commit 04b149da51a82cb64b9e570b5592839a3bd2af53
Author: Emmanuel Bourg <[email protected]>
Date: Mon Jan 4 12:23:34 2016 +0100
Fixed CVE-2014-0099: Check for overflow when parsing the request content length header
---
debian/changelog | 4 ++
debian/patches/CVE-2014-0099.patch | 109 +++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 114 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index b7aa54e..da1df8f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,10 @@ tomcat7 (7.0.28-4+deb7u3) wheezy-security; urgency=high
 * Fixed CVE-2014-7810: Malicious web applications could use expression language to bypass the protections of a Security Manager as expressions were evaluated within a privileged code section.
+ * Fixed CVE-2014-0099: Check for overflow when parsing the request content
+ length header. This exposed a request smuggling vulnerability when Tomcat
+ was located behind a reverse proxy that correctly processed the content
+ length header.
 -- Emmanuel Bourg <[email protected]> Mon, 04 Jan 2016 12:03:34 +0100
diff --git a/debian/patches/CVE-2014-0099.patch b/debian/patches/CVE-2014-0099.patch
new file mode 100644
index 0000000..9fe94c6
--- /dev/null
+++ b/debian/patches/CVE-2014-0099.patch
@@ -0,0 +1,109 @@
+Description: CVE-2014-0099: Check for overflow when parsing the request content length header.
+Origin: backport, http://svn.apache.org/r1578814
+--- a/java/org/apache/tomcat/util/buf/Ascii.java
++++ b/java/org/apache/tomcat/util/buf/Ascii.java
+@@ -40,10 +40,11 @@
+ private static final boolean[] isWhite = new boolean[256];
+ private static final boolean[] isDigit = new boolean[256];
++ private static final long OVERFLOW_LIMIT = Long.MAX_VALUE / 10;
++
+ /*
+ * Initialize character translation and type tables.
+ */
+-
+ static {
+ for (int i = 0; i < 256; i++) {
+ toUpper[i] = (byte)i;
+@@ -206,19 +207,12 @@
+ }
+
+ long n = c - '0';
+- long m;
+-
+ while (--len > 0) {
+- if (!isDigit(c = b[off++])) {
+- throw new NumberFormatException();
+- }
+- m = n * 10 + c - '0';
+-
+- if (m < n) {
+- // Overflow
+- throw new NumberFormatException();
++ if (isDigit(c = b[off++]) &&
++ (n < OVERFLOW_LIMIT || (n == OVERFLOW_LIMIT && (c - '0') < 8))) {
++ n = n * 10 + c - '0';
+ } else {
+- n = m;
++ throw new NumberFormatException();
+ }
+ }
+
+--- /dev/null
++++ b/test/org/apache/tomcat/util/buf/TestAscii.java
+@@ -0,0 +1,65 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.tomcat.util.buf;
++
++import java.math.BigInteger;
++
++import org.junit.Assert;
++import org.junit.Test;
++
++public class TestAscii {
++
++ @Test
++ public void testParseLong1() {
++ String value = "9223372036854775807"; // Long.MAX_VALUE
++ byte[] bytes = value.getBytes();
++ long result = Ascii.parseLong(bytes, 0, bytes.length);
++ Assert.assertEquals(value, String.valueOf(result));
++ }
++
++ @Test(expected = NumberFormatException.class)
++ public void testParseLong2() {
++ byte[] bytes = "9223372036854775808".getBytes(); // Long.MAX_VALUE + 1
++ long result = Ascii.parseLong(bytes, 0, bytes.length);
++ Assert.fail("NumberFormatException expected, got: " + result);
++ }
++
++ @Test(expected = NumberFormatException.class)
++ public void testParseLong3() {
++ byte[] bytes = "9223372036854775810".getBytes(); // Long.MAX_VALUE + 3
++ long result = Ascii.parseLong(bytes, 0, bytes.length);
++ Assert.fail("NumberFormatException expected, got: " + result);
++ }
++
++ @Test(expected = NumberFormatException.class)
++ public void testParseLong4() {
++ BigInteger x = BigInteger.valueOf(5000000000L).shiftLeft(32);
++ byte[] bytes = String.valueOf(x).getBytes();
++ long result = Ascii.parseLong(bytes, 0, bytes.length);
++ Assert.fail("NumberFormatException expected, got: " + result);
++ }
++
++ @Test
++ public void testParseLong5() {
++ String value = "9223372036854775806"; // Long.MAX_VALUE - 1
++ byte[] bytes = value.getBytes();
++ long result = Ascii.parseLong(bytes, 0, bytes.length);
++ Assert.assertEquals(value, String.valueOf(result));
++ }
++
++
++}
diff --git a/debian/patches/series b/debian/patches/series
index 015b631..c4c4ff8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
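Review bot: The `8` in the new overflow guard in Ascii.parseLong, `(n == OVERFLOW_LIMIT && (c - '0') < 8)`, is an unexplained magic number: it is only correct because `Long.MAX_VALUE % 10` is 7, and nothing in the hunk says so. Either document the constant with `// Long.MAX_VALUE / 10: one more digit fits when n is below this, or equal to it and the digit is at most Long.MAX_VALUE % 10` or write the comparison as `(c - '0') <= Long.MAX_VALUE % 10` so the bound is self-evident. Because the digit test and the overflow test are now merged into one condition, a non-digit and an overflow both raise the same message-less `NumberFormatException`, yet TestAscii only exercises the overflow path; a case such as `"12a"` would pin the non-digit rejection as well. The `value.getBytes()` calls in the tests rely on the platform default charset; `value.getBytes(StandardCharsets.ISO_8859_1)` would make the byte input explicit. The start of `parseLong`, presumably where the first character is validated before `long n = c - '0'`, lies outside the hunk.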
@@ -22,3 +22,4 @@ cve-2012-3439-tests.patch
 0024-CVE-2013-4322.patch
 0025-use-tls-in-ssl-unit-tests.patch
 CVE-2014-7810.patch
+CVE-2014-0099.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits

