[tomcat7] 04/05: Fixed CVE-2016-6796: Security Manager Bypass
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Sun Oct 30 21:03:54 UTC 2016
This is an automated email from the git hooks/post-receive script.
ebourg-guest pushed a commit to branch jessie
in repository tomcat7.
commit 106644f8eeccf71648e9530ed736f32976fcbc4c
Author: Emmanuel Bourg <ebourg at apache.org>
Date: Sun Oct 30 18:52:26 2016 +0100
Fixed CVE-2016-6796: Security Manager Bypass
---
debian/changelog | 3 ++
debian/patches/CVE-2016-6796.patch | 92 ++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 96 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 5fea2c1..2527535 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,9 @@ tomcat7 (7.0.56-3+deb8u5) jessie-security; urgency=high
the SecurityManager. Tomcat's system property replacement feature for
configuration files could be used by a malicious web application to bypass
the SecurityManager and read system properties that should not be visible.
+ * Fixed CVE-2016-6796: A malicious web application was able to bypass
+ a configured SecurityManager via manipulation of the configuration
+ parameters for the JSP Servlet.
* Fixed CVE-2016-6797: The ResourceLinkFactory did not limit web application
access to global JNDI resources to those resources explicitly linked to the
web application. Therefore, it was possible for a web application to access
diff --git a/debian/patches/CVE-2016-6796.patch b/debian/patches/CVE-2016-6796.patch
new file mode 100644
index 0000000..5ea9a01
--- /dev/null
+++ b/debian/patches/CVE-2016-6796.patch
@@ -0,0 +1,92 @@
+Description: Fixes CVE-2016-6796: A malicious web application was able to bypass
+ a configured SecurityManager via manipulation of the configuration parameters
+ for the JSP Servlet.
+Origin: backport, https://svn.apache.org/r1758495
+--- a/conf/web.xml
++++ b/conf/web.xml
+@@ -162,6 +162,8 @@
+ <!-- engineOptionsClass Allows specifying the Options class used to -->
+ <!-- configure Jasper. If not present, the default -->
+ <!-- EmbeddedServletOptions will be used. -->
++ <!-- This option is ignored when running under a -->
++ <!-- SecurityManager. -->
+ <!-- -->
+ <!-- errorOnUseBeanInvalidClassAttribute -->
+ <!-- Should Jasper issue an error when the value of -->
+@@ -223,6 +225,8 @@
+ <!-- scratchdir What scratch directory should we use when -->
+ <!-- compiling JSP pages? [default work directory -->
+ <!-- for the current web application] -->
++ <!-- This option is ignored when running under a -->
++ <!-- SecurityManager. -->
+ <!-- -->
+ <!-- suppressSmap Should the generation of SMAP info for JSR45 -->
+ <!-- debugging be suppressed? [false] -->
+--- a/java/org/apache/jasper/EmbeddedServletOptions.java
++++ b/java/org/apache/jasper/EmbeddedServletOptions.java
+@@ -635,6 +635,10 @@
+ * scratchdir
+ */
+ String dir = config.getInitParameter("scratchdir");
++ if (dir != null && Constants.IS_SECURITY_ENABLED) {
++ log.info(Localizer.getMessage("jsp.info.ignoreSetting", "scratchdir", dir));
++ dir = null;
++ }
+ if (dir != null) {
+ scratchDir = new File(dir);
+ } else {
+--- a/java/org/apache/jasper/resources/LocalStrings.properties
++++ b/java/org/apache/jasper/resources/LocalStrings.properties
+@@ -454,6 +454,7 @@
+ jsp.error.invalid.bean=The value for the useBean class attribute {0} is invalid.
+ jsp.error.prefix.use_before_dcl=The prefix {0} specified in this tag directive has been previously used by an action in file {1} line {2}.
+ jsp.error.lastModified=Unable to determine last modified date for file [{0}]
++jsp.info.ignoreSetting=Ignored setting for [{0}] of [{1}] because a SecurityManager was enabled
+
+ jsp.exception=An exception occurred processing JSP page {0} at line {1}
+
+--- a/java/org/apache/jasper/servlet/JspServlet.java
++++ b/java/org/apache/jasper/servlet/JspServlet.java
+@@ -71,8 +71,8 @@
+ private ServletConfig config;
+ private transient Options options;
+ private transient JspRuntimeContext rctxt;
+- //jspFile for a jsp configured explicitly as a servlet, in environments where this configuration is
+- //translated into an init-param for this servlet.
++ // jspFile for a jsp configured explicitly as a servlet, in environments where this
++ // configuration is translated into an init-param for this servlet.
+ private String jspFile;
+
+
+@@ -90,6 +90,11 @@
+ // Check for a custom Options implementation
+ String engineOptionsName =
+ config.getInitParameter("engineOptionsClass");
++ if (Constants.IS_SECURITY_ENABLED && engineOptionsName != null) {
++ log.info(Localizer.getMessage(
++ "jsp.info.ignoreSetting", "engineOptionsClass", engineOptionsName));
++ engineOptionsName = null;
++ }
+ if (engineOptionsName != null) {
+ // Instantiate the indicated Options implementation
+ try {
+--- a/webapps/docs/jasper-howto.xml
++++ b/webapps/docs/jasper-howto.xml
+@@ -132,7 +132,7 @@
+
+ <li><strong>engineOptionsClass</strong> - Allows specifying the Options class
+ used to configure Jasper. If not present, the default EmbeddedServletOptions
+-will be used.
++will be used. This option is ignored if running under a SecurityManager.
+ </li>
+
+ <li><strong>errorOnUseBeanInvalidClassAttribute</strong> - Should Jasper issue
+@@ -185,7 +185,7 @@
+
+ <li><strong>scratchdir</strong> - What scratch directory should we use when
+ compiling JSP pages? Default is the work directory for the current web
+-application.</li>
++application. This option is ignored if running under a SecurityManager.</li>
+
+ <li><strong>suppressSmap</strong> - Should the generation of SMAP info for JSR45
+ debugging be suppressed? <code>true</code> or <code>false</code>, default
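Review bot: The two guards that discard a web-application-supplied `scratchdir` (EmbeddedServletOptions.java) and `engineOptionsClass` (JspServlet.java) when a SecurityManager is active record the event only with `log.info(...)`, so the exact condition this CVE fix exists to block leaves no entry at a level operators usually watch. A non-null value for either parameter while `Constants.IS_SECURITY_ENABLED` is true indicates a deployment descriptor trying to override sandbox-relevant settings, so consider `log.warn(Localizer.getMessage("jsp.info.ignoreSetting", "scratchdir", dir));` and the matching line for `engineOptionsClass`, keeping the message key as backported so the LocalStrings entry still resolves. The two conditions are also written in opposite operand order (`dir != null && Constants.IS_SECURITY_ENABLED` versus `Constants.IS_SECURITY_ENABLED && engineOptionsName != null`); aligning them is a small readability gain. The enclosing methods in both Java files start and end outside the nested hunks, so whether the rejected value is surfaced anywhere else cannot be confirmed from this patch alone.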
diff --git a/debian/patches/series b/debian/patches/series
index 296cb13..47e1378 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -29,4 +29,5 @@ CVE-2016-0763.patch
CVE-2016-3092.patch
CVE-2016-5018.patch
CVE-2016-6794.patch
+CVE-2016-6796.patch
CVE-2016-6797.patch