[java-sig-commits] [tomcat: 30/66] adding cve-2010-2227.patch and resolving rhbz#575341

Ivan Afonichev van at fedoraproject.org
Wed May 25 21:30:58 UTC 2011


commit 1bb926e7cc43b48aafd7309cbd64eaa25f372d13
Author: david knox <dknox at 78-97-42-72.skybeam.com>
Date:   Tue Oct 5 09:34:55 2010 -0600

    adding cve-2010-2227.patch and resolving rhbz#575341

 tomcat6-6.0-CVE-2010-2227.patch |  138 +++++++++++++++++++++++++++++++++++++++
 tomcat6.spec                    |   14 +++-
 2 files changed, 148 insertions(+), 4 deletions(-)
---
diff --git a/tomcat6-6.0-CVE-2010-2227.patch b/tomcat6-6.0-CVE-2010-2227.patch
new file mode 100644
index 0000000..4f00c89
--- /dev/null
+++ b/tomcat6-6.0-CVE-2010-2227.patch
@@ -0,0 +1,138 @@
+--- java/org/apache/coyote/http11/Http11AprProcessor.java.orig	2010-07-12 11:52:05.981133000 -0400
++++ java/org/apache/coyote/http11/Http11AprProcessor.java	2010-07-12 11:59:39.205913000 -0400
+@@ -78,6 +78,12 @@
+     protected static StringManager sm =
+         StringManager.getManager(Constants.Package);
+ 
++   /**
++    * Tracks how many internal filters are in the filter library so they
++    * are skipped whe looking for pluggable filters
++    */
++   private int pluggableFilterIndex = Integer.MAX_VALUE;
++
+ 
+     // ----------------------------------------------------------- Constructors
+ 
+@@ -1736,6 +1742,8 @@
+         //inputBuffer.addFilter(new GzipInputFilter());
+         outputBuffer.addFilter(new GzipOutputFilter());
+ 
++        pluggableFilterIndex = inputBuffer.filterLibrary.length;
++
+     }
+ 
+ 
+@@ -1754,7 +1762,7 @@
+                 (inputFilters[Constants.CHUNKED_FILTER]);
+             contentDelimitation = true;
+         } else {
+-            for (int i = 2; i < inputFilters.length; i++) {
++            for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {
+                 if (inputFilters[i].getEncodingName()
+                     .toString().equals(encodingName)) {
+                     inputBuffer.addActiveFilter(inputFilters[i]);
+--- java/org/apache/coyote/http11/Http11NioProcessor.java.orig	2010-07-12 12:00:05.720580000 -0400
++++ java/org/apache/coyote/http11/Http11NioProcessor.java	2010-07-12 12:19:36.465303000 -0400
+@@ -81,6 +81,12 @@
+      */
+     protected SSLSupport sslSupport;
+ 
++   /**
++    * Tracks how many internal filters are in the filter library so they
++    * are skipped whe looking for pluggable filters
++    */
++   private int pluggableFilterIndex = Integer.MAX_VALUE;
++
+     // ----------------------------------------------------------- Constructors
+ 
+ 
+@@ -1763,6 +1769,8 @@
+         //inputBuffer.addFilter(new GzipInputFilter());
+         outputBuffer.addFilter(new GzipOutputFilter());
+ 
++        pluggableFilterIndex = inputBuffer.filterLibrary.length;
++
+     }
+ 
+ 
+@@ -1781,7 +1789,7 @@
+                 (inputFilters[Constants.CHUNKED_FILTER]);
+             contentDelimitation = true;
+         } else {
+-            for (int i = 2; i < inputFilters.length; i++) {
++            for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {
+                 if (inputFilters[i].getEncodingName()
+                     .toString().equals(encodingName)) {
+                     inputBuffer.addActiveFilter(inputFilters[i]);
+--- java/org/apache/coyote/http11/Http11Processor.java.orig	2010-07-12 12:20:42.784634000 -0400
++++ java/org/apache/coyote/http11/Http11Processor.java	2010-07-12 12:23:14.996732000 -0400
+@@ -76,6 +76,11 @@
+     protected static boolean isSecurityEnabled = 
+ 	org.apache.coyote.Constants.IS_SECURITY_ENABLED;
+ 
++   /**
++    * Tracks how many internal filters are in the filter library so they
++    * are skipped whe looking for pluggable filters
++    */
++   private int pluggableFilterIndex = Integer.MAX_VALUE;
+     // ------------------------------------------------------------ Constructor
+ 
+ 
+@@ -1642,6 +1647,7 @@
+         //inputBuffer.addFilter(new GzipInputFilter());
+         outputBuffer.addFilter(new GzipOutputFilter());
+ 
++        pluggableFilterIndex = inputBuffer.filterLibrary.length;
+     }
+ 
+ 
+@@ -1660,7 +1666,7 @@
+                 (inputFilters[Constants.CHUNKED_FILTER]);
+             contentDelimitation = true;
+         } else {
+-            for (int i = 2; i < inputFilters.length; i++) {
++            for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {
+                 if (inputFilters[i].getEncodingName()
+                     .toString().equals(encodingName)) {
+                     inputBuffer.addActiveFilter(inputFilters[i]);
+--- java/org/apache/coyote/http11/filters/BufferedInputFilter.java.orig	2010-01-19 08:43:40.000000000 -0500
++++ java/org/apache/coyote/http11/filters/BufferedInputFilter.java	2010-07-12 13:00:50.374586000 -0400
+@@ -102,10 +102,14 @@
+     }
+ 
+     public void recycle() {
+-        if (buffered.getBuffer().length > 65536) {
+-            buffered = null;
+-        } else {
+-            buffered.recycle();
++        if (buffered != null)
++        {
++           if (buffered.getBuffer().length > 65536)
++           {
++              buffered = null;
++           } else {
++              buffered.recycle();
++           }
+         }
+         tempRead.recycle();
+         hasRead = false;
+
+--- webapps/docs/changelog.xml.orig	2010-07-12 16:08:24.000000000 -0600
++++ webapps/docs/changelog.xml	2010-07-12 16:12:43.000000000 -0600
+@@ -40,6 +40,16 @@
+         Correct TCK failures with security manager caused by the original fix
+         for <bug>47774</bug>. (markt)
+       </fix>
++      <fix>
++         Arange filter logic (jgclere) 
++         Several flaws in the handling of the 'Transfer-Encoding' header 
++         were found that prevented the recycling of a buffer. A remote 
++         attacker could trigger this flaw which would cause subsequent 
++         requests to fail and/or information to leak between requests. 
++         This flaw is mitigated if Tomcat is behind a reverse proxy 
++         (such as Apache httpd 2.2) as the proxy should reject the 
++         invalid transfer encoding header.
++      </fix>
+     </changelog>
+   </subsection>
+   <subsection name="Other">
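Review bot: The assignment `pluggableFilterIndex = inputBuffer.filterLibrary.length;` in Http11AprProcessor, Http11NioProcessor and Http11Processor only keeps the internal filters out of the Transfer-Encoding lookup while it remains the last statement of the filter setup, and nothing in the new code says so. I would add a comment above it, e.g. `// Must stay after the last internal addFilter(): filters below this index must never be selectable by a request's Transfer-Encoding value`, and fix the typo `whe` in the three field Javadocs. The enclosing methods start outside the embedded hunks, so it is worth confirming that every internal input filter is added before this line. In BufferedInputFilter.recycle(), `buffered` stays null once an oversized buffer has been dropped; the rest of the class is not shown, so confirm that the next use re-allocates it rather than dereferencing null.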
diff --git a/tomcat6.spec b/tomcat6.spec
index bab33f6..2b79798 100644
--- a/tomcat6.spec
+++ b/tomcat6.spec
@@ -55,7 +55,7 @@
 Name: tomcat6
 Epoch: 0
 Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 9%{?dist}
+Release: 10%{?dist}
 Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
 
 Group: Networking/Daemons
@@ -74,10 +74,11 @@ Source9: jsp-api-OSGi-MANIFEST.MF
 Source10: %{name}-%{major_version}.%{minor_version}-log4j.properties
 Patch0: %{name}-%{major_version}.%{minor_version}-bootstrap-MANIFEST.MF.patch
 Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.patch
+Patch2: %{name}-%{major_version}.%{minor_version}-CVE-2010-2227.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildArch: noarch
 BuildRequires: ant
-BuildRequires: ant-trax
+BuildRequires: ant-nodeps
 BuildRequires: ecj
 BuildRequires: findutils
 BuildRequires: jakarta-commons-collections
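Review bot: Nothing in the spec ties `Patch2` to the issue it fixes: the `Patch2:` line carries no comment, and the %changelog entries added in the last hunk of this file mention only ant-nodeps and rhbz#575341. Administrators and scanners commonly read `rpm -q --changelog` to check whether a build contains a CVE fix, so I would add an entry such as `- Add patch for CVE-2010-2227 (Transfer-Encoding header handling)` under 0:6.0.26-10. The `ant-trax` to `ant-nodeps` swap in this hunk looks unrelated to the security fix and would be easier to backport as a separate commit.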
@@ -214,13 +215,14 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 pushd %{packdname}
 %patch0 -p0
 %patch1 -p0
+%patch2 -p0
 %{__ln_s} $(build-classpath jakarta-taglibs-core) webapps/examples/WEB-INF/lib/jstl.jar
 %{__ln_s} $(build-classpath jakarta-taglibs-standard) webapps/examples/WEB-INF/lib/standard.jar
 popd
 
 %build
 export CLASSPATH=
-export OPT_JAR_LIST="ant/ant-trax"
+export OPT_JAR_LIST="ant/ant-nodeps"
 pushd %{packdname}
    # we don't care about the tarballs and we're going to replace
    # tomcat-dbcp.jar with jakarta-commons-{collections,dbcp,pool}-tomcat5.jar
@@ -597,7 +599,11 @@ fi
 %{appdir}/sample
 
 %changelog
-* Fri Jul 02 2010 David Knox <dknox at rehat.com> 0:6.0.26-9
+* Mon Oct 04 2010 David Knox <dknox at redhat.com> 0:6.0.26-10
+- ant-nodeps is breaking the build. Put ant-nodeps on the 
+- OPT_JAR_LIST
+
+* Fri Oct 01 2010 David Knox <dknox at rehat.com> 0:6.0.26-9
 - Resolves rhbz#575341 - Additionally created instances of Tomcat 
 - are broken
 

