This is an automated email from the git hooks/post-receive script. apo pushed a commit to branch wheezy in repository tomcat7.
commit 0f87a8759c321cf6301ec508c09d60688a2662ae Author: Roberto C. Sanchez <robe...@debian.org> Date: Tue Nov 7 12:36:51 2017 -0500 Import Debian changes 7.0.28-4+deb7u16 tomcat7 (7.0.28-4+deb7u16) wheezy-security; urgency=high * Non-maintainer upload by the LTS Security Team. * Fix CVE-2017-12617. When HTTP PUT was enabled (e.g., via setting the readonly initialization parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. --- debian/changelog | 12 ++ debian/patches/CVE-2017-12617_1.patch | 165 +++++++++++++++++++++++++++ debian/patches/CVE-2017-12617_2.patch | 54 +++++++++ debian/patches/CVE-2017-12617_3.patch | 207 ++++++++++++++++++++++++++++++++++ debian/patches/CVE-2017-12617_4.patch | 45 ++++++++ debian/patches/CVE-2017-12617_5.patch | 41 +++++++ debian/patches/CVE-2017-12617_6.patch | 30 +++++ debian/patches/series | 6 + 8 files changed, 560 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 8e8522b..26f16eb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+tomcat7 (7.0.28-4+deb7u16) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the LTS Security Team.
+
+ * Fix CVE-2017-12617.
+ When HTTP PUT was enabled (e.g., via setting the readonly initialization
+ parameter of the Default servlet to false) it was possible to upload a JSP
+ file to the server via a specially crafted request. This JSP could then be
+ requested and any code it contained would be executed by the server.
+
+ -- Roberto C. Sanchez <robe...@debian.org> Tue, 07 Nov 2017 12:36:51 -0500
+
 tomcat7 (7.0.28-4+deb7u15) wheezy-security; urgency=high
 
 * Team upload.
diff --git a/debian/patches/CVE-2017-12617_1.patch b/debian/patches/CVE-2017-12617_1.patch
new file mode 100644
index 0000000..b34d879
--- /dev/null
+++ b/debian/patches/CVE-2017-12617_1.patch
@@ -0,0 +1,165 @@ +From 512a3c3aecdb52de092c6bacddd71b85c4feda06 Mon Sep 17 00:00:00 2001 +From: Mark Thomas <ma...@apache.org> +Date: Fri, 22 Sep 2017 09:46:02 +0000 +Subject: [PATCH] Partial fix for CVE-2017-12617 This moves a check from the + Default servlet where it applied to GET, POST, HEAD and OPTIONS to the + resources implementation where it applies to any method that expects the + resource to exist (e.g.DELETE) Still need to address the case where the + resource does not exist (e.g. PUT) + +git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk@1809288 13f79535-47bb-0310-9956-ffa450edef68 + +bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=61542 +origin: https://github.com/apache/tomcat70/commit/512a3c3aecdb52de092c6bacddd71b85c4feda06 + +(cherry picked from commit 512a3c3aecdb52de092c6bacddd71b85c4feda06) +[rcs: Backported to wheezy] +--- + .../apache/catalina/servlets/DefaultServlet.java | 17 -------- + .../apache/naming/resources/FileDirContext.java | 11 +++++- + .../apache/naming/resources/VirtualDirContext.java | 18 ++++----- + .../naming/resources/TestFileDirContext.java | 46 ++++++++++++++++++++++ + 4 files changed, 64 insertions(+), 28 deletions(-) + create mode 100644 test/org/apache/naming/resources/TestFileDirContext.java + +--- tomcat-7.0.x.orig/java/org/apache/naming/resources/FileDirContext.java ++++ tomcat-7.0.x/java/org/apache/naming/resources/FileDirContext.java +@@ -817,11 +817,18 @@ + */ + protected File file(String name, boolean mustExist) { + File file = new File(base, name); +- return validate(file, mustExist, absoluteBase); ++ return validate(file, name, mustExist, absoluteBase); + } + + +- protected File validate(File file, boolean mustExist, String absoluteBase) { ++ protected File validate(File file, String name, boolean mustExist, String absoluteBase) { ++ ++ // If the requested names ends in '/', the Java File API will return a ++ // matching file if one exists. 
This isn't what we want as it is not ++ // consistent with the Servlet spec rules for request mapping. ++ if (file.isFile() && name.endsWith("/")) { ++ return null; ++ } + + if (!mustExist || file.exists() && file.canRead()) { + +--- tomcat-7.0.x.orig/java/org/apache/naming/resources/VirtualDirContext.java ++++ tomcat-7.0.x/java/org/apache/naming/resources/VirtualDirContext.java +@@ -153,7 +153,7 @@ + String resourcesDir = dirList.get(0); + if (name.equals(path)) { + File f = new File(resourcesDir); +- f = validate(f, true, resourcesDir); ++ f = validate(f, name, true, resourcesDir); + if (f != null) { + return new FileResourceAttributes(f); + } +@@ -161,8 +161,8 @@ + path += "/"; + if (name.startsWith(path)) { + String res = name.substring(path.length()); +- File f = new File(resourcesDir + "/" + res); +- f = validate(f, true, resourcesDir); ++ File f = new File(resourcesDir, res); ++ f = validate(f, res, true, resourcesDir); + if (f != null) { + return new FileResourceAttributes(f); + } +@@ -196,7 +196,7 @@ + if (name.equals(path)) { + for (String resourcesDir : dirList) { + file = new File(resourcesDir); +- file = validate(file, true, resourcesDir); ++ file = validate(file, name, true, resourcesDir); + if (file != null) { + return file; + } +@@ -206,7 +206,7 @@ + String res = name.substring(path.length()); + for (String resourcesDir : dirList) { + file = new File(resourcesDir, res); +- file = validate(file, true, resourcesDir); ++ file = validate(file, res, true, resourcesDir); + if (file != null) { + return file; + } +@@ -242,7 +242,7 @@ + if (res != null) { + for (String resourcesDir : dirList) { + File f = new File(resourcesDir, res); +- f = validate(f, true, resourcesDir); ++ f = validate(f, res, true, resourcesDir); + if (f != null && f.isDirectory()) { + List<NamingEntry> virtEntries = super.list(f); + for (NamingEntry entry : virtEntries) { +@@ -278,7 +278,7 @@ + if (name.equals(path)) { + for (String resourcesDir : dirList) { + File f = new 
File(resourcesDir); +- f = validate(f, true, resourcesDir); ++ f = validate(f, name, true, resourcesDir); + if (f != null) { + if (f.isFile()) { + return new FileResource(f); +@@ -294,8 +294,8 @@ + if (name.startsWith(path)) { + String res = name.substring(path.length()); + for (String resourcesDir : dirList) { +- File f = new File(resourcesDir + "/" + res); +- f = validate(f, true, resourcesDir); ++ File f = new File(resourcesDir, res); ++ f = validate(f, res, true, resourcesDir); + if (f != null) { + if (f.isFile()) { + return new FileResource(f); +--- /dev/null ++++ tomcat-7.0.x/test/org/apache/naming/resources/TestFileDirContext.java +@@ -0,0 +1,46 @@ ++/* ++ * Licensed to the Apache Software Foundation (ASF) under one or more ++ * contributor license agreements. See the NOTICE file distributed with ++ * this work for additional information regarding copyright ownership. ++ * The ASF licenses this file to You under the Apache License, Version 2.0 ++ * (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. 
++ */ ++package org.apache.naming.resources; ++ ++import java.io.File; ++ ++import javax.servlet.http.HttpServletResponse; ++ ++import org.junit.Assert; ++import org.junit.Test; ++ ++import org.apache.catalina.startup.Tomcat; ++import org.apache.catalina.startup.TomcatBaseTest; ++import org.apache.tomcat.util.buf.ByteChunk; ++ ++public class TestFileDirContext extends TomcatBaseTest { ++ ++ @Test ++ public void testLookupResourceWithTrailingSlash() throws Exception { ++ Tomcat tomcat = getTomcatInstance(); ++ ++ File appDir = new File("test/webapp-3.0"); ++ // app dir is relative to server home ++ tomcat.addWebapp(null, "/test", appDir.getAbsolutePath()); ++ ++ tomcat.start(); ++ ++ int sc = getUrl("http://localhost:" + getPort() + ++ "/test/index.html/", new ByteChunk(), null); ++ Assert.assertEquals(HttpServletResponse.SC_NOT_FOUND, sc); ++ } ++} diff --git a/debian/patches/CVE-2017-12617_2.patch b/debian/patches/CVE-2017-12617_2.patch new file mode 100644 index 0000000..c4f467e --- /dev/null +++ b/debian/patches/CVE-2017-12617_2.patch 
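Review bot: The patch header's diffstat lists `.../apache/catalina/servlets/DefaultServlet.java | 17 --------`, but the backported body contains hunks only for FileDirContext.java, VirtualDirContext.java and the new TestFileDirContext.java; nothing touches DefaultServlet. A stale diffstat on a security patch misleads a later audit into believing the Default servlet check was removed when, as far as this file shows, it was left in place. Either regenerate the header from the backported hunks, or extend the trailer to say why the hunk was dropped, e.g. `[rcs: Backported to wheezy; DefaultServlet hunk omitted, the pre-existing check is kept]` if that was the intent. The added `file.isFile() && name.endsWith("/")` check in `validate()` is sound, but the method body continues outside the hunk, and the new test only exercises a GET of `/test/index.html/`, so the trailing-slash rule is not covered for the write path this CVE is about.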
@@ -0,0 +1,54 @@ +From 327e8a6644e188764325a013aa2725a60f1b37e5 Mon Sep 17 00:00:00 2001 +From: Mark Thomas <ma...@apache.org> +Date: Fri, 22 Sep 2017 10:18:29 +0000 +Subject: [PATCH] Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=61542 + Remainder of fix for CVE-2017-12617 This ensures that a path specified for + creation of a file does not end in '/' since that is dropped by the File API. + +git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk@1809293 13f79535-47bb-0310-9956-ffa450edef68 + +bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=61542 +origin: https://github.com/apache/tomcat70/commit/327e8a6644e188764325a013aa2725a60f1b37e5 + +(cherry picked from commit 327e8a6644e188764325a013aa2725a60f1b37e5) +[rcs: Backported to wheezy] +--- + java/org/apache/naming/resources/FileDirContext.java | 9 +++++++-- + webapps/docs/changelog.xml | 5 +++++ + 2 files changed, 12 insertions(+), 2 deletions(-) + +--- tomcat-7.0.x.orig/java/org/apache/naming/resources/FileDirContext.java ++++ tomcat-7.0.x/java/org/apache/naming/resources/FileDirContext.java +@@ -498,11 +498,16 @@ + * @exception NamingException if a naming exception is encountered + */ + @Override +- public void bind(String name, Object obj, Attributes attrs) +- throws NamingException { ++ public void bind(String name, Object obj, Attributes attrs) throws NamingException { + + // Note: No custom attributes allowed + ++ // bind() is meant to create a file so ensure that the path doesn't end ++ // in '/' ++ if (name.endsWith("/")) { ++ throw new NamingException(sm.getString("resources.bindFailed", name)); ++ } ++ + File file = file(name, false); + if (file.exists()) + throw new NameAlreadyBoundException +--- tomcat-7.0.x.orig/webapps/docs/changelog.xml ++++ tomcat-7.0.x/webapps/docs/changelog.xml +@@ -378,6 +378,11 @@ + Protect initialization of <code>ResourceLinkFactory</code> when + running with a SecurityManager. 
(kkolinko) + </fix> ++ <fix> ++ <bug>61542</bug>: Fix CVE-2017-12617 and prevent JSPs from being ++ uploaded via a specially crafted request when HTTP PUT was enabled. ++ (markt) ++ </fix> + </changelog> + </subsection> + <subsection name="Jasper"> diff --git a/debian/patches/CVE-2017-12617_3.patch b/debian/patches/CVE-2017-12617_3.patch new file mode 100644 index 0000000..5fec2e8 --- /dev/null +++ b/debian/patches/CVE-2017-12617_3.patch 
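Review bot: The trailing-slash guard is added to `bind()` only, and nothing in this series adds a test that calls `bind()` with a name ending in `/` and expects a `NamingException`; the only new test is the GET case in patch 1. If FileDirContext has other file-creating paths (rebind is the obvious candidate, but it is outside this hunk, so this is inferred), they would rely on the patch-1 lookup returning null for a trailing-slash file rather than on an explicit check of their own. Mirroring the same three lines there, `if (name.endsWith("/")) { throw new NamingException(sm.getString("resources.bindFailed", name)); }`, or a comment on that method stating that it depends on `file(name, true)` rejecting trailing slashes, would make the invariant explicit. A unit test for `bind("x.jsp/", ...)` would pin the fix in the place it actually lives.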
@@ -0,0 +1,207 @@ +From bbcbb749c75056a2781f37038d63e646fe972104 Mon Sep 17 00:00:00 2001 +From: Mark Thomas <ma...@apache.org> +Date: Thu, 28 Sep 2017 11:54:25 +0000 +Subject: [PATCH] First pass at aligning 7.0.x checks with 8.0.x + +git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk@1809978 13f79535-47bb-0310-9956-ffa450edef68 + +bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=61542 +origin: https://github.com/apache/tomcat70/commit/bbcbb749c75056a2781f37038d63e646fe972104 + +(cherry picked from commit bbcbb749c75056a2781f37038d63e646fe972104) +[rcs: Backported to wheezy] +--- + .../apache/naming/resources/FileDirContext.java | 68 ++++++++++++++++------ + java/org/apache/naming/resources/JrePlatform.java | 59 +++++++++++++++++++ + 2 files changed, 110 insertions(+), 17 deletions(-) + create mode 100644 java/org/apache/naming/resources/JrePlatform.java + +--- tomcat-7.0.x.orig/java/org/apache/naming/resources/FileDirContext.java ++++ tomcat-7.0.x/java/org/apache/naming/resources/FileDirContext.java +@@ -14,8 +14,6 @@ + * See the License for the specific language governing permissions and + * limitations under the License. + */ +- +- + package org.apache.naming.resources; + + import java.io.File; +@@ -99,6 +97,8 @@ + */ + protected String absoluteBase = null; + ++ private String canonicalBase = null; ++ + + /** + * Allow linking. +@@ -108,7 +108,6 @@ + + // ------------------------------------------------------------- Properties + +- + /** + * Set the document root. + * +@@ -139,12 +138,20 @@ + if (!base.exists() || !base.isDirectory() || !base.canRead()) + throw new IllegalArgumentException + (sm.getString("fileResources.base", docBase)); +- this.absoluteBase = base.getAbsolutePath(); ++ ++ this.absoluteBase = normalize(base.getAbsolutePath()); ++ ++ // absoluteBase also needs to be normalized. Using the canonical path is ++ // the simplest way of doing this. 
++ try { ++ this.canonicalBase = base.getCanonicalPath(); ++ } catch (IOException e) { ++ throw new IllegalArgumentException(e); ++ } + super.setDocBase(docBase); + + } + +- + /** + * Set allow linking. + */ +@@ -837,8 +844,15 @@ + + if (!mustExist || file.exists() && file.canRead()) { + +- if (allowLinking) ++ if (allowLinking) { + return file; ++ } ++ ++ // Additional Windows specific checks to handle known problems with ++ // File.getCanonicalPath() ++ if (JrePlatform.IS_WINDOWS && isInvalidWindowsFilename(name)) { ++ return null; ++ } + + // Check that this file belongs to our root path + String canPath = null; +@@ -847,7 +861,7 @@ + } catch (IOException e) { + // Ignore + } +- if (canPath == null) ++ if (canPath == null || !canPath.startsWith(canonicalBase)) + return null; + + // Check to see if going outside of the web application root +@@ -868,9 +882,9 @@ + return null; + if (absPath.equals("")) + absPath = "/"; +- canPath = canPath.substring(absoluteBase.length() + 1); +- if (canPath.equals("")) +- canPath = "/"; ++ canPath = canPath.substring(canonicalBase.length() + 1); ++ if (canPath.length() > 0) ++ canPath = normalize(canPath); + if (!canPath.equals(absPath)) + return null; + } +@@ -883,6 +897,36 @@ + } + + ++ private boolean isInvalidWindowsFilename(String name) { ++ final int len = name.length(); ++ if (len == 0) { ++ return false; ++ } ++ // This consistently ~10 times faster than the equivalent regular ++ // expression irrespective of input length. ++ for (int i = 0; i < len; i++) { ++ char c = name.charAt(i); ++ if (c == '\"' || c == '<' || c == '>') { ++ // These characters are disallowed in Windows file names and ++ // there are known problems for file names with these characters ++ // when using File#getCanonicalPath(). ++ // Note: There are additional characters that are disallowed in ++ // Windows file names but these are not known to cause ++ // problems when using File#getCanonicalPath(). 
++ return true; ++ } ++ } ++ // Windows does not allow file names to end in ' ' unless specific low ++ // level APIs are used to create the files that bypass various checks. ++ // File names that end in ' ' are known to cause problems when using ++ // File#getCanonicalPath(). ++ if (name.charAt(len -1) == ' ') { ++ return true; ++ } ++ return false; ++ } ++ ++ + /** + * List the resources which are members of a collection. + * +--- /dev/null ++++ tomcat-7.0.x/java/org/apache/naming/resources/JrePlatform.java +@@ -0,0 +1,59 @@ ++/* ++ * Licensed to the Apache Software Foundation (ASF) under one or more ++ * contributor license agreements. See the NOTICE file distributed with ++ * this work for additional information regarding copyright ownership. ++ * The ASF licenses this file to You under the Apache License, Version 2.0 ++ * (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++package org.apache.naming.resources; ++ ++import java.security.AccessController; ++import java.security.PrivilegedAction; ++ ++public class JrePlatform { ++ ++ private static final String OS_NAME_PROPERTY = "os.name"; ++ private static final String OS_NAME_WINDOWS_PREFIX = "Windows"; ++ ++ static { ++ /* ++ * There are a few places where a) the behaviour of the Java API depends ++ * on the underlying platform and b) those behavioural differences have ++ * an impact on Tomcat. ++ * ++ * Tomcat therefore needs to be able to determine the platform it is ++ * running on to account for those differences. 
++ * ++ * In an ideal world this code would not exist. ++ */ ++ ++ // This check is derived from the check in Apache Commons Lang ++ String osName; ++ if (System.getSecurityManager() == null) { ++ osName = System.getProperty(OS_NAME_PROPERTY); ++ } else { ++ osName = AccessController.doPrivileged( ++ new PrivilegedAction<String>() { ++ ++ @Override ++ public String run() { ++ return System.getProperty(OS_NAME_PROPERTY); ++ } ++ }); ++ } ++ ++ IS_WINDOWS = osName.startsWith(OS_NAME_WINDOWS_PREFIX); ++ } ++ ++ ++ public static final boolean IS_WINDOWS; ++} diff --git a/debian/patches/CVE-2017-12617_4.patch b/debian/patches/CVE-2017-12617_4.patch new file mode 100644 index 0000000..8c6da55 --- /dev/null +++ b/debian/patches/CVE-2017-12617_4.patch 
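Review bot: The comment above `this.canonicalBase = base.getCanonicalPath();` in setDocBase reads "absoluteBase also needs to be normalized", but the assignment is to `canonicalBase`, so it names the wrong field; replace it with `// canonicalBase is the symlink-resolved document root; validate() requires the canonical path of every resolved file to start with it.`. In `validate()`, `!canPath.startsWith(canonicalBase)` is a bare prefix test, so a sibling directory whose name merely extends the base name passes this first gate; the later relative-path equality check appears to catch that, but it sits inside a length-guarded branch that is partly outside the hunk, so consider making the gate self-sufficient with `canPath.equals(canonicalBase) || canPath.startsWith(canonicalBase + File.separator)` (minding the filesystem-root case where the base already ends in a separator). In JrePlatform, `IS_WINDOWS = osName.startsWith(OS_NAME_WINDOWS_PREFIX);` throws NullPointerException if the `os.name` property is unset or cleared, which would surface as an ExceptionInInitializerError on the first `validate()` call; `osName != null && osName.startsWith(...)` fails safe. The `validate()` method starts and ends outside the hunk shown.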
@@ -0,0 +1,45 @@ +From cf0b37beb0622abdf24acc7110daf883f3fe4f95 Mon Sep 17 00:00:00 2001 +From: Mark Thomas <ma...@apache.org> +Date: Thu, 28 Sep 2017 13:30:46 +0000 +Subject: [PATCH] Fix failing tests on Windows + +git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk@1809992 13f79535-47bb-0310-9956-ffa450edef68 + +bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=61542 +origin: https://github.com/apache/tomcat70/commit/cf0b37beb0622abdf24acc7110daf883f3fe4f95 + +(cherry picked from commit cf0b37beb0622abdf24acc7110daf883f3fe4f95) +[rcs: Backported to wheezy] +--- + java/org/apache/naming/resources/FileDirContext.java | 9 +++++---- + java/org/apache/naming/resources/VirtualDirContext.java | 5 +++++ + 2 files changed, 10 insertions(+), 4 deletions(-) + +--- tomcat-7.0.x.orig/java/org/apache/naming/resources/FileDirContext.java ++++ tomcat-7.0.x/java/org/apache/naming/resources/FileDirContext.java +@@ -829,11 +829,12 @@ + */ + protected File file(String name, boolean mustExist) { + File file = new File(base, name); +- return validate(file, name, mustExist, absoluteBase); ++ return validate(file, name, mustExist, absoluteBase, canonicalBase); + } + + +- protected File validate(File file, String name, boolean mustExist, String absoluteBase) { ++ protected File validate(File file, String name, boolean mustExist, String absoluteBase, ++ String canonicalBase) { + + // If the requested names ends in '/', the Java File API will return a + // matching file if one exists. This isn't what we want as it is not +--- tomcat-7.0.x.orig/java/org/apache/naming/resources/VirtualDirContext.java ++++ tomcat-7.0.x/java/org/apache/naming/resources/VirtualDirContext.java +@@ -311,4 +311,8 @@ + return retSuper; + } + ++ ++ protected File validate(File file, String name, boolean mustExist, String absoluteBase) { ++ return validate(file, name, mustExist, normalize(absoluteBase), absoluteBase); ++ } + } 
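Review bot: The new VirtualDirContext overload passes the configured `absoluteBase` string straight through as the `canonicalBase` argument, while FileDirContext.setDocBase (patch 3) derives its canonicalBase from `getCanonicalPath()`. Unless every extraResourcePaths entry is already canonical (absolute, no symlinks, no `..`), `canPath.startsWith(canonicalBase)` in FileDirContext.validate compares a canonical path against a non-canonical prefix; the likely symptom is spurious nulls (404s) for valid virtual resources, but it also means the canonical-base check does not do for virtual directories what it does for the main docBase. Resolving the base once per call, and treating a resolution failure as "not found" for consistency with the `canPath == null` case in validate, keeps the two contexts aligned; this is inferred from the visible hunk, so confirm against the fuller VirtualDirContext source. A unit test with an extra resource path that contains a symlink would make the expected behaviour explicit.
```java
protected File validate(File file, String name, boolean mustExist, String absoluteBase) {
    String canonicalBase;
    try {
        canonicalBase = new File(absoluteBase).getCanonicalPath();
    } catch (IOException e) {
        // A base that cannot be resolved cannot be validated against.
        return null;
    }
    return validate(file, name, mustExist, normalize(absoluteBase), canonicalBase);
}
```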
diff --git a/debian/patches/CVE-2017-12617_5.patch b/debian/patches/CVE-2017-12617_5.patch new file mode 100644 index 0000000..25b70b5 --- /dev/null +++ b/debian/patches/CVE-2017-12617_5.patch @@ -0,0 +1,41 @@ +From fd52f8601170b91f9d7162510e54563e5bf6bdfe Mon Sep 17 00:00:00 2001 +From: Mark Thomas <ma...@apache.org> +Date: Thu, 28 Sep 2017 17:20:38 +0000 +Subject: [PATCH] Tab police + +git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk@1810014 13f79535-47bb-0310-9956-ffa450edef68 + +bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=61542 +origin: https://github.com/apache/tomcat70/commit/fd52f8601170b91f9d7162510e54563e5bf6bdfe + +(cherry picked from commit fd52f8601170b91f9d7162510e54563e5bf6bdfe) +[rcs: Backported to wheezy] +--- + java/org/apache/naming/resources/FileDirContext.java | 2 +- + java/org/apache/naming/resources/VirtualDirContext.java | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- tomcat-7.0.x.orig/java/org/apache/naming/resources/FileDirContext.java ++++ tomcat-7.0.x/java/org/apache/naming/resources/FileDirContext.java +@@ -834,7 +834,7 @@ + + + protected File validate(File file, String name, boolean mustExist, String absoluteBase, +- String canonicalBase) { ++ String canonicalBase) { + + // If the requested names ends in '/', the Java File API will return a + // matching file if one exists. This isn't what we want as it is not +--- tomcat-7.0.x.orig/java/org/apache/naming/resources/VirtualDirContext.java ++++ tomcat-7.0.x/java/org/apache/naming/resources/VirtualDirContext.java +@@ -311,8 +311,8 @@ + return retSuper; + } + +- ++ + protected File validate(File file, String name, boolean mustExist, String absoluteBase) { +- return validate(file, name, mustExist, normalize(absoluteBase), absoluteBase); ++ return validate(file, name, mustExist, normalize(absoluteBase), absoluteBase); + } + } 
diff --git a/debian/patches/CVE-2017-12617_6.patch b/debian/patches/CVE-2017-12617_6.patch new file mode 100644 index 0000000..982c40d --- /dev/null +++ b/debian/patches/CVE-2017-12617_6.patch @@ -0,0 +1,30 @@ +From 24aea94807f940ee44aa550378dc903289039ddd Mon Sep 17 00:00:00 2001 +From: Mark Thomas <ma...@apache.org> +Date: Thu, 28 Sep 2017 18:40:58 +0000 +Subject: [PATCH] Further alignment with 8.0.x and later. Fixes Linux test + failures. + +git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk@1810026 13f79535-47bb-0310-9956-ffa450edef68 + +bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=61542 +origin: https://github.com/apache/tomcat70/commit/24aea94807f940ee44aa550378dc903289039ddd + +(cherry picked from commit 24aea94807f940ee44aa550378dc903289039ddd) +[rcs: Backported to wheezy] +--- + java/org/apache/naming/resources/FileDirContext.java | 4 ++++ + 1 file changed, 4 insertions(+) + +--- tomcat-7.0.x.orig/java/org/apache/naming/resources/FileDirContext.java ++++ tomcat-7.0.x/java/org/apache/naming/resources/FileDirContext.java +@@ -828,6 +828,10 @@ + * @param mustExist Must the specified resource exist? + */ + protected File file(String name, boolean mustExist) { ++ if (name.equals("/")) { ++ name = ""; ++ } ++ + File file = new File(base, name); + return validate(file, name, mustExist, absoluteBase, canonicalBase); + } diff --git a/debian/patches/series b/debian/patches/series index d959268..ef0c723 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -53,3 +53,9 @@ CVE-2017-5647.patch
 CVE-2017-5648.patch
 CVE-2017-5664.patch
 CVE-2017-12616.patch
+CVE-2017-12617_1.patch
+CVE-2017-12617_2.patch
+CVE-2017-12617_3.patch
+CVE-2017-12617_4.patch
+CVE-2017-12617_5.patch
+CVE-2017-12617_6.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git _______________________________________________ pkg-java-commits mailing list pkg-java-comm...@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits