This is an automated email from the git hooks/post-receive script. apo pushed a commit to branch wheezy in repository tomcat7.
commit 4e7bd11fd88ff594aaeeb81bb2e3f9128fd58fa4
Author: Markus Koschany <[email protected]>
Date: Thu Sep 15 15:21:55 2016 +0200
Fix CVE-2016-1240 and Debian bug #821391. tomcat7.init: Protect /var/log/tomcat7/catalina.out against symlink attacks and a possible root privilege escalation. Do not unconditionally override files in /etc/tomcat7. Change file permissions to 640 for Debian files in /etc/tomcat7/*
---
debian/changelog | 12 ++++++++++++
debian/tomcat7.init | 6 ++++--
debian/tomcat7.postinst | 21 +++++++++++++++++++--
3 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 8368244..4f8b5df 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+tomcat7 (7.0.28-4+deb7u6) wheezy-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2016-1240:
+ tomcat7.init: Protect /var/log/tomcat7/catalina.out against symlink
+ attacks and a possible root privilege escalation.
+ * Do not unconditionally override files in /etc/tomcat7.
+ Change file permissions to 640 for Debian files in /etc/tomcat7/*
+ (Closes: #821391)
+
+ -- Markus Koschany <[email protected]> Thu, 15 Sep 2016 15:20:36 +0200
+
 tomcat7 (7.0.28-4+deb7u5) wheezy-security; urgency=high
 * Team upload.
diff --git a/debian/tomcat7.init b/debian/tomcat7.init
index fb11566..2821a3d 100644
--- a/debian/tomcat7.init
+++ b/debian/tomcat7.init
@@ -171,8 +171,10 @@ catalina_sh() {
 # Run the catalina.sh script as a daemon
 set +e
- touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
- chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
+ if [ ! -f "$CATALINA_BASE"/logs/catalina.out ]; then
+ install -o $TOMCAT7_USER -g adm -m 644 /dev/null "$CATALINA_BASE"/logs/catalina.out
+ fi
+ install -o $TOMCAT7_USER -g adm -m 644 /dev/null "$CATALINA_PID"
 start-stop-daemon --start -b -u "$TOMCAT7_USER" -g "$TOMCAT7_GROUP" \
 -c "$TOMCAT7_USER" -d "$CATALINA_TMPDIR" -p "$CATALINA_PID" \
 -x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH"
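Review bot: The symlink protection in the new lines rests on two properties that nothing in the hunk states: the `[ ! -f … ]` guard leaves any existing catalina.out untouched, so root no longer chowns through a link planted in the tomcat7-writable logs directory, and GNU install(1) unlinks an existing destination before creating the new file instead of opening it in place, which is what makes the unconditional `install … "$CATALINA_PID"` safe when the pid file has been replaced by a link. Add `# install(1) replaces (unlinks) an existing destination rather than following it, and an existing catalina.out is left alone, so root never chowns through a planted symlink (CVE-2016-1240)` above the `if` so the next maintainer does not revert to touch/chown. Note the behaviour change this introduces: a pre-existing catalina.out with the wrong owner is no longer corrected, which is presumably acceptable because earlier versions created it tomcat7-owned — confirm against upgrade paths. As a point of style, `-o $TOMCAT7_USER` is unquoted on both install lines while the start-stop-daemon line just below quotes `"$TOMCAT7_USER"`; `-o "$TOMCAT7_USER"` keeps the function consistent. catalina_sh() begins and ends outside the hunk.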
diff --git a/debian/tomcat7.postinst b/debian/tomcat7.postinst
index ef339db..bedfba9 100644
--- a/debian/tomcat7.postinst
+++ b/debian/tomcat7.postinst
@@ -48,8 +48,25 @@ case "$1" in
 # configuration files should not be modifiable by tomcat7 user, as this can be a security issue
 # (an attacker may insert code in a webapp and have access to all tomcat configuration)
 # but those files should be readable by tomcat7, so we set the group to tomcat7
- chown -Rh root:$TOMCAT7_GROUP /etc/tomcat7/*
- chmod 640 /etc/tomcat7/tomcat-users.xml
+ for i in tomcat-users.xml web.xml server.xml logging.properties context.xml catalina.properties;
+ do
+ if [ -f "/etc/tomcat7/$i" ]; then
+ chown root:$TOMCAT7_GROUP /etc/tomcat7/$i
+ chmod 640 /etc/tomcat7/$i
+ fi
+ done
+ # configuration policy files should not be modifiable by the tomcat7 user. Only
+ # diverge from default permissions for known Debian files
+ chown root:$TOMCAT7_GROUP /etc/tomcat7/policy.d
+ for i in 01system.policy 02debian.policy 03catalina.policy 04webapps.policy 50local.policy;
+ do
+ if [ -f "/etc/tomcat7/policy.d/$i" ]; then
+ chown root:$TOMCAT7_GROUP /etc/tomcat7/policy.d/$i
+ chmod 640 /etc/tomcat7/policy.d/$i
+ fi
+ done
+ chown -Rh root:$TOMCAT7_GROUP /etc/tomcat7/Catalina
+
 chown -Rh $TOMCAT7_USER:$TOMCAT7_GROUP /var/lib/tomcat7/webapps /var/lib/tomcat7/common /var/lib/tomcat7/server /var/lib/tomcat7/shared
 chmod 775 /var/lib/tomcat7/webapps
 chmod 775 /etc/tomcat7/Catalina /etc/tomcat7/Catalina/localhost
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git
_______________________________________________
pkg-java-commits mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
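Review bot: The `chown` and `chmod` lines inside both new loops dereference symbolic links (neither carries `-h`, and `[ -f … ]` is true for a link to a regular file), so an administrator who has replaced, say, server.xml with a symlink to a file elsewhere will have that target's owner and mode rewritten to root:tomcat7 640, whereas the recursive lines in the same hunk keep `-h` and do not follow links. If that is not intended, `if [ -f "/etc/tomcat7/$i" ] && [ ! -L "/etc/tomcat7/$i" ]; then` (and the same test in the policy.d loop) restricts the change to the regular Debian-shipped files. As a point of style, each test quotes `"/etc/tomcat7/$i"` but the following `chown root:$TOMCAT7_GROUP /etc/tomcat7/$i` and `chmod 640 /etc/tomcat7/$i` do not; the loop values are fixed literals so nothing breaks today, but quoting them and `root:"$TOMCAT7_GROUP"` consistently is what ShellCheck expects and what the test line already does. The enclosing `case "$1" in` arm starts and ends outside the hunk.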

