This is an automated email from the git hooks/post-receive script.
apo pushed a commit to branch wheezy
in repository tomcat7.
commit 9ec56770ae1c0aef52bcfeb22205456959269a13
Author: Roberto C. Sanchez <robe...@debian.org>
Date: Wed Nov 8 23:43:03 2017 -0500
Import Debian changes 7.0.28-4+deb7u17
tomcat7 (7.0.28-4+deb7u17) wheezy-security; urgency=high
* Non-maintainer upload by the LTS Security Team.
* Fix regression introduced by patch for CVE-2017-12617 (Closes: #881162)
---
debian/changelog | 7 +++++
debian/patches/CVE-2017-12617_1.patch | 36 ++++++++++++++++++++----
debian/patches/CVE-2017-12617_3.patch | 53 +++++++++++++++++++++++++----------
3 files changed, 76 insertions(+), 20 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 26f16eb..32e7434 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+tomcat7 (7.0.28-4+deb7u17) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the LTS Security Team.
+ * Fix regression introduced by patch for CVE-2017-12617 (Closes: #881162)
+
+ -- Roberto C. Sanchez <robe...@debian.org> Wed, 08 Nov 2017 23:43:03 -0500
+
tomcat7 (7.0.28-4+deb7u16) wheezy-security; urgency=high
* Non-maintainer upload by the LTS Security Team.
diff --git a/debian/patches/CVE-2017-12617_1.patch
b/debian/patches/CVE-2017-12617_1.patch
index b34d879..c85566d 100644
--- a/debian/patches/CVE-2017-12617_1.patch
+++ b/debian/patches/CVE-2017-12617_1.patch
@@ -22,8 +22,8 @@ origin:
https://github.com/apache/tomcat70/commit/512a3c3aecdb52de092c6bacddd71b
4 files changed, 64 insertions(+), 28 deletions(-)
create mode 100644 test/org/apache/naming/resources/TestFileDirContext.java
---- tomcat-7.0.x.orig/java/org/apache/naming/resources/FileDirContext.java
-+++ tomcat-7.0.x/java/org/apache/naming/resources/FileDirContext.java
+--- tomcat7.git.orig/java/org/apache/naming/resources/FileDirContext.java
++++ tomcat7.git/java/org/apache/naming/resources/FileDirContext.java
@@ -817,11 +817,18 @@
*/
protected File file(String name, boolean mustExist) {
@@ -45,8 +45,8 @@ origin:
https://github.com/apache/tomcat70/commit/512a3c3aecdb52de092c6bacddd71b
if (!mustExist || file.exists() && file.canRead()) {
---- tomcat-7.0.x.orig/java/org/apache/naming/resources/VirtualDirContext.java
-+++ tomcat-7.0.x/java/org/apache/naming/resources/VirtualDirContext.java
+--- tomcat7.git.orig/java/org/apache/naming/resources/VirtualDirContext.java
++++ tomcat7.git/java/org/apache/naming/resources/VirtualDirContext.java
@@ -153,7 +153,7 @@
String resourcesDir = dirList.get(0);
if (name.equals(path)) {
@@ -115,7 +115,7 @@ origin:
https://github.com/apache/tomcat70/commit/512a3c3aecdb52de092c6bacddd71b
if (f.isFile()) {
return new FileResource(f);
--- /dev/null
-+++ tomcat-7.0.x/test/org/apache/naming/resources/TestFileDirContext.java
++++ tomcat7.git/test/org/apache/naming/resources/TestFileDirContext.java
@@ -0,0 +1,46 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
@@ -163,3 +163,29 @@ origin:
https://github.com/apache/tomcat70/commit/512a3c3aecdb52de092c6bacddd71b
+ Assert.assertEquals(HttpServletResponse.SC_NOT_FOUND, sc);
+ }
+}
+--- tomcat7.git.orig/java/org/apache/catalina/servlets/DefaultServlet.java
++++ tomcat7.git/java/org/apache/catalina/servlets/DefaultServlet.java
+@@ -825,23 +825,6 @@
+ return;
+ }
+
+- // If the resource is not a collection, and the resource path
+- // ends with "/" or "\", return NOT FOUND
+- if (cacheEntry.context == null) {
+- if (path.endsWith("/") || (path.endsWith("\\"))) {
+- // Check if we're included so we can return the appropriate
+- // missing resource name in the error
+- String requestUri = (String) request.getAttribute(
+- RequestDispatcher.INCLUDE_REQUEST_URI);
+- if (requestUri == null) {
