
apo pushed a commit to branch wheezy
in repository tomcat7.

commit edf3e37ca1cc57fb2f14877d817dfd7b04c2045d
Author: Markus Koschany <a...@debian.org>
Date:   Thu Dec 1 23:00:20 2016 +0100

    Import Debian patch 7.0.28-4+deb7u7
---
 debian/changelog                         |   6 +-
 debian/patches/CVE-2016-6797-part2.patch | 126 +++++++++++++++++++++++++++++++
 debian/patches/series                    |   1 +
 debian/tomcat7.postrm.in                 |   2 +-
 4 files changed, 132 insertions(+), 3 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 22e54ee..3169446 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-tomcat7 (7.0.28-4+deb7u7) UNRELEASED; urgency=high
+tomcat7 (7.0.28-4+deb7u7) wheezy-security; urgency=high
 
   * Fixed CVE-2016-0762: The Realm implementations did not process the supplied
     password if the supplied user name did not exist. This made a timing attack
@@ -37,8 +37,10 @@ tomcat7 (7.0.28-4+deb7u7) UNRELEASED; urgency=high
       vulnerability that could be exploited to overwrite any file on the 
system.
       Thanks to Paul Szabo for the report.
   * Hardened the init.d script, thanks to Paul Szabo
+  * Fix possible privilege escalation via package purge by removing the chown
+    command in postrm maintainer script. See #845385 for more information.
 
- -- Markus Koschany <a...@debian.org>  Sat, 26 Nov 2016 15:39:08 +0100
+ -- Markus Koschany <a...@debian.org>  Thu, 01 Dec 2016 23:00:20 +0100
 
 tomcat7 (7.0.28-4+deb7u6) wheezy-security; urgency=high
 
diff --git a/debian/patches/CVE-2016-6797-part2.patch 
b/debian/patches/CVE-2016-6797-part2.patch
new file mode 100644
index 0000000..d7c4466
--- /dev/null
+++ b/debian/patches/CVE-2016-6797-part2.patch
@@ -0,0 +1,126 @@
+From: Markus Koschany <a...@debian.org>
+Date: Thu, 1 Dec 2016 22:09:47 +0100
+Subject: CVE-2016-6797 part2
+
+Backport ResourceLinkFactory.java from trunk as a precaution to avoid #845425.
+Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845425
+---
+ .../apache/naming/factory/ResourceLinkFactory.java | 53 ++++++++++------------
+ 1 file changed, 23 insertions(+), 30 deletions(-)
+
+diff --git a/java/org/apache/naming/factory/ResourceLinkFactory.java 
b/java/org/apache/naming/factory/ResourceLinkFactory.java
+index 157adfb..9d1c577 100644
+--- a/java/org/apache/naming/factory/ResourceLinkFactory.java
++++ b/java/org/apache/naming/factory/ResourceLinkFactory.java
+@@ -5,17 +5,15 @@
+  * The ASF licenses this file to You under the Apache License, Version 2.0
+  * (the "License"); you may not use this file except in compliance with
+  * the License.  You may obtain a copy of the License at
+- * 
++ *
+  *      http://www.apache.org/licenses/LICENSE-2.0
+- * 
++ *
+  * Unless required by applicable law or agreed to in writing, software
+  * distributed under the License is distributed on an "AS IS" BASIS,
+  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  * See the License for the specific language governing permissions and
+  * limitations under the License.
+- */ 
+-
+-
++ */
+ package org.apache.naming.factory;
+ 
+ import java.util.HashMap;
+@@ -32,24 +30,15 @@ import javax.naming.spi.ObjectFactory;
+ 
+ import org.apache.naming.ResourceLinkRef;
+ 
+-
+ /**
+  * <p>Object factory for resource links.</p>
+- * 
++ *
+  * @author Remy Maucherat
+- * @version $Id: ResourceLinkFactory.java 1056946 2011-01-09 14:48:08Z markt $
+  */
+-
+-public class ResourceLinkFactory
+-    implements ObjectFactory {
+-
+-
+-    // ----------------------------------------------------------- 
Constructors
+-
++public class ResourceLinkFactory implements ObjectFactory {
+ 
+     // ------------------------------------------------------- Static 
Variables
+ 
+-
+     /**
+      * Global naming context.
+      */
+@@ -60,10 +49,9 @@ public class ResourceLinkFactory
+ 
+     // --------------------------------------------------------- Public 
Methods
+ 
+-
+     /**
+      * Set the global context (note: can only be used once).
+-     * 
++     *
+      * @param newGlobalContext new global context value
+      */
+     public static void setGlobalContext(Context newGlobalContext) {
+@@ -128,19 +116,18 @@ public class ResourceLinkFactory
+ 
+     // -------------------------------------------------- ObjectFactory 
Methods
+ 
+-
+     /**
+      * Create a new DataSource instance.
+-     * 
++     *
+      * @param obj The reference object describing the DataSource
+      */
+     @Override
+     public Object getObjectInstance(Object obj, Name name, Context nameCtx,
+-                                    Hashtable<?,?> environment)
+-        throws NamingException {
+-        
+-        if (!(obj instanceof ResourceLinkRef))
++            Hashtable<?,?> environment) throws NamingException {
++
++        if (!(obj instanceof ResourceLinkRef)) {
+             return null;
++        }
+ 
+         // Can we process this request?
+         Reference ref = (Reference) obj;
+@@ -158,14 +145,20 @@ public class ResourceLinkFactory
+             }
+             Object result = null;
+             result = globalContext.lookup(globalName);
+-            // FIXME: Check type
++            // Check the expected type
++            String expectedClassName = ref.getClassName();
++            try {
++                Class<?> expectedClazz = Class.forName(
++                        expectedClassName, true, 
Thread.currentThread().getContextClassLoader());
++                if (!expectedClazz.isAssignableFrom(result.getClass())) {
++                    throw new IllegalArgumentException();
++                }
++            } catch (ClassNotFoundException e) {
++                throw new IllegalStateException(e);
++            }
+             return result;
+         }
+ 
+-        return (null);
+-
+-        
++        return null;
+     }
+-
+-
+ }
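Review bot: The new type check in getObjectInstance still dereferences two values it never validates: `result.getClass()` throws NullPointerException if `globalContext.lookup(globalName)` yields null, and `Class.forName(expectedClassName, ...)` throws NullPointerException when `ref.getClassName()` is null, so a misconfigured link fails with an unhelpful NPE rather than the intended IllegalArgumentException. The bare `new IllegalArgumentException()` also carries no message, which makes the failing link impossible to identify from a log. Using `Class.isInstance(result)` (false for null) plus an explicit null check on the expected class name, and naming the link, target and expected type in the message, would close both gaps without changing the control flow; `name` and `globalName` are already in scope. The middle of getObjectInstance lies between the nested hunks and is not visible here.
```java
            // Check the expected type
            String expectedClassName = ref.getClassName();
            if (expectedClassName == null) {
                throw new IllegalArgumentException(
                        "ResourceLink " + name + " -> " + globalName + " declares no type");
            }
            try {
                Class<?> expectedClazz = Class.forName(
                        expectedClassName, true, Thread.currentThread().getContextClassLoader());
                // isInstance() is false for a null result, so no NPE on a null lookup
                if (!expectedClazz.isInstance(result)) {
                    throw new IllegalArgumentException("ResourceLink " + name + " -> " + globalName
                            + " is not of expected type " + expectedClassName);
                }
            } catch (ClassNotFoundException e) {
                throw new IllegalStateException(e);
            }
            // … unchanged: return result …
```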
diff --git a/debian/patches/series b/debian/patches/series
index b49c674..4aa0c0e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -44,3 +44,4 @@ CVE-2016-6797.patch
 CVE-2016-0762.patch
 CVE-2016-6816.patch
 CVE-2016-8735.patch
+CVE-2016-6797-part2.patch
diff --git a/debian/tomcat7.postrm.in b/debian/tomcat7.postrm.in
index 293ffde..616b3c8 100644
--- a/debian/tomcat7.postrm.in
+++ b/debian/tomcat7.postrm.in
@@ -61,7 +61,7 @@ case "$1" in
         rmdir --ignore-fail-on-non-empty /etc/authbind/byuid /etc/authbind
         # Put all files owned by group tomcat7 back into root group before 
deleting
         # the tomcat7 user and group
-        chown -Rhf root:root /etc/tomcat7/ || true
+        #chown -Rhf root:root /etc/tomcat7/ || true
         # Remove user/group and log files (don't remove everything under
         # /var/lib/tomcat7 because there might be user-installed webapps)
         db_get tomcat7/username && TOMCAT7_USER="$RET" || 
TOMCAT7_USER="tomcat7"
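Review bot: Commenting out the `chown -Rhf root:root /etc/tomcat7/ || true` line leaves the two context comments above it ("Put all files owned by group tomcat7 back into root group before deleting the tomcat7 user and group") describing an action the script no longer performs, which will mislead the next maintainer into restoring it. The changelog hunk in this commit records that the removal is deliberate, to close a privilege escalation during purge (#845385), so that reasoning belongs here rather than only in the changelog. Replace the dead line and the stale comment with something like `# Intentionally no recursive chown of /etc/tomcat7 on purge: a tomcat7-owned symlink or file there could redirect it to arbitrary paths (#845385).` The enclosing `case "$1" in` branch starts before this hunk.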
