pki-servlet-engine/tomcat6-6.0-CVE-2010-2227.patch

--- java/org/apache/coyote/http11/Http11AprProcessor.java.orig	2010-07-12 11:52:05.981133000 -0400
+++ java/org/apache/coyote/http11/Http11AprProcessor.java	2010-07-12 11:59:39.205913000 -0400
@@ -78,6 +78,12 @@
     protected static StringManager sm =
         StringManager.getManager(Constants.Package);
 
+   /**
+    * Tracks how many internal filters are in the filter library so they
+    * are skipped whe looking for pluggable filters
+    */
+   private int pluggableFilterIndex = Integer.MAX_VALUE;
+
 
     // ----------------------------------------------------------- Constructors
 
@@ -1736,6 +1742,8 @@
         //inputBuffer.addFilter(new GzipInputFilter());
         outputBuffer.addFilter(new GzipOutputFilter());
 
+        pluggableFilterIndex = inputBuffer.filterLibrary.length;
+
     }
 
 
@@ -1754,7 +1762,7 @@
                 (inputFilters[Constants.CHUNKED_FILTER]);
             contentDelimitation = true;
         } else {
-            for (int i = 2; i < inputFilters.length; i++) {
+            for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {
                 if (inputFilters[i].getEncodingName()
                     .toString().equals(encodingName)) {
                     inputBuffer.addActiveFilter(inputFilters[i]);
--- java/org/apache/coyote/http11/Http11NioProcessor.java.orig	2010-07-12 12:00:05.720580000 -0400
+++ java/org/apache/coyote/http11/Http11NioProcessor.java	2010-07-12 12:19:36.465303000 -0400
@@ -81,6 +81,12 @@
      */
     protected SSLSupport sslSupport;
 
+   /**
+    * Tracks how many internal filters are in the filter library so they
+    * are skipped whe looking for pluggable filters
+    */
+   private int pluggableFilterIndex = Integer.MAX_VALUE;
+
     // ----------------------------------------------------------- Constructors
 
 
@@ -1763,6 +1769,8 @@
         //inputBuffer.addFilter(new GzipInputFilter());
         outputBuffer.addFilter(new GzipOutputFilter());
 
+        pluggableFilterIndex = inputBuffer.filterLibrary.length;
+
     }
 
 
@@ -1781,7 +1789,7 @@
                 (inputFilters[Constants.CHUNKED_FILTER]);
             contentDelimitation = true;
         } else {
-            for (int i = 2; i < inputFilters.length; i++) {
+            for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {
                 if (inputFilters[i].getEncodingName()
                     .toString().equals(encodingName)) {
                     inputBuffer.addActiveFilter(inputFilters[i]);
--- java/org/apache/coyote/http11/Http11Processor.java.orig	2010-07-12 12:20:42.784634000 -0400
+++ java/org/apache/coyote/http11/Http11Processor.java	2010-07-12 12:23:14.996732000 -0400
@@ -76,6 +76,11 @@
     protected static boolean isSecurityEnabled = 
 	org.apache.coyote.Constants.IS_SECURITY_ENABLED;
 
+   /**
+    * Tracks how many internal filters are in the filter library so they
+    * are skipped whe looking for pluggable filters
+    */
+   private int pluggableFilterIndex = Integer.MAX_VALUE;
     // ------------------------------------------------------------ Constructor
 
 
@@ -1642,6 +1647,7 @@
         //inputBuffer.addFilter(new GzipInputFilter());
         outputBuffer.addFilter(new GzipOutputFilter());
 
