This is an automated email from the git hooks/post-receive script. apo pushed a commit to branch wheezy in repository tomcat7.
commit edf3e37ca1cc57fb2f14877d817dfd7b04c2045d Author: Markus Koschany <a...@debian.org> Date: Thu Dec 1 23:00:20 2016 +0100 Import Debian patch 7.0.28-4+deb7u7 --- debian/changelog | 6 +- debian/patches/CVE-2016-6797-part2.patch | 126 +++++++++++++++++++++++++++++++ debian/patches/series | 1 + debian/tomcat7.postrm.in | 2 +- 4 files changed, 132 insertions(+), 3 deletions(-) diff --git a/debian/changelog b/debian/changelog index 22e54ee..3169446 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -tomcat7 (7.0.28-4+deb7u7) UNRELEASED; urgency=high +tomcat7 (7.0.28-4+deb7u7) wheezy-security; urgency=high * Fixed CVE-2016-0762: The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack @@ -37,8 +37,10 @@ tomcat7 (7.0.28-4+deb7u7) UNRELEASED; urgency=high vulnerability that could be exploited to overwrite any file on the system. Thanks to Paul Szabo for the report. * Hardened the init.d script, thanks to Paul Szabo + * Fix possible privilege escalation via package purge by removing the chown + command in postrm maintainer script. See #845385 for more information. - -- Markus Koschany <a...@debian.org> Sat, 26 Nov 2016 15:39:08 +0100 + -- Markus Koschany <a...@debian.org> Thu, 01 Dec 2016 23:00:20 +0100 tomcat7 (7.0.28-4+deb7u6) wheezy-security; urgency=high diff --git a/debian/patches/CVE-2016-6797-part2.patch b/debian/patches/CVE-2016-6797-part2.patch new file mode 100644 index 0000000..d7c4466 --- /dev/null +++ b/debian/patches/CVE-2016-6797-part2.patch 
@@ -0,0 +1,126 @@
+From: Markus Koschany <a...@debian.org>
+Date: Thu, 1 Dec 2016 22:09:47 +0100
+Subject: CVE-2016-6797 part2
+
+Backport ResourceLinkFactory.java from trunk as a precaution to avoid #845425.
+Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845425
+---
+ .../apache/naming/factory/ResourceLinkFactory.java | 53 ++++++++++------------
+ 1 file changed, 23 insertions(+), 30 deletions(-)
+
+diff --git a/java/org/apache/naming/factory/ResourceLinkFactory.java b/java/org/apache/naming/factory/ResourceLinkFactory.java
+index 157adfb..9d1c577 100644
+--- a/java/org/apache/naming/factory/ResourceLinkFactory.java
++++ b/java/org/apache/naming/factory/ResourceLinkFactory.java
+@@ -5,17 +5,15 @@
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+- *
++ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+- *
++ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+- */
+-
+-
++ */
+ package org.apache.naming.factory;
+ 
+ import java.util.HashMap;
+@@ -32,24 +30,15 @@ import javax.naming.spi.ObjectFactory;
+ 
+ import org.apache.naming.ResourceLinkRef;
+ 
+-
+ /**
+ * <p>Object factory for resource links.</p>
+- *
++ *
+ * @author Remy Maucherat
+- * @version $Id: ResourceLinkFactory.java 1056946 2011-01-09 14:48:08Z markt $
+ */
+ 
+-public class ResourceLinkFactory
+- implements ObjectFactory {
+-
+-
+- // ----------------------------------------------------------- Constructors
+-
++public class ResourceLinkFactory implements ObjectFactory {
+ 
+ // ------------------------------------------------------- Static Variables
+ 
+-
+ /**
+ * Global naming context.
+ */
+@@ -60,10 +49,9 @@ public class ResourceLinkFactory
+ 
+ // --------------------------------------------------------- Public Methods
+ 
+-
+ /**
+ * Set the global context (note: can only be used once).
+- *
++ *
+ * @param newGlobalContext new global context value
+ */
+ public static void setGlobalContext(Context newGlobalContext) {
+@@ -128,19 +116,18 @@ public class ResourceLinkFactory
+ 
+ // -------------------------------------------------- ObjectFactory Methods
+ 
+-
+ /**
+ * Create a new DataSource instance.
+- *
++ *
+ * @param obj The reference object describing the DataSource
+ */
+ @Override
+ public Object getObjectInstance(Object obj, Name name, Context nameCtx,
+- Hashtable<?,?> environment)
+- throws NamingException {
+-
+- if (!(obj instanceof ResourceLinkRef))
++ Hashtable<?,?> environment) throws NamingException {
++
++ if (!(obj instanceof ResourceLinkRef)) {
+ return null;
++ }
+ 
+ // Can we process this request?
+ Reference ref = (Reference) obj;
+@@ -158,14 +145,20 @@ public class ResourceLinkFactory
+ }
+ Object result = null;
+ result = globalContext.lookup(globalName);
+- // FIXME: Check type
++ // Check the expected type
++ String expectedClassName = ref.getClassName();
++ try {
++ Class<?> expectedClazz = Class.forName(
++ expectedClassName, true, Thread.currentThread().getContextClassLoader());
++ if (!expectedClazz.isAssignableFrom(result.getClass())) {
++ throw new IllegalArgumentException();
++ }
++ } catch (ClassNotFoundException e) {
++ throw new IllegalStateException(e);
++ }
+ return result;
+ }
+ 
+- return (null);
+-
+-
++ return null;
+ }
+-
+-
+ }
diff --git a/debian/patches/series b/debian/patches/series
index b49c674..4aa0c0e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -44,3 +44,4 @@ CVE-2016-6797.patch
 CVE-2016-0762.patch
 CVE-2016-6816.patch
 CVE-2016-8735.patch
+CVE-2016-6797-part2.patch
diff --git a/debian/tomcat7.postrm.in b/debian/tomcat7.postrm.in
index 293ffde..616b3c8 100644
--- a/debian/tomcat7.postrm.in
+++ b/debian/tomcat7.postrm.in
@@ -61,7 +61,7 @@ case "$1" in
 rmdir --ignore-fail-on-non-empty /etc/authbind/byuid /etc/authbind
 # Put all files owned by group tomcat7 back into root group before deleting
 # the tomcat7 user and group
- chown -Rhf root:root /etc/tomcat7/ || true
+ #chown -Rhf root:root /etc/tomcat7/ || true
 # Remove user/group and log files (don't remove everything under
 # /var/lib/tomcat7 because there might be user-installed webapps)
 db_get tomcat7/username && TOMCAT7_USER="$RET" || TOMCAT7_USER="tomcat7"
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git _______________________________________________ pkg-java-commits mailing list pkg-java-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
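Review bot: In the type check the backported patch appends to getObjectInstance (inner hunk @@ -158,14 +145,20 @@), `result.getClass()` and `Class.forName(expectedClassName, ...)` run without guarding against a null `result` from `globalContext.lookup(globalName)` or a null `ref.getClassName()`, so a misconfigured link fails with a NullPointerException rather than a diagnosable error. The two exceptions also carry no message: `throw new IllegalArgumentException()` tells the administrator nothing about which link, which global resource or which type mismatched, and the ClassNotFoundException wrapper likewise drops the expected class name. I would reject the null cases explicitly before the check and put the link name, global name and both class names into the messages, as below. getObjectInstance begins in the earlier inner hunk @@ -128,19 +116,18 @@ of the same patch.
```java
        result = globalContext.lookup(globalName);
        // Check the expected type
        String expectedClassName = ref.getClassName();
        if (expectedClassName == null) {
            throw new IllegalArgumentException("Resource link " + name + " -> " + globalName
                    + " has no declared type");
        }
        if (result == null) {
            throw new IllegalArgumentException("Resource link " + name + " -> " + globalName
                    + " resolved to null");
        }
        try {
            Class<?> expectedClazz = Class.forName(
                    expectedClassName, true, Thread.currentThread().getContextClassLoader());
            if (!expectedClazz.isAssignableFrom(result.getClass())) {
                throw new IllegalArgumentException("Resource link " + name + " -> " + globalName
                        + " expected type " + expectedClassName + " but the global resource is "
                        + result.getClass().getName());
            }
        } catch (ClassNotFoundException e) {
            throw new IllegalStateException("Resource link " + name + " -> " + globalName
                    + ": expected type " + expectedClassName + " cannot be loaded", e);
        }
        return result;
```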
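Review bot: The postrm hunk leaves `#chown -Rhf root:root /etc/tomcat7/ || true` as commented-out code beneath a comment that still promises to put the files back into the root group, so a later reader sees a stale description and a line that looks safe to re-enable. I would delete the commented line and replace the two comment lines above it with `# Intentionally no recursive chown of /etc/tomcat7 on purge; see #845385.` so the reason recorded in the changelog also survives in the script itself. The enclosing case branch starts before the hunk.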