rpms/pki-servlet-engine
6
0
Fork 0
Code Issues Pull Requests Releases Activity

adding cve-2010-2227.patch and resolving rhbz#575341

Browse Source
This commit is contained in:
david knox 2010-10-05 09:34:55 -06:00
parent 0d7ab63ad4
commit 1bb926e7cc
2 changed files with 148 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

138
tomcat6-6.0-CVE-2010-2227.patch Normal file
View File

@ -0,0 +1,138 @@
--- java/org/apache/coyote/http11/Http11AprProcessor.java.orig 2010-07-12 11:52:05.981133000 -0400
+++ java/org/apache/coyote/http11/Http11AprProcessor.java 2010-07-12 11:59:39.205913000 -0400
@@ -78,6 +78,12 @@
protected static StringManager sm =
StringManager.getManager(Constants.Package);
+ /**
+ * Tracks how many internal filters are in the filter library so they
+ * are skipped whe looking for pluggable filters
+ */
+ private int pluggableFilterIndex = Integer.MAX_VALUE;
+
// ----------------------------------------------------------- Constructors
@@ -1736,6 +1742,8 @@
//inputBuffer.addFilter(new GzipInputFilter());
outputBuffer.addFilter(new GzipOutputFilter());
+ pluggableFilterIndex = inputBuffer.filterLibrary.length;
+
}
@@ -1754,7 +1762,7 @@
(inputFilters[Constants.CHUNKED_FILTER]);
contentDelimitation = true;
} else {
- for (int i = 2; i < inputFilters.length; i++) {
+ for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {
if (inputFilters[i].getEncodingName()
.toString().equals(encodingName)) {
inputBuffer.addActiveFilter(inputFilters[i]);
--- java/org/apache/coyote/http11/Http11NioProcessor.java.orig 2010-07-12 12:00:05.720580000 -0400
+++ java/org/apache/coyote/http11/Http11NioProcessor.java 2010-07-12 12:19:36.465303000 -0400
@@ -81,6 +81,12 @@
*/
protected SSLSupport sslSupport;
+ /**
+ * Tracks how many internal filters are in the filter library so they
+ * are skipped whe looking for pluggable filters
+ */
+ private int pluggableFilterIndex = Integer.MAX_VALUE;
+
// ----------------------------------------------------------- Constructors
@@ -1763,6 +1769,8 @@
//inputBuffer.addFilter(new GzipInputFilter());
outputBuffer.addFilter(new GzipOutputFilter());
+ pluggableFilterIndex = inputBuffer.filterLibrary.length;
+
}
@@ -1781,7 +1789,7 @@
(inputFilters[Constants.CHUNKED_FILTER]);
contentDelimitation = true;
} else {
- for (int i = 2; i < inputFilters.length; i++) {
+ for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {
if (inputFilters[i].getEncodingName()
.toString().equals(encodingName)) {
inputBuffer.addActiveFilter(inputFilters[i]);
--- java/org/apache/coyote/http11/Http11Processor.java.orig 2010-07-12 12:20:42.784634000 -0400
+++ java/org/apache/coyote/http11/Http11Processor.java 2010-07-12 12:23:14.996732000 -0400
@@ -76,6 +76,11 @@
protected static boolean isSecurityEnabled =
org.apache.coyote.Constants.IS_SECURITY_ENABLED;
+ /**
+ * Tracks how many internal filters are in the filter library so they
+ * are skipped whe looking for pluggable filters
+ */
+ private int pluggableFilterIndex = Integer.MAX_VALUE;
// ------------------------------------------------------------ Constructor
@@ -1642,6 +1647,7 @@
//inputBuffer.addFilter(new GzipInputFilter());
outputBuffer.addFilter(new GzipOutputFilter());
+ pluggableFilterIndex = inputBuffer.filterLibrary.length;
}
@@ -1660,7 +1666,7 @@
(inputFilters[Constants.CHUNKED_FILTER]);
contentDelimitation = true;
} else {
- for (int i = 2; i < inputFilters.length; i++) {
+ for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {
if (inputFilters[i].getEncodingName()
.toString().equals(encodingName)) {
inputBuffer.addActiveFilter(inputFilters[i]);
--- java/org/apache/coyote/http11/filters/BufferedInputFilter.java.orig 2010-01-19 08:43:40.000000000 -0500
+++ java/org/apache/coyote/http11/filters/BufferedInputFilter.java 2010-07-12 13:00:50.374586000 -0400
@@ -102,10 +102,14 @@
}
public void recycle() {
- if (buffered.getBuffer().length > 65536) {
- buffered = null;
- } else {
- buffered.recycle();
+ if (buffered != null)
+ {
+ if (buffered.getBuffer().length > 65536)
+ {
+ buffered = null;
+ } else {
+ buffered.recycle();
+ }
}
tempRead.recycle();
hasRead = false;
--- webapps/docs/changelog.xml.orig 2010-07-12 16:08:24.000000000 -0600
+++ webapps/docs/changelog.xml 2010-07-12 16:12:43.000000000 -0600
@@ -40,6 +40,16 @@
Correct TCK failures with security manager caused by the original fix
for <bug>47774</bug>. (markt)
</fix>
+ <fix>
+ Arange filter logic (jgclere)
+ Several flaws in the handling of the 'Transfer-Encoding' header
+ were found that prevented the recycling of a buffer. A remote
+ attacker could trigger this flaw which would cause subsequent
+ requests to fail and/or information to leak between requests.
+ This flaw is mitigated if Tomcat is behind a reverse proxy
+ (such as Apache httpd 2.2) as the proxy should reject the
+ invalid transfer encoding header.
+ </fix>
</changelog>
</subsection>
<subsection name="Other">

