the loop traversing the
>>> class loaders in validateGlobalResourceAccess():
>>>
>>> while (cl != null) {
>>>  ...
>>>  cl = cl.getParent();
>>> }
>>
>> Hello,
>>
>> I have prepared the update for Wheezy. Since you confirmed that using the 
>> ResourceLinkFactory class
>> from 7.x trunk works for you, we have replaced the current version with this 
>> one. At the moment I
>> fail to understand what we are missing because upstream's fix for 
>> CVE-2016-6797 is relatively
>> straightforward [1] and we have already taken your bug report into account.
>>
>> Could you elaborate in which file the code from above is missing?
> 
> Sorry if I was unclear. In the ResourceLinkFactory class,
> CVE-2016-6797.patch adds among other things the new method
> 
> private static boolean validateGlobalResourceAccess(String globalName)
> 
> However, the upstream version 7.0.73 there is another change to this new
> method, which is the loop over the parent class loaders I was referring
> to above.
> 
> It seems that when preparing CVE-2016-6797-part2.patch, this change was
> left out, but it may be the change that actually makes things work.
> 
> I can build and run Debian tomcat7 on both wheezy and jessie, so if you
> would like me to make any further tests, please let me know.

My bad. It seems I have copied ResourceLinkFactory from another branch which is 
not equivalent to
7.0.73.

https://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/naming/factory/?pathrev=1757275

Looking at Apache's github repository for Tomcat 7, the loop is indeed present.

https://raw.githubusercontent.com/apache/tomcat70/TOMCAT_7_0_73/java/org/apache/naming/factory/ResourceLinkFactory.java

I will use this version when I prepare a regression update. Since you have 
already confirmed that
this fixes #845425 further tests won't be necessary. Thanks for your help!





Attachment: signature.asc
Description: OpenPGP digital signature

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to