Bug#845425: DataSource no longer accessible since jessie security update

Markus Koschany apo at debian.org
Sun Dec 4 14:59:23 UTC 2016


On 04.12.2016 15:39, Arne Nordmark wrote:
> Den 2016-12-04 kl. 15:00, skrev Markus Koschany:
>> On 04.12.2016 09:22, Arne Nordmark wrote:
>>> Unfortunately, the newly released wheezy security update 7.0.28-4+deb7u7
>>> also suffers from this problem.
>>>
>>> Can it be so that the important part missing is the loop traversing the
>>> class loaders in validateGlobalResourceAccess():
>>>
>>> while (cl != null) {
>>>  ...
>>>  cl = cl.getParent();
>>> }
>>
>> Hello,
>>
>> I have prepared the update for Wheezy. Since you confirmed that using the ResourceLinkFactory class
>> from 7.x trunk works for you, we have replaced the current version with this one. At the moment I
>> fail to understand what we are missing because upstream's fix for CVE-2016-6797 is relatively
>> straightforward [1] and we have already taken your bug report into account.
>>
>> Could you elaborate in which file the code from above is missing?
> 
> Sorry if I was unclear. In the ResourceLinkFactory class,
> CVE-2016-6797.patch adds among other things the new method
> 
> private static boolean validateGlobalResourceAccess(String globalName)
> 
> However, in the upstream version 7.0.73 there is another change to this new
> method, which is the loop over the parent class loaders I was referring
> to above.
> 
> It seems that when preparing CVE-2016-6797-part2.patch, this change was
> left out, but it may be the change that actually makes things work.
> 
> I can build and run Debian tomcat7 on both wheezy and jessie, so if you
> would like me to make any further tests, please let me know.

My bad. It seems I have copied ResourceLinkFactory from another branch which is not equivalent to
7.0.73.

https://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/naming/factory/?pathrev=1757275

Looking at Apache's GitHub repository for Tomcat 7, the loop is indeed present.

https://raw.githubusercontent.com/apache/tomcat70/TOMCAT_7_0_73/java/org/apache/naming/factory/ResourceLinkFactory.java

I will use this version when I prepare a regression update. Since you have already confirmed that
this fixes #845425, further tests won't be necessary. Thanks for your help!
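To make the point of the thread concrete, here is an added illustration (not Tomcat's ResourceLinkFactory and not code from this bug report) of why the parent-loader loop matters for a per-class-loader registry of global resource links. The class and method names, the registry layout, and the sample loaders are all constructed for this example; the check is passed the class loader explicitly instead of reading the thread context class loader so it can be exercised directly.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Simplified, hypothetical model of a "global resource access" registry:
 * each web application (identified by its class loader) is granted access
 * to the global JNDI names it has a ResourceLink for. Lookups from a
 * loader that was not registered must be refused.
 */
public class GlobalResourceAccessDemo {

    // Assumed registry: class loader -> set of global names it may resolve.
    private static final Map<ClassLoader, Set<String>> registrations =
            new ConcurrentHashMap<>();

    /** Records that the given web application loader may use globalName. */
    static void registerGlobalResourceAccess(ClassLoader webappLoader, String globalName) {
        registrations
                .computeIfAbsent(webappLoader, k -> ConcurrentHashMap.newKeySet())
                .add(globalName);
    }

    /**
     * The incomplete check: only the supplied loader itself is consulted.
     * A lookup made from a loader created beneath the web application's
     * loader (for example by a library the application bundles) is denied,
     * which is the "DataSource no longer accessible" symptom.
     */
    static boolean validateWithoutParentLoop(ClassLoader cl, String globalName) {
        Set<String> names = registrations.get(cl);
        return names != null && names.contains(globalName);
    }

    /**
     * The check with the loop from the thread: walk up the parent chain so
     * that any loader descending from the registered web application loader
     * is accepted, while loaders outside that hierarchy are still refused.
     */
    static boolean validateWithParentLoop(ClassLoader cl, String globalName) {
        while (cl != null) {
            Set<String> names = registrations.get(cl);
            if (names != null && names.contains(globalName)) {
                return true;
            }
            cl = cl.getParent();
        }
        return false;
    }

    public static void main(String[] args) {
        ClassLoader base = GlobalResourceAccessDemo.class.getClassLoader();

        // Constructed sample loaders: one web application, a child loader
        // beneath it, and an unrelated loader with no registration.
        ClassLoader webapp = new URLClassLoader(new URL[0], base);
        ClassLoader child = new URLClassLoader(new URL[0], webapp);
        ClassLoader other = new URLClassLoader(new URL[0], base);

        // Constructed global name; only the web application is granted it.
        String globalName = "jdbc/GlobalDS";
        registerGlobalResourceAccess(webapp, globalName);

        System.out.println("webapp, no loop: " + validateWithoutParentLoop(webapp, globalName));
        System.out.println("child,  no loop: " + validateWithoutParentLoop(child, globalName));
        System.out.println("child,  loop   : " + validateWithParentLoop(child, globalName));
        System.out.println("other,  loop   : " + validateWithParentLoop(other, globalName));
    }
}
```

Run with `javac GlobalResourceAccessDemo.java && java GlobalResourceAccessDemo`. The first and third checks succeed and the second and fourth are refused: without the loop the child loader is cut off from a resource its own application was granted, and with the loop the child is accepted while the unrelated loader is still denied, which is the access control the fix is meant to enforce.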




