Bug#854551: Bug#851304: tomcat8 use 100% cpu time
Markus Koschany
apo at debian.org
Sun Feb 12 20:38:31 UTC 2017
Hi,
a bug was reported against tomcat8 and tomcat7 in Jessie and it seems
the issue is related to our latest security updates. We would like to
address this regression as soon as possible because this one can be
triggered remotely and cause a denial-of-service.
I have attached the debdiffs for tomcat8 and tomcat7 to this email. I
will update the changelogs later.
Regards,
Markus
-------------- next part --------------
diff -Nru tomcat7-7.0.56/debian/changelog tomcat7-7.0.56/debian/changelog
--- tomcat7-7.0.56/debian/changelog 2017-01-05 18:16:41.000000000 +0100
+++ tomcat7-7.0.56/debian/changelog 2017-02-10 03:30:38.000000000 +0100
@@ -1,3 +1,10 @@
+tomcat7 (7.0.56-3+deb8u8) UNRELEASED; urgency=medium
+
+ * Team upload.
+ * Add BZ57544-infinite-loop.patch
+
+ -- Markus Koschany <apo at debian.org> Fri, 10 Feb 2017 03:30:38 +0100
+
tomcat7 (7.0.56-3+deb8u7) jessie-security; urgency=high
* Fixed CVE-2016-8745: A bug in the error handling of the send file code for
diff -Nru tomcat7-7.0.56/debian/patches/BZ57544-infinite-loop.patch tomcat7-7.0.56/debian/patches/BZ57544-infinite-loop.patch
--- tomcat7-7.0.56/debian/patches/BZ57544-infinite-loop.patch 1970-01-01 01:00:00.000000000 +0100
+++ tomcat7-7.0.56/debian/patches/BZ57544-infinite-loop.patch 2017-02-10 03:30:38.000000000 +0100
@@ -0,0 +1,48 @@
+From: Markus Koschany <apo at debian.org>
+Date: Fri, 10 Feb 2017 03:01:38 +0100
+Subject: BZ57544 infinite loop
+
+Bug-Upstream: https://bz.apache.org/bugzilla/show_bug.cgi?id=60578
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854551
+Origin: https://github.com/apache/tomcat80/commit/614e7f78aecc429d8740bb59900c2f9fbc86a788
+---
+ java/org/apache/coyote/http11/AbstractInputBuffer.java | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/java/org/apache/coyote/http11/AbstractInputBuffer.java b/java/org/apache/coyote/http11/AbstractInputBuffer.java
+index eda3609..a1251d6 100644
+--- a/java/org/apache/coyote/http11/AbstractInputBuffer.java
++++ b/java/org/apache/coyote/http11/AbstractInputBuffer.java
+@@ -225,15 +225,10 @@ public abstract class AbstractInputBuffer<S> implements InputBuffer{
+ request.recycle();
+
+ // Copy leftover bytes to the beginning of the buffer
+- if (lastValid - pos > 0) {
+- int npos = 0;
+- int opos = pos;
+- while (lastValid - opos > opos - npos) {
+- System.arraycopy(buf, opos, buf, npos, opos - npos);
+- npos += pos;
+- opos += pos;
+- }
+- System.arraycopy(buf, opos, buf, npos, lastValid - opos);
++ if (lastValid - pos > 0 && pos > 0) {
++ System.arraycopy(buf, pos, buf, 0, lastValid - pos);
++ lastValid = lastValid - pos;
++ pos = 0;
+ }
+
+ // Recycle filters
+@@ -242,12 +237,9 @@ public abstract class AbstractInputBuffer<S> implements InputBuffer{
+ }
+
+ // Reset pointers
+- lastValid = lastValid - pos;
+- pos = 0;
+ lastActiveFilter = -1;
+ parsingHeader = true;
+ swallowInput = true;
+-
+ }
+
+
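Review bot: The reset of `lastValid` and `pos` now runs only inside `if (lastValid - pos > 0 && pos > 0)`, so when a request has consumed the buffer exactly (`lastValid == pos` with `pos > 0`) both fields keep their old values, whereas the lines removed under `// Reset pointers` zeroed them unconditionally. The next request on the connection would then presumably be parsed from a non-zero offset, leaving less room in the buffer with each keep-alive request; the method body and the other readers of `pos` start outside the hunk, so this needs confirming against the full file. I would keep only the `System.arraycopy(buf, pos, buf, 0, lastValid - pos);` call under the guard and place `lastValid = lastValid - pos;` and `pos = 0;` directly after the closing brace of the `if`. The tomcat8 debdiff further down carries the identical patch and needs the same change. Since this fixes a remotely triggerable regression, a test that sends both a pipelined and a non-pipelined keep-alive request would cover the two paths through this block.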
diff -Nru tomcat7-7.0.56/debian/patches/series tomcat7-7.0.56/debian/patches/series
--- tomcat7-7.0.56/debian/patches/series 2017-01-05 18:13:55.000000000 +0100
+++ tomcat7-7.0.56/debian/patches/series 2017-02-10 03:30:38.000000000 +0100
@@ -38,3 +38,4 @@
BZ-57377.patch
CVE-2016-8735.patch
CVE-2016-8745.patch
+BZ57544-infinite-loop.patch
-------------- next part --------------
diff -Nru tomcat8-8.0.14/debian/changelog tomcat8-8.0.14/debian/changelog
--- tomcat8-8.0.14/debian/changelog 2017-01-06 00:39:34.000000000 +0100
+++ tomcat8-8.0.14/debian/changelog 2017-02-10 01:08:51.000000000 +0100
@@ -1,3 +1,10 @@
+tomcat8 (8.0.14-1+deb8u7) UNRELEASED; urgency=medium
+
+ * Team upload.
+ * Add BZ57544-infinite-loop.patch
+
+ -- Markus Koschany <apo at debian.org> Fri, 10 Feb 2017 01:08:51 +0100
+
tomcat8 (8.0.14-1+deb8u6) jessie-security; urgency=high
* Fixed CVE-2016-8745: A bug in the error handling of the send file code for
diff -Nru tomcat8-8.0.14/debian/patches/BZ57544-infinite-loop.patch tomcat8-8.0.14/debian/patches/BZ57544-infinite-loop.patch
--- tomcat8-8.0.14/debian/patches/BZ57544-infinite-loop.patch 1970-01-01 01:00:00.000000000 +0100
+++ tomcat8-8.0.14/debian/patches/BZ57544-infinite-loop.patch 2017-02-10 01:08:51.000000000 +0100
@@ -0,0 +1,48 @@
+From: Markus Koschany <apo at debian.org>
+Date: Fri, 10 Feb 2017 01:06:54 +0100
+Subject: BZ57544 infinite loop
+
+Bug-Upstream: https://bz.apache.org/bugzilla/show_bug.cgi?id=60578
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851304
+Origin: https://github.com/apache/tomcat80/commit/614e7f78aecc429d8740bb59900c2f9fbc86a788
+---
+ java/org/apache/coyote/http11/AbstractInputBuffer.java | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/java/org/apache/coyote/http11/AbstractInputBuffer.java b/java/org/apache/coyote/http11/AbstractInputBuffer.java
+index 33d4b3b..2aef369 100644
+--- a/java/org/apache/coyote/http11/AbstractInputBuffer.java
++++ b/java/org/apache/coyote/http11/AbstractInputBuffer.java
+@@ -235,15 +235,10 @@ public abstract class AbstractInputBuffer<S> implements InputBuffer{
+ request.recycle();
+
+ // Copy leftover bytes to the beginning of the buffer
+- if (lastValid - pos > 0) {
+- int npos = 0;
+- int opos = pos;
+- while (lastValid - opos > opos - npos) {
+- System.arraycopy(buf, opos, buf, npos, opos - npos);
+- npos += pos;
+- opos += pos;
+- }
+- System.arraycopy(buf, opos, buf, npos, lastValid - opos);
++ if (lastValid - pos > 0 && pos > 0) {
++ System.arraycopy(buf, pos, buf, 0, lastValid - pos);
++ lastValid = lastValid - pos;
++ pos = 0;
+ }
+
+ // Recycle filters
+@@ -252,12 +247,9 @@ public abstract class AbstractInputBuffer<S> implements InputBuffer{
+ }
+
+ // Reset pointers
+- lastValid = lastValid - pos;
+- pos = 0;
+ lastActiveFilter = -1;
+ parsingHeader = true;
+ swallowInput = true;
+-
+ }
+
+
diff -Nru tomcat8-8.0.14/debian/patches/series tomcat8-8.0.14/debian/patches/series
--- tomcat8-8.0.14/debian/patches/series 2017-01-06 00:39:34.000000000 +0100
+++ tomcat8-8.0.14/debian/patches/series 2017-02-10 01:08:51.000000000 +0100
@@ -33,3 +33,4 @@
BZ-57377.patch
CVE-2016-8735.patch
CVE-2016-8745.patch
+BZ57544-infinite-loop.patch