[tomcat8] 01/01: Fixed a race condition in tomcat8.init that could be exploited to chown/chmod any file, thanks to Paul Szabo

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Wed Oct 26 14:31:20 UTC 2016


This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch master
in repository tomcat8.

commit a7e011ad273d6e6062a520ef55cd61e190c0bd1a
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Wed Oct 26 16:27:47 2016 +0200

    Fixed a race condition in tomcat8.init that could be exploited to chown/chmod any file, thanks to Paul Szabo
---
 debian/changelog    | 3 +++
 debian/tomcat8.init | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index ac4ce68..8959798 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,9 @@
 tomcat8 (8.0.38-2) UNRELEASED; urgency=medium
 
   * Team upload.
+  * CVE-2016-1240 follow-up: Fixed a race condition in the init.d script
+    that could be exploited to make any existing file writable by the tomcat
+    user. Thanks to Paul Szabo for the report and the fix.
   * Install the extra jar catalina-jmx-remote.jar (Closes: #762916)
   * Added the new libtomcat8-embed-java package containing the libraries
     for embedding Tomcat into other applications.
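Review bot: the entry does not reference the Debian bug that the new init.d comment cites (#841371); adding `(Closes: #841371)` here, in the same style as the `catalina-jmx-remote.jar` line below it, would close the bug on upload and tie the changelog to the code. The wording also differs from the commit subject (`make any existing file writable by the tomcat user` here versus `chown/chmod any file` in the subject); the changelog phrasing is the more precise description of the impact and would be the better one to reuse.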
diff --git a/debian/tomcat8.init b/debian/tomcat8.init
index b7df816..3442ead 100644
--- a/debian/tomcat8.init
+++ b/debian/tomcat8.init
@@ -170,7 +170,8 @@ catalina_sh() {
 	# Run the catalina.sh script as a daemon
 	set +e
 	if [ ! -f "$CATALINA_BASE"/logs/catalina.out ]; then
-		install -o $TOMCAT8_USER -g adm -m 644 /dev/null "$CATALINA_BASE"/logs/catalina.out
+		# run install as tomcat8 to work around #841371
+		su $TOMCAT8_USER -s /bin/bash -c "install -m 644 /dev/null $CATALINA_BASE/logs/catalina.out"
 	fi
 	install -o $TOMCAT8_USER -g adm -m 644 /dev/null "$CATALINA_PID"
 	start-stop-daemon --start -b -u "$TOMCAT8_USER" -g "$TOMCAT8_GROUP" \
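Review bot: `$CATALINA_BASE` inside the double-quoted `-c` string is expanded by the outer root shell before `su` runs, so a value containing whitespace or shell metacharacters is word-split or re-interpreted by the inner bash; the old line quoted the path, and quoting it inside the command keeps that, e.g. `-c "install -m 644 /dev/null '$CATALINA_BASE/logs/catalina.out'"`. Two further points: the new `install` drops `-g adm`, so catalina.out is now created with the tomcat8 user's primary group instead of `adm`, which is a behaviour change worth a changelog mention if intended; and the following context line still runs `install -o $TOMCAT8_USER -g adm -m 644 /dev/null "$CATALINA_PID"` as root with the pattern this hunk replaces, so it is worth confirming that the directory holding the pid file is not writable by the tomcat8 user and therefore not exposed to the same race as the logs directory.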

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git