[tomcat6] resolves CVE-2011-3190
Dave Knox
dknox at fedoraproject.org
Tue Sep 27 17:58:20 UTC 2011
commit 53145da30c11804f6972a408dda267615756d116
Author: David Knox <dknox at dknox-laptop.(none)>
Date: Tue Sep 27 11:58:31 2011 -0600
resolves CVE-2011-3190
tomcat6-6.0.32-CVE-2011-3190-rhbz-738502.patch | 76 ++++++++++++++++++++++++
tomcat6.spec | 9 ++-
2 files changed, 83 insertions(+), 2 deletions(-)
---
diff --git a/tomcat6-6.0.32-CVE-2011-3190-rhbz-738502.patch b/tomcat6-6.0.32-CVE-2011-3190-rhbz-738502.patch
new file mode 100644
index 0000000..054eb9c
--- /dev/null
+++ b/tomcat6-6.0.32-CVE-2011-3190-rhbz-738502.patch
@@ -0,0 +1,76 @@
+--- java/org/apache/coyote/ajp/AjpProcessor.java.orig 2011-09-26 13:28:39.720088399 -0600
++++ java/org/apache/coyote/ajp/AjpProcessor.java 2011-09-26 13:36:15.972057199 -0600
+@@ -408,11 +408,13 @@
+ }
+ continue;
+ } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
+- // Usually the servlet didn't read the previous request body
+- if(log.isDebugEnabled()) {
+- log.debug("Unexpected message: "+type);
+- }
+- continue;
++ // Unexpected packet type. Unread body packets should
++ // have been swallowed in finish()
++ if (log.isDebugEnabled()) {
++ log.debug("Unexpected message: " + type);
++ }
++ error = true;
++ break;
+ }
+
+ request.setStartTime(System.currentTimeMillis());
+@@ -1038,6 +1040,11 @@
+
+ finished = true;
+
++ // Swallow the unread body packet if present
++ if (first && request.getContentLengthLong() > 0) {
++ receive();
++ }
++
+ // Add the end message
+ output.write(endMessageArray);
+
+--- java/org/apache/coyote/ajp/AjpAprProcessor.java.orig 2011-09-26 13:29:02.955086810 -0600
++++ java/org/apache/coyote/ajp/AjpAprProcessor.java 2011-09-26 13:40:47.311038644 -0600
+@@ -390,11 +390,13 @@
+ }
+ continue;
+ } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
+- // Usually the servlet didn't read the previous request body
++ // Unexpect packet type. Unread body packets
++ // should have been swallowed in finish().
+ if(log.isDebugEnabled()) {
+ log.debug("Unexpected message: "+type);
+ }
+- continue;
++ error = true;
++ break;
+ }
+
+ keptAlive = true;
+@@ -1033,6 +1035,11 @@
+
+ finished = true;
+
++ // Swallow the unread body packet if present
++ if (first && request.getContentLengthLong() > 0) {
++ receive();
++ }
++
+ // Add the end message
+ if (outputBuffer.position() + endMessageArray.length > outputBuffer.capacity()) {
+ flush();
+--- webapps/docs/changelog.xml.orig 2011-09-26 13:29:57.025083112 -0600
++++ webapps/docs/changelog.xml 2011-09-26 13:45:05.305021003 -0600
+@@ -67,6 +67,10 @@
+ </subsection>
+ <subsection name="Coyote">
+ <changelog>
++ <fix>
++ <bug>51698</bug>: Fix CVE-2011-3190 Prevent AJP message injection
++ (markt)
++ </fix>
+ <fix>
+ <bug>49795</bug>: Backport AprEndpoint shutdown improvements, to make
+ it more robust. (mturk/kkolinko)
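Review bot: The swallow added to finish() (`receive();` at the AjpProcessor site and the identical line in AjpAprProcessor) discards receive()'s boolean result, so a body packet that arrives empty or is otherwise not accepted is passed over silently before the end message is written; if that result is meaningful, `if (!receive()) { error = true; }` would keep finish() consistent with the new `error = true; break;` handling the same patch introduces in the process loop. Whether receive() reports a bad packet through its return value or by throwing is outside the hunk, so confirm that before relying on it. The comment at the AjpAprProcessor site reads `// Unexpect packet type.` and should match its AjpProcessor counterpart, `// Unexpected packet type.`. Both the process() loop and finish() start and end outside the hunk.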
diff --git a/tomcat6.spec b/tomcat6.spec
index aa702fd..d3c8438 100644
--- a/tomcat6.spec
+++ b/tomcat6.spec
@@ -53,7 +53,7 @@
Name: tomcat6
Epoch: 0
Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 16%{?dist}
+Release: 17%{?dist}
Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
Group: Networking/Daemons
@@ -78,7 +78,8 @@ Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.pat
# In 6.0.32 source
#Patch2: %{name}-%{major_version}.%{minor_version}-rhbz-674601.patch
Patch3: %{name}-6.0.32-CVE-2011-2204-rhbz-717016.patch
-Patch4: tomcat6-6.0.32-CVE-2011-2526-rhbz-721087.patch
+Patch4: %{name}-6.0.32-CVE-2011-2526-rhbz-721087.patch
+Patch5: %{name}-6.0.32-CVE-2011-3190-rhbz-738502.patch
BuildArch: noarch
@@ -231,6 +232,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
# %patch2 -p0
%patch3 -p0
%patch4 -p0
+%patch5 -p0
%{__ln_s} $(build-classpath jakarta-taglibs-core) webapps/examples/WEB-INF/lib/jstl.jar
%{__ln_s} $(build-classpath jakarta-taglibs-standard) webapps/examples/WEB-INF/lib/standard.jar
@@ -622,6 +624,9 @@ fi
%{_initrddir}/%{name}
%changelog
+* Mon Sep 26 2011 David Knox <dknox at redhat.com> 0:6.0.32-17
+- Resolves CVE-2011-3190 rhbz 738502
+
* Thu Sep 9 2011 David Knox <dknox at redhat.com> 0:6.0.32-16
- Resolves: rhbz 719283 - provide native systemd unit file
- Resolves: incorrect permissions on basedir