This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to branch wheezy in repository tomcat7.
commit e04961069c17dbb08ca1e55037172b52a239b16e
Author: Emmanuel Bourg <[email protected]>
Date: Tue Jan 5 01:03:07 2016 +0100
Fixed CVE-2013-4444: Remove serialization support from FileItem
---
debian/changelog | 2 +
debian/patches/CVE-2013-4444.patch | 114 +++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 117 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index da1df8f..d3549c1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,8 @@ tomcat7 (7.0.28-4+deb7u3) wheezy-security; urgency=high
 length header. This exposed a request smuggling vulnerability when Tomcat was located behind a reverse proxy that correctly processed the content length header.
+ * Fixed CVE-2013-4444: Remove serialization support from FileItem to prevent
+ a remote code execution vulnerablity in very limited circumstances.
 -- Emmanuel Bourg <[email protected]> Mon, 04 Jan 2016 12:03:34 +0100
diff --git a/debian/patches/CVE-2013-4444.patch b/debian/patches/CVE-2013-4444.patch
new file mode 100644
index 0000000..39ce26e
--- /dev/null
+++ b/debian/patches/CVE-2013-4444.patch
@@ -0,0 +1,114 @@
+Description: CVE-2013-4444: Remove serialization support from FileItem to prevent
+ a remote code execution vulnerablity in very limited circumstances.
+Origin: backport, http://svn.apache.org/r1470437
+--- a/java/org/apache/tomcat/util/http/fileupload/FileItem.java
++++ b/java/org/apache/tomcat/util/http/fileupload/FileItem.java
+@@ -20,7 +20,6 @@
+ import java.io.IOException;
+ import java.io.InputStream;
+ import java.io.OutputStream;
+-import java.io.Serializable;
+ import java.io.UnsupportedEncodingException;
+ 
+ /**
+@@ -50,7 +49,7 @@
+ *
+ * @version $Id: FileItem.java 981816 2010-08-03 10:44:58Z markt $
+ */
+-public interface FileItem extends Serializable {
++public interface FileItem {
+ 
+ 
+ // ------------------------------- Methods from javax.activation.DataSource
+--- a/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java
++++ b/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java
+@@ -24,8 +24,6 @@
+ import java.io.FileOutputStream;
+ import java.io.IOException;
+ import java.io.InputStream;
+-import java.io.ObjectInputStream;
+-import java.io.ObjectOutputStream;
+ import java.io.OutputStream;
+ import java.io.UnsupportedEncodingException;
+ import java.util.Map;
+@@ -84,11 +82,6 @@
+ 
+ // ----------------------------------------------------- Manifest constants
+ 
+- /**
+- * The UID to use when serializing this instance.
+- */
+- private static final long serialVersionUID = 2237570099615271025L;
+-
+ 
+ /**
+ * Default content charset to be used when no explicit charset
+@@ -176,11 +169,6 @@
+ private transient File tempFile;
+ 
+ /**
+- * File to allow for serialization of the content of this item.
+- */
+- private File dfosFile;
+-
+- /**
+ * The file items headers.
+ */
+ private FileItemHeaders headers;
+@@ -690,56 +678,6 @@
+ }
+ 
+ 
+- // -------------------------------------------------- Serialization methods
+-
+-
+- /**
+- * Writes the state of this object during serialization.
+- *
+- * @param out The stream to which the state should be written.
+- *
+- * @throws IOException if an error occurs.
+- */
+- private void writeObject(ObjectOutputStream out) throws IOException {
+- // Read the data
+- if (dfos.isInMemory()) {
+- cachedContent = get();
+- } else {
+- cachedContent = null;
+- dfosFile = dfos.getFile();
+- }
+-
+- // write out values
+- out.defaultWriteObject();
+- }
+-
+- /**
+- * Reads the state of this object during deserialization.
+- *
+- * @param in The stream from which the state should be read.
+- *
+- * @throws IOException if an error occurs.
+- * @throws ClassNotFoundException if class cannot be found.
+- */
+- private void readObject(ObjectInputStream in)
+- throws IOException, ClassNotFoundException {
+- // read values
+- in.defaultReadObject();
+-
+- OutputStream output = getOutputStream();
+- if (cachedContent != null) {
+- output.write(cachedContent);
+- } else {
+- FileInputStream input = new FileInputStream(dfosFile);
+- IOUtils.copy(input, output);
+- dfosFile.delete();
+- dfosFile = null;
+- }
+- output.close();
+-
+- cachedContent = null;
+- }
+-
+ /**
+ * Returns the file item headers.
+ * @return The file items headers.
diff --git a/debian/patches/series b/debian/patches/series
index c4c4ff8..d0b872d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -23,3 +23,4 @@ cve-2012-3439-tests.patch
 0025-use-tls-in-ssl-unit-tests.patch
 CVE-2014-7810.patch
 CVE-2014-0099.patch
+CVE-2013-4444.patch
-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git
_______________________________________________
pkg-java-commits mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
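Review bot: The `private transient File tempFile;` context line in the new patch file's `@@ -176,11 +169,6 @@` DiskFileItem hunk keeps a `transient` modifier that has no effect once `FileItem` no longer extends `Serializable`, and leaving it suggests the instance is still meant to go through Java serialization, which is exactly what this backport removes; unless DiskFileItem still inherits `Serializable` from another supertype the patch does not show, the modifier could be dropped or annotated, e.g. `private File tempFile; // not serialized: FileItem is no longer Serializable (CVE-2013-4444)`. The DEP-3 `Description:` header in the same hunk, like the changelog entry, spells "vulnerability" as "vulnerablity". It would also help later audits if the header stated that any code relying on serializing a `FileItem` (for example into a replicated session) now fails with `NotSerializableException` by design, since that is an intentional API break rather than a side effect. The `Origin:` line points at the upstream revision but no `Bug`/`Bug-Debian` field links the patch to the tracking entry for this CVE.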

