This is an automated email from the git hooks/post-receive script. apo pushed a commit to branch wheezy in repository tomcat7.
commit 9ec56770ae1c0aef52bcfeb22205456959269a13 Author: Roberto C. Sanchez <robe...@debian.org> Date: Wed Nov 8 23:43:03 2017 -0500 Import Debian changes 7.0.28-4+deb7u17 tomcat7 (7.0.28-4+deb7u17) wheezy-security; urgency=high * Non-maintainer upload by the LTS Security Team. * Fix regression introduced by patch for CVE-2017-12617 (Closes: #881162) --- debian/changelog | 7 +++++ debian/patches/CVE-2017-12617_1.patch | 36 ++++++++++++++++++++---- debian/patches/CVE-2017-12617_3.patch | 53 +++++++++++++++++++++++++---------- 3 files changed, 76 insertions(+), 20 deletions(-) diff --git a/debian/changelog b/debian/changelog index 26f16eb..32e7434 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +tomcat7 (7.0.28-4+deb7u17) wheezy-security; urgency=high + + * Non-maintainer upload by the LTS Security Team. + * Fix regression introduced by patch for CVE-2017-12617 (Closes: #881162) + + -- Roberto C. Sanchez <robe...@debian.org> Wed, 08 Nov 2017 23:43:03 -0500 + tomcat7 (7.0.28-4+deb7u16) wheezy-security; urgency=high * Non-maintainer upload by the LTS Security Team. diff --git a/debian/patches/CVE-2017-12617_1.patch b/debian/patches/CVE-2017-12617_1.patch index b34d879..c85566d 100644 --- a/debian/patches/CVE-2017-12617_1.patch +++ b/debian/patches/CVE-2017-12617_1.patch @@ -22,8 +22,8 @@ origin: https://github.com/apache/tomcat70/commit/512a3c3aecdb52de092c6bacddd71b 4 files changed, 64 insertions(+), 28 deletions(-) create mode 100644 test/org/apache/naming/resources/TestFileDirContext.java ---- tomcat-7.0.x.orig/java/org/apache/naming/resources/FileDirContext.java -+++ tomcat-7.0.x/java/org/apache/naming/resources/FileDirContext.java +--- tomcat7.git.orig/java/org/apache/naming/resources/FileDirContext.java ++++ tomcat7.git/java/org/apache/naming/resources/FileDirContext.java @@ -817,11 +817,18 @@ */ protected File file(String name, boolean mustExist) { 
@@ -45,8 +45,8 @@ origin: https://github.com/apache/tomcat70/commit/512a3c3aecdb52de092c6bacddd71b if (!mustExist || file.exists() && file.canRead()) { ---- tomcat-7.0.x.orig/java/org/apache/naming/resources/VirtualDirContext.java -+++ tomcat-7.0.x/java/org/apache/naming/resources/VirtualDirContext.java +--- tomcat7.git.orig/java/org/apache/naming/resources/VirtualDirContext.java ++++ tomcat7.git/java/org/apache/naming/resources/VirtualDirContext.java @@ -153,7 +153,7 @@ String resourcesDir = dirList.get(0); if (name.equals(path)) { @@ -115,7 +115,7 @@ origin: https://github.com/apache/tomcat70/commit/512a3c3aecdb52de092c6bacddd71b if (f.isFile()) { return new FileResource(f); --- /dev/null -+++ tomcat-7.0.x/test/org/apache/naming/resources/TestFileDirContext.java ++++ tomcat7.git/test/org/apache/naming/resources/TestFileDirContext.java @@ -0,0 +1,46 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more 
@@ -163,3 +163,29 @@ origin: https://github.com/apache/tomcat70/commit/512a3c3aecdb52de092c6bacddd71b + Assert.assertEquals(HttpServletResponse.SC_NOT_FOUND, sc); + } +} +--- tomcat7.git.orig/java/org/apache/catalina/servlets/DefaultServlet.java ++++ tomcat7.git/java/org/apache/catalina/servlets/DefaultServlet.java +@@ -825,23 +825,6 @@ + return; + } + +- // If the resource is not a collection, and the resource path +- // ends with "/" or "\", return NOT FOUND +- if (cacheEntry.context == null) { +- if (path.endsWith("/") || (path.endsWith("\\"))) { +- // Check if we're included so we can return the appropriate +- // missing resource name in the error +- String requestUri = (String) request.getAttribute( +- RequestDispatcher.INCLUDE_REQUEST_URI); +- if (requestUri == null) { +- requestUri = request.getRequestURI(); +- } +- response.sendError(HttpServletResponse.SC_NOT_FOUND, +- requestUri); +- return; +- } +- } +- + boolean isError = DispatcherType.ERROR == request.getDispatcherType(); + + // Check if the conditions specified in the optional If headers are diff --git a/debian/patches/CVE-2017-12617_3.patch b/debian/patches/CVE-2017-12617_3.patch index 5fec2e8..dbe9133 100644 --- a/debian/patches/CVE-2017-12617_3.patch +++ b/debian/patches/CVE-2017-12617_3.patch @@ -16,8 +16,8 @@ origin: https://github.com/apache/tomcat70/commit/bbcbb749c75056a2781f37038d63e6 2 files changed, 110 insertions(+), 17 deletions(-) create mode 100644 java/org/apache/naming/resources/JrePlatform.java ---- tomcat-7.0.x.orig/java/org/apache/naming/resources/FileDirContext.java -+++ tomcat-7.0.x/java/org/apache/naming/resources/FileDirContext.java +--- tomcat7.git.orig/java/org/apache/naming/resources/FileDirContext.java ++++ tomcat7.git/java/org/apache/naming/resources/FileDirContext.java @@ -14,8 +14,6 @@ * See the License for the specific language governing permissions and * limitations under the License. 
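Review bot: The inner hunk this commit adds against `DefaultServlet.java` (`@@ -825,23 +825,6 @@`) deletes the trailing-slash 404 block for non-collection resources, but neither the patch header nor the changelog entry says where that rejection now happens; the only hint is the `TestFileDirContext` assertion `Assert.assertEquals(HttpServletResponse.SC_NOT_FOUND, sc);` at the top of the hunk, whose setup is not visible here. A sentence in the patch description such as `Drop the DefaultServlet trailing-slash check: rejection of "file/" style paths is now handled in FileDirContext.file() and covered by TestFileDirContext` (if that is indeed where it moved) would make the regression fix reviewable. The removed block also used `RequestDispatcher.INCLUDE_REQUEST_URI` to report the included URI in the 404; if the replacement path does not, that small behaviour change is worth a line too. The enclosing DefaultServlet method starts and ends outside the hunk.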
@@ -84,7 +84,7 @@ origin: https://github.com/apache/tomcat70/commit/bbcbb749c75056a2781f37038d63e6 // Check that this file belongs to our root path String canPath = null; -@@ -847,7 +861,7 @@ +@@ -847,32 +861,23 @@ } catch (IOException e) { // Ignore } @@ -92,21 +92,44 @@ origin: https://github.com/apache/tomcat70/commit/bbcbb749c75056a2781f37038d63e6 + if (canPath == null || !canPath.startsWith(canonicalBase)) return null; - // Check to see if going outside of the web application root -@@ -868,9 +882,9 @@ - return null; - if (absPath.equals("")) - absPath = "/"; +- // Check to see if going outside of the web application root +- if (!canPath.startsWith(absoluteBase)) { ++ String absPath = normalize(file.getAbsolutePath()); ++ if ((absoluteBase.length() > absPath.length())) { + return null; + } + +- // Case sensitivity check - this is now always done +- String fileAbsPath = file.getAbsolutePath(); +- if (fileAbsPath.endsWith(".")) +- fileAbsPath = fileAbsPath + "/"; +- String absPath = normalize(fileAbsPath); +- canPath = normalize(canPath); +- if ((absoluteBase.length() < absPath.length()) +- && (absoluteBase.length() < canPath.length())) { +- absPath = absPath.substring(absoluteBase.length() + 1); +- if (absPath == null) +- return null; +- if (absPath.equals("")) +- absPath = "/"; - canPath = canPath.substring(absoluteBase.length() + 1); - if (canPath.equals("")) - canPath = "/"; -+ canPath = canPath.substring(canonicalBase.length() + 1); -+ if (canPath.length() > 0) -+ canPath = normalize(canPath); - if (!canPath.equals(absPath)) - return null; +- if (!canPath.equals(absPath)) +- return null; ++ absPath = absPath.substring(absoluteBase.length()); ++ canPath = canPath.substring(canonicalBase.length()); ++ ++ // Case sensitivity check ++ if (canPath.length() > 0) { ++ canPath = normalize(canPath); ++ } ++ if (!canPath.equals(absPath)) { ++ return null; } -@@ -883,6 +897,36 @@ + + } else { +@@ -883,6 +888,36 @@ } 
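Review bot: The new `String absPath = normalize(file.getAbsolutePath());` is dereferenced unguarded in `absoluteBase.length() > absPath.length()`, while the removed lines show `normalize()` was treated as nullable (`if (absPath == null) return null;`, even though that check came after the substring); if it can still return null, a path that escapes the root now surfaces as a NullPointerException from the resource layer instead of a quiet null, which callers presumably map to a 404. Folding the null test into the new guard keeps the fail-closed behaviour: `if (absPath == null || absoluteBase.length() > absPath.length()) {`. Separately, `canPath.startsWith(canonicalBase)` and the stripping by `absoluteBase.length()` do not require a separator after the base, so the final `canPath.equals(absPath)` is what actually ties the file to the document root, and that holds only if `name` arrives already normalized; a comment above the new guard stating that precondition would help, e.g. `// 'name' is expected to be normalized by the caller; the prefix checks below do not look for a separator after the base.` The enclosing method begins and ends outside this hunk.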
@@ -144,7 +167,7 @@ origin: https://github.com/apache/tomcat70/commit/bbcbb749c75056a2781f37038d63e6 * List the resources which are members of a collection. * --- /dev/null -+++ tomcat-7.0.x/java/org/apache/naming/resources/JrePlatform.java ++++ tomcat7.git/java/org/apache/naming/resources/JrePlatform.java @@ -0,0 +1,59 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git _______________________________________________ pkg-java-commits mailing list pkg-java-comm...@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits