[tomcat7] 03/04: CVE-2016-1240 follow-up

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Thu Oct 27 23:41:54 UTC 2016



ebourg-guest pushed a commit to branch master
in repository tomcat7.

commit ca2f40d56a1ffd21eb251d9ef25cc2f394c3a7e1
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Fri Oct 28 01:34:03 2016 +0200

    CVE-2016-1240 follow-up
---
 debian/changelog                                                   | 7 +++++++
 .../0009-Use-java.security.policy-file-in-catalina.sh.patch        | 6 +++---
 debian/tomcat7.init                                                | 7 +++++--
 debian/tomcat7.postrm.in                                           | 1 +
 4 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 8088a33..6389956 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,12 @@
 tomcat7 (7.0.72-2) UNRELEASED; urgency=medium
 
+  * CVE-2016-1240 follow-up:
+    - The previous init.d fix was vulnerable to a race condition that could
+      be exploited to make any existing file writable by the tomcat user.
+      Thanks to Paul Szabo for the report and the fix.
+    - The catalina.policy file generated on startup was affected by a similar
+      vulnerability that could be exploited to overwrite any file on the system.
+      Thanks to Paul Szabo for the report.
   * Hardened the init.d script, thanks to Paul Szabo
   * Switch to debhelper level 10
 
diff --git a/debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch b/debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch
index 7b34743..98a7eb3 100644
--- a/debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch
+++ b/debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch
@@ -19,7 +19,7 @@ Forwarded: not-needed
          -sourcepath "$CATALINA_HOME"/../../java \
          -Djava.security.manager \
 -        -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \
-+        -Djava.security.policy=="$CATALINA_BASE"/work/catalina.policy \
++        -Djava.security.policy=="$CATALINA_BASE"/policy/catalina.policy \
          -Dcatalina.base="$CATALINA_BASE" \
          -Dcatalina.home="$CATALINA_HOME" \
          -Djava.io.tmpdir="$CATALINA_TMPDIR" \
@@ -28,7 +28,7 @@ Forwarded: not-needed
        -Djava.endorsed.dirs="\"$JAVA_ENDORSED_DIRS\"" -classpath "\"$CLASSPATH\"" \
        -Djava.security.manager \
 -      -Djava.security.policy=="\"$CATALINA_BASE/conf/catalina.policy\"" \
-+      -Djava.security.policy=="\"$CATALINA_BASE/work/catalina.policy\"" \
++      -Djava.security.policy=="\"$CATALINA_BASE/policy/catalina.policy\"" \
        -Dcatalina.base="\"$CATALINA_BASE\"" \
        -Dcatalina.home="\"$CATALINA_HOME\"" \
        -Djava.io.tmpdir="\"$CATALINA_TMPDIR\"" \
@@ -37,7 +37,7 @@ Forwarded: not-needed
        -Djava.endorsed.dirs="\"$JAVA_ENDORSED_DIRS\"" -classpath "\"$CLASSPATH\"" \
        -Djava.security.manager \
 -      -Djava.security.policy=="\"$CATALINA_BASE/conf/catalina.policy\"" \
-+      -Djava.security.policy=="\"$CATALINA_BASE/work/catalina.policy\"" \
++      -Djava.security.policy=="\"$CATALINA_BASE/policy/catalina.policy\"" \
        -Dcatalina.base="\"$CATALINA_BASE\"" \
        -Dcatalina.home="\"$CATALINA_HOME\"" \
        -Djava.io.tmpdir="\"$CATALINA_TMPDIR\"" \
diff --git a/debian/tomcat7.init b/debian/tomcat7.init
index 37d670f..a9b588a 100644
--- a/debian/tomcat7.init
+++ b/debian/tomcat7.init
@@ -118,7 +118,7 @@ if [ ! -f "$CATALINA_HOME/bin/bootstrap.jar" ]; then
 	exit 1
 fi
 
-POLICY_CACHE="$CATALINA_BASE/work/catalina.policy"
+POLICY_CACHE="$CATALINA_BASE/policy/catalina.policy"
 
 if [ -z "$CATALINA_TMPDIR" ]; then
 	CATALINA_TMPDIR="$JVM_TMP"
@@ -171,7 +171,8 @@ catalina_sh() {
 	# Run the catalina.sh script as a daemon
 	set +e
 	if [ ! -f "$CATALINA_BASE"/logs/catalina.out ]; then
-		install -o $TOMCAT7_USER -g adm -m 644 /dev/null "$CATALINA_BASE"/logs/catalina.out
+		# run install as tomcat7 to work around #841371
+		su $TOMCAT7_USER -s /bin/bash -c "install -m 644 /dev/null $CATALINA_BASE/logs/catalina.out"
 	fi
 	install -o $TOMCAT7_USER -g adm -m 644 /dev/null "$CATALINA_PID"
 	start-stop-daemon --start -b -u "$TOMCAT7_USER" -g "$TOMCAT7_GROUP" \
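Review bot: In the new `su … -c` line, `$CATALINA_BASE` is expanded by the outer shell into the command string and then re-parsed unquoted by the inner bash, so a base path containing whitespace or glob characters breaks the command that the original, quoted `install` line handled correctly; the cleanest repair is to pass the path as an argument rather than splicing it into code, e.g. `su "$TOMCAT7_USER" -s /bin/bash -c 'install -m 644 /dev/null -- "$0/logs/catalina.out"' "$CATALINA_BASE"`, assuming the su on the target forwards trailing arguments to the shell as util-linux does. Since the value comes from the init script's own configuration rather than from the tomcat user, this is a robustness point, not an exposure. Running install as the tomcat user is the right fix, because a logs directory writable by that user is exactly where a root-run `install -o` could be redirected, but dropping `-g adm` also changes the group of a freshly created catalina.out to the tomcat user's primary group; that is harmless at mode 644 and is worth a line in the comment, `# created as tomcat7 (not root) so a symlink in logs/ cannot redirect the write; group is therefore tomcat7, not adm`. The `install … "$CATALINA_PID"` line just below still runs as root, which stays safe only while the PID file's directory remains root-owned. catalina_sh's body begins and continues outside the hunk.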
@@ -201,6 +202,8 @@ case "$1" in
 
 		# Regenerate POLICY_CACHE file
 		umask 022
+		rm -rf "$CATALINA_BASE/policy"
+		mkdir "$CATALINA_BASE/policy"
 		echo "// AUTO-GENERATED FILE from /etc/tomcat7/policy.d/" \
 			> "$POLICY_CACHE"
 		echo ""  >> "$POLICY_CACHE"
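Review bot: The added `mkdir "$CATALINA_BASE/policy"` has no failure check, so if it fails — most plausibly because the path was recreated between the `rm -rf` and the `mkdir` — the root-owned redirections to "$POLICY_CACHE" that follow still run against whatever the path now resolves to, which is the same class of problem this commit sets out to close; make the mkdir fatal, `mkdir "$CATALINA_BASE/policy" || exit 1`, unless `set -e` is already in force at this point of the script, which the hunk does not show. The protection also rests on `$CATALINA_BASE` itself being owned by root and not writable by $TOMCAT7_USER, because otherwise the new directory can be swapped out as easily as the old one under work/; a comment stating that assumption, `# policy/ is created by root under a root-owned CATALINA_BASE so the tomcat user cannot redirect the writes below`, would stop a later change from relaxing it. The enclosing `case "$1" in` starts outside the hunk.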
diff --git a/debian/tomcat7.postrm.in b/debian/tomcat7.postrm.in
index de35c3a..293ffde 100644
--- a/debian/tomcat7.postrm.in
+++ b/debian/tomcat7.postrm.in
@@ -8,6 +8,7 @@ LR_CONFFILE=/etc/logrotate.d/tomcat7
 
 # Remove cached files and auto-generated catalina.policy
 rm -rf /var/cache/tomcat7/*
+rm -rf /var/lib/tomcat7/policy
 
 case "$1" in
     remove)



