packages: tomcat/tomcat-CVE-2008-5515.patch (NEW), tomcat/tomcat-CVE-2009-0...
pawelz
pawelz at pld-linux.org
Tue Jun 9 20:09:02 CEST 2009
Author: pawelz Date: Tue Jun 9 18:09:02 2009 GMT
Module: packages Tag: HEAD
---- Log message:
- backported from svn trunk.
---- Files affected:
packages/tomcat:
tomcat-CVE-2008-5515.patch (NONE -> 1.1) (NEW)
packages/tomcat:
tomcat-CVE-2009-0033.patch (NONE -> 1.1) (NEW)
packages/tomcat:
tomcat-CVE-2009-0580.patch (NONE -> 1.1) (NEW)
packages/tomcat:
tomcat-CVE-2009-0781.patch (NONE -> 1.1) (NEW)
packages/tomcat:
tomcat-CVE-2009-0783.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: packages/tomcat/tomcat-CVE-2008-5515.patch
diff -u /dev/null packages/tomcat/tomcat-CVE-2008-5515.patch:1.1
--- /dev/null Tue Jun 9 20:09:02 2009
+++ packages/tomcat/tomcat-CVE-2008-5515.patch Tue Jun 9 20:08:57 2009
@@ -0,0 +1,394 @@
+Index: container/catalina/src/share/org/apache/naming/resources/FileDirContext.java
+===================================================================
+--- container/catalina/src/share/org/apache/naming/resources/FileDirContext.java (wersja 782756)
++++ container/catalina/src/share/org/apache/naming/resources/FileDirContext.java (wersja 782757)
+@@ -37,6 +37,7 @@
+ import javax.naming.directory.ModificationItem;
+ import javax.naming.directory.SearchControls;
+
++import org.apache.catalina.util.RequestUtil;
+ import org.apache.naming.NamingContextBindingsEnumeration;
+ import org.apache.naming.NamingContextEnumeration;
+ import org.apache.naming.NamingEntry;
+@@ -773,50 +774,10 @@
+ */
+ protected String normalize(String path) {
+
+- String normalized = path;
++ return RequestUtil.normalize(path, File.separatorChar == '\\');
+
+- // Normalize the slashes and add leading slash if necessary
+- if (File.separatorChar == '\\' && normalized.indexOf('\\') >= 0)
+- normalized = normalized.replace('\\', '/');
+- if (!normalized.startsWith("/"))
+- normalized = "/" + normalized;
+-
+- // Resolve occurrences of "//" in the normalized path
+- while (true) {
+- int index = normalized.indexOf("//");
+- if (index < 0)
+- break;
+- normalized = normalized.substring(0, index) +
+- normalized.substring(index + 1);
+ }
+
+- // Resolve occurrences of "/./" in the normalized path
+- while (true) {
+- int index = normalized.indexOf("/./");
+- if (index < 0)
+- break;
+- normalized = normalized.substring(0, index) +
+- normalized.substring(index + 2);
+- }
+-
+- // Resolve occurrences of "/../" in the normalized path
+- while (true) {
+- int index = normalized.indexOf("/../");
+- if (index < 0)
+- break;
+- if (index == 0)
+- return (null); // Trying to go outside our context
+- int index2 = normalized.lastIndexOf('/', index - 1);
+- normalized = normalized.substring(0, index2) +
+- normalized.substring(index + 3);
+- }
+-
+- // Return the normalized path that we have completed
+- return (normalized);
+-
+- }
+-
+-
+ /**
+ * Return a File object representing the specified normalized
+ * context-relative path if it exists and is readable. Otherwise,
+Index: container/catalina/src/share/org/apache/catalina/core/ApplicationHttpRequest.java
+===================================================================
+--- container/catalina/src/share/org/apache/catalina/core/ApplicationHttpRequest.java (wersja 782756)
++++ container/catalina/src/share/org/apache/catalina/core/ApplicationHttpRequest.java (wersja 782757)
+@@ -318,10 +318,9 @@
+ int pos = requestPath.lastIndexOf('/');
+ String relative = null;
+ if (pos >= 0) {
+- relative = RequestUtil.normalize
+- (requestPath.substring(0, pos + 1) + path);
++ relative = requestPath.substring(0, pos + 1) + path;
+ } else {
+- relative = RequestUtil.normalize(requestPath + path);
++ relative = requestPath + path;
+ }
+
+ return (context.getServletContext().getRequestDispatcher(relative));
+Index: container/catalina/src/share/org/apache/catalina/core/ApplicationContext.java
+===================================================================
+--- container/catalina/src/share/org/apache/catalina/core/ApplicationContext.java (wersja 782756)
++++ container/catalina/src/share/org/apache/catalina/core/ApplicationContext.java (wersja 782757)
+@@ -43,6 +43,7 @@
+ import org.apache.catalina.Wrapper;
+ import org.apache.catalina.deploy.ApplicationParameter;
+ import org.apache.catalina.util.Enumerator;
++import org.apache.catalina.util.RequestUtil;
+ import org.apache.catalina.util.ResourceSet;
+ import org.apache.catalina.util.ServerInfo;
+ import org.apache.catalina.util.StringManager;
+@@ -388,7 +389,7 @@
+ path = path.substring(0, pos);
+ }
+
+- path = normalize(path);
++ path = RequestUtil.normalize(path);
+ if (path == null)
+ return (null);
+
+@@ -475,7 +476,7 @@
+ throw new MalformedURLException(sm.getString("applicationContext.requestDispatcher.iae", path));
+ }
+
+- path = normalize(path);
++ path = RequestUtil.normalize(path);
+ if (path == null)
+ return (null);
+
+@@ -524,10 +525,13 @@
+ */
+ public InputStream getResourceAsStream(String path) {
+
+- path = normalize(path);
+ if (path == null || !path.startsWith("/"))
+ return (null);
+
++ path = RequestUtil.normalize(path);
++ if (path == null)
++ return null;
++
+ DirContext resources = context.getResources();
+ if (resources != null) {
+ try {
+@@ -560,7 +564,7 @@
+ (sm.getString("applicationContext.resourcePaths.iae", path));
+ }
+
+- path = normalize(path);
++ path = RequestUtil.normalize(path);
+ if (path == null)
+ return (null);
+
+@@ -870,45 +874,6 @@
+
+
+ /**
+- * Return a context-relative path, beginning with a "/", that represents
+- * the canonical version of the specified path after ".." and "." elements
+- * are resolved out. If the specified path attempts to go outside the
+- * boundaries of the current context (i.e. too many ".." path elements
+- * are present), return <code>null</code> instead.
+- *
+- * @param path Path to be normalized
+- */
+- private String normalize(String path) {
+-
+- if (path == null) {
+- return null;
+- }
+-
+- String normalized = path;
+-
+- // Normalize the slashes
+- if (normalized.indexOf('\\') >= 0)
+- normalized = normalized.replace('\\', '/');
+-
+- // Resolve occurrences of "/../" in the normalized path
+- while (true) {
+- int index = normalized.indexOf("/../");
+- if (index < 0)
+- break;
+- if (index == 0)
+- return (null); // Trying to go outside our context
+- int index2 = normalized.lastIndexOf('/', index - 1);
+- normalized = normalized.substring(0, index2) +
+- normalized.substring(index + 3);
+- }
+-
+- // Return the normalized path that we have completed
+- return (normalized);
+-
+- }
+-
+-
+- /**
+ * Merge the context initialization parameters specified in the application
+ * deployment descriptor with the application parameters described in the
+ * server configuration, respecting the <code>override</code> property of
+Index: container/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java
+===================================================================
+--- container/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java (wersja 782756)
++++ container/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java (wersja 782757)
+@@ -1369,76 +1369,6 @@
+ resp.setStatus(WebdavStatus.SC_NO_CONTENT);
+ }
+
+- /**
+- * Return a context-relative path, beginning with a "/", that represents
+- * the canonical version of the specified path after ".." and "." elements
+- * are resolved out. If the specified path attempts to go outside the
+- * boundaries of the current context (i.e. too many ".." path elements
+- * are present), return <code>null</code> instead.
+- *
+- * @param path Path to be normalized
+- */
+- protected String normalize(String path) {
+- if (path == null) {
+- return null;
+- }
+-
+- // Create a place for the normalized path
+- String normalized = path;
+-
+- if (normalized.equals("/.")) {
+- return "/";
+- }
+-
+- // Normalize the slashes and add leading slash if necessary
+- if (normalized.indexOf('\\') >= 0) {
+- normalized = normalized.replace('\\', '/');
+- }
+-
+- if (!normalized.startsWith("/")) {
+- normalized = "/" + normalized;
+- }
+-
+- // Resolve occurrences of "//" in the normalized path
+- while (true) {
+- int index = normalized.indexOf("//");
+- if (index < 0) {
+- break;
+- }
+- normalized = normalized.substring(0, index) +
+- normalized.substring(index + 1);
+- }
+-
+- // Resolve occurrences of "/./" in the normalized path
+- while (true) {
+- int index = normalized.indexOf("/./");
+- if (index < 0) {
+- break;
+- }
+- normalized = normalized.substring(0, index) +
+- normalized.substring(index + 2);
+- }
+-
+- // Resolve occurrences of "/../" in the normalized path
+- while (true) {
+- int index = normalized.indexOf("/../");
+- if (index < 0) {
+- break;
+- }
+- if (index == 0) {
+- return (null); // Trying to go outside our context
+- }
+-
+- int index2 = normalized.lastIndexOf('/', index - 1);
+- normalized = normalized.substring(0, index2) +
+- normalized.substring(index + 3);
+- }
+-
+- // Return the normalized path that we have completed
+- return (normalized);
+- }
+-
+-
+ // -------------------------------------------------------- Private Methods
+
+ /**
+@@ -1589,7 +1519,7 @@
+ }
+
+ // Normalise destination path (remove '.' and '..')
+- destinationPath = normalize(destinationPath);
++ destinationPath = RequestUtil.normalize(destinationPath);
+
+ String contextPath = req.getContextPath();
+ if ((contextPath != null) &&
+@@ -2347,7 +2277,8 @@
+ if (!toAppend.startsWith("/"))
+ toAppend = "/" + toAppend;
+
+- generatedXML.writeText(rewriteUrl(normalize(absoluteUri + toAppend)));
++ generatedXML.writeText(rewriteUrl(RequestUtil.normalize(
++ absoluteUri + toAppend)));
+
+ generatedXML.writeElement(null, "href", XMLWriter.CLOSING);
+
+Index: container/catalina/src/share/org/apache/catalina/connector/Request.java
+===================================================================
+--- container/catalina/src/share/org/apache/catalina/connector/Request.java (wersja 782756)
++++ container/catalina/src/share/org/apache/catalina/connector/Request.java (wersja 782757)
+@@ -1243,10 +1243,9 @@
+ int pos = requestPath.lastIndexOf('/');
+ String relative = null;
+ if (pos >= 0) {
+- relative = RequestUtil.normalize
+- (requestPath.substring(0, pos + 1) + path);
++ relative = requestPath.substring(0, pos + 1) + path;
+ } else {
+- relative = RequestUtil.normalize(requestPath + path);
++ relative = requestPath + path;
+ }
+
+ return (context.getServletContext().getRequestDispatcher(relative));
+Index: container/catalina/src/share/org/apache/catalina/ssi/SSIServletRequestUtil.java
+===================================================================
+--- container/catalina/src/share/org/apache/catalina/ssi/SSIServletRequestUtil.java (wersja 782756)
++++ container/catalina/src/share/org/apache/catalina/ssi/SSIServletRequestUtil.java (wersja 782757)
+@@ -48,7 +48,7 @@
+ if ((result == null) || (result.equals(""))) {
+ result = "/";
+ }
+- return normalize(result);
++ return RequestUtil.normalize(result);
+ }
+
+
+@@ -64,15 +64,9 @@
+ *
+ * @param path
+ * Path to be normalized
++ * @deprecated
+ */
+ public static String normalize(String path) {
+- if (path == null) return null;
+- String normalized = path;
+- //Why doesn't RequestUtil do this??
+- // Normalize the slashes and add leading slash if necessary
+- if (normalized.indexOf('\\') >= 0)
+- normalized = normalized.replace('\\', '/');
+- normalized = RequestUtil.normalize(path);
+- return normalized;
++ return RequestUtil.normalize(path);
+ }
+ }
+\ No newline at end of file
+Index: container/catalina/src/share/org/apache/catalina/ssi/SSIServletExternalResolver.java
+===================================================================
+--- container/catalina/src/share/org/apache/catalina/ssi/SSIServletExternalResolver.java (wersja 782756)
++++ container/catalina/src/share/org/apache/catalina/ssi/SSIServletExternalResolver.java (wersja 782757)
+@@ -32,6 +32,7 @@
+ import javax.servlet.http.HttpServletRequest;
+ import javax.servlet.http.HttpServletResponse;
+ import org.apache.catalina.connector.Request;
++import org.apache.catalina.util.RequestUtil;
+ import org.apache.coyote.Constants;
+
+ /**
+@@ -373,7 +374,7 @@
+ + pathWithoutContext);
+ }
+ String fullPath = prefix + path;
+- String retVal = SSIServletRequestUtil.normalize(fullPath);
++ String retVal = RequestUtil.normalize(fullPath);
+ if (retVal == null) {
+ throw new IOException("Normalization yielded null on path: "
+ + fullPath);
+@@ -406,7 +407,7 @@
+ return new ServletContextAndPath(context,
+ getAbsolutePath(virtualPath));
+ } else {
+- String normalized = SSIServletRequestUtil.normalize(virtualPath);
++ String normalized = RequestUtil.normalize(virtualPath);
+ if (isVirtualWebappRelative) {
+ return new ServletContextAndPath(context, normalized);
+ } else {
+Index: container/catalina/src/share/org/apache/catalina/util/RequestUtil.java
+===================================================================
+--- container/catalina/src/share/org/apache/catalina/util/RequestUtil.java (wersja 782756)
++++ container/catalina/src/share/org/apache/catalina/util/RequestUtil.java (wersja 782757)
+@@ -147,13 +147,29 @@
+ * @param path Relative path to be normalized
+ */
+ public static String normalize(String path) {
++ return normalize(path, true);
++ }
+
++ /**
++ * Normalize a relative URI path that may have relative values ("/./",
++ * "/../", and so on ) it it. <strong>WARNING</strong> - This method is
++ * useful only for normalizing application-generated paths. It does not
++ * try to perform security checks for malicious input.
++ *
++ * @param path Relative path to be normalized
++ * @param replaceBackSlash Should '\\' be replaced with '/'
++ */
++ public static String normalize(String path, boolean replaceBackSlash) {
++
+ if (path == null)
+ return null;
+
+ // Create a place for the normalized path
+ String normalized = path;
+
++ if (replaceBackSlash && normalized.indexOf('\\') >= 0)
++ normalized = normalized.replace('\\', '/');
++
+ if (normalized.equals("/."))
+ return "/";
+
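Review bot: The Javadoc added for `normalize(String path, boolean replaceBackSlash)` in RequestUtil.java repeats the warning that the method "does not try to perform security checks for malicious input", which no longer matches how this patch uses it. The other hunks remove the private normalizers and put this method in front of `ApplicationContext.getResourceAsStream` and the WebdavServlet destination path, so it is now the traversal guard for them. Those callers also depend on a `null` result (`if (path == null) return null;`), which the comment does not state. I would drop or reword the warning, fix the typo "it it" to "in it", and add `@return the normalized path, or <code>null</code> if it cannot be normalized`. The null case is inferred from the callers, because the method body continues outside this hunk.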
================================================================
Index: packages/tomcat/tomcat-CVE-2009-0033.patch
diff -u /dev/null packages/tomcat/tomcat-CVE-2009-0033.patch:1.1
--- /dev/null Tue Jun 9 20:09:02 2009
+++ packages/tomcat/tomcat-CVE-2009-0033.patch Tue Jun 9 20:08:58 2009
@@ -0,0 +1,61 @@
+Index: connectors/jk/java/org/apache/jk/common/ChannelSocket.java
+===================================================================
+--- connectors/jk/java/org/apache/jk/common/ChannelSocket.java (wersja 781361)
++++ connectors/jk/java/org/apache/jk/common/ChannelSocket.java (wersja 781362)
+@@ -46,6 +46,7 @@
+ import org.apache.coyote.Request;
+ import org.apache.coyote.RequestGroupInfo;
+ import org.apache.coyote.RequestInfo;
++import org.apache.coyote.ActionCode;
+ import org.apache.tomcat.util.threads.ThreadPool;
+ import org.apache.tomcat.util.threads.ThreadPoolRunnable;
+
+@@ -703,6 +704,7 @@
+ status= this.invoke( recv, ep );
+ if( status!= JkHandler.OK ) {
+ log.warn("processCallbacks status " + status );
++ ep.action(ActionCode.ACTION_CLOSE, ep.getRequest().getResponse());
+ break;
+ }
+ }
+Index: connectors/jk/java/org/apache/jk/common/HandlerRequest.java
+===================================================================
+--- connectors/jk/java/org/apache/jk/common/HandlerRequest.java (wersja 781361)
++++ connectors/jk/java/org/apache/jk/common/HandlerRequest.java (wersja 781362)
+@@ -265,8 +265,16 @@
+ ((Request)ep.getRequest()).unparsedURI());
+ }
+ } catch( Exception ex ) {
++ /* If we are here it is because we have a bad header or something like that */
+ log.error( "Error decoding request ", ex );
+ msg.dump( "Incomming message");
++ Response res=ep.getRequest().getResponse();
++ if ( res==null ) {
++ res=new Response();
++ ep.getRequest().setResponse(res);
++ }
++ res.setMessage("Bad Request");
++ res.setStatus(400);
+ return ERROR;
+ }
+
+Index: connectors/jk/java/org/apache/jk/common/ChannelNioSocket.java
+===================================================================
+--- connectors/jk/java/org/apache/jk/common/ChannelNioSocket.java (wersja 781361)
++++ connectors/jk/java/org/apache/jk/common/ChannelNioSocket.java (wersja 781362)
+@@ -56,6 +56,7 @@
+ import org.apache.coyote.Request;
+ import org.apache.coyote.RequestGroupInfo;
+ import org.apache.coyote.RequestInfo;
++import org.apache.coyote.ActionCode;
+ import org.apache.tomcat.util.threads.ThreadPool;
+ import org.apache.tomcat.util.threads.ThreadPoolRunnable;
+
+@@ -854,6 +855,7 @@
+ status= invoke( recv, ep );
+ if( status != JkHandler.OK ) {
+ log.warn("processCallbacks status " + status );
++ ep.action(ActionCode.ACTION_CLOSE, ep.getRequest().getResponse());
+ return false;
+ }
+ synchronized(this) {
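Review bot: The added `ep.action(ActionCode.ACTION_CLOSE, ep.getRequest().getResponse());` passes the response without a null check, both here in ChannelNioSocket and in the matching ChannelSocket hunk. The HandlerRequest hunk in this same patch treats a null `getResponse()` as a real case and creates a `Response` for it. If `invoke` can return a non-OK status on a path that did not go through that catch block, the close action may be handed null; whether it tolerates that is not visible in these hunks. Either make sure a response exists before the call, as HandlerRequest does, or add a comment such as `// response is always set before a non-OK status is returned` once that has been confirmed. Both enclosing methods start and end outside the hunks.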
================================================================
Index: packages/tomcat/tomcat-CVE-2009-0580.patch
diff -u /dev/null packages/tomcat/tomcat-CVE-2009-0580.patch:1.1
--- /dev/null Tue Jun 9 20:09:02 2009
+++ packages/tomcat/tomcat-CVE-2009-0580.patch Tue Jun 9 20:08:58 2009
@@ -0,0 +1,63 @@
+Index: container/webapps/docs/changelog.xml
+===================================================================
+--- container/webapps/docs/changelog.xml (wersja 781378)
++++ container/webapps/docs/changelog.xml (wersja 781379)
+@@ -76,6 +76,11 @@
+ logging at the context level but the security policy prevents this.
+ (markt/rjung)
+ </fix>
++ <fix>
++ Fix an information disclosure vulnerability in a number of the Realms
++ that allowed user enumeration when using FORM authentication. This is
++ CVE-2009-0580. (markt)
++ </fix>
+ </changelog>
+ </subsection>
+ <subsection name="Jasper">
+Index: container/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java
+===================================================================
+--- container/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java (wersja 781378)
++++ container/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java (wersja 781379)
+@@ -270,8 +270,9 @@
+ */
+ public Principal authenticate(String username, String credentials) {
+
+- // No user - can't possibly authenticate, don't bother the database then
+- if (username == null) {
++ // No user or no credentials
++ // Can't possibly authenticate, don't bother the database then
++ if (username == null || credentials == null) {
+ return null;
+ }
+
+Index: container/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java
+===================================================================
+--- container/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java (wersja 781378)
++++ container/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java (wersja 781379)
+@@ -393,9 +393,10 @@
+ String username,
+ String credentials) {
+
+- // No user - can't possibly authenticate
+- if (username == null) {
+- return (null);
++ // No user or no credentials
++ // Can't possibly authenticate, don't bother the database then
++ if (username == null || credentials == null) {
++ return null;
+ }
+
+ // Look up the user's credentials
+Index: container/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java
+===================================================================
+--- container/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java (wersja 781378)
++++ container/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java (wersja 781379)
+@@ -147,7 +147,7 @@
+ (GenericPrincipal) principals.get(username);
+
+ boolean validated = false;
+- if (principal != null) {
++ if (principal != null && credentials != null) {
+ if (hasMessageDigest()) {
+ // Hex hashes should be compared case-insensitive
+ validated = (digest(credentials)
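Review bot: The new `credentials != null` test in the MemoryRealm hunk has no comment explaining it, and it is folded into the principal check, whereas the DataSourceRealm and JDBCRealm hunks use a commented early return. A reader of MemoryRealm alone cannot tell that the condition is the CVE-2009-0580 fix rather than a defensive nicety, so a later cleanup could remove it. I would add a line above it such as `// Null credentials must be rejected like any wrong password (CVE-2009-0580)`. A regression test that authenticates an existing user with null credentials would pin this for all three realms. The enclosing `authenticate` method starts and ends outside this hunk.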
================================================================
Index: packages/tomcat/tomcat-CVE-2009-0781.patch
diff -u /dev/null packages/tomcat/tomcat-CVE-2009-0781.patch:1.1
--- /dev/null Tue Jun 9 20:09:02 2009
+++ packages/tomcat/tomcat-CVE-2009-0781.patch Tue Jun 9 20:08:59 2009
@@ -0,0 +1,20 @@
+Index: container/webapps/docs/changelog.xml
+===================================================================
+--- container/webapps/docs/changelog.xml (wersja 750927)
++++ container/webapps/docs/changelog.xml (wersja 750928)
+@@ -31,6 +31,15 @@
+ </properties>
+
+ <body>
++<section name="Tomcat 5.5.28 (fhanik)">
++ <subsection name="webapps">
++ <changelog>
++ <fix>
++ Fix CVE-2009-0781. XSS in calendar example. (markt)
++ </fix>
++ </changelog>
++ </subsection>
++</section>
+ <section name="Tomcat 5.5.27 (fhanik)">
+ <subsection name="General">
+ <changelog>
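Review bot: The code fix for CVE-2009-0781 is missing from this patch file: its 20 lines touch only container/webapps/docs/changelog.xml, adding the entry "Fix CVE-2009-0781. XSS in calendar example.", and nothing changes the calendar example itself. A package built with this patch would document the fix while, as far as this commit shows, still shipping the example unmodified. The other patch files in this commit do carry their source changes, so this looks like an incomplete backport of the upstream revision. The patch should include the upstream change to the example, or the package should stop claiming the CVE as fixed until it does.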
================================================================
Index: packages/tomcat/tomcat-CVE-2009-0783.patch
diff -u /dev/null packages/tomcat/tomcat-CVE-2009-0783.patch:1.1
--- /dev/null Tue Jun 9 20:09:02 2009
+++ packages/tomcat/tomcat-CVE-2009-0783.patch Tue Jun 9 20:09:00 2009
@@ -0,0 +1,196 @@
+Index: container/catalina/src/share/org/apache/catalina/core/StandardContext.java
+===================================================================
+--- container/catalina/src/share/org/apache/catalina/core/StandardContext.java (wersja 781541)
++++ container/catalina/src/share/org/apache/catalina/core/StandardContext.java (wersja 781542)
+@@ -4140,10 +4140,6 @@
+ ((Lifecycle) pipeline).start();
+ }
+
+- if(getProcessTlds()) {
+- processTlds();
+- }
+-
+ // Notify our interested LifecycleListeners
+ lifecycle.fireLifecycleEvent(START_EVENT, null);
+
+@@ -4278,40 +4274,6 @@
+ }
+
+ /**
+- * Processes TLDs.
+- *
+- * @throws LifecycleException If an error occurs
+- */
+- protected void processTlds() throws LifecycleException {
+- TldConfig tldConfig = new TldConfig();
+- tldConfig.setContext(this);
+-
+- // (1) check if the attribute has been defined
+- // on the context element.
<<Diff was trimmed, longer than 597 lines>>