This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to branch jessie in repository tomcat7.
commit c060bd2178af11805d0b1038e44027c111c6a57a
Author: Emmanuel Bourg <[email protected]>
Date: Fri Oct 28 01:34:03 2016 +0200
CVE-2016-1240 follow-up
---
debian/changelog | 7 +++++++
.../0009-Use-java.security.policy-file-in-catalina.sh.patch | 6 +++---
debian/tomcat7.init | 7 +++++--
debian/tomcat7.postrm.in | 1 +
4 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 42809ba..e9d2746 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,12 @@
 tomcat7 (7.0.56-3+deb8u5) jessie-security; urgency=high
+ * CVE-2016-1240 follow-up:
+ - The previous init.d fix was vulnerable to a race condition that could
+ be exploited to make any existing file writable by the tomcat user.
+ Thanks to Paul Szabo for the report and the fix.
+ - The catalina.policy file generated on startup was affected by a similar
+ vulnerability that could be exploited to overwrite any file on the system.
+ Thanks to Paul Szabo for the report.
 * Hardened the init.d script, thanks to Paul Szabo
 -- Emmanuel Bourg <[email protected]> Sun, 30 Oct 2016 12:51:13 +0100
diff --git a/debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch b/debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch
index e6036b7..ec47852 100644
--- a/debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch
+++ b/debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch
@@ -19,7 +19,7 @@ Forwarded: not-needed
 -sourcepath "$CATALINA_HOME"/../../java \
 -Djava.security.manager \
 - -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \
+ -Djava.security.policy=="$CATALINA_BASE"/work/catalina.policy \
++ -Djava.security.policy=="$CATALINA_BASE"/policy/catalina.policy \
 -Dcatalina.base="$CATALINA_BASE" \
 -Dcatalina.home="$CATALINA_HOME" \
 -Djava.io.tmpdir="$CATALINA_TMPDIR" \
@@ -28,7 +28,7 @@ Forwarded: not-needed
 -Djava.endorsed.dirs="\"$JAVA_ENDORSED_DIRS\"" -classpath "\"$CLASSPATH\"" \
 -Djava.security.manager \
 - -Djava.security.policy=="\"$CATALINA_BASE/conf/catalina.policy\"" \
+ -Djava.security.policy=="\"$CATALINA_BASE/work/catalina.policy\"" \
++ -Djava.security.policy=="\"$CATALINA_BASE/policy/catalina.policy\"" \
 -Dcatalina.base="\"$CATALINA_BASE\"" \
 -Dcatalina.home="\"$CATALINA_HOME\"" \
 -Djava.io.tmpdir="\"$CATALINA_TMPDIR\"" \
@@ -37,7 +37,7 @@ Forwarded: not-needed
 -Djava.endorsed.dirs="\"$JAVA_ENDORSED_DIRS\"" -classpath "\"$CLASSPATH\"" \
 -Djava.security.manager \
 - -Djava.security.policy=="\"$CATALINA_BASE/conf/catalina.policy\"" \
+ -Djava.security.policy=="\"$CATALINA_BASE/work/catalina.policy\"" \
++ -Djava.security.policy=="\"$CATALINA_BASE/policy/catalina.policy\"" \
 -Dcatalina.base="\"$CATALINA_BASE\"" \
 -Dcatalina.home="\"$CATALINA_HOME\"" \
 -Djava.io.tmpdir="\"$CATALINA_TMPDIR\"" \
diff --git a/debian/tomcat7.init b/debian/tomcat7.init
index 37d670f..a9b588a 100644
--- a/debian/tomcat7.init
+++ b/debian/tomcat7.init
@@ -118,7 +118,7 @@ if [ ! -f "$CATALINA_HOME/bin/bootstrap.jar" ]; then
 exit 1
 fi
-POLICY_CACHE="$CATALINA_BASE/work/catalina.policy"
+POLICY_CACHE="$CATALINA_BASE/policy/catalina.policy"
 if [ -z "$CATALINA_TMPDIR" ]; then
 CATALINA_TMPDIR="$JVM_TMP"
@@ -171,7 +171,8 @@ catalina_sh() {
 # Run the catalina.sh script as a daemon
 set +e
 if [ ! -f "$CATALINA_BASE"/logs/catalina.out ]; then
- install -o $TOMCAT7_USER -g adm -m 644 /dev/null "$CATALINA_BASE"/logs/catalina.out
+ # run install as tomcat7 to work around #841371
+ su $TOMCAT7_USER -s /bin/bash -c "install -m 644 /dev/null $CATALINA_BASE/logs/catalina.out"
 fi
 install -o $TOMCAT7_USER -g adm -m 644 /dev/null "$CATALINA_PID"
 start-stop-daemon --start -b -u "$TOMCAT7_USER" -g "$TOMCAT7_GROUP" \
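Review bot: The new `su $TOMCAT7_USER -s /bin/bash -c "install -m 644 /dev/null $CATALINA_BASE/logs/catalina.out"` line in the @@ -171 hunk splices `$CATALINA_BASE` into a command string that a second shell re-parses, so a base path containing whitespace or shell metacharacters either breaks the command or is interpreted by it, and `$TOMCAT7_USER` is unquoted as well. Since the only goal is to run one `install` as the tomcat user (so a symlink planted in the tomcat-writable logs/ directory cannot redirect a root write), avoid the intermediate shell altogether: `runuser -u "$TOMCAT7_USER" -- install -m 644 /dev/null "$CATALINA_BASE/logs/catalina.out"` (util-linux runuser, if present on the target release), or at minimum quote the interpolated path inside the `-c` string. Note also that the replaced line assigned group `adm` while the new command leaves catalina.out in the tomcat user's primary group; if logrotate or admin tooling relies on `adm` ownership (not visible here), that change deserves a mention in the comment above it. The `set +e` two lines up means a failing `su` is silently ignored and start-up proceeds without the log file; the enclosing `catalina_sh` function starts before this hunk.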
@@ -201,6 +202,8 @@ case "$1" in
 # Regenerate POLICY_CACHE file
 umask 022
+ rm -rf "$CATALINA_BASE/policy"
+ mkdir "$CATALINA_BASE/policy"
 echo "// AUTO-GENERATED FILE from /etc/tomcat7/policy.d/" \
 > "$POLICY_CACHE"
 echo "" >> "$POLICY_CACHE"
diff --git a/debian/tomcat7.postrm.in b/debian/tomcat7.postrm.in
index de35c3a..293ffde 100644
--- a/debian/tomcat7.postrm.in
+++ b/debian/tomcat7.postrm.in
@@ -8,6 +8,7 @@ LR_CONFFILE=/etc/logrotate.d/tomcat7
 # Remove cached files and auto-generated catalina.policy
 rm -rf /var/cache/tomcat7/*
+rm -rf /var/lib/tomcat7/policy
 case "$1" in
 remove)
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git
_______________________________________________
pkg-java-commits mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
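Review bot: The exit status of `mkdir "$CATALINA_BASE/policy"` on the second added line is never checked, and the root-owned redirection `> "$POLICY_CACHE"` that follows runs regardless (unless the script runs under `set -e`, which is not visible in this hunk). If the parent `$CATALINA_BASE` is writable by the tomcat user, the name `policy` can be re-created as a symlink between the `rm -rf` and the `mkdir` — mkdir then fails with EEXIST — and root writes the policy file through that link, which is the same class of bug the changelog says this commit closes; whether `$CATALINA_BASE` is root-owned is not visible here, so treat this as an assumption to confirm. Fail closed and guard the destructive path against an empty variable: `rm -rf "${CATALINA_BASE:?}/policy"` and `mkdir "$CATALINA_BASE/policy" || exit 1`. A one-line comment above the `rm -rf` stating why the directory is rebuilt by root on every start (so the tomcat user can never own or pre-populate it) would make the intent survive the next refactor. The enclosing case arm starts before and continues past this hunk.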
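Review bot: The added `rm -rf /var/lib/tomcat7/policy` sits above `case "$1" in`, so it runs on every postrm invocation (upgrade, failed-upgrade, abort-*), not only on remove/purge, mirroring the existing cache cleanup on the line above. That is presumably intended because the init script regenerates the directory at start, but on a failed upgrade it deletes the policy of an instance that may still be running; a short comment such as `# safe on upgrade: the policy is regenerated by the init script on every start` would record the reasoning. The path is also hard-coded here while the init script derives it from `$CATALINA_BASE`; a note like `# must match $CATALINA_BASE/policy in tomcat7.init` would help keep the two in sync. The surrounding postrm script continues past this hunk.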

