[tomcat7] 01/05: Fixed CVE-2016-6794: System Property Disclosure

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Sun Oct 30 21:03:54 UTC 2016


This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch jessie
in repository tomcat7.

commit 1f7d198d5d8ea64a565f55011d80416902b6505f
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Sun Oct 30 15:24:45 2016 +0100

    Fixed CVE-2016-6794: System Property Disclosure
---
 debian/changelog                   |   5 ++
 debian/patches/CVE-2016-6794.patch | 137 +++++++++++++++++++++++++++++++++++++
 debian/patches/series              |   1 +
 3 files changed, 143 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index e9d2746..bebc993 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,10 @@
 tomcat7 (7.0.56-3+deb8u5) jessie-security; urgency=high
 
+  * Fixed CVE-2016-6794: When a SecurityManager is configured, a web
+    application's ability to read system properties should be controlled by
+    the SecurityManager. Tomcat's system property replacement feature for
+    configuration files could be used by a malicious web application to bypass
+    the SecurityManager and read system properties that should not be visible.
   * CVE-2016-1240 follow-up:
     - The previous init.d fix was vulnerable to a race condition that could
       be exploited to make any existing file writable by the tomcat user.
diff --git a/debian/patches/CVE-2016-6794.patch b/debian/patches/CVE-2016-6794.patch
new file mode 100644
index 0000000..b8326b1
--- /dev/null
+++ b/debian/patches/CVE-2016-6794.patch
@@ -0,0 +1,137 @@
+Description: Fixes CVE-2016-6794: When a SecurityManager is configured, a web
+ application's ability to read system properties should be controlled by the
+ SecurityManager. Tomcat's system property replacement feature for configuration
+ files could be used by a malicious web application to bypass the SecurityManager
+ and read system properties that should not be visible.
+Origin: backport, https://svn.apache.org/r1754728
+--- a/java/org/apache/catalina/loader/WebappClassLoader.java
++++ b/java/org/apache/catalina/loader/WebappClassLoader.java
+@@ -79,6 +79,7 @@
+ import org.apache.tomcat.util.ExceptionUtils;
+ import org.apache.tomcat.util.IntrospectionUtils;
+ import org.apache.tomcat.util.res.StringManager;
++import org.apache.tomcat.util.security.PermissionCheck;
+ 
+ /**
+  * Specialized web application class loader.
+@@ -123,7 +124,7 @@
+  */
+ public class WebappClassLoader
+     extends URLClassLoader
+-    implements Lifecycle
++    implements Lifecycle, PermissionCheck
+  {
+ 
+     private static final org.apache.juli.logging.Log log=
+@@ -1753,6 +1754,27 @@
+     }
+ 
+ 
++    @Override
++    public boolean check(Permission permission) {
++        if (!Globals.IS_SECURITY_ENABLED) {
++            return true;
++        }
++        Policy currentPolicy = Policy.getPolicy();
++        if (currentPolicy != null) {
++            ResourceEntry entry = findResourceInternal("/", "/");
++            if (entry != null) {
++                CodeSource cs = new CodeSource(
++                        entry.codeBase, (java.security.cert.Certificate[]) null);
++                PermissionCollection pc = currentPolicy.getPermissions(cs);
++                if (pc.implies(permission)) {
++                    return true;
++                }
++            }
++        }
++        return false;
++    }
++
++
+     /**
+      * Returns the search path of URLs for loading classes and resources.
+      * This includes the original list of URLs specified to the constructor,
+--- a/java/org/apache/tomcat/util/digester/Digester.java
++++ b/java/org/apache/tomcat/util/digester/Digester.java
+@@ -26,11 +26,13 @@
+ import java.lang.reflect.InvocationTargetException;
+ import java.net.URI;
+ import java.net.URISyntaxException;
++import java.security.Permission;
+ import java.util.EmptyStackException;
+ import java.util.HashMap;
+ import java.util.Iterator;
+ import java.util.List;
+ import java.util.Map;
++import java.util.PropertyPermission;
+ 
+ import javax.xml.parsers.ParserConfigurationException;
+ import javax.xml.parsers.SAXParser;
+@@ -40,6 +42,7 @@
+ import org.apache.juli.logging.LogFactory;
+ import org.apache.tomcat.util.ExceptionUtils;
+ import org.apache.tomcat.util.IntrospectionUtils;
++import org.apache.tomcat.util.security.PermissionCheck;
+ import org.xml.sax.Attributes;
+ import org.xml.sax.EntityResolver;
+ import org.xml.sax.ErrorHandler;
+@@ -81,6 +84,13 @@
+         implements IntrospectionUtils.PropertySource {
+         @Override
+         public String getProperty( String key ) {
++            ClassLoader cl = Thread.currentThread().getContextClassLoader();
++            if (cl instanceof PermissionCheck) {
++                Permission p = new PropertyPermission(key, "read");
++                if (!((PermissionCheck) cl).check(p)) {
++                    return null;
++                }
++            }
+             return System.getProperty(key);
+         }
+     }
+--- /dev/null
++++ b/java/org/apache/tomcat/util/security/PermissionCheck.java
+@@ -0,0 +1,43 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements.  See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License.  You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.tomcat.util.security;
++
++import java.security.Permission;
++
++/**
++ * This interface is implemented by components to enable privileged code to
++ * check whether the component has a given permission.
++ * This is typically used when a privileged component (e.g. the container) is
++ * performing an action on behalf of an untrusted component (e.g. a web
++ * application) without the current thread having passed through a code source
++ * provided by the untrusted component. Because the current thread has not
++ * passed through a code source provided by the untrusted component the
++ * SecurityManager assumes the code is trusted so the standard checking
++ * mechanisms can't be used.
++ */
++public interface PermissionCheck {
++
++    /**
++     * Does this component have the given permission?
++     *
++     * @param permission The permission to test
++     *
++     * @return {@code false} if a SecurityManager is enabled and the component
++     *         does not have the given permission, otherwise {@code false}
++     */
++    boolean check(Permission permission);
++}
diff --git a/debian/patches/series b/debian/patches/series
index da20b83..5e47fd9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -27,3 +27,4 @@ CVE-2016-0706.patch
 CVE-2016-0714.patch
 CVE-2016-0763.patch
 CVE-2016-3092.patch
+CVE-2016-6794.patch



