[tomcat6/f15] resolves CVE-2011-2526

Dave Knox dknox at fedoraproject.org
Wed Jul 27 20:07:34 UTC 2011


commit efc1e427d4823c538ebd11bac98b9a951140219a
Author: David Knox <dknox at dknox-laptop.(none)>
Date:   Wed Jul 27 14:07:28 2011 -0600

    resolves CVE-2011-2526

 tomcat6-6.0.32-CVE-2011-2526-rhbz-721087.patch |  160 ++++++++++++++++++++++++
 tomcat6.spec                                   |    8 +-
 2 files changed, 166 insertions(+), 2 deletions(-)
---
diff --git a/tomcat6-6.0.32-CVE-2011-2526-rhbz-721087.patch b/tomcat6-6.0.32-CVE-2011-2526-rhbz-721087.patch
new file mode 100644
index 0000000..4559528
--- /dev/null
+++ b/tomcat6-6.0.32-CVE-2011-2526-rhbz-721087.patch
@@ -0,0 +1,160 @@
+--- java/org/apache/catalina/connector/LocalStrings.properties.orig	2011-07-21 14:38:36.066590266 -0600
++++ java/org/apache/catalina/connector/LocalStrings.properties	2011-07-21 14:40:11.039590297 -0600
+@@ -62,6 +62,7 @@
+ coyoteRequest.postTooLarge=Parameters were not parsed because the size of the posted data was too big. Use the maxPostSize attribute of the connector to resolve this if the application should accept large POSTs.
+ coyoteRequest.chunkedPostTooLarge=Parameters were not parsed because the size of the posted data was too big. Because this request was a chunked request, it could not be processed further. Use the maxPostSize attribute of the connector to resolve this if the application should accept large POSTs.
+ coyoteRequest.sessionEndAccessFail=Exception triggered ending access to session while recycling request
++coyoteRequest.sendfileNotCanonical=Unable to determine canonical name of file [{0}] specified for use with sendfile
+ 
+ requestFacade.nullRequest=The request object has been recycled and is no longer associated with this facade
+ 
+--- java/org/apache/catalina/connector/Request.java.orig	2011-07-21 14:45:27.499590401 -0600
++++ java/org/apache/catalina/connector/Request.java	2011-07-21 14:53:50.242590565 -0600
+@@ -18,7 +18,7 @@
+ 
+ package org.apache.catalina.connector;
+ 
+-
++import java.io.File;
+ import java.io.InputStream;
+ import java.io.IOException;
+ import java.io.BufferedReader;
+@@ -1454,6 +1454,26 @@
+         if (readOnlyAttributes.containsKey(name)) {
+             return;
+         }
++		  
++		  // Do the security check before any updates are made
++		  if (Globals.IS_SECURITY_ENABLED &&
++				name.equals("org.apache.tomcat.sendfile.filename")) {
++			  // Use the canonical file name to avoid any possible symlink
++			  // and relative path issues
++			  String canonicalPath;
++			  try {
++				  canonicalPath = new File(value.toString()).getCanonicalPath();
++			  } catch (IOException e) {
++				  throw new SecurityException(sm.getString(
++				  	"coyoteRequest.sendFileNotCanonical", value), e);
++			  }
++			  // Sendfile is performed in Tomcat's security context so need to
++			  // check if the web app is permitted to access the file while
++			  // still in the webapp's security context
++			  System.getSecurityManager().checkRead(canonicalPath);
++			  // Update value so the canonical path is used
++			  value = canonicalPath;
++		  }
+ 
+         oldValue = attributes.put(name, value);
+         if (oldValue != null) {
+--- java/org/apache/catalina/servlets/DefaultServlet.java.orig	2011-07-21 14:58:15.679590652 -0600
++++ java/org/apache/catalina/servlets/DefaultServlet.java	2011-07-21 14:59:43.550590680 -0600
+@@ -1619,7 +1619,6 @@
+                 request.setAttribute("org.apache.tomcat.sendfile.start", new Long(range.start));
+                 request.setAttribute("org.apache.tomcat.sendfile.end", new Long(range.end + 1));
+             }
+-            request.setAttribute("org.apache.tomcat.sendfile.token", this);
+             return true;
+         } else {
+             return false;
+--- java/org/apache/coyote/http11/Http11AprProcessor.java.orig	2011-07-21 15:01:56.656590723 -0600
++++ java/org/apache/coyote/http11/Http11AprProcessor.java	2011-07-21 15:10:59.578590900 -0600
+@@ -910,8 +910,19 @@
+                 sendfileData.socket = socket;
+                 sendfileData.keepAlive = keepAlive;
+                 if (!endpoint.getSendfile().add(sendfileData)) {
+-                    openSocket = true;
+-                    break;
++						 if (sendfileData.socket == 0) {
++							 // Didn't send all the data but the socket is 
++							 // no longer set. Something went wrong. Close the 
++							 // connection. Too late to set status code.
++							 if (log.isDebugEnabled()) {
++								 log.debug(sm.getString(
++								 	"http11processor.sendfile.error"));
++							 }
++							 error = true;
++						 } else {
++							 openSocket = true;
++						 }
++                   break;
+                 }
+             }
+             
+--- java/org/apache/coyote/http11/LocalStrings.properties.orig	2011-07-21 15:12:16.585590926 -0600
++++ java/org/apache/coyote/http11/LocalStrings.properties	2011-07-21 15:13:56.801590957 -0600
+@@ -56,6 +56,7 @@
+ http11processor.socket.info=Exception getting socket information
+ http11processor.socket.ssl=Exception getting SSL attributes
+ http11processor.socket.timeout=Error setting socket timeout
++http11processor.socket.error=Error sending data using sendfile. May be caused by invalid request attributes for start/end points
+ 
+ #
+ # InternalInputBuffer
+--- java/org/apache/tomcat/util/net/AprEndpoint.java.orig	2011-07-21 15:15:08.276590983 -0600
++++ java/org/apache/tomcat/util/net/AprEndpoint.java	2011-07-21 15:17:32.799591029 -0600
+@@ -1812,7 +1812,9 @@
+                                                data.pos, data.end - data.pos, 0);
+                     if (nw < 0) {
+                         if (!(-nw == Status.EAGAIN)) {
+-                            destroySocket(data.socket);
++                            Pool.destroy(data.socket);
++									 // No need to close the socket, this will be done by
++									 // calling code since data.socket == 0
+                             data.socket = 0;
+                             return false;
+                         } else {
+--- java/org/apache/tomcat/util/net/NioEndpoint.java.orig	2011-07-21 15:18:57.305591056 -0600
++++ java/org/apache/tomcat/util/net/NioEndpoint.java	2011-07-21 15:22:26.916591126 -0600
+@@ -1734,6 +1734,13 @@
+                         sd.pos += written;
+                         sd.length -= written;
+                         attachment.access();
++						  } else {
++							  // Unusual not to be able to transfer any bytes
++							  // Check the length was set correctly
++							  if (sd.fchannel.size() <= sd.pos) {
++								  throw new IOException("Sendfile configured to " +
++								  	"send more data than was available");
++							  }
+                     }
+                 }
+                 if ( sd.length <= 0 && sc.getOutboundRemaining()<=0) {
+@@ -1758,6 +1765,7 @@
+                             log.debug("Send file connection is being closed");
+                         }
+                         cancelledKey(sk,SocketStatus.STOP,false);
++								return false;
+                     }
+                 } else if ( attachment.interestOps() == 0 && reg ) {
+                     if (log.isDebugEnabled()) {
+--- STATUS.txt.orig	2011-07-21 15:23:42.352591150 -0600
++++ STATUS.txt	2011-07-21 15:26:59.525591214 -0600
+@@ -88,3 +88,10 @@
+               The updated patch fixes a race condition.
+               We can stall this item until we get some feedback about 7.0.5.
+   -1:
++
++* Fix various sendfile issues. CVE-2011-2526
++  This is a port of r115380, r1145383, r1145383, r1145571, r1145694 and 
++  r1146005
++  http://people.apache.org/~markt/patches/2011-07-13-cve-2011-2526-tc6.patch
++  +1: markt, jfclere, kfujino
++  -1:
+--- webapps/docs/changelog.xml.orig	2011-07-21 15:27:46.745591229 -0600
++++ webapps/docs/changelog.xml	2011-07-21 15:31:05.344591193 -0600
+@@ -421,6 +421,15 @@
+         that causes the NIO poller to fail, preventing the processing of further
+         requests. (markt)
+       </fix>
++		<fix>
++		   Fix CVE-2011-2526. Protect against infinite loops (HTTP NIO) and 
++			crashes (HTTP APR) if sendfile is configured to send more data than
++			is available in the file (markt)
++		</fix>
++		<fix>
++		   Prevent NPEs when a socket is closed in non-error conditions after
++			sendfile processing when using the HTTP NIO connector (markt)
++		</fix>
+     </changelog>
+   </subsection>
+   <subsection name="Jasper">
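Review bot: The two message keys added to the LocalStrings.properties files do not match the keys the Java code looks up, so neither new error path will resolve to the intended text. The catalina connector properties hunk defines `coyoteRequest.sendfileNotCanonical`, but the SecurityException in the Request.java hunk calls `sm.getString("coyoteRequest.sendFileNotCanonical", value)` (capital F); the http11 properties hunk defines `http11processor.socket.error`, but the debug log in the Http11AprProcessor.java hunk asks for `"http11processor.sendfile.error"`. Changing the Request.java lookup to `"coyoteRequest.sendfileNotCanonical", value), e);` and the http11 property line to `http11processor.sendfile.error=Error sending data using sendfile. May be caused by invalid request attributes for start/end points` would make both lookups resolve; the security check and the error flag behave the same either way, but a sendfile failure would otherwise be harder to diagnose from the log output. As a point of style, the added lines in Request.java and Http11AprProcessor.java mix tabs and spaces while the surrounding context uses spaces only. The enclosing `setAttribute` and processor-loop bodies start and end outside the quoted hunks.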
diff --git a/tomcat6.spec b/tomcat6.spec
index 284be73..bbe81a4 100644
--- a/tomcat6.spec
+++ b/tomcat6.spec
@@ -53,7 +53,7 @@
 Name:          tomcat6
 Epoch:         0
 Version:       %{major_version}.%{minor_version}.%{micro_version}
-Release:       5%{?dist}
+Release:       6%{?dist}
 Summary:       Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
 
 Group:         Networking/Daemons
@@ -75,7 +75,7 @@ Patch1:        %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.pat
 # Contained in 6.0.32
 #Patch2:        %{name}-%{major_version}.%{minor_version}-rhbz-674601.patch
 Patch3:			%{name}-6.0.32-CVE-2011-2204-rhbz-717016.patch
-
+Patch4: tomcat6-6.0.32-CVE-2011-2526-rhbz-721087.patch
 
 BuildArch:     noarch
 
@@ -214,6 +214,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch1 -p0
 #%patch2 -p0
 %patch3 -p0
+%patch4 -p0
 
 %{__ln_s} $(build-classpath jakarta-taglibs-core) webapps/examples/WEB-INF/lib/jstl.jar
 %{__ln_s} $(build-classpath jakarta-taglibs-standard) webapps/examples/WEB-INF/lib/standard.jar
@@ -583,6 +584,9 @@ fi
 %{appdir}/sample
 
 %changelog
+* Wed Jul 27 2011 David Knox <dknox at redhat.com> 0:6.0.32-6
+- Resolves: CVE-2011-2526
+
 * Tue Jul 5 2011 David Knox <dknox at redhat.com> 0:6.0.32-5
 - Resolves rhbz 677414 - change %preun so erasing work
 - and temp dirs occurs only on removal. Add recreation of

