[tomcat6/f16] Resolves: CVE-2011-3190

Dave Knox dknox at fedoraproject.org
Tue Sep 27 18:26:09 UTC 2011


commit dbbbab0ce1b3b181698cc55cc345541461f49aab
Author: David Knox <dknox at dknox-laptop.(none)>
Date:   Tue Sep 27 12:26:29 2011 -0600

    Resolves: CVE-2011-3190

 tomcat6-6.0.32-CVE-2011-3190-rhbz-738502.patch |   76 ++++++++++++++++++++++++
 tomcat6.spec                                   |    7 ++-
 2 files changed, 82 insertions(+), 1 deletions(-)
---
diff --git a/tomcat6-6.0.32-CVE-2011-3190-rhbz-738502.patch b/tomcat6-6.0.32-CVE-2011-3190-rhbz-738502.patch
new file mode 100644
index 0000000..054eb9c
--- /dev/null
+++ b/tomcat6-6.0.32-CVE-2011-3190-rhbz-738502.patch
@@ -0,0 +1,76 @@
+--- java/org/apache/coyote/ajp/AjpProcessor.java.orig	2011-09-26 13:28:39.720088399 -0600
++++ java/org/apache/coyote/ajp/AjpProcessor.java	2011-09-26 13:36:15.972057199 -0600
+@@ -408,11 +408,13 @@
+                     }
+                     continue;
+                 } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
+-                    // Usually the servlet didn't read the previous request body
+-                    if(log.isDebugEnabled()) {
+-                        log.debug("Unexpected message: "+type);
+-                    }
+-                    continue;
++						 // Unexpected packet type. Unread body packets should
++						 // have been swallowed in finish()
++						 if (log.isDebugEnabled()) {
++							 log.debug("Unexpected message: " + type);
++						 }
++						 error = true;
++						 break;
+                 }
+ 
+                 request.setStartTime(System.currentTimeMillis());
+@@ -1038,6 +1040,11 @@
+ 
+         finished = true;
+ 
++		  // Swallow the unread body packet if present
++		  if (first && request.getContentLengthLong() > 0) {
++			  receive();
++		  }
++
+         // Add the end message
+         output.write(endMessageArray);
+ 
+--- java/org/apache/coyote/ajp/AjpAprProcessor.java.orig	2011-09-26 13:29:02.955086810 -0600
++++ java/org/apache/coyote/ajp/AjpAprProcessor.java	2011-09-26 13:40:47.311038644 -0600
+@@ -390,11 +390,13 @@
+                     }
+                     continue;
+                 } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
+-                    // Usually the servlet didn't read the previous request body
++                    // Unexpect packet type. Unread body packets
++						  // should have been swallowed in finish().
+                     if(log.isDebugEnabled()) {
+                         log.debug("Unexpected message: "+type);
+                     }
+-                    continue;
++						  error = true;
++						  break;
+                 }
+ 
+                 keptAlive = true;
+@@ -1033,6 +1035,11 @@
+ 
+         finished = true;
+ 
++		  // Swallow the unread body packet if present
++		  if (first && request.getContentLengthLong() > 0) {
++			  receive();
++		  }
++
+         // Add the end message
+         if (outputBuffer.position() + endMessageArray.length > outputBuffer.capacity()) {
+             flush();
+--- webapps/docs/changelog.xml.orig	2011-09-26 13:29:57.025083112 -0600
++++ webapps/docs/changelog.xml	2011-09-26 13:45:05.305021003 -0600
+@@ -67,6 +67,10 @@
+   </subsection>
+   <subsection name="Coyote">
+     <changelog>
++	   <fix>
++		  <bug>51698</bug>: Fix CVE-2011-3190 Prevent AJP message injection
++		  (markt)
++		</fix>
+       <fix>
+         <bug>49795</bug>: Backport AprEndpoint shutdown improvements, to make
+         it more robust. (mturk/kkolinko)
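Review bot: The swallow added to finish() in both AjpProcessor and AjpAprProcessor, `if (first && request.getContentLengthLong() > 0) { receive(); }`, only covers requests that declared a positive Content-Length, so a request with an unknown body length (`getContentLengthLong()` returning -1, e.g. chunked transfer encoding) is not covered; if the AJP sender also ships an unsolicited first body packet for those, the loop's new `error = true; break;` path will now drop the connection on that leftover packet where the old `continue` skipped it, which is worth confirming against mod_jk/mod_proxy_ajp behaviour before shipping. The boolean result of `receive()` is discarded, so a comment such as `// result ignored: a false return means an empty packet, nothing left to skip` would make the intent explicit, assuming that is what receive() guarantees. On style, the inserted lines are indented with tabs at a column that does not match the surrounding four-space code (the new `else if` body sits deeper than the branch it belongs to), and the AjpAprProcessor comment `Unexpect packet type` should read `Unexpected packet type`. The process() loop and finish() bodies begin and end outside this hunk.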
diff --git a/tomcat6.spec b/tomcat6.spec
index c7c4076..0028c46 100644
--- a/tomcat6.spec
+++ b/tomcat6.spec
@@ -53,7 +53,7 @@
 Name:          tomcat6
 Epoch:         0
 Version:       %{major_version}.%{minor_version}.%{micro_version}
-Release:       16%{?dist}
+Release:       17%{?dist}
 Summary:       Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
 
 Group:         Networking/Daemons
@@ -79,6 +79,7 @@ Patch1:        %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.pat
 #Patch2:        %{name}-%{major_version}.%{minor_version}-rhbz-674601.patch
 Patch3:        %{name}-6.0.32-CVE-2011-2204-rhbz-717016.patch
 Patch4: 			tomcat6-6.0.32-CVE-2011-2526-rhbz-720948.patch
+Patch5: 			tomcat6-6.0.32-CVE-2011-3190-rhbz-738502.patch
 
 BuildArch:     noarch
 
@@ -233,6 +234,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 # %patch2 -p0
 %patch3 -p0
 %patch4 -p0
+%patch5 -p0
 
 %{__ln_s} $(build-classpath jakarta-taglibs-core) webapps/examples/WEB-INF/lib/jstl.jar
 %{__ln_s} $(build-classpath jakarta-taglibs-standard) webapps/examples/WEB-INF/lib/standard.jar
@@ -628,6 +630,9 @@ fi
 %{appdir}/sample
 
 %changelog
+* Tue Sep 27 2011 David Knox <dknox at redhat.com> 0:6.0.32-17
+- Resolves: CVE-2011-3190 rhbz 738502
+
 * Wed Sep 21 2011 David Knox <dknox at redhat.com> 0:6.0.32-16
 - Resolves: conversion to systemd rhbz 719283
 - Fixed group permission g+x on basedir (/var/lib/tomcat6)

