Author: jamespage-guest
Date: 2011-09-15 08:29:14 +0000 (Thu, 15 Sep 2011)
New Revision: 14906
Added:
trunk/tomcat6/debian/patches/0013-CVE-2011-3190.patch
Modified:
trunk/tomcat6/debian/changelog
trunk/tomcat6/debian/patches/series
Log:
Added patch for CVE-2011-3190 (LP: #843701).
Modified: trunk/tomcat6/debian/changelog
===================================================================
--- trunk/tomcat6/debian/changelog 2011-09-15 08:18:54 UTC (rev 14905)
+++ trunk/tomcat6/debian/changelog 2011-09-15 08:29:14 UTC (rev 14906)
@@ -10,6 +10,9 @@
[ Niels Thykier ]
* Removed myself from uploaders.
+ [ James Page ]
+ * Added patch for CVE-2011-3190 (LP: #843701).
+
-- tony mancill <tmanc...@debian.org> Sun, 14 Aug 2011 08:20:45 -0700
tomcat6 (6.0.32-5) unstable; urgency=low
Added: trunk/tomcat6/debian/patches/0013-CVE-2011-3190.patch
===================================================================
--- trunk/tomcat6/debian/patches/0013-CVE-2011-3190.patch
(rev 0)
+++ trunk/tomcat6/debian/patches/0013-CVE-2011-3190.patch 2011-09-15
08:29:14 UTC (rev 14906)
@@ -0,0 +1,72 @@
+Description: [PATCH] Fix CVE-2011-3190 Fix
+ https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
+ Prevent AJP request forgery via unread request body packet
+Origin:
https://github.com/apache/tomcat60/commit/1a04877e07c8ac9f924b130cbc372a11c273de66
+
+Index: tomcat6/java/org/apache/coyote/ajp/AjpAprProcessor.java
+===================================================================
+--- tomcat6.orig/java/org/apache/coyote/ajp/AjpAprProcessor.java
2011-09-08 14:25:11.619833000 +0100
++++ tomcat6/java/org/apache/coyote/ajp/AjpAprProcessor.java 2011-09-08
14:44:12.771697501 +0100
+@@ -390,11 +390,13 @@
+ }
+ continue;
+ } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
+- // Usually the servlet didn't read the previous request
body
+- if(log.isDebugEnabled()) {
+- log.debug("Unexpected message: "+type);
++ // Unexpected packet type. Unread body packets should have
++ // been swallowed in finish().
++ if (log.isDebugEnabled()) {
++ log.debug("Unexpected message: " + type);
+ }
+- continue;
++ error = true;
++ break;
+ }
+
+ keptAlive = true;
+@@ -1033,6 +1035,11 @@
+
+ finished = true;
+
++ // Swallow the unread body packet if present
++ if (first && request.getContentLengthLong() > 0) {
++ receive();
++ }
++
+ // Add the end message
+ if (outputBuffer.position() + endMessageArray.length >
outputBuffer.capacity()) {
+ flush();
+Index: tomcat6/java/org/apache/coyote/ajp/AjpProcessor.java
+===================================================================
+--- tomcat6.orig/java/org/apache/coyote/ajp/AjpProcessor.java 2011-09-08
14:25:11.619833000 +0100
++++ tomcat6/java/org/apache/coyote/ajp/AjpProcessor.java 2011-09-08
14:44:12.771697501 +0100
+@@ -408,11 +408,13 @@
+ }
+ continue;
+ } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
+- // Usually the servlet didn't read the previous request
body
+- if(log.isDebugEnabled()) {
+- log.debug("Unexpected message: "+type);
++ // Unexpected packet type. Unread body packets should have
++ // been swallowed in finish().
++ if (log.isDebugEnabled()) {
++ log.debug("Unexpected message: " + type);
+ }
+- continue;
++ error = true;
++ break;
+ }
+
+ request.setStartTime(System.currentTimeMillis());
+@@ -1038,6 +1040,11 @@
+
+ finished = true;
+
++ // Swallow the unread body packet if present
++ if (first && request.getContentLengthLong() > 0) {
++ receive();
++ }
++
+ // Add the end message
+ output.write(endMessageArray);
Modified: trunk/tomcat6/debian/patches/series
===================================================================
--- trunk/tomcat6/debian/patches/series 2011-09-15 08:18:54 UTC (rev 14905)
+++ trunk/tomcat6/debian/patches/series 2011-09-15 08:29:14 UTC (rev 14906)
@@ -9,3 +9,4 @@
0010-Use-java.security.policy-file-in-catalina.sh.patch
0011-623242.patch
0012-CVE-2011-2204.patch
+0013-CVE-2011-3190.patch
_______________________________________________
pkg-java-commits mailing list
pkg-java-comm...@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