+        pluggableFilterIndex = inputBuffer.filterLibrary.length;
     }
 
 
@@ -1660,7 +1666,7 @@
                 (inputFilters[Constants.CHUNKED_FILTER]);
             contentDelimitation = true;
         } else {
-            for (int i = 2; i < inputFilters.length; i++) {
+            for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {
                 if (inputFilters[i].getEncodingName()
                     .toString().equals(encodingName)) {
                     inputBuffer.addActiveFilter(inputFilters[i]);
--- java/org/apache/coyote/http11/filters/BufferedInputFilter.java.orig	2010-01-19 08:43:40.000000000 -0500
+++ java/org/apache/coyote/http11/filters/BufferedInputFilter.java	2010-07-12 13:00:50.374586000 -0400
@@ -102,10 +102,14 @@
     }
 
     public void recycle() {
-        if (buffered.getBuffer().length > 65536) {
-            buffered = null;
-        } else {
-            buffered.recycle();
+        if (buffered != null)
+        {
+           if (buffered.getBuffer().length > 65536)
+           {
+              buffered = null;
+           } else {
+              buffered.recycle();
+           }
         }
         tempRead.recycle();
         hasRead = false;

--- webapps/docs/changelog.xml.orig	2010-07-12 16:08:24.000000000 -0600
+++ webapps/docs/changelog.xml	2010-07-12 16:12:43.000000000 -0600
@@ -40,6 +40,16 @@
         Correct TCK failures with security manager caused by the original fix
         for <bug>47774</bug>. (markt)
       </fix>
+      <fix>
+         Arange filter logic (jgclere) 
+         Several flaws in the handling of the 'Transfer-Encoding' header 
+         were found that prevented the recycling of a buffer. A remote 
+         attacker could trigger this flaw which would cause subsequent 
+         requests to fail and/or information to leak between requests. 
+         This flaw is mitigated if Tomcat is behind a reverse proxy 
+         (such as Apache httpd 2.2) as the proxy should reject the 
+         invalid transfer encoding header.
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Other">
adding cve-2010-2227.patch and resolving rhbz#575341 2010-10-05 15:34:55 +00:00			`--- java/org/apache/coyote/http11/Http11AprProcessor.java.orig 2010-07-12 11:52:05.981133000 -0400`
			`+++ java/org/apache/coyote/http11/Http11AprProcessor.java 2010-07-12 11:59:39.205913000 -0400`
			`@@ -78,6 +78,12 @@`
			`protected static StringManager sm =`
			`StringManager.getManager(Constants.Package);`

			`+ /**`
			`+ * Tracks how many internal filters are in the filter library so they`
			`+ * are skipped whe looking for pluggable filters`
			`+ */`
			`+ private int pluggableFilterIndex = Integer.MAX_VALUE;`
			`+`

			`// ----------------------------------------------------------- Constructors`

			`@@ -1736,6 +1742,8 @@`
			`//inputBuffer.addFilter(new GzipInputFilter());`
			`outputBuffer.addFilter(new GzipOutputFilter());`

			`+ pluggableFilterIndex = inputBuffer.filterLibrary.length;`
			`+`
			`}`


			`@@ -1754,7 +1762,7 @@`
			`(inputFilters[Constants.CHUNKED_FILTER]);`
			`contentDelimitation = true;`
			`} else {`
			`- for (int i = 2; i < inputFilters.length; i++) {`
			`+ for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {`
			`if (inputFilters[i].getEncodingName()`
			`.toString().equals(encodingName)) {`
			`inputBuffer.addActiveFilter(inputFilters[i]);`
			`--- java/org/apache/coyote/http11/Http11NioProcessor.java.orig 2010-07-12 12:00:05.720580000 -0400`
			`+++ java/org/apache/coyote/http11/Http11NioProcessor.java 2010-07-12 12:19:36.465303000 -0400`
			`@@ -81,6 +81,12 @@`
			`*/`
			`protected SSLSupport sslSupport;`

			`+ /**`
			`+ * Tracks how many internal filters are in the filter library so they`
			`+ * are skipped whe looking for pluggable filters`
			`+ */`
			`+ private int pluggableFilterIndex = Integer.MAX_VALUE;`
			`+`
			`// ----------------------------------------------------------- Constructors`


