[tomcat6] resolves CVE-2011-3190

Dave Knox dknox at fedoraproject.org
Tue Sep 27 17:58:20 UTC 2011


commit 53145da30c11804f6972a408dda267615756d116
Author: David Knox <dknox at dknox-laptop.(none)>
Date:   Tue Sep 27 11:58:31 2011 -0600

    resolves CVE-2011-3190

 tomcat6-6.0.32-CVE-2011-3190-rhbz-738502.patch |   76 ++++++++++++++++++++++++
 tomcat6.spec                                   |    9 ++-
 2 files changed, 83 insertions(+), 2 deletions(-)
---
diff --git a/tomcat6-6.0.32-CVE-2011-3190-rhbz-738502.patch b/tomcat6-6.0.32-CVE-2011-3190-rhbz-738502.patch
new file mode 100644
index 0000000..054eb9c
--- /dev/null
+++ b/tomcat6-6.0.32-CVE-2011-3190-rhbz-738502.patch
@@ -0,0 +1,76 @@
+--- java/org/apache/coyote/ajp/AjpProcessor.java.orig	2011-09-26 13:28:39.720088399 -0600
++++ java/org/apache/coyote/ajp/AjpProcessor.java	2011-09-26 13:36:15.972057199 -0600
+@@ -408,11 +408,13 @@
+                     }
+                     continue;
+                 } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
+-                    // Usually the servlet didn't read the previous request body
+-                    if(log.isDebugEnabled()) {
+-                        log.debug("Unexpected message: "+type);
+-                    }
+-                    continue;
++						 // Unexpected packet type. Unread body packets should
++						 // have been swallowed in finish()
++						 if (log.isDebugEnabled()) {
++							 log.debug("Unexpected message: " + type);
++						 }
++						 error = true;
++						 break;
+                 }
+ 
+                 request.setStartTime(System.currentTimeMillis());
+@@ -1038,6 +1040,11 @@
+ 
+         finished = true;
+ 
++		  // Swallow the unread body packet if present
++		  if (first && request.getContentLengthLong() > 0) {
++			  receive();
++		  }
++
+         // Add the end message
+         output.write(endMessageArray);
+ 
+--- java/org/apache/coyote/ajp/AjpAprProcessor.java.orig	2011-09-26 13:29:02.955086810 -0600
++++ java/org/apache/coyote/ajp/AjpAprProcessor.java	2011-09-26 13:40:47.311038644 -0600
+@@ -390,11 +390,13 @@
+                     }
+                     continue;
+                 } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
+-                    // Usually the servlet didn't read the previous request body
++                    // Unexpect packet type. Unread body packets
++						  // should have been swallowed in finish().
+                     if(log.isDebugEnabled()) {
+                         log.debug("Unexpected message: "+type);
+                     }
+-                    continue;
++						  error = true;
++						  break;
+                 }
+ 
+                 keptAlive = true;
+@@ -1033,6 +1035,11 @@
+ 
+         finished = true;
+ 
++		  // Swallow the unread body packet if present
++		  if (first && request.getContentLengthLong() > 0) {
++			  receive();
++		  }
++
+         // Add the end message
+         if (outputBuffer.position() + endMessageArray.length > outputBuffer.capacity()) {
+             flush();
+--- webapps/docs/changelog.xml.orig	2011-09-26 13:29:57.025083112 -0600
++++ webapps/docs/changelog.xml	2011-09-26 13:45:05.305021003 -0600
+@@ -67,6 +67,10 @@
+   </subsection>
+   <subsection name="Coyote">
+     <changelog>
++	   <fix>
++		  <bug>51698</bug>: Fix CVE-2011-3190 Prevent AJP message injection
++		  (markt)
++		</fix>
+       <fix>
+         <bug>49795</bug>: Backport AprEndpoint shutdown improvements, to make
+         it more robust. (mturk/kkolinko)
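Review bot: The result of `receive()` is discarded in the new `finish()` code of both AjpProcessor and AjpAprProcessor, so if the swallow read fails or returns without a body packet the processor still writes the end message and proceeds to reuse the connection, which is the very state the commit is trying to close. Assuming `receive()` returns a boolean status as it appears to elsewhere in these classes and `error` is the same processor field the loop sets on an unexpected message type, I would write `if (!receive()) { error = true; }` in both places so a bad or missing body packet tears the connection down rather than being silently treated as consumed. The added lines are also tab-indented inside space-indented files (both `finish()` blocks and the unexpected-message branches), and the AjpAprProcessor comment reads `Unexpect packet type` where it should read `Unexpected packet type`. Both the keep-alive loop and `finish()` start and end outside the hunk, so the scope of `first` and `error` could not be confirmed from here.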
diff --git a/tomcat6.spec b/tomcat6.spec
index aa702fd..d3c8438 100644
--- a/tomcat6.spec
+++ b/tomcat6.spec
@@ -53,7 +53,7 @@
 Name:          tomcat6
 Epoch:         0
 Version:       %{major_version}.%{minor_version}.%{micro_version}
-Release:       16%{?dist}
+Release:       17%{?dist}
 Summary:       Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
 
 Group:         Networking/Daemons
@@ -78,7 +78,8 @@ Patch1:        %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.pat
 # In 6.0.32 source
 #Patch2:        %{name}-%{major_version}.%{minor_version}-rhbz-674601.patch
 Patch3:        %{name}-6.0.32-CVE-2011-2204-rhbz-717016.patch
-Patch4: tomcat6-6.0.32-CVE-2011-2526-rhbz-721087.patch
+Patch4: %{name}-6.0.32-CVE-2011-2526-rhbz-721087.patch
+Patch5: %{name}-6.0.32-CVE-2011-3190-rhbz-738502.patch
 
 	
 BuildArch:     noarch
@@ -231,6 +232,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 # %patch2 -p0
 %patch3 -p0
 %patch4 -p0
+%patch5 -p0
 
 %{__ln_s} $(build-classpath jakarta-taglibs-core) webapps/examples/WEB-INF/lib/jstl.jar
 %{__ln_s} $(build-classpath jakarta-taglibs-standard) webapps/examples/WEB-INF/lib/standard.jar
@@ -622,6 +624,9 @@ fi
 %{_initrddir}/%{name}
 
 %changelog
+* Mon Sep 26 2011 David Knox <dknox at redhat.com> 0:6.0.32-17
+- Resolves CVE-2011-3190 rhbz 738502
+
 * Thu Sep 9 2011 David Knox <dknox at redhat.com> 0:6.0.32-16
 - Resolves: rhbz 719283 - provide native systemd unit file
 - Resolves: incorrect permissions on basedir

