adding cve-2010-2227.patch and resolving rhbz#575341

2010-10-05 09:34:55 -06:00 · 2010-10-05 09:34:55 -06:00 · 1bb926e7cc
commit 1bb926e7cc
parent 0d7ab63ad4
2 changed files with 148 additions and 4 deletions
--- a/tomcat6-6.0-CVE-2010-2227.patch
+++ b/tomcat6-6.0-CVE-2010-2227.patch
@ -0,0 +1,138 @@
+--- java/org/apache/coyote/http11/Http11AprProcessor.java.orig	2010-07-12 11:52:05.981133000 -0400
+++ java/org/apache/coyote/http11/Http11AprProcessor.java	2010-07-12 11:59:39.205913000 -0400
+@@ -78,6 +78,12 @@
+     protected static StringManager sm =
+         StringManager.getManager(Constants.Package);
+ 
+   /**
+    * Tracks how many internal filters are in the filter library so they
+    * are skipped whe looking for pluggable filters
+    */
+   private int pluggableFilterIndex = Integer.MAX_VALUE;
+
+ 
+     // ----------------------------------------------------------- Constructors
+ 
+@@ -1736,6 +1742,8 @@
+         //inputBuffer.addFilter(new GzipInputFilter());
+         outputBuffer.addFilter(new GzipOutputFilter());
+ 
+        pluggableFilterIndex = inputBuffer.filterLibrary.length;
+
+     }
+ 
+ 
+@@ -1754,7 +1762,7 @@
+                 (inputFilters[Constants.CHUNKED_FILTER]);
+             contentDelimitation = true;
+         } else {
+-            for (int i = 2; i < inputFilters.length; i++) {
+            for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {
+                 if (inputFilters[i].getEncodingName()
+                     .toString().equals(encodingName)) {
+                     inputBuffer.addActiveFilter(inputFilters[i]);
+--- java/org/apache/coyote/http11/Http11NioProcessor.java.orig	2010-07-12 12:00:05.720580000 -0400
+++ java/org/apache/coyote/http11/Http11NioProcessor.java	2010-07-12 12:19:36.465303000 -0400
+@@ -81,6 +81,12 @@
+      */
+     protected SSLSupport sslSupport;
+ 
+   /**
+    * Tracks how many internal filters are in the filter library so they
+    * are skipped whe looking for pluggable filters
+    */
+   private int pluggableFilterIndex = Integer.MAX_VALUE;
+
+     // ----------------------------------------------------------- Constructors
+ 
+ 
+@@ -1763,6 +1769,8 @@
+         //inputBuffer.addFilter(new GzipInputFilter());
+         outputBuffer.addFilter(new GzipOutputFilter());
+ 
+        pluggableFilterIndex = inputBuffer.filterLibrary.length;
+
+     }
+ 
+ 
+@@ -1781,7 +1789,7 @@
+                 (inputFilters[Constants.CHUNKED_FILTER]);
+             contentDelimitation = true;
+         } else {
+-            for (int i = 2; i < inputFilters.length; i++) {
+            for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {
+                 if (inputFilters[i].getEncodingName()
+                     .toString().equals(encodingName)) {
+                     inputBuffer.addActiveFilter(inputFilters[i]);
+--- java/org/apache/coyote/http11/Http11Processor.java.orig	2010-07-12 12:20:42.784634000 -0400
+++ java/org/apache/coyote/http11/Http11Processor.java	2010-07-12 12:23:14.996732000 -0400
+@@ -76,6 +76,11 @@
+     protected static boolean isSecurityEnabled = 
+ 	org.apache.coyote.Constants.IS_SECURITY_ENABLED;
+ 
+   /**
+    * Tracks how many internal filters are in the filter library so they
+    * are skipped whe looking for pluggable filters
+    */
+   private int pluggableFilterIndex = Integer.MAX_VALUE;
+     // ------------------------------------------------------------ Constructor
+ 
+ 
+@@ -1642,6 +1647,7 @@
+         //inputBuffer.addFilter(new GzipInputFilter());
+         outputBuffer.addFilter(new GzipOutputFilter());
+ 
+        pluggableFilterIndex = inputBuffer.filterLibrary.length;
+     }
+ 
+ 
+@@ -1660,7 +1666,7 @@
+                 (inputFilters[Constants.CHUNKED_FILTER]);
+             contentDelimitation = true;
+         } else {
+-            for (int i = 2; i < inputFilters.length; i++) {
+            for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {
+                 if (inputFilters[i].getEncodingName()
+                     .toString().equals(encodingName)) {
+                     inputBuffer.addActiveFilter(inputFilters[i]);
+--- java/org/apache/coyote/http11/filters/BufferedInputFilter.java.orig	2010-01-19 08:43:40.000000000 -0500
+++ java/org/apache/coyote/http11/filters/BufferedInputFilter.java	2010-07-12 13:00:50.374586000 -0400
+@@ -102,10 +102,14 @@
+     }
+ 
+     public void recycle() {
+-        if (buffered.getBuffer().length > 65536) {
+-            buffered = null;
+-        } else {
+-            buffered.recycle();
+        if (buffered != null)
+        {
+           if (buffered.getBuffer().length > 65536)
+           {
+              buffered = null;
+           } else {
+              buffered.recycle();
+           }
+         }
+         tempRead.recycle();
+         hasRead = false;
+
+--- webapps/docs/changelog.xml.orig	2010-07-12 16:08:24.000000000 -0600
+++ webapps/docs/changelog.xml	2010-07-12 16:12:43.000000000 -0600
+@@ -40,6 +40,16 @@
+         Correct TCK failures with security manager caused by the original fix
+         for <bug>47774</bug>. (markt)
+       </fix>
+      <fix>
+         Arange filter logic (jgclere) 
+         Several flaws in the handling of the 'Transfer-Encoding' header 
+         were found that prevented the recycling of a buffer. A remote 
+         attacker could trigger this flaw which would cause subsequent 
+         requests to fail and/or information to leak between requests. 
+         This flaw is mitigated if Tomcat is behind a reverse proxy 
+         (such as Apache httpd 2.2) as the proxy should reject the 
+         invalid transfer encoding header.
+      </fix>
+     </changelog>
+   </subsection>
+   <subsection name="Other">
--- a/tomcat6.spec
+++ b/tomcat6.spec
@ -55,7 +55,7 @@
 Name: tomcat6
 Epoch: 0
 Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 9%{?dist}
+Release: 10%{?dist}
 Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API

