Bug#846298: tomcat7: Security update causes java.lang.ClassNotFoundException: org.apache.jasper.runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper

2016-12-05 Thread Emmanuel Bourg
Hi Anthony,

Thank you for reporting this issue. This was caused by the fix for
CVE-2016-5018 in the version 7.0.56-3+deb8u5 which removed the inner
class PrivilegedIntrospectHelper. This issue was fixed upstream [1] but
the extra commit [2] wasn't documented on the Tomcat 7 security page
[3]. The tomcat8 package seems to be affected by the same issue. I'll
fix this in the next update.

Emmanuel Bourg

[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60101
[2] https://svn.apache.org/r1760309
[3] https://tomcat.apache.org/security-7.html

--
This is the maintainer address of Debian's Java team.
Please use debian-j...@lists.debian.org for discussions and questions.
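The mechanism Emmanuel describes (a class removed by the CVE-2016-5018 backport while Jasper's SecurityClassLoad still preloads it by name, so startup dies with ClassNotFoundException before any request is served) is easy to catch before rolling out an update. The following is an added example, not code from this thread, from Debian or from Tomcat: it builds two constructed in-memory jars, a hypothetical preload list in its old and updated form, and a log excerpt in the shape of the report above, then checks which preloaded names have no entry in the jar and cross-references that with the names the log reports as not found. Only the three class names come from the thread; the jar contents, preload lists and log text are assumptions for illustration, and the real preload list lives in SecurityClassLoad, not here.

```python
import io
import re
import zipfile

# Class names appear in the bug report; everything else here (the jar
# contents, the preload lists, the log excerpt) is constructed for the example.
JSP_RUNTIME_LIBRARY = "org.apache.jasper.runtime.JspRuntimeLibrary"
PRIVILEGED_HELPER = JSP_RUNTIME_LIBRARY + "$PrivilegedIntrospectHelper"
JSP_RUNTIME_CONTEXT = "org.apache.jasper.compiler.JspRuntimeContext"

# Hypothetical preload lists: PRELOAD_OLD still names the removed inner class,
# PRELOAD_NEW is the list after it is brought in line with the jar contents.
PRELOAD_OLD = [JSP_RUNTIME_LIBRARY, PRIVILEGED_HELPER, JSP_RUNTIME_CONTEXT]
PRELOAD_NEW = [JSP_RUNTIME_LIBRARY, JSP_RUNTIME_CONTEXT]


def class_to_entry(class_name):
    """Map a binary class name ('$' separates a nested class) to its jar entry."""
    return class_name.replace(".", "/") + ".class"


def build_jar(class_names):
    """Build an in-memory jar holding an (empty) .class entry per name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in class_names:
            zf.writestr(class_to_entry(name), b"")
    return buf.getvalue()


# Constructed jars: the pre-fix one still ships the inner class, the
# 7.0.56-3+deb8u5-style one has it removed.
JAR_BEFORE_FIX = build_jar([JSP_RUNTIME_LIBRARY, PRIVILEGED_HELPER, JSP_RUNTIME_CONTEXT])
JAR_DEB8U5 = build_jar([JSP_RUNTIME_LIBRARY, JSP_RUNTIME_CONTEXT])


def missing_preload_classes(jar_bytes, preload):
    """Return the preload names with no entry in the jar, in preload order."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        entries = set(zf.namelist())
    return [name for name in preload if class_to_entry(name) not in entries]


# Matches the class name after "ClassNotFoundException:", whether it follows
# on the same line or (as in the wrapped report) on the next one.
CNFE_RE = re.compile(r"ClassNotFoundException:\s+([\w.$]+)")


def classes_not_found(log_text):
    """Unique class names a catalina log reports as ClassNotFoundException."""
    seen = []
    for match in CNFE_RE.finditer(log_text):
        name = match.group(1)
        if name not in seen:
            seen.append(name)
    return seen


# Constructed excerpt in the shape of the report's catalina.out lines.
SAMPLE_LOG = """SEVERE: SecurityClassLoad
java.lang.ClassNotFoundException:
org.apache.jasper.runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper
at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
WARNING: Couldn't initialize Jasper
java.lang.ExceptionInInitializerError
Caused by: java.lang.IllegalStateException: java.lang.ClassNotFoundException:
org.apache.jasper.runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper
"""


def explain_failure(log_text, jar_bytes, preload):
    """Names the log reports as not found that are both absent from the jar
    and still on the preload list: the combination that is fatal at startup."""
    absent = set(missing_preload_classes(jar_bytes, preload))
    return [name for name in classes_not_found(log_text) if name in absent]


if __name__ == "__main__":
    print("old list vs deb8u5 jar:", missing_preload_classes(JAR_DEB8U5, PRELOAD_OLD))
    print("new list vs deb8u5 jar:", missing_preload_classes(JAR_DEB8U5, PRELOAD_NEW))
    print("explained by log:", explain_failure(SAMPLE_LOG, JAR_DEB8U5, PRELOAD_OLD))
```

Against a real installation the same check would read the installed jasper jar from disk and the preload names out of SecurityClassLoad; run as part of a pre-deployment test it turns a startup outage into a failed build. Note that a class preloaded under a SecurityManager must exist in the jar the loader searches, so removing a class as part of a security fix always needs the preload list checked alongside it.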


Bug#846298: tomcat7: Security update causes java.lang.ClassNotFoundException: org.apache.jasper.runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper

2016-11-29 Thread Anthony DeRobertis

Package: tomcat7
Version: 7.0.56-3+deb8u5
Severity: important

I applied the latest security update and it broke tomcat completely. The logs
show:

SEVERE: SecurityClassLoad
java.lang.ClassNotFoundException: org.apache.jasper.runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper
    at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
    at org.apache.jasper.security.SecurityClassLoad.securityClassLoad(SecurityClassLoad.java:49)
    at org.apache.jasper.compiler.JspRuntimeContext.(JspRuntimeContext.java:82)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:278)
    at org.apache.catalina.core.JasperListener.lifecycleEvent(JasperListener.java:63)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
    at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)

Nov 29, 2016 5:11:13 PM org.apache.catalina.core.JasperListener lifecycleEvent
WARNING: Couldn't initialize Jasper
java.lang.ExceptionInInitializerError
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:278)
    at org.apache.catalina.core.JasperListener.lifecycleEvent(JasperListener.java:63)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
    at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Caused by: java.lang.IllegalStateException: java.lang.ClassNotFoundException: org.apache.jasper.runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper
    at org.apache.jasper.compiler.JspRuntimeContext.(JspRuntimeContext.java:99)
    ... 15 more
Caused by: java.lang.ClassNotFoundException: org.apache.jasper.runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper
    at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
    at org.apache.jasper.compiler.JspRuntimeContext.(JspRuntimeContext.java:92)
    ... 15 more

Upgrading to the version in jessie-backports fixes the issue. This looks like
https://bz.apache.org/bugzilla/show_bug.cgi?id=60101 but that's just a guess.

-- System Information:
Debian Release: 8.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tomcat7 depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.56
ii  tomcat7-common         7.0.73-1~bpo8+1
ii  ucf                    3.0030

Versions of packages tomcat7 recommends: