[tomcat6/f16] Resolves: CVE-2011-3190
Dave Knox
dknox at fedoraproject.org
Tue Sep 27 18:26:09 UTC 2011
commit dbbbab0ce1b3b181698cc55cc345541461f49aab
Author: David Knox <dknox at dknox-laptop.(none)>
Date: Tue Sep 27 12:26:29 2011 -0600
Resolves: CVE-2011-3190
tomcat6-6.0.32-CVE-2011-3190-rhbz-738502.patch | 76 ++++++++++++++++++++++++
tomcat6.spec | 7 ++-
2 files changed, 82 insertions(+), 1 deletions(-)
---
diff --git a/tomcat6-6.0.32-CVE-2011-3190-rhbz-738502.patch b/tomcat6-6.0.32-CVE-2011-3190-rhbz-738502.patch
new file mode 100644
index 0000000..054eb9c
--- /dev/null
+++ b/tomcat6-6.0.32-CVE-2011-3190-rhbz-738502.patch
@@ -0,0 +1,76 @@
+--- java/org/apache/coyote/ajp/AjpProcessor.java.orig 2011-09-26 13:28:39.720088399 -0600
++++ java/org/apache/coyote/ajp/AjpProcessor.java 2011-09-26 13:36:15.972057199 -0600
+@@ -408,11 +408,13 @@
+ }
+ continue;
+ } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
+- // Usually the servlet didn't read the previous request body
+- if(log.isDebugEnabled()) {
+- log.debug("Unexpected message: "+type);
+- }
+- continue;
++ // Unexpected packet type. Unread body packets should
++ // have been swallowed in finish()
++ if (log.isDebugEnabled()) {
++ log.debug("Unexpected message: " + type);
++ }
++ error = true;
++ break;
+ }
+
+ request.setStartTime(System.currentTimeMillis());
+@@ -1038,6 +1040,11 @@
+
+ finished = true;
+
++ // Swallow the unread body packet if present
++ if (first && request.getContentLengthLong() > 0) {
++ receive();
++ }
++
+ // Add the end message
+ output.write(endMessageArray);
+
+--- java/org/apache/coyote/ajp/AjpAprProcessor.java.orig 2011-09-26 13:29:02.955086810 -0600
++++ java/org/apache/coyote/ajp/AjpAprProcessor.java 2011-09-26 13:40:47.311038644 -0600
+@@ -390,11 +390,13 @@
+ }
+ continue;
+ } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
+- // Usually the servlet didn't read the previous request body
++ // Unexpect packet type. Unread body packets
++ // should have been swallowed in finish().
+ if(log.isDebugEnabled()) {
+ log.debug("Unexpected message: "+type);
+ }
+- continue;
++ error = true;
++ break;
+ }
+
+ keptAlive = true;
+@@ -1033,6 +1035,11 @@
+
+ finished = true;
+
++ // Swallow the unread body packet if present
++ if (first && request.getContentLengthLong() > 0) {
++ receive();
++ }
++
+ // Add the end message
+ if (outputBuffer.position() + endMessageArray.length > outputBuffer.capacity()) {
+ flush();
+--- webapps/docs/changelog.xml.orig 2011-09-26 13:29:57.025083112 -0600
++++ webapps/docs/changelog.xml 2011-09-26 13:45:05.305021003 -0600
+@@ -67,6 +67,10 @@
+ </subsection>
+ <subsection name="Coyote">
+ <changelog>
++ <fix>
++ <bug>51698</bug>: Fix CVE-2011-3190 Prevent AJP message injection
++ (markt)
++ </fix>
+ <fix>
+ <bug>49795</bug>: Backport AprEndpoint shutdown improvements, to make
+ it more robust. (mturk/kkolinko)
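Review bot: In both embedded hunks at -408 (AjpProcessor.java) and -390 (AjpAprProcessor.java), the new `error = true; break;` path for an unexpected packet type is reported only through `log.debug(...)`, so with default logging there is no record that a connection was dropped because of an out-of-sequence AJP message. Since this is the condition the CVE-2011-3190 fix guards against, consider a level visible by default, e.g. `log.warn("Unexpected message: " + type);`, provided this branch is not reached in normal operation. The `receive()` call added in the two finish() hunks discards its result; whether a failed read needs handling there cannot be judged from these lines, because finish() and the processing loop both start and end outside the hunks. The replacement comment in the AjpAprProcessor hunk also has a typo and should read `// Unexpected packet type. Unread body packets`.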
diff --git a/tomcat6.spec b/tomcat6.spec
index c7c4076..0028c46 100644
--- a/tomcat6.spec
+++ b/tomcat6.spec
@@ -53,7 +53,7 @@
Name: tomcat6
Epoch: 0
Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 16%{?dist}
+Release: 17%{?dist}
Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
Group: Networking/Daemons
@@ -79,6 +79,7 @@ Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.pat
#Patch2: %{name}-%{major_version}.%{minor_version}-rhbz-674601.patch
Patch3: %{name}-6.0.32-CVE-2011-2204-rhbz-717016.patch
Patch4: tomcat6-6.0.32-CVE-2011-2526-rhbz-720948.patch
+Patch5: tomcat6-6.0.32-CVE-2011-3190-rhbz-738502.patch
BuildArch: noarch
@@ -233,6 +234,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
# %patch2 -p0
%patch3 -p0
%patch4 -p0
+%patch5 -p0
%{__ln_s} $(build-classpath jakarta-taglibs-core) webapps/examples/WEB-INF/lib/jstl.jar
%{__ln_s} $(build-classpath jakarta-taglibs-standard) webapps/examples/WEB-INF/lib/standard.jar
@@ -628,6 +630,9 @@ fi
%{appdir}/sample
%changelog
+* Tue Sep 27 2011 David Knox <dknox at redhat.com> 0:6.0.32-17
+- Resolves: CVE-2011-3190 rhbz 738502
+
* Wed Sep 21 2011 David Knox <dknox at redhat.com> 0:6.0.32-16
- Resolves: conversion to systemd rhbz 719283
- Fixed group permission g+x on basedir (/var/lib/tomcat6)