 Group: Networking/Daemons
@ -74,10 +74,11 @@ Source9: jsp-api-OSGi-MANIFEST.MF
 Source10: %{name}-%{major_version}.%{minor_version}-log4j.properties
 Patch0: %{name}-%{major_version}.%{minor_version}-bootstrap-MANIFEST.MF.patch
 Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.patch
+Patch2: %{name}-%{major_version}.%{minor_version}-CVE-2010-2227.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildArch: noarch
 BuildRequires: ant
-BuildRequires: ant-trax
+BuildRequires: ant-nodeps
 BuildRequires: ecj
 BuildRequires: findutils
 BuildRequires: jakarta-commons-collections
@ -214,13 +215,14 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 pushd %{packdname}
 %patch0 -p0
 %patch1 -p0
+%patch2 -p0
 %{__ln_s} $(build-classpath jakarta-taglibs-core) webapps/examples/WEB-INF/lib/jstl.jar
 %{__ln_s} $(build-classpath jakarta-taglibs-standard) webapps/examples/WEB-INF/lib/standard.jar
 popd

 %build
 export CLASSPATH=
-export OPT_JAR_LIST="ant/ant-trax"
+export OPT_JAR_LIST="ant/ant-nodeps"
 pushd %{packdname}
   # we don't care about the tarballs and we're going to replace
   # tomcat-dbcp.jar with jakarta-commons-{collections,dbcp,pool}-tomcat5.jar
@ -597,7 +599,11 @@ fi
 %{appdir}/sample

 %changelog
-* Fri Jul 02 2010 David Knox <dknox@rehat.com> 0:6.0.26-9
+* Mon Oct 04 2010 David Knox <dknox@redhat.com> 0:6.0.26-10
+- ant-nodeps is breaking the build. Put ant-nodeps on the 
+- OPT_JAR_LIST
+
+* Fri Oct 01 2010 David Knox <dknox@rehat.com> 0:6.0.26-9
 - Resolves rhbz#575341 - Additionally created instances of Tomcat 
 - are broken