Re: On tomcat FTBFS.



Hi,

So I reworked CVE-2017-5647, which involved 5 new commits related to
non-blocking I/O (NIO2 and COMET).
Stable build.

Then I got upstream to renew their new certs that were expiring tomorrow (!)
https://bz.apache.org/bugzilla/show_bug.cgi?id=63648
and had to fix-up the SSL client tests accordingly (new client DN).

At last we have a working package that passes the testsuite.
How would you smoke-test it?
https://www.beuc.net/tmp/debian-lts/tomcat8/

(Now maybe I can start working on the actual CVEs :))

Cheers!
Sylvain

On 07/08/2019 12:29, Sylvain Beucler wrote:
> Hi,
>
> It appears that the CVE-2017-5647 fix lacked this pre-requisite:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=57799
> https://svn.apache.org/viewvc?view=revision&revision=1712081
>
> The test case is not flaky anymore; I'm going to test full builds again.
>
> Cheers!
> Sylvain
>
> On 07/08/2019 00:45, Sylvain Beucler wrote:
>> Hi Markus,
>>
>> I'm investigating tomcat8's FTBFS and I confirm Abhijith's findings in a
>> Jessie VM:
>>
>> - test catalina/connector/TestSendFile.java fails with nio2 connector
>> but is not reliable and will report success ~1 out of 10 even with lots
>> of exceptions; catalina.log will report header parsing error and return 400
>>
>> - it passes reliably without CVE-2017-5647.patch
>>
>> - the test certificate did expire on 2019-02-27 but changing the date to
>> 2019-01-01 and rebuilding does not impact these results
>> (incidentally the test certs seem to depend on an external CA,
>> ca-test.tomcat.apache.org; fixing the certs will require switching to
>> the new-style local CA in tomcat8 - if fixing the certs is needed)
>>
>> As you fixed CVE-2017-5647 as well as generated the last jessie upload,
>> I would be interested in your take on this :)
>> TestSendFile only got trivial changes, so I guess I'll look for a fix in
>> later changes affecting files modified by CVE-2017-5647.
>> Still, I'm surprised updates were built given this situation - did
>> everybody get lucky with the flaky test or did I miss something?
>>
>> Cheers!
>> Sylvain
>>
>> On 27/07/2019 20:30, Abhijith PA wrote:
>>> Hi,
>>>
>>>
>>> I don't think the link you gave on commit [fe932dd39d] is the reason for
>>> the FTBFS. I tried building on a VM that matches the certificate date and it
>>> was successful. I also tried disabling all SSL-related tests and it was fine.
>>>
>>> While doing all this I found that the TestSendFile test is the culprit. In
>>> the CVE-2017-5647 security patch a good amount of changes are applied to
>>> SendFile*.java and *Nio2*.java. These are mostly about conditions on how
>>> long the sendfile socket keeps active and when to take it away. But I
>>> couldn't see any of those changes in its test file. Please take a look at
>>> the attached patch. :)
>>>
>>>
>>> --abhijith