+- requestUri = request.getRequestURI();
+- }
+- response.sendError(HttpServletResponse.SC_NOT_FOUND,
+- requestUri);
+- return;
+- }
+- }
+-
+ boolean isError = DispatcherType.ERROR == request.getDispatcherType();
+
+ // Check if the conditions specified in the optional If headers are
diff --git a/debian/patches/CVE-2017-12617_3.patch
b/debian/patches/CVE-2017-12617_3.patch
index 5fec2e8..dbe9133 100644
--- a/debian/patches/CVE-2017-12617_3.patch
+++ b/debian/patches/CVE-2017-12617_3.patch
@@ -16,8 +16,8 @@ origin:
https://github.com/apache/tomcat70/commit/bbcbb749c75056a2781f37038d63e6
2 files changed, 110 insertions(+), 17 deletions(-)
create mode 100644 java/org/apache/naming/resources/JrePlatform.java
---- tomcat-7.0.x.orig/java/org/apache/naming/resources/FileDirContext.java
-+++ tomcat-7.0.x/java/org/apache/naming/resources/FileDirContext.java
+--- tomcat7.git.orig/java/org/apache/naming/resources/FileDirContext.java
++++ tomcat7.git/java/org/apache/naming/resources/FileDirContext.java
@@ -14,8 +14,6 @@
* See the License for the specific language governing permissions and
* limitations under the License.
@@ -84,7 +84,7 @@ origin:
https://github.com/apache/tomcat70/commit/bbcbb749c75056a2781f37038d63e6
// Check that this file belongs to our root path
String canPath = null;
-@@ -847,7 +861,7 @@
+@@ -847,32 +861,23 @@
} catch (IOException e) {
// Ignore
}
@@ -92,21 +92,44 @@ origin:
https://github.com/apache/tomcat70/commit/bbcbb749c75056a2781f37038d63e6
+ if (canPath == null || !canPath.startsWith(canonicalBase))
return null;
- // Check to see if going outside of the web application root
-@@ -868,9 +882,9 @@
- return null;
- if (absPath.equals(""))
- absPath = "/";
+- // Check to see if going outside of the web application root
+- if (!canPath.startsWith(absoluteBase)) {
++ String absPath = normalize(file.getAbsolutePath());
++ if ((absoluteBase.length() > absPath.length())) {
+ return null;
+ }
+
+- // Case sensitivity check - this is now always done
+- String fileAbsPath = file.getAbsolutePath();
+- if (fileAbsPath.endsWith("."))
+- fileAbsPath = fileAbsPath + "/";
+- String absPath = normalize(fileAbsPath);
+- canPath = normalize(canPath);
+- if ((absoluteBase.length() < absPath.length())
+- && (absoluteBase.length() < canPath.length())) {
+- absPath = absPath.substring(absoluteBase.length() + 1);
+- if (absPath == null)
+- return null;
+- if (absPath.equals(""))
+- absPath = "/";
- canPath = canPath.substring(absoluteBase.length() + 1);
- if (canPath.equals(""))
- canPath = "/";
-+ canPath = canPath.substring(canonicalBase.length() + 1);
-+ if (canPath.length() > 0)
-+ canPath = normalize(canPath);
- if (!canPath.equals(absPath))
- return null;
+- if (!canPath.equals(absPath))
+- return null;
++ absPath = absPath.substring(absoluteBase.length());
++ canPath = canPath.substring(canonicalBase.length());
++
++ // Case sensitivity check
++ if (canPath.length() > 0) {
++ canPath = normalize(canPath);
++ }
++ if (!canPath.equals(absPath)) {
++ return null;
}
-@@ -883,6 +897,36 @@
+
+ } else {
+@@ -883,6 +888,36 @@
}
@@ -144,7 +167,7 @@ origin:
https://github.com/apache/tomcat70/commit/bbcbb749c75056a2781f37038d63e6
* List the resources which are members of a collection.
*
--- /dev/null
-+++ tomcat-7.0.x/java/org/apache/naming/resources/JrePlatform.java
++++ tomcat7.git/java/org/apache/naming/resources/JrePlatform.java
@@ -0,0 +1,59 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
--
Alioth's /usr/local/bin/git-commit-notice on
/srv/git.debian.org/git/pkg-java/tomcat7.git
_______________________________________________
pkg-java-commits mailing list
pkg-java-comm...@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
