This is an automated email from the git hooks/post-receive script.
apo pushed a commit to annotated tag debian/6.0.45+dfsg-1_deb7u3
in repository tomcat6.
commit 49766f57ad1d039638c8cef1187c4d965c7aad30
Author: Markus Koschany <a...@debian.org>
Date: Thu Dec 1 20:01:25 2016 +0000
Import Debian patch 6.0.45+dfsg-1~deb7u3
---
debian/changelog | 6 +-
debian/patches/CVE-2016-6797-part2.patch | 131 +++++++++++++++++++++++++++++++
debian/patches/series | 1 +
debian/tomcat6.postrm | 2 +-
4 files changed, 137 insertions(+), 3 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 5ecc7a3..fbc761d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-tomcat6 (6.0.45+dfsg-1~deb7u3) UNRELEASED; urgency=high
+tomcat6 (6.0.45+dfsg-1~deb7u3) wheezy-security; urgency=high
* Fixed CVE-2016-0762: The Realm implementations did not process the supplied
password if the supplied user name did not exist. This made a timing attack
@@ -37,8 +37,10 @@ tomcat6 (6.0.45+dfsg-1~deb7u3) UNRELEASED; urgency=high
vulnerability that could be exploited to overwrite any file on the
system.
Thanks to Paul Szabo for the report.
* Hardened the init.d script, thanks to Paul Szabo
+ * Fix possible privilege escalation via package purge by removing the chown
+ command in postrm maintainer script. See #845385 for more information.
- -- Markus Koschany <a...@debian.org> Fri, 25 Nov 2016 22:04:20 +0100
+ -- Markus Koschany <a...@debian.org> Thu, 01 Dec 2016 20:01:25 +0000
tomcat6 (6.0.45+dfsg-1~deb7u2) wheezy-security; urgency=high
diff --git a/debian/patches/CVE-2016-6797-part2.patch
b/debian/patches/CVE-2016-6797-part2.patch
new file mode 100644
index 0000000..eac0cb1
--- /dev/null
+++ b/debian/patches/CVE-2016-6797-part2.patch
@@ -0,0 +1,131 @@
+From: Markus Koschany <a...@debian.org>
+Date: Thu, 1 Dec 2016 15:02:31 +0100
+Subject: CVE-2016-6797 part2
+
+Backport ResourceLinkFactory.java from trunk as a precaution to avoid #845425.
+Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845425
+---
+ .../apache/naming/factory/ResourceLinkFactory.java | 54 +++++++++-------------
+ 1 file changed, 23 insertions(+), 31 deletions(-)
+
+diff --git a/java/org/apache/naming/factory/ResourceLinkFactory.java
b/java/org/apache/naming/factory/ResourceLinkFactory.java
+index 56b1423..4a13b10 100644
+--- a/java/org/apache/naming/factory/ResourceLinkFactory.java
++++ b/java/org/apache/naming/factory/ResourceLinkFactory.java
+@@ -5,17 +5,15 @@
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+- *
++ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+- *
++ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+- */
+-
+-
++ */
+ package org.apache.naming.factory;
+
+ import java.util.HashMap;
+@@ -32,24 +30,16 @@ import javax.naming.spi.ObjectFactory;
+
+ import org.apache.naming.ResourceLinkRef;
+
+-
+ /**
+ * <p>Object factory for resource links.</p>
+- *
++ *
+ * @author Remy Maucherat
+ *
+ */
+-
+-public class ResourceLinkFactory
+- implements ObjectFactory {
+-
+-
+- // -----------------------------------------------------------
Constructors
+-
++public class ResourceLinkFactory implements ObjectFactory {
+
+ // ------------------------------------------------------- Static
Variables
+
+-
+ /**
+ * Global naming context.
+ */
+@@ -60,10 +50,9 @@ public class ResourceLinkFactory
+
+ // --------------------------------------------------------- Public
Methods
+
+-
+ /**
+ * Set the global context (note: can only be used once).
+- *
++ *
+ * @param newGlobalContext new global context value
+ */
+ public static void setGlobalContext(Context newGlobalContext) {
+@@ -128,24 +117,21 @@ public class ResourceLinkFactory
+
+ // -------------------------------------------------- ObjectFactory
Methods
+
+-
+ /**
+ * Create a new DataSource instance.
+- *
++ *
+ * @param obj The reference object describing the DataSource
+ */
+ public Object getObjectInstance(Object obj, Name name, Context nameCtx,
+- Hashtable environment)
+- throws NamingException {
+-
+- if (!(obj instanceof ResourceLinkRef))
++ Hashtable<?,?> environment) throws NamingException {
++
++ if (!(obj instanceof ResourceLinkRef)) {
+ return null;
++ }
+
+ // Can we process this request?
+ Reference ref = (Reference) obj;
+
+- String type = ref.getClassName();
+-
+ // Read the global ref addr
+ String globalName = null;
+ RefAddr refAddr = ref.get(ResourceLinkRef.GLOBALNAME);
+@@ -158,14 +144,20 @@ public class ResourceLinkFactory
+ }
+ Object result = null;
+ result = globalContext.lookup(globalName);
+- // FIXME: Check type
++ // Check the expected type
++ String expectedClassName = ref.getClassName();
++ try {
++ Class<?> expectedClazz = Class.forName(
++ expectedClassName, true,
Thread.currentThread().getContextClassLoader());
++ if (!expectedClazz.isAssignableFrom(result.getClass())) {
++ throw new IllegalArgumentException();
++ }
++ } catch (ClassNotFoundException e) {
++ throw new IllegalStateException(e);
++ }
+ return result;
+ }
+
+- return (null);
+-
+-
++ return null;
+ }
+-
+-
+ }
diff --git a/debian/patches/series b/debian/patches/series
index e2c4068..d5bde93 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,3 +14,4 @@ CVE-2016-5018.patch
CVE-2016-6796.patch
CVE-2016-6816.patch
CVE-2016-8735.patch
+CVE-2016-6797-part2.patch
diff --git a/debian/tomcat6.postrm b/debian/tomcat6.postrm
index 359ca31..d210343 100644
--- a/debian/tomcat6.postrm
+++ b/debian/tomcat6.postrm
@@ -60,7 +60,7 @@ case "$1" in
rmdir --ignore-fail-on-non-empty /etc/authbind/byuid /etc/authbind
# Put all files owned by group tomcat6 back into root group before
deleting
# the tomcat6 user and group
- chown -Rhf root:root /etc/tomcat6/ || true
+ #chown -Rhf root:root /etc/tomcat6/ || true
# Remove user/group and log files (don't remove everything under
# /var/lib/tomcat6 because there might be user-installed webapps)
db_get tomcat6/username && TOMCAT6_USER="$RET" ||
TOMCAT6_USER="tomcat6"
--
Alioth's /usr/local/bin/git-commit-notice on
/srv/git.debian.org/git/pkg-java/tomcat6.git
_______________________________________________
pkg-java-commits mailing list
pkg-java-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
