[tomcat7] 02/05: Fixed CVE-2016-5018: Security Manager Bypass

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Sun Oct 30 21:03:54 UTC 2016 

This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch jessie
in repository tomcat7.

commit 92e560741d4f93d002946cd33e3be189ba966f85
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Sun Oct 30 16:37:07 2016 +0100

    Fixed CVE-2016-5018: Security Manager Bypass
---
 debian/changelog                   |   3 ++
 debian/patches/CVE-2016-5018.patch | 100 +++++++++++++++++++++++++++++++++++++
 debian/patches/series              |   1 +
 3 files changed, 104 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index bebc993..4e9c9a8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,8 @@
 tomcat7 (7.0.56-3+deb8u5) jessie-security; urgency=high
 
+  * Fixed CVE-2016-5018: A malicious web application was able to bypass
+    a configured SecurityManager via a Tomcat utility method that was
+    accessible to web applications.
   * Fixed CVE-2016-6794: When a SecurityManager is configured, a web
     application's ability to read system properties should be controlled by
     the SecurityManager. Tomcat's system property replacement feature for
diff --git a/debian/patches/CVE-2016-5018.patch b/debian/patches/CVE-2016-5018.patch
new file mode 100644
index 0000000..0666882
--- /dev/null
+++ b/debian/patches/CVE-2016-5018.patch
@@ -0,0 +1,100 @@
+Description: Fixes CVE-2016-5018: A malicious web application was able to bypass
+ a configured SecurityManager via a Tomcat utility method that was accessible to
+ web applications.
+Origin: backport, http://svn.apache.org/r1754902
+--- a/java/org/apache/jasper/runtime/JspRuntimeLibrary.java
++++ b/java/org/apache/jasper/runtime/JspRuntimeLibrary.java
+@@ -14,7 +14,6 @@
+  * See the License for the specific language governing permissions and
+  * limitations under the License.
+  */
+-
+ package org.apache.jasper.runtime;
+ 
+ import java.beans.PropertyEditor;
+@@ -23,9 +22,6 @@
+ import java.io.IOException;
+ import java.io.OutputStreamWriter;
+ import java.lang.reflect.Method;
+-import java.security.AccessController;
+-import java.security.PrivilegedActionException;
+-import java.security.PrivilegedExceptionAction;
+ import java.util.Enumeration;
+ 
+ import javax.servlet.RequestDispatcher;
+@@ -37,7 +33,6 @@
+ import javax.servlet.jsp.PageContext;
+ import javax.servlet.jsp.tagext.BodyContent;
+ 
+-import org.apache.jasper.Constants;
+ import org.apache.jasper.JasperException;
+ import org.apache.jasper.compiler.Localizer;
+ import org.apache.jasper.util.ExceptionUtils;
+@@ -56,36 +51,6 @@
+  */
+ public class JspRuntimeLibrary {
+     
+-    protected static class PrivilegedIntrospectHelper
+-        implements PrivilegedExceptionAction<Void> {
+-
+-        private Object bean;
+-        private String prop;
+-        private String value;
+-        private ServletRequest request;
+-        private String param;
+-        private boolean ignoreMethodNF;
+-
+-        PrivilegedIntrospectHelper(Object bean, String prop,
+-                                   String value, ServletRequest request,
+-                                   String param, boolean ignoreMethodNF)
+-        {
+-            this.bean = bean;
+-            this.prop = prop;
+-            this.value = value;
+-            this.request = request;
+-            this.param = param;
+-            this.ignoreMethodNF = ignoreMethodNF;
+-        }
+-         
+-        @Override
+-        public Void run() throws JasperException {
+-            internalIntrospecthelper(
+-                bean,prop,value,request,param,ignoreMethodNF);
+-            return null;
+-        }
+-    }
+-
+     /**
+      * Returns the value of the javax.servlet.error.exception request
+      * attribute value, if present, otherwise the value of the
+@@ -290,29 +255,7 @@
+     public static void introspecthelper(Object bean, String prop,
+                                         String value, ServletRequest request,
+                                         String param, boolean ignoreMethodNF)
+-                                        throws JasperException
+-    {
+-        if( Constants.IS_SECURITY_ENABLED ) {
+-            try {
+-                PrivilegedIntrospectHelper dp =
+-                    new PrivilegedIntrospectHelper(
+-                        bean,prop,value,request,param,ignoreMethodNF);
+-                AccessController.doPrivileged(dp);
+-            } catch( PrivilegedActionException pe) {
+-                Exception e = pe.getException();
+-                throw (JasperException)e;
+-            }
+-        } else {
+-            internalIntrospecthelper(
+-                bean,prop,value,request,param,ignoreMethodNF);
+-        }
+-    }
+-
+-    private static void internalIntrospecthelper(Object bean, String prop,
+-                                        String value, ServletRequest request,
+-                                        String param, boolean ignoreMethodNF) 
+-                                        throws JasperException
+-    {
++                                        throws JasperException {
+         Method method = null;
+         Class<?> type = null;
+         Class<?> propertyEditorClass = null;
diff --git a/debian/patches/series b/debian/patches/series
index 5e47fd9..1ad4cc7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -27,4 +27,5 @@ CVE-2016-0706.patch
 CVE-2016-0714.patch
 CVE-2016-0763.patch
 CVE-2016-3092.patch
+CVE-2016-5018.patch
 CVE-2016-6794.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git

More information about the pkg-java-commits mailing list