14
tomcat6.spec
View File

@ -55,7 +55,7 @@
Name: tomcat6 Name: tomcat6
Epoch: 0 Epoch: 0
Version: %{major_version}.%{minor_version}.%{micro_version} Version: %{major_version}.%{minor_version}.%{micro_version}
Release: 9%{?dist} Release: 10%{?dist}
Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
Group: Networking/Daemons Group: Networking/Daemons
@ -74,10 +74,11 @@ Source9: jsp-api-OSGi-MANIFEST.MF
Source10: %{name}-%{major_version}.%{minor_version}-log4j.properties Source10: %{name}-%{major_version}.%{minor_version}-log4j.properties
Patch0: %{name}-%{major_version}.%{minor_version}-bootstrap-MANIFEST.MF.patch Patch0: %{name}-%{major_version}.%{minor_version}-bootstrap-MANIFEST.MF.patch
Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.patch Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.patch
Patch2: %{name}-%{major_version}.%{minor_version}-CVE-2010-2227.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildArch: noarch BuildArch: noarch
BuildRequires: ant BuildRequires: ant
BuildRequires: ant-trax BuildRequires: ant-nodeps
BuildRequires: ecj BuildRequires: ecj
BuildRequires: findutils BuildRequires: findutils
BuildRequires: jakarta-commons-collections BuildRequires: jakarta-commons-collections
@ -214,13 +215,14 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
pushd %{packdname} pushd %{packdname}
%patch0 -p0 %patch0 -p0
%patch1 -p0 %patch1 -p0
%patch2 -p0
%{__ln_s} $(build-classpath jakarta-taglibs-core) webapps/examples/WEB-INF/lib/jstl.jar %{__ln_s} $(build-classpath jakarta-taglibs-core) webapps/examples/WEB-INF/lib/jstl.jar
%{__ln_s} $(build-classpath jakarta-taglibs-standard) webapps/examples/WEB-INF/lib/standard.jar %{__ln_s} $(build-classpath jakarta-taglibs-standard) webapps/examples/WEB-INF/lib/standard.jar
popd popd
%build %build
export CLASSPATH= export CLASSPATH=
export OPT_JAR_LIST="ant/ant-trax" export OPT_JAR_LIST="ant/ant-nodeps"
pushd %{packdname} pushd %{packdname}
# we don't care about the tarballs and we're going to replace # we don't care about the tarballs and we're going to replace
# tomcat-dbcp.jar with jakarta-commons-{collections,dbcp,pool}-tomcat5.jar # tomcat-dbcp.jar with jakarta-commons-{collections,dbcp,pool}-tomcat5.jar
@ -597,7 +599,11 @@ fi
%{appdir}/sample %{appdir}/sample
%changelog %changelog
* Fri Jul 02 2010 David Knox <dknox@rehat.com> 0:6.0.26-9 * Mon Oct 04 2010 David Knox <dknox@redhat.com> 0:6.0.26-10
- ant-nodeps is breaking the build. Put ant-nodeps on the
- OPT_JAR_LIST
* Fri Oct 01 2010 David Knox <dknox@rehat.com> 0:6.0.26-9
- Resolves rhbz#575341 - Additionally created instances of Tomcat - Resolves rhbz#575341 - Additionally created instances of Tomcat
- are broken - are broken