[tomcat7] 03/04: CVE-2016-1240 follow-up
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Thu Oct 27 23:41:54 UTC 2016
This is an automated email from the git hooks/post-receive script.
ebourg-guest pushed a commit to branch master
in repository tomcat7.
commit ca2f40d56a1ffd21eb251d9ef25cc2f394c3a7e1
Author: Emmanuel Bourg <ebourg at apache.org>
Date: Fri Oct 28 01:34:03 2016 +0200
CVE-2016-1240 follow-up
---
debian/changelog | 7 +++++++
.../0009-Use-java.security.policy-file-in-catalina.sh.patch | 6 +++---
debian/tomcat7.init | 7 +++++--
debian/tomcat7.postrm.in | 1 +
4 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 8088a33..6389956 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,12 @@
tomcat7 (7.0.72-2) UNRELEASED; urgency=medium
+ * CVE-2016-1240 follow-up:
+ - The previous init.d fix was vulnerable to a race condition that could
+ be exploited to make any existing file writable by the tomcat user.
+ Thanks to Paul Szabo for the report and the fix.
+ - The catalina.policy file generated on startup was affected by a similar
+ vulnerability that could be exploited to overwrite any file on the system.
+ Thanks to Paul Szabo for the report.
* Hardened the init.d script, thanks to Paul Szabo
* Switch to debhelper level 10
diff --git a/debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch b/debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch
index 7b34743..98a7eb3 100644
--- a/debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch
+++ b/debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch
@@ -19,7 +19,7 @@ Forwarded: not-needed
-sourcepath "$CATALINA_HOME"/../../java \
-Djava.security.manager \
- -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \
-+ -Djava.security.policy=="$CATALINA_BASE"/work/catalina.policy \
++ -Djava.security.policy=="$CATALINA_BASE"/policy/catalina.policy \
-Dcatalina.base="$CATALINA_BASE" \
-Dcatalina.home="$CATALINA_HOME" \
-Djava.io.tmpdir="$CATALINA_TMPDIR" \
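Review bot: The new location `"$CATALINA_BASE"/policy/catalina.policy` is written out three times (this hunk and the @@ -28 and @@ -37 hunks, one per catalina.sh launch branch) and has to agree with `POLICY_CACHE` in debian/tomcat7.init, but nothing in the patch records that coupling. A sentence in the patch's DEP-3 header, whose only visible field is `Forwarded: not-needed` above the hunk, would prevent the next relocation being done in one place only: `The path must match POLICY_CACHE in debian/tomcat7.init, which regenerates the file at service start.` The pre-existing double `==` appears to make this file the JVM's sole policy source, so it is worth stating in the same header that the file must exist before catalina.sh is run with the security manager enabled; I cannot confirm from here what the JVM does when it is missing.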
@@ -28,7 +28,7 @@ Forwarded: not-needed
-Djava.endorsed.dirs="\"$JAVA_ENDORSED_DIRS\"" -classpath "\"$CLASSPATH\"" \
-Djava.security.manager \
- -Djava.security.policy=="\"$CATALINA_BASE/conf/catalina.policy\"" \
-+ -Djava.security.policy=="\"$CATALINA_BASE/work/catalina.policy\"" \
++ -Djava.security.policy=="\"$CATALINA_BASE/policy/catalina.policy\"" \
-Dcatalina.base="\"$CATALINA_BASE\"" \
-Dcatalina.home="\"$CATALINA_HOME\"" \
-Djava.io.tmpdir="\"$CATALINA_TMPDIR\"" \
@@ -37,7 +37,7 @@ Forwarded: not-needed
-Djava.endorsed.dirs="\"$JAVA_ENDORSED_DIRS\"" -classpath "\"$CLASSPATH\"" \
-Djava.security.manager \
- -Djava.security.policy=="\"$CATALINA_BASE/conf/catalina.policy\"" \
-+ -Djava.security.policy=="\"$CATALINA_BASE/work/catalina.policy\"" \
++ -Djava.security.policy=="\"$CATALINA_BASE/policy/catalina.policy\"" \
-Dcatalina.base="\"$CATALINA_BASE\"" \
-Dcatalina.home="\"$CATALINA_HOME\"" \
-Djava.io.tmpdir="\"$CATALINA_TMPDIR\"" \
diff --git a/debian/tomcat7.init b/debian/tomcat7.init
index 37d670f..a9b588a 100644
--- a/debian/tomcat7.init
+++ b/debian/tomcat7.init
@@ -118,7 +118,7 @@ if [ ! -f "$CATALINA_HOME/bin/bootstrap.jar" ]; then
exit 1
fi
-POLICY_CACHE="$CATALINA_BASE/work/catalina.policy"
+POLICY_CACHE="$CATALINA_BASE/policy/catalina.policy"
if [ -z "$CATALINA_TMPDIR" ]; then
CATALINA_TMPDIR="$JVM_TMP"
@@ -171,7 +171,8 @@ catalina_sh() {
# Run the catalina.sh script as a daemon
set +e
if [ ! -f "$CATALINA_BASE"/logs/catalina.out ]; then
- install -o $TOMCAT7_USER -g adm -m 644 /dev/null "$CATALINA_BASE"/logs/catalina.out
+ # run install as tomcat7 to work around #841371
+ su $TOMCAT7_USER -s /bin/bash -c "install -m 644 /dev/null $CATALINA_BASE/logs/catalina.out"
fi
install -o $TOMCAT7_USER -g adm -m 644 /dev/null "$CATALINA_PID"
start-stop-daemon --start -b -u "$TOMCAT7_USER" -g "$TOMCAT7_GROUP" \
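Review bot: In the new `su ... -c` line `$CATALINA_BASE` is expanded unquoted inside the command string that the child bash re-parses, so a base path containing whitespace or shell metacharacters is split or interpreted there, whereas the removed line and the `-f` test two lines above pass it as one quoted word. Quoting it within the string, `su $TOMCAT7_USER -s /bin/bash -c "install -m 644 /dev/null '$CATALINA_BASE/logs/catalina.out'"`, keeps the path intact (the value comes from root-controlled configuration, so this is robustness rather than an injection vector). The rewrite also drops `-g adm`: install without `-g` uses the process's current group, so a freshly created catalina.out now belongs to tomcat7's primary group instead of adm, which the comment should say, e.g. `# run install as tomcat7 to work around #841371; file gets tomcat7's group, not adm (mode 644 keeps it readable)`. catalina_sh() begins before this hunk.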
@@ -201,6 +202,8 @@ case "$1" in
# Regenerate POLICY_CACHE file
umask 022
+ rm -rf "$CATALINA_BASE/policy"
+ mkdir "$CATALINA_BASE/policy"
echo "// AUTO-GENERATED FILE from /etc/tomcat7/policy.d/" \
> "$POLICY_CACHE"
echo "" >> "$POLICY_CACHE"
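Review bot: The added `mkdir "$CATALINA_BASE/policy"` is unchecked, so if the `rm -rf` or the `mkdir` fails the `echo ... > "$POLICY_CACHE"` that follows either writes through whatever still exists at that path or fails silently, and Tomcat is started with a stale or missing policy file; whether this branch is still under the `set +e` from the earlier hunk I cannot tell from here. `mkdir "$CATALINA_BASE/policy" || exit 1` closes that gap, and `rm -rf "${CATALINA_BASE:?}/policy"` stops an empty CATALINA_BASE from turning the removal into `rm -rf /policy`. A why-comment would also help, since the umask line is the only hint at the intent: `# Recreate the directory as root under umask 022 so the tomcat user (presumably able to write under work/) cannot pre-place a symlink at $POLICY_CACHE`. The matching POLICY_CACHE change in the @@ -118 hunk is consistent with the patched catalina.sh path.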
diff --git a/debian/tomcat7.postrm.in b/debian/tomcat7.postrm.in
index de35c3a..293ffde 100644
--- a/debian/tomcat7.postrm.in
+++ b/debian/tomcat7.postrm.in
@@ -8,6 +8,7 @@ LR_CONFFILE=/etc/logrotate.d/tomcat7
# Remove cached files and auto-generated catalina.policy
rm -rf /var/cache/tomcat7/*
+rm -rf /var/lib/tomcat7/policy
case "$1" in
remove)
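Review bot: The new `rm -rf /var/lib/tomcat7/policy` hardcodes the base directory, whereas the init script derives the same directory from `$CATALINA_BASE`, so a relocated CATALINA_BASE would leave the generated policy directory behind on purge. That mirrors the hardcoded `/var/cache/tomcat7/*` on the line above, so it is consistent with the file's existing style, but the comment should state the assumption: `# Remove cached files and the auto-generated catalina.policy (assumes the default CATALINA_BASE)`. The `case` statement begins at the end of the hunk and continues outside it.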