[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#864630: unblock: tomcat8/8.5.14-2

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package tomcat8, the version 8.5.14-2 contains a fix
for CVE-2017-5664 (#864447).

Thank you,

Emmanuel Bourg

diff --git a/debian/changelog b/debian/changelog
index 363623db..9045d407 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+tomcat8 (8.5.14-2) unstable; urgency=high
+
+  * Team upload.
+  * Fixed CVE-2017-5664: Static error pages can be overwritten if the
+    DefaultServlet is configured to permit writes (Closes: #864447)
+
+ -- Emmanuel Bourg <ebourg@apache.org>  Thu, 08 Jun 2017 12:28:34 +0200
+
 tomcat8 (8.5.14-1) unstable; urgency=medium
 
   * Team upload.
diff --git a/debian/patches/CVE-2017-5664.patch b/debian/patches/CVE-2017-5664.patch
new file mode 100644
index 00000000..44476c9b
--- /dev/null
+++ b/debian/patches/CVE-2017-5664.patch
@@ -0,0 +1,56 @@
+Description: CVE-2017-5664: Static error pages can be overwritten
+ if the DefaultServlet is configured to permit writes.
+Origin: backport, https://svn.apache.org/r1793469
+                  https://svn.apache.org/r1793488
+--- a/java/org/apache/catalina/servlets/DefaultServlet.java
++++ b/java/org/apache/catalina/servlets/DefaultServlet.java
+@@ -407,6 +407,18 @@
+     }
+ 
+ 
++    @Override
++    protected void service(HttpServletRequest req, HttpServletResponse resp)
++            throws ServletException, IOException {
++
++        if (req.getDispatcherType() == DispatcherType.ERROR) {
++            doGet(req, resp);
++        } else {
++            super.service(req, resp);
++        }
++    }
++
++
+     /**
+      * Process a GET request for the specified resource.
+      *
+@@ -794,7 +806,7 @@
+             return;
+         }
+ 
+-        boolean isError = response.getStatus() >= HttpServletResponse.SC_BAD_REQUEST;
++        boolean isError = DispatcherType.ERROR == request.getDispatcherType();
+ 
+         boolean included = false;
+         // Check if the conditions specified in the optional If headers are
+--- a/java/org/apache/catalina/servlets/WebdavServlet.java
++++ b/java/org/apache/catalina/servlets/WebdavServlet.java
+@@ -30,6 +30,7 @@
+ import java.util.TimeZone;
+ import java.util.Vector;
+ 
++import javax.servlet.DispatcherType;
+ import javax.servlet.RequestDispatcher;
+ import javax.servlet.ServletContext;
+ import javax.servlet.ServletException;
+@@ -315,6 +316,11 @@
+             return;
+         }
+ 
++        if (req.getDispatcherType() == DispatcherType.ERROR) {
++            doGet(req, resp);
++            return;
++        }
++
+         final String method = req.getMethod();
+ 
+         if (debug > 0) {
diff --git a/debian/patches/series b/debian/patches/series
index 1b369897..fe0ccaef 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@
 0018-fix-manager-webapp.patch
 0019-add-distribution-to-error-page.patch
 0021-dont-test-unsupported-ciphers.patch
+CVE-2017-5664.patch
Reply to: