[tomcat7] 02/02: Fix CVE-2012-3544: Denial of service
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Mon Feb 17 16:33:44 UTC 2014
This is an automated email from the git hooks/post-receive script.
ebourg-guest pushed a commit to branch wheezy
in repository tomcat7.
commit c63dfaed281a15defcccb3823e9866a60466a894
Author: Emmanuel Bourg <ebourg at apache.org>
Date: Mon Feb 17 17:32:15 2014 +0100
Fix CVE-2012-3544: Denial of service
---
debian/changelog | 8 +-
debian/patches/0021-CVE-2012-3544.patch | 156 ++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 163 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index a497314..73f4914 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,10 +7,14 @@ tomcat7 (7.0.28-4+deb7u1) wheezy-security; urgency=high
requiring authentication with the current session. By repeatedly sending
a request for an authenticated resource while the victim is completing
the login form, an attacker could inject a request that would be executed
- using the victim's credentials.
- * Fix for CVE-2013-2071: A runtime exception in AsyncListener.onComplete()
+ using the victim's credentials. (Closes: #707704)
+ * Fix CVE-2013-2071: A runtime exception in AsyncListener.onComplete()
prevents the request from being recycled. This may expose elements of a
previous request to a current request.
+ * Fix CVE-2012-3544: When processing a request submitted using the chunked
+ transfer encoding, Tomcat ignored but did not limit any extensions that
+ were included. This allows a client to perform a limited denial of service
+ by streaming an unlimited amount of data to the server.
-- Emmanuel Bourg <ebourg at apache.org> Sun, 09 Feb 2014 01:09:12 +0100
diff --git a/debian/patches/0021-CVE-2012-3544.patch b/debian/patches/0021-CVE-2012-3544.patch
new file mode 100644
index 0000000..96eaa17
--- /dev/null
+++ b/debian/patches/0021-CVE-2012-3544.patch
@@ -0,0 +1,156 @@
+Description: Fix for CVE-2012-3544: When processing a request submitted using
+ the chunked transfer encoding, Tomcat ignored but did not limit any extensions
+ that were included. This allows a client to perform a limited DOS by streaming
+ an unlimited amount of data to the server.
+Origin: backport from Tomcat 7.0.30, http://svn.apache.org/r1378702 and http://svn.apache.org/r1378921
+--- a/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
++++ b/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
+@@ -144,7 +144,7 @@
+
+ if(needCRLFParse) {
+ needCRLFParse = false;
+- parseCRLF();
++ parseCRLF(false);
+ }
+
+ if (remaining <= 0) {
+@@ -179,7 +179,7 @@
+ //so we defer it to the next call BZ 11117
+ needCRLFParse = true;
+ } else {
+- parseCRLF(); //parse the CRLF immediately
++ parseCRLF(false); //parse the CRLF immediately
+ }
+ }
+
+@@ -303,9 +303,8 @@
+ return false;
+ }
+
+- if (buf[pos] == Constants.CR) {
+- // FIXME: Improve parsing to check for CRLF
+- } else if (buf[pos] == Constants.LF) {
++ if (buf[pos] == Constants.CR || buf[pos] == Constants.LF) {
++ parseCRLF(false);
+ eol = true;
+ } else if (buf[pos] == Constants.SEMI_COLON) {
+ trailer = true;
+@@ -322,7 +321,10 @@
+ }
+ }
+
+- pos++;
++ // Parsing the CRLF increments pos
++ if (!eol) {
++ pos++;
++ }
+
+ }
+
+@@ -343,9 +345,22 @@
+
+ /**
+ * Parse CRLF at end of chunk.
++ * @deprecated Use {@link #parseCRLF(boolean)}
+ */
+- protected boolean parseCRLF()
+- throws IOException {
++ @Deprecated
++ protected boolean parseCRLF() throws IOException {
++ parseCRLF(false);
++ return true;
++ }
++
++ /**
++ * Parse CRLF at end of chunk.
++ *
++ * @param tolerant Should tolerant parsing (LF and CRLF) be used? This
++ * is recommended (RFC2616, section 19.3) for message
++ * headers.
++ */
++ protected void parseCRLF(boolean tolerant) throws IOException {
+
+ boolean eol = false;
+ boolean crfound = false;
+@@ -361,7 +376,9 @@
+ if (crfound) throw new IOException("Invalid CRLF, two CR characters encountered.");
+ crfound = true;
+ } else if (buf[pos] == Constants.LF) {
+- if (!crfound) throw new IOException("Invalid CRLF, no CR character encountered.");
++ if (!tolerant && !crfound) {
++ throw new IOException("Invalid CRLF, no CR character encountered.");
++ }
+ eol = true;
+ } else {
+ throw new IOException("Invalid CRLF");
+@@ -370,9 +387,6 @@
+ pos++;
+
+ }
+-
+- return true;
+-
+ }
+
+
+@@ -393,26 +407,19 @@
+ MimeHeaders headers = request.getMimeHeaders();
+
+ byte chr = 0;
+- while (true) {
+- // Read new bytes if needed
+- if (pos >= lastValid) {
+- if (readBytes() <0)
+- throw new EOFException("Unexpected end of stream whilst reading trailer headers for chunked request");
+- }
+
+- chr = buf[pos];
+-
+- if ((chr == Constants.CR) || (chr == Constants.LF)) {
+- if (chr == Constants.LF) {
+- pos++;
+- return false;
+- }
+- } else {
+- break;
+- }
++ // Read new bytes if needed
++ if (pos >= lastValid) {
++ if (readBytes() <0)
++ throw new EOFException("Unexpected end of stream whilst reading trailer headers for chunked request");
++ }
+
+- pos++;
++ chr = buf[pos];
+
++ // CRLF terminates the request
++ if (chr == Constants.CR || chr == Constants.LF) {
++ parseCRLF(false);
++ return false;
+ }
+
+ // Mark the current buffer position
+@@ -492,9 +499,8 @@
+ }
+
+ chr = buf[pos];
+- if (chr == Constants.CR) {
+- // Skip
+- } else if (chr == Constants.LF) {
++ if (chr == Constants.CR || chr == Constants.LF) {
++ parseCRLF(true);
+ eol = true;
+ } else if (chr == Constants.SP) {
+ trailingHeaders.append(chr);
+@@ -503,8 +509,9 @@
+ lastSignificantChar = trailingHeaders.getEnd();
+ }
+
+- pos++;
+-
++ if (!eol) {
++ pos++;
++ }
+ }
+
+ // Checking the first character of the new line. If the character
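Review bot: The chunk-header loop in ChunkedInputFilter still appears to accept a chunk extension of any length. In the `@@ -303,9 +303,8 @@` hunk, once `Constants.SEMI_COLON` sets `trailer = true`, the visible code only advances `pos` until a CR or LF arrives, and no hunk in this patch adds a byte count or limit, although the Description names unlimited extensions as the problem. As far as the visible lines show, the change tightens line-ending handling (`parseCRLF(false)` for the chunk header, `parseCRLF(true)` inside trailer lines) rather than bounding how much data is skipped. I would add a counter to that branch, for example `if (trailer && ++extensionSize > maxExtensionSize) throw new IOException("Chunk extension too long");`, with `extensionSize` reset for each chunk and `maxExtensionSize` a new configurable field (both names are proposals, not part of this patch). The loop body starts and ends outside the hunk, so a limit may exist in lines not shown; that should be confirmed, and the same question applies to how much the trailer hunk may append to `trailingHeaders`.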
diff --git a/debian/patches/series b/debian/patches/series
index e4650e5..d62c03a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -16,3 +16,4 @@ cve-2012-3439-tests.patch
0018-CVE-2014-0050.patch
0019-CVE-2013-2067.patch
0020-CVE-2013-2071.patch
+0021-CVE-2012-3544.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git