[tomcat7] 02/05: Fixed CVE-2016-5018: Security Manager Bypass
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Sun Oct 30 21:03:54 UTC 2016
This is an automated email from the git hooks/post-receive script.
ebourg-guest pushed a commit to branch jessie
in repository tomcat7.
commit 92e560741d4f93d002946cd33e3be189ba966f85
Author: Emmanuel Bourg <ebourg at apache.org>
Date: Sun Oct 30 16:37:07 2016 +0100
Fixed CVE-2016-5018: Security Manager Bypass
---
debian/changelog | 3 ++
debian/patches/CVE-2016-5018.patch | 100 +++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 104 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index bebc993..4e9c9a8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,8 @@
tomcat7 (7.0.56-3+deb8u5) jessie-security; urgency=high
+ * Fixed CVE-2016-5018: A malicious web application was able to bypass
+ a configured SecurityManager via a Tomcat utility method that was
+ accessible to web applications.
* Fixed CVE-2016-6794: When a SecurityManager is configured, a web
application's ability to read system properties should be controlled by
the SecurityManager. Tomcat's system property replacement feature for
diff --git a/debian/patches/CVE-2016-5018.patch b/debian/patches/CVE-2016-5018.patch
new file mode 100644
index 0000000..0666882
--- /dev/null
+++ b/debian/patches/CVE-2016-5018.patch
@@ -0,0 +1,100 @@
+Description: Fixes CVE-2016-5018: A malicious web application was able to bypass
+ a configured SecurityManager via a Tomcat utility method that was accessible to
+ web applications.
+Origin: backport, http://svn.apache.org/r1754902
+--- a/java/org/apache/jasper/runtime/JspRuntimeLibrary.java
++++ b/java/org/apache/jasper/runtime/JspRuntimeLibrary.java
+@@ -14,7 +14,6 @@
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-
+ package org.apache.jasper.runtime;
+
+ import java.beans.PropertyEditor;
+@@ -23,9 +22,6 @@
+ import java.io.IOException;
+ import java.io.OutputStreamWriter;
+ import java.lang.reflect.Method;
+-import java.security.AccessController;
+-import java.security.PrivilegedActionException;
+-import java.security.PrivilegedExceptionAction;
+ import java.util.Enumeration;
+
+ import javax.servlet.RequestDispatcher;
+@@ -37,7 +33,6 @@
+ import javax.servlet.jsp.PageContext;
+ import javax.servlet.jsp.tagext.BodyContent;
+
+-import org.apache.jasper.Constants;
+ import org.apache.jasper.JasperException;
+ import org.apache.jasper.compiler.Localizer;
+ import org.apache.jasper.util.ExceptionUtils;
+@@ -56,36 +51,6 @@
+ */
+ public class JspRuntimeLibrary {
+
+- protected static class PrivilegedIntrospectHelper
+- implements PrivilegedExceptionAction<Void> {
+-
+- private Object bean;
+- private String prop;
+- private String value;
+- private ServletRequest request;
+- private String param;
+- private boolean ignoreMethodNF;
+-
+- PrivilegedIntrospectHelper(Object bean, String prop,
+- String value, ServletRequest request,
+- String param, boolean ignoreMethodNF)
+- {
+- this.bean = bean;
+- this.prop = prop;
+- this.value = value;
+- this.request = request;
+- this.param = param;
+- this.ignoreMethodNF = ignoreMethodNF;
+- }
+-
+- @Override
+- public Void run() throws JasperException {
+- internalIntrospecthelper(
+- bean,prop,value,request,param,ignoreMethodNF);
+- return null;
+- }
+- }
+-
+ /**
+ * Returns the value of the javax.servlet.error.exception request
+ * attribute value, if present, otherwise the value of the
+@@ -290,29 +255,7 @@
+ public static void introspecthelper(Object bean, String prop,
+ String value, ServletRequest request,
+ String param, boolean ignoreMethodNF)
+- throws JasperException
+- {
+- if( Constants.IS_SECURITY_ENABLED ) {
+- try {
+- PrivilegedIntrospectHelper dp =
+- new PrivilegedIntrospectHelper(
+- bean,prop,value,request,param,ignoreMethodNF);
+- AccessController.doPrivileged(dp);
+- } catch( PrivilegedActionException pe) {
+- Exception e = pe.getException();
+- throw (JasperException)e;
+- }
+- } else {
+- internalIntrospecthelper(
+- bean,prop,value,request,param,ignoreMethodNF);
+- }
+- }
+-
+- private static void internalIntrospecthelper(Object bean, String prop,
+- String value, ServletRequest request,
+- String param, boolean ignoreMethodNF)
+- throws JasperException
+- {
++ throws JasperException {
+ Method method = null;
+ Class<?> type = null;
+ Class<?> propertyEditorClass = null;
diff --git a/debian/patches/series b/debian/patches/series
index 5e47fd9..1ad4cc7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -27,4 +27,5 @@ CVE-2016-0706.patch
CVE-2016-0714.patch
CVE-2016-0763.patch
CVE-2016-3092.patch
+CVE-2016-5018.patch
CVE-2016-6794.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git
More information about the pkg-java-commits
mailing list