This is an automated email from the git hooks/post-receive script. apo pushed a commit to branch wheezy in repository tomcat7.
commit 184246a2ae9062609e009c1973b768c74580966d Author: Markus Koschany <a...@debian.org> Date: Sun Sep 24 16:35:16 2017 +0200 Import Debian changes 7.0.28-4+deb7u15 tomcat7 (7.0.28-4+deb7u15) wheezy-security; urgency=high * Team upload. * Fix CVE-2017-12616. When using a VirtualDirContext it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request. --- debian/changelog | 10 ++ debian/patches/CVE-2017-12616.patch | 257 ++++++++++++++++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 268 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 3b5bb48..8e8522b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+tomcat7 (7.0.28-4+deb7u15) wheezy-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2017-12616.
+ When using a VirtualDirContext it was possible to bypass security
+ constraints and/or view the source code of JSPs for resources served by the
+ VirtualDirContext using a specially crafted request.
+
+ -- Markus Koschany <a...@debian.org> Sun, 24 Sep 2017 16:35:16 +0200
+
 tomcat7 (7.0.28-4+deb7u14) wheezy-security; urgency=high
 
 * Team upload.
diff --git a/debian/patches/CVE-2017-12616.patch b/debian/patches/CVE-2017-12616.patch
new file mode 100644
index 0000000..4cc7fc2
--- /dev/null
+++ b/debian/patches/CVE-2017-12616.patch
@@ -0,0 +1,257 @@
+From: Markus Koschany <a...@debian.org>
+Date: Sun, 24 Sep 2017 16:24:01 +0200
+Subject: CVE-2017-12616
+
+Origin: http://svn.apache.org/viewvc?view=rev&rev=1804729
+---
+ .../apache/naming/resources/FileDirContext.java | 48 +++++++++++++++++-----
+ .../apache/naming/resources/VirtualDirContext.java | 37 ++++++++++++-----
+ 2 files changed, 64 insertions(+), 21 deletions(-)
+
+diff --git a/java/org/apache/naming/resources/FileDirContext.java b/java/org/apache/naming/resources/FileDirContext.java
+index 7e28948..119f132 100644
+--- a/java/org/apache/naming/resources/FileDirContext.java
++++ b/java/org/apache/naming/resources/FileDirContext.java
+@@ -197,7 +197,7 @@ public class FileDirContext extends BaseDirContext {
+ @Override
+ protected Object doLookup(String name) {
+ Object result = null;
+- File file = file(name);
++ File file = file(name, true);
+
+ if (file == null)
+ return null;
+@@ -234,7 +234,7 @@ public class FileDirContext extends BaseDirContext {
+ public void unbind(String name)
+ throws NamingException {
+
+- File file = file(name);
++ File file = file(name, true);
+
+ if (file == null)
+ throw new NameNotFoundException(
+@@ -262,13 +262,16 @@ public class FileDirContext extends BaseDirContext {
+ public void rename(String oldName, String newName)
+ throws NamingException {
+
+- File file = file(oldName);
++ File file = file(oldName, true);
+
+ if (file == null)
+ throw new NameNotFoundException
+ (sm.getString("resources.notFound", oldName));
+
+- File newFile = new File(base, newName);
++ File newFile = file(newName, false);
++ if (newFile == null) {
++ throw new NamingException(sm.getString("resources.renameFail", oldName, newName));
++ }
+
+ if (!file.renameTo(newFile)) {
+ throw new NamingException(sm.getString("resources.renameFail",
+@@ -323,7 +326,7 @@ public class FileDirContext extends BaseDirContext {
+ protected List<NamingEntry> doListBindings(String name)
+ throws NamingException {
+
+- File file = file(name);
++ File file = file(name, true);
+
+ if (file == null)
+ return null;
+@@ -427,7 +430,7 @@ public class FileDirContext extends BaseDirContext {
+ throws NamingException {
+
+ // Building attribute list
+- File file = file(name);
++ File file = file(name, true);
+
+ if (file == null)
+ return null;
+@@ -500,7 +503,7 @@ public class FileDirContext extends BaseDirContext {
+
+ // Note: No custom attributes allowed
+
+- File file = new File(base, name);
++ File file = file(name, false);
+ if (file.exists())
+ throw new NameAlreadyBoundException
+ (sm.getString("resources.alreadyBound", name));
+@@ -535,7 +538,10 @@ public class FileDirContext extends BaseDirContext {
+ // Note: No custom attributes allowed
+ // Check obj type
+
+- File file = new File(base, name);
++ File file = file(name, false);
++ if (file == null) {
++ throw new NamingException(sm.getString("resources.bindFailed", name));
++ }
+
+ InputStream is = null;
+ if (obj instanceof Resource) {
+@@ -610,7 +616,10 @@ public class FileDirContext extends BaseDirContext {
+ public DirContext createSubcontext(String name, Attributes attrs)
+ throws NamingException {
+
+- File file = new File(base, name);
++ File file = file(name, false);
++ if (file == null) {
++ throw new NamingException(sm.getString("resources.bindFailed", name));
++ }
+ if (file.exists())
+ throw new NameAlreadyBoundException
+ (sm.getString("resources.alreadyBound", name));
+@@ -785,6 +794,7 @@ public class FileDirContext extends BaseDirContext {
+
+ }
+
++
+ /**
+ * Return a File object representing the specified normalized
+ * context-relative path if it exists and is readable. Otherwise,
+@@ -793,9 +803,27 @@ public class FileDirContext extends BaseDirContext {
+ * @param name Normalized context-relative path (with leading '/')
+ */
+ protected File file(String name) {
++ return file(name, true);
++ }
+
++
++ /**
++ * Return a File object representing the specified normalized
++ * context-relative path if it exists and is readable. Otherwise,
++ * return <code>null</code>.
++ *
++ * @param name Normalized context-relative path (with leading '/')
++ * @param mustExist Must the specified resource exist?
++ */
++ protected File file(String name, boolean mustExist) {
+ File file = new File(base, name);
+- if (file.exists() && file.canRead()) {
++ return validate(file, mustExist, absoluteBase);
++ }
++
++
++ protected File validate(File file, boolean mustExist, String absoluteBase) {
++
++ if (!mustExist || file.exists() && file.canRead()) {
+
+ if (allowLinking)
+ return file;
+diff --git a/java/org/apache/naming/resources/VirtualDirContext.java b/java/org/apache/naming/resources/VirtualDirContext.java
+index 39942af..fd7eccd 100644
+--- a/java/org/apache/naming/resources/VirtualDirContext.java
++++ b/java/org/apache/naming/resources/VirtualDirContext.java
+@@ -77,7 +77,8 @@ public class VirtualDirContext extends FileDirContext {
+ * be listed twice.
+ * </p>
+ *
+- * @param path
++ * @param path The set of file system paths and virtual paths to map them to
++ * in the required format
+ */
+ public void setExtraResourcePaths(String path) {
+ extraResourcePaths = path;
+@@ -107,13 +108,13 @@ public class VirtualDirContext extends FileDirContext {
+ }
+ path = resSpec.substring(0, idx);
+ }
+- String dir = resSpec.substring(idx + 1);
++ File dir = new File(resSpec.substring(idx + 1));
+ List<String> resourcePaths = mappedResourcePaths.get(path);
+ if (resourcePaths == null) {
+ resourcePaths = new ArrayList<String>();
+ mappedResourcePaths.put(path, resourcePaths);
+ }
+- resourcePaths.add(dir);
++ resourcePaths.add(dir.getAbsolutePath());
+ }
+ }
+ if (mappedResourcePaths.isEmpty()) {
+@@ -152,7 +153,8 @@ public class VirtualDirContext extends FileDirContext {
+ String resourcesDir = dirList.get(0);
+ if (name.equals(path)) {
+ File f = new File(resourcesDir);
+- if (f.exists() && f.canRead()) {
++ f = validate(f, true, resourcesDir);
++ if (f != null) {
+ return new FileResourceAttributes(f);
+ }
+ }
+@@ -160,7 +162,8 @@ public class VirtualDirContext extends FileDirContext {
+ if (name.startsWith(path)) {
+ String res = name.substring(path.length());
+ File f = new File(resourcesDir + "/" + res);
+- if (f.exists() && f.canRead()) {
++ f = validate(f, true, resourcesDir);
++ if (f != null) {
+ return new FileResourceAttributes(f);
+ }
+ }
+@@ -169,9 +172,16 @@ public class VirtualDirContext extends FileDirContext {
+ throw initialException;
+ }
+
++
+ @Override
+ protected File file(String name) {
+- File file = super.file(name);
++ return file(name, true);
++ }
++
++
++ @Override
++ protected File file(String name, boolean mustExist) {
++ File file = super.file(name, true);
+ if (file != null || mappedResourcePaths == null) {
+ return file;
+ }
+@@ -186,7 +196,8 @@ public class VirtualDirContext extends FileDirContext {
+ if (name.equals(path)) {
+ for (String resourcesDir : dirList) {
+ file = new File(resourcesDir);
+- if (file.exists() && file.canRead()) {
++ file = validate(file, true, resourcesDir);
++ if (file != null) {
+ return file;
+ }
+ }
+@@ -195,7 +206,8 @@ public class VirtualDirContext extends FileDirContext {
+ String res = name.substring(path.length());
+ for (String resourcesDir : dirList) {
+ file = new File(resourcesDir, res);
+- if (file.exists() && file.canRead()) {
++ file = validate(file, true, resourcesDir);
++ if (file != null) {
+ return file;
+ }
+ }
+@@ -230,7 +242,8 @@ public class VirtualDirContext extends FileDirContext {
+ if (res != null) {
+ for (String resourcesDir : dirList) {
+ File f = new File(resourcesDir, res);
+- if (f.exists() && f.canRead() && f.isDirectory()) {
++ f = validate(f, true, resourcesDir);
++ if (f != null && f.isDirectory()) {
+ List<NamingEntry> virtEntries = super.list(f);
+ for (NamingEntry entry : virtEntries) {
+ // filter duplicate
+@@ -265,7 +278,8 @@ public class VirtualDirContext extends FileDirContext {
+ if (name.equals(path)) {
+ for (String resourcesDir : dirList) {
+ File f = new File(resourcesDir);
+- if (f.exists() && f.canRead()) {
++ f = validate(f, true, resourcesDir);
++ if (f != null) {
+ if (f.isFile()) {
+ return new FileResource(f);
+ }
+@@ -281,7 +295,8 @@ public class VirtualDirContext extends FileDirContext {
+ String res = name.substring(path.length());
+ for (String resourcesDir : dirList) {
+ File f = new File(resourcesDir + "/" + res);
+- if (f.exists() && f.canRead()) {
++ f = validate(f, true, resourcesDir);
++ if (f != null) {
+ if (f.isFile()) {
+ return new FileResource(f);
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 7d5f339..d959268 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -52,3 +52,4 @@ BZ57544-infinite-loop-part2.patch
 CVE-2017-5647.patch
 CVE-2017-5648.patch
 CVE-2017-5664.patch
+CVE-2017-12616.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git _______________________________________________ pkg-java-commits mailing list pkg-java-comm...@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
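Review bot: The hunk at `@@ -500,7 +503,7 @@` in FileDirContext swaps `new File(base, name)` for `file(name, false)` but, unlike the sibling hunks at `-535` and `-610`, does not guard the result before `file.exists()`; those two hunks show that `file(name, false)` can return `null` (the body of `validate` that decides this continues outside the visible lines), so a rejected name in that method surfaces as a NullPointerException instead of the `resources.bindFailed` NamingException the other two call sites raise. Adding the same three lines there, `if (file == null) { throw new NamingException(sm.getString("resources.bindFailed", name)); }`, keeps the failure mode consistent across the three callers. In VirtualDirContext the new `file(String name, boolean mustExist)` override passes a literal `true` to `super.file(name, true)` regardless of `mustExist`, so `mustExist == false` callers (rename, bind, createSubcontext) get `null` for a not-yet-existing path under this context; if that is the intended read-only treatment of mapped resources, a one-line comment such as `// mapped resource paths are read-only: the target must already exist` would spare the next reader the question. In `validate`, `!mustExist || file.exists() && file.canRead()` relies on `&&` binding tighter than `||`; writing it as `!mustExist || (file.exists() && file.canRead())` makes the intent explicit.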