[tomcat8] 01/02: Moved the generated catalina.policy file to /var/lib/tomcat8/policy
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Thu Oct 27 23:23:24 UTC 2016
This is an automated email from the git hooks/post-receive script.
ebourg-guest pushed a commit to branch master
in repository tomcat8.
commit 732d1a0a454b783265cc0558078acc16298eb2cf
Author: Emmanuel Bourg <ebourg at apache.org>
Date: Fri Oct 28 01:16:28 2016 +0200
Moved the generated catalina.policy file to /var/lib/tomcat8/policy
---
debian/changelog | 12 ++++++++----
.../0009-Use-java.security.policy-file-in-catalina.sh.patch | 6 +++---
debian/tomcat8.init | 4 +++-
debian/tomcat8.postrm.in | 1 +
4 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 8959798..b0a4300 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,13 @@
-tomcat8 (8.0.38-2) UNRELEASED; urgency=medium
+tomcat8 (8.0.38-2) UNRELEASED; urgency=high
* Team upload.
- * CVE-2016-1240 follow-up: Fixed a race condition in the init.d script
- that could be exploited to make any existing file writable by the tomcat
- user. Thanks to Paul Szabo for the report and the fix.
+ * CVE-2016-1240 follow-up:
+ - The previous init.d fix was vulnerable to a race condition that could
+ be exploited to make any existing file writable by the tomcat user.
+ Thanks to Paul Szabo for the report and the fix.
+ - The catalina.policy file generated on startup was affected by a similar
+ vulnerability that could be exploited to overwrite any file on the system.
+ Thanks to Paul Szabo for the report.
* Install the extra jar catalina-jmx-remote.jar (Closes: #762916)
* Added the new libtomcat8-embed-java package containing the libraries
for embedding Tomcat into other applications.
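Review bot: the new catalina.policy bullet in the CVE-2016-1240 follow-up describes the vulnerability but not the remedy. The commit subject says the generated file moved to /var/lib/tomcat8/policy; naming that location in the entry would tell administrators who reference the old work/catalina.policy path what changed and where to look after the upgrade.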
diff --git a/debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch b/debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch
index 73feaa7..2b3c3e7 100644
--- a/debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch
+++ b/debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch
@@ -14,7 +14,7 @@ Forwarded: not-needed
-sourcepath "$CATALINA_HOME"/../../java \
-Djava.security.manager \
- -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \
-+ -Djava.security.policy=="$CATALINA_BASE"/work/catalina.policy \
++ -Djava.security.policy=="$CATALINA_BASE"/policy/catalina.policy \
-Dcatalina.base="$CATALINA_BASE" \
-Dcatalina.home="$CATALINA_HOME" \
-Djava.io.tmpdir="$CATALINA_TMPDIR" \
@@ -23,7 +23,7 @@ Forwarded: not-needed
-Djava.endorsed.dirs="\"$JAVA_ENDORSED_DIRS\"" -classpath "\"$CLASSPATH\"" \
-Djava.security.manager \
- -Djava.security.policy=="\"$CATALINA_BASE/conf/catalina.policy\"" \
-+ -Djava.security.policy=="\"$CATALINA_BASE/work/catalina.policy\"" \
++ -Djava.security.policy=="\"$CATALINA_BASE/policy/catalina.policy\"" \
-Dcatalina.base="\"$CATALINA_BASE\"" \
-Dcatalina.home="\"$CATALINA_HOME\"" \
-Djava.io.tmpdir="\"$CATALINA_TMPDIR\"" \
@@ -32,7 +32,7 @@ Forwarded: not-needed
-Djava.endorsed.dirs="\"$JAVA_ENDORSED_DIRS\"" -classpath "\"$CLASSPATH\"" \
-Djava.security.manager \
- -Djava.security.policy=="\"$CATALINA_BASE/conf/catalina.policy\"" \
-+ -Djava.security.policy=="\"$CATALINA_BASE/work/catalina.policy\"" \
++ -Djava.security.policy=="\"$CATALINA_BASE/policy/catalina.policy\"" \
-Dcatalina.base="\"$CATALINA_BASE\"" \
-Dcatalina.home="\"$CATALINA_HOME\"" \
-Djava.io.tmpdir="\"$CATALINA_TMPDIR\"" \
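Review bot: the literal policy/catalina.policy path is repeated in all three -Djava.security.policy== arguments of this patch, and again as POLICY_CACHE in debian/tomcat8.init, with nothing tying the copies together. The policy directory is only created by the init script's start branch, so catalina.sh launched any other way with the security manager enabled will point at a path that may not exist. A note in the patch header naming the init script as the producer of this file, or a single variable shared by both scripts, would keep the copies from drifting apart.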
diff --git a/debian/tomcat8.init b/debian/tomcat8.init
index 3442ead..ada099d 100644
--- a/debian/tomcat8.init
+++ b/debian/tomcat8.init
@@ -117,7 +117,7 @@ if [ ! -f "$CATALINA_HOME/bin/bootstrap.jar" ]; then
exit 1
fi
-POLICY_CACHE="$CATALINA_BASE/work/catalina.policy"
+POLICY_CACHE="$CATALINA_BASE/policy/catalina.policy"
if [ -z "$CATALINA_TMPDIR" ]; then
CATALINA_TMPDIR="$JVM_TMP"
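Review bot: the new POLICY_CACHE assignment carries no comment explaining why the file must live under policy/ rather than work/. The changelog ties the old location to a file-overwrite vulnerability, so a one-line comment above the assignment stating that this directory must not be writable by the tomcat user would keep a later cleanup from moving it back.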
@@ -201,6 +201,8 @@ case "$1" in
# Regenerate POLICY_CACHE file
umask 022
+ rm -rf "$CATALINA_BASE/policy"
+ mkdir "$CATALINA_BASE/policy"
echo "// AUTO-GENERATED FILE from /etc/tomcat8/policy.d/" \
> "$POLICY_CACHE"
echo "" >> "$POLICY_CACHE"
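Review bot: the results of the added rm -rf and mkdir are not checked before the following echo redirects into "$POLICY_CACHE". mkdir refuses to reuse an existing path, which is the property that protects the write, but if it fails for that or any other reason the script (unless it runs under set -e, which is not visible here) still goes on to write through whatever is at that path as root. Suggest `mkdir "$CATALINA_BASE/policy" || exit 1`, and deriving the directory from POLICY_CACHE instead of repeating the literal so the two cannot diverge. It would also help to state in a comment that the protection assumes "$CATALINA_BASE" itself is not writable by the tomcat user.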
diff --git a/debian/tomcat8.postrm.in b/debian/tomcat8.postrm.in
index 9343591..d25ce11 100644
--- a/debian/tomcat8.postrm.in
+++ b/debian/tomcat8.postrm.in
@@ -8,6 +8,7 @@ LR_CONFFILE=/etc/logrotate.d/tomcat8
# Remove cached files and auto-generated catalina.policy
rm -rf /var/cache/tomcat8/*
+rm -rf /var/lib/tomcat8/policy
case "$1" in
remove)
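Review bot: the added rm -rf hardcodes /var/lib/tomcat8/policy while the init script builds the directory from "$CATALINA_BASE/policy". If CATALINA_BASE is configured to anything other than /var/lib/tomcat8, the generated policy directory is left behind on removal. Either document that only the default base is cleaned, or resolve the path the same way the init script does. The line also sits before the case on "$1", so it runs for every postrm action; that matches the cache cleanup above it, but is worth confirming as intended.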
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git