[tomcat6/f14] Resolves: CvE-2011-3190 rhbz 738502
Dave Knox
dknox at fedoraproject.org
Wed Sep 28 15:34:48 UTC 2011
commit 5317a5570d4012abfced3eefcc83439fa5b441eb
Author: David Knox <dknox at dknox-laptop.(none)>
Date: Wed Sep 28 09:35:04 2011 -0600
Resolves: CvE-2011-3190 rhbz 738502
tomcat6-6.0.26-CVE-2011-3190-rhbz-738502.patch | 76 ++++++++++++++++++++++++
tomcat6.spec | 7 ++-
2 files changed, 82 insertions(+), 1 deletions(-)
---
diff --git a/tomcat6-6.0.26-CVE-2011-3190-rhbz-738502.patch b/tomcat6-6.0.26-CVE-2011-3190-rhbz-738502.patch
new file mode 100644
index 0000000..c7d3885
--- /dev/null
+++ b/tomcat6-6.0.26-CVE-2011-3190-rhbz-738502.patch
@@ -0,0 +1,76 @@
+--- java/org/apache/coyote/ajp/AjpAprProcessor.java.orig 2011-09-27 16:28:15.041443551 -0600
++++ java/org/apache/coyote/ajp/AjpAprProcessor.java 2011-09-27 16:32:49.870424757 -0600
+@@ -390,11 +390,13 @@
+ }
+ continue;
+ } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
+- // Usually the servlet didn't read the previous request body
++ // Unexpected packet type. Unread body packets
++ // should have been swallowed in finish()
+ if(log.isDebugEnabled()) {
+ log.debug("Unexpected message: "+type);
+ }
+- continue;
++ error = true;
++ break;
+ }
+
+ keptAlive = true;
+@@ -1026,6 +1028,11 @@
+
+ finished = true;
+
++ // Swallow the unread body packets if present
++ if (first && request.getContentLengthLong() > 0) {
++ receive();
++ }
++
+ // Add the end message
+ if (outputBuffer.position() + endMessageArray.length > outputBuffer.capacity()) {
+ flush();
+--- java/org/apache/coyote/ajp/AjpProcessor.java.orig 2011-09-27 16:28:40.884441784 -0600
++++ java/org/apache/coyote/ajp/AjpProcessor.java 2011-09-27 16:37:29.429405596 -0600
+@@ -408,11 +408,13 @@
+ }
+ continue;
+ } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
+- // Usually the servlet didn't read the previous request body
++ // Unexpected packet type. Unread body packets
++ // should have been swallowed in finish()
+ if(log.isDebugEnabled()) {
+ log.debug("Unexpected message: "+type);
+ }
+- continue;
++ error = true;
++ break;
+ }
+
+ request.setStartTime(System.currentTimeMillis());
+@@ -1031,6 +1033,11 @@
+
+ finished = true;
+
++ // Swallow the unread body packet if present
++ if (first && request.getContentLengthLong() > 0) {
++ receive();
++ }
++
+ // Add the end message
+ output.write(endMessageArray);
+
+--- webapps/docs/changelog.xml.orig 2011-09-27 16:28:53.511440919 -0600
++++ webapps/docs/changelog.xml 2011-09-27 16:40:46.379392173 -0600
+@@ -99,6 +99,13 @@
+ </fix>
+ </changelog>
+ </subsection>
++ <subsection name="Coyote">
++ <changelog>
++ <fix>
++ <bug>51698</bug> Fix CVE-2011-3190 Prevent AJP message injection
++ </fix>
++ </changelog>
++ </subsection>
+ <subsection name="Webapps">
+ <changelog>
+ <add>
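Review bot: In both AjpAprProcessor.java and AjpProcessor.java, the new `error = true; break;` branch drops the connection on an unexpected packet type but still reports it only under `log.isDebugEnabled()`, so at default log levels nothing records that an AJP stream was desynchronised or carried an unexpected message. Consider `log.warn("Unexpected message: "+type);` there so the event is available for detection, provided the AJP peer is trusted enough that this cannot flood the log. In the two finish() hunks the result of `receive()` is discarded and the comments disagree ("packets" in one file, "packet" in the other). A short comment saying why a single `receive()` is enough when `first` is still true would help; presumably only the first body packet can be pending at that point, but the enclosing method bodies lie outside the hunks, so this should be confirmed.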
diff --git a/tomcat6.spec b/tomcat6.spec
index e61e827..89ef970 100644
--- a/tomcat6.spec
+++ b/tomcat6.spec
@@ -55,7 +55,7 @@
Name: tomcat6
Epoch: 0
Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 26%{?dist}
+Release: 27%{?dist}
Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
Group: Networking/Daemons
@@ -81,6 +81,7 @@ Patch5: %{name}-%{major_version}.%{minor_version}.26-CVE-2010-3718.patch
Patch6: %{name}-%{major_version}.%{minor_version}.26-CVE-2011-0013.patch
Patch7: %{name}-6.0.26-CVE-2011-2204-rhbz-717016.patch
Patch8: %{name}-6.0.26-CVE-2011-2526-rhbz-721087.patch
+Patch9: %{name}-6.0.26-CVE-2011-3190-rhbz-738502.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildArch: noarch
@@ -235,6 +236,7 @@ pushd %{packdname}
%patch6 -p0
%patch7 -p0
%patch8 -p0
+%patch9 -p0
%{__ln_s} $(build-classpath jakarta-taglibs-core) webapps/examples/WEB-INF/lib/jstl.jar
%{__ln_s} $(build-classpath jakarta-taglibs-standard) webapps/examples/WEB-INF/lib/standard.jar
@@ -646,6 +648,9 @@ fi
%{appdir}/sample
%changelog
+* Tue Sep 27 2011 David Knox <dknox at redhat.com> 0:6.0.26-27
+- Resolves CVE-2011-3190 rhbz 738502
+
* Mon Sep 26 2011 David Knox <dknox at redhat.com> 0:6.0.26-26
- Resolves rhbz 640134 - JAVA_HOME setting