~ubuntu-branches/ubuntu/wily/tomcat6/wily-proposed


Viewing changes to debian/patches/0015-CVE-2011-2526.patch

  • Committer: Package Import Robot
  • Author(s): tony mancill, tony mancill, Niels Thykier
  • Date: 2011-11-08 10:42:32 UTC
  • Revision ID: package-import@ubuntu.com-20111108104232-qu3ebmbg5tteonpq
Tags: 6.0.32-7
[ tony mancill ]
* Team upload.
* Add "unset LC_ALL" to /etc/defaults/tomcat6 to prevent user 
  environment settings from leaking into the servlet container.
  - Thank you to Nicolas Pichon.  (Closes: #645221)
* Apply patch for CVE-2011-1184 and CVE-2011-2526.
  - Thank you to Marc Deslauriers.  (Closes: #648038)

[ Niels Thykier ]
* Added build-arch and build-indep targets in d/rules.

 
1
Description: fix file restriction bypass or denial of service via untrusted web application
 
2
Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1146703
 
3
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=634992
 
4
 
 
5
Index: tomcat6-6.0.32/java/org/apache/catalina/connector/LocalStrings.properties
 
6
===================================================================
 
7
--- tomcat6-6.0.32.orig/java/org/apache/catalina/connector/LocalStrings.properties      2011-01-20 16:36:06.000000000 -0500
 
8
+++ tomcat6-6.0.32/java/org/apache/catalina/connector/LocalStrings.properties   2011-10-13 16:40:14.477357566 -0400
 
9
@@ -61,6 +61,7 @@
 
10
 coyoteRequest.parseParameters=Exception thrown whilst processing POSTed parameters
 
11
 coyoteRequest.postTooLarge=Parameters were not parsed because the size of the posted data was too big. Use the maxPostSize attribute of the connector to resolve this if the application should accept large POSTs.
 
12
 coyoteRequest.chunkedPostTooLarge=Parameters were not parsed because the size of the posted data was too big. Because this request was a chunked request, it could not be processed further. Use the maxPostSize attribute of the connector to resolve this if the application should accept large POSTs.
 
13
+coyoteRequest.sendfileNotCanonical=Unable to determine canonical name of file [{0}] specified for use with sendfile
 
14
 coyoteRequest.sessionEndAccessFail=Exception triggered ending access to session while recycling request
 
15
 
 
16
 requestFacade.nullRequest=The request object has been recycled and is no longer associated with this facade
 
17
Index: tomcat6-6.0.32/java/org/apache/catalina/connector/Request.java
 
18
===================================================================
 
19
--- tomcat6-6.0.32.orig/java/org/apache/catalina/connector/Request.java 2011-02-01 22:09:54.000000000 -0500
 
20
+++ tomcat6-6.0.32/java/org/apache/catalina/connector/Request.java      2011-10-13 16:39:36.549356595 -0400
 
21
@@ -19,6 +19,7 @@
 
22
 package org.apache.catalina.connector;
 
23
 
 
24
 
 
25
+import java.io.File;
 
26
 import java.io.InputStream;
 
27
 import java.io.IOException;
 
28
 import java.io.BufferedReader;
 
29
@@ -1455,6 +1456,26 @@
 
30
             return;
 
31
         }
 
32
 
 
33
+        // Do the security check before any updates are made
 
34
+        if (Globals.IS_SECURITY_ENABLED &&
 
35
+                name.equals("org.apache.tomcat.sendfile.filename")) {
 
36
+            // Use the canonical file name to avoid any possible symlink and
 
37
+            // relative path issues
 
38
+            String canonicalPath;
 
39
+            try {
 
40
+                canonicalPath = new File(value.toString()).getCanonicalPath();
 
41
+            } catch (IOException e) {
 
42
+                throw new SecurityException(sm.getString(
 
43
+                        "coyoteRequest.sendfileNotCanonical", value), e);
 
44
+            }
 
45
+            // Sendfile is performed in Tomcat's security context so need to
 
46
+            // check if the web app is permitted to access the file while still
 
47
+            // in the web app's security context
 
48
+            System.getSecurityManager().checkRead(canonicalPath);
 
49
+            // Update the value so the canonical path is used
 
50
+            value = canonicalPath;
 
51
+        }
 
52
+
 
53
         oldValue = attributes.put(name, value);
 
54
         if (oldValue != null) {
 
55
             replaced = true;
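Review bot: The permission check at `System.getSecurityManager().checkRead(canonicalPath)` validates the path only at the moment the attribute is set, while the code's own comment says sendfile is performed later in Tomcat's security context, so the result holds only if nothing along that path changes in between. That limit should be stated next to the check, e.g. `// NOTE: checked at set time only; the connector opens the file later, outside the web app's security context`. The whole block is also skipped when `Globals.IS_SECURITY_ENABLED` is false, so in that configuration the stored value is not canonicalised, which belongs in the same comment. The enclosing method starts and ends outside the hunk, so whether `value` can be null at `value.toString()` cannot be confirmed from here.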
 
56
Index: tomcat6-6.0.32/java/org/apache/catalina/servlets/DefaultServlet.java
 
57
===================================================================
 
58
--- tomcat6-6.0.32.orig/java/org/apache/catalina/servlets/DefaultServlet.java   2011-01-20 12:08:54.000000000 -0500
 
59
+++ tomcat6-6.0.32/java/org/apache/catalina/servlets/DefaultServlet.java        2011-10-13 16:39:36.549356595 -0400
 
60
@@ -1619,7 +1619,6 @@
 
61
                 request.setAttribute("org.apache.tomcat.sendfile.start", new Long(range.start));
 
62
                 request.setAttribute("org.apache.tomcat.sendfile.end", new Long(range.end + 1));
 
63
             }
 
64
-            request.setAttribute("org.apache.tomcat.sendfile.token", this);
 
65
             return true;
 
66
         } else {
 
67
             return false;
 
68
Index: tomcat6-6.0.32/java/org/apache/coyote/http11/Http11AprProcessor.java
 
69
===================================================================
 
70
--- tomcat6-6.0.32.orig/java/org/apache/coyote/http11/Http11AprProcessor.java   2011-01-07 12:49:20.000000000 -0500
 
71
+++ tomcat6-6.0.32/java/org/apache/coyote/http11/Http11AprProcessor.java        2011-10-13 16:39:36.549356595 -0400
 
72
@@ -910,7 +910,18 @@
 
73
                 sendfileData.socket = socket;
 
74
                 sendfileData.keepAlive = keepAlive;
 
75
                 if (!endpoint.getSendfile().add(sendfileData)) {
 
76
-                    openSocket = true;
 
77
+                    if (sendfileData.socket == 0) {
 
78
+                        // Didn't send all the data but the socket is no longer
 
79
+                        // set. Something went wrong. Close the connection.
 
80
+                        // Too late to set status code.
 
81
+                        if (log.isDebugEnabled()) {
 
82
+                            log.debug(sm.getString(
 
83
+                                    "http11processor.sendfile.error"));
 
84
+                        }
 
85
+                        error = true;
 
86
+                    } else {
 
87
+                        openSocket = true;
 
88
+                    }
 
89
                     break;
 
90
                 }
 
91
             }
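Review bot: The new error branch reports the aborted sendfile only under `log.isDebugEnabled()`, so with default logging a connection closed because of bad start/end attributes leaves no trace for whoever investigates it later. Consider `log.warn(sm.getString("http11processor.sendfile.error"));`, rate-limited if log volume from an untrusted web application is a concern. Including the file name and range from `sendfileData` in the message would also help triage, assuming those values are still populated at this point. The enclosing loop and method start and end outside the hunk.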
 
92
Index: tomcat6-6.0.32/java/org/apache/coyote/http11/LocalStrings.properties
 
93
===================================================================
 
94
--- tomcat6-6.0.32.orig/java/org/apache/coyote/http11/LocalStrings.properties   2009-05-02 21:29:42.000000000 -0400
 
95
+++ tomcat6-6.0.32/java/org/apache/coyote/http11/LocalStrings.properties        2011-10-13 16:39:36.549356595 -0400
 
96
@@ -56,6 +56,7 @@
 
97
 http11processor.socket.info=Exception getting socket information
 
98
 http11processor.socket.ssl=Exception getting SSL attributes
 
99
 http11processor.socket.timeout=Error setting socket timeout
 
100
+http11processor.sendfile.error=Error sending data using sendfile. May be caused by invalid request attributes for start/end points
 
101
 
 
102
 #
 
103
 # InternalInputBuffer
 
104
Index: tomcat6-6.0.32/java/org/apache/tomcat/util/net/AprEndpoint.java
 
105
===================================================================
 
106
--- tomcat6-6.0.32.orig/java/org/apache/tomcat/util/net/AprEndpoint.java        2011-02-01 03:07:46.000000000 -0500
 
107
+++ tomcat6-6.0.32/java/org/apache/tomcat/util/net/AprEndpoint.java     2011-10-13 16:41:23.769359341 -0400
 
108
@@ -1812,7 +1812,9 @@
 
109
                                                data.pos, data.end - data.pos, 0);
 
110
                     if (nw < 0) {
 
111
                         if (!(-nw == Status.EAGAIN)) {
 
112
-                            destroySocket(data.socket);
 
113
+                            Pool.destroy(data.fdpool);
 
114
+                            // No need to close socket, this will be done by
 
115
+                            // calling code since data.socket == 0
 
116
                             data.socket = 0;
 
117
                             return false;
 
118
                         } else {
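Review bot: Setting `data.socket = 0` now doubles as the error signal to the caller, and the socket is no longer closed here, so any caller that does not test for `data.socket == 0` would leave the connection open. The Http11AprProcessor hunk in this patch does test it; whether other callers exist is not visible from the hunk. The contract deserves a sentence in the method's Javadoc saying that on a send error the method returns false with `data.socket` set to 0 and leaves closing the socket to the caller. The enclosing method starts and ends outside the hunk.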
 
119
Index: tomcat6-6.0.32/java/org/apache/tomcat/util/net/NioEndpoint.java
 
120
===================================================================
 
121
--- tomcat6-6.0.32.orig/java/org/apache/tomcat/util/net/NioEndpoint.java        2011-01-07 13:43:39.000000000 -0500
 
122
+++ tomcat6-6.0.32/java/org/apache/tomcat/util/net/NioEndpoint.java     2011-10-13 16:39:36.553356596 -0400
 
123
@@ -1734,6 +1734,13 @@
 
124
                         sd.pos += written;
 
125
                         sd.length -= written;
 
126
                         attachment.access();
 
127
+                    } else {
 
128
+                        // Unusual not to be able to transfer any bytes
 
129
+                        // Check the length was set correctly
 
130
+                        if (sd.fchannel.size() <= sd.pos) {
 
131
+                            throw new IOException("Sendfile configured to " +
 
132
+                                    "send more data than was available");
 
133
+                        }
 
134
                     }
 
135
                 }
 
136
                 if ( sd.length <= 0 && sc.getOutboundRemaining()<=0) {
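Review bot: The length check at `if (sd.fchannel.size() <= sd.pos)` runs only after a transfer has moved no bytes, and it compares only the current position with the file size, so a range whose end lies past the end of the file is detected late rather than rejected before the first write. If the range is known when the transfer is set up, validating it once there would be clearer, e.g. `if (sd.pos < 0 || sd.length < 0 || sd.length > sd.fchannel.size() - sd.pos) throw new IOException(...)`. The exception message would also be easier to act on if it carried `sd.pos`, `sd.length` and the file size. The enclosing method starts and ends outside the hunk, so where `sd.fchannel` is opened is not visible here.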
 
137
@@ -1758,6 +1765,7 @@
 
138
                             log.debug("Send file connection is being closed");
 
139
                         }
 
140
                         cancelledKey(sk,SocketStatus.STOP,false);
 
141
+                        return false;
 
142
                     }
 
143
                 } else if ( attachment.interestOps() == 0 && reg ) {
 
144
                     if (log.isDebugEnabled()) {