			`@@ -1763,6 +1769,8 @@`
			`//inputBuffer.addFilter(new GzipInputFilter());`
			`outputBuffer.addFilter(new GzipOutputFilter());`

			`+ pluggableFilterIndex = inputBuffer.filterLibrary.length;`
			`+`
			`}`


			`@@ -1781,7 +1789,7 @@`
			`(inputFilters[Constants.CHUNKED_FILTER]);`
			`contentDelimitation = true;`
			`} else {`
			`- for (int i = 2; i < inputFilters.length; i++) {`
			`+ for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {`
			`if (inputFilters[i].getEncodingName()`
			`.toString().equals(encodingName)) {`
			`inputBuffer.addActiveFilter(inputFilters[i]);`
			`--- java/org/apache/coyote/http11/Http11Processor.java.orig 2010-07-12 12:20:42.784634000 -0400`
			`+++ java/org/apache/coyote/http11/Http11Processor.java 2010-07-12 12:23:14.996732000 -0400`
			`@@ -76,6 +76,11 @@`
			`protected static boolean isSecurityEnabled =`
			`org.apache.coyote.Constants.IS_SECURITY_ENABLED;`

			`+ /**`
			`+ * Tracks how many internal filters are in the filter library so they`
			`+ * are skipped whe looking for pluggable filters`
			`+ */`
			`+ private int pluggableFilterIndex = Integer.MAX_VALUE;`
			`// ------------------------------------------------------------ Constructor`


			`@@ -1642,6 +1647,7 @@`
			`//inputBuffer.addFilter(new GzipInputFilter());`
			`outputBuffer.addFilter(new GzipOutputFilter());`

			`+ pluggableFilterIndex = inputBuffer.filterLibrary.length;`
			`}`


			`@@ -1660,7 +1666,7 @@`
			`(inputFilters[Constants.CHUNKED_FILTER]);`
			`contentDelimitation = true;`
			`} else {`
			`- for (int i = 2; i < inputFilters.length; i++) {`
			`+ for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {`
			`if (inputFilters[i].getEncodingName()`
			`.toString().equals(encodingName)) {`
			`inputBuffer.addActiveFilter(inputFilters[i]);`
			`--- java/org/apache/coyote/http11/filters/BufferedInputFilter.java.orig 2010-01-19 08:43:40.000000000 -0500`
			`+++ java/org/apache/coyote/http11/filters/BufferedInputFilter.java 2010-07-12 13:00:50.374586000 -0400`
			`@@ -102,10 +102,14 @@`
			`}`

			`public void recycle() {`
			`- if (buffered.getBuffer().length > 65536) {`
			`- buffered = null;`
			`- } else {`
			`- buffered.recycle();`
			`+ if (buffered != null)`
			`+ {`
			`+ if (buffered.getBuffer().length > 65536)`
			`+ {`
			`+ buffered = null;`
			`+ } else {`
			`+ buffered.recycle();`
			`+ }`
			`}`
			`tempRead.recycle();`
			`hasRead = false;`

			`--- webapps/docs/changelog.xml.orig 2010-07-12 16:08:24.000000000 -0600`
			`+++ webapps/docs/changelog.xml 2010-07-12 16:12:43.000000000 -0600`
			`@@ -40,6 +40,16 @@`
			`Correct TCK failures with security manager caused by the original fix`
			`for <bug>47774</bug>. (markt)`
			`</fix>`
			`+ <fix>`
			`+ Arange filter logic (jgclere)`
			`+ Several flaws in the handling of the 'Transfer-Encoding' header`
			`+ were found that prevented the recycling of a buffer. A remote`
			`+ attacker could trigger this flaw which would cause subsequent`
			`+ requests to fail and/or information to leak between requests.`
			`+ This flaw is mitigated if Tomcat is behind a reverse proxy`
			`+ (such as Apache httpd 2.2) as the proxy should reject the`
			`+ invalid transfer encoding header.`
			`+ </fix>`
			`</changelog>`
			`</subsection>`
			`<subsection name="Other">`