
Bug#864630: marked as done (stretch-pu: package tomcat8)



Your message dated Sat, 24 Jun 2017 06:24:55 +0200
with message-id <20170624042455.2rskkyjb6vf3huk6@eldamar.local>
and subject line Re: Bug#864630: unblock: tomcat8/8.5.14-2
has caused the Debian Bug report #864630,
regarding stretch-pu: package tomcat8
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
864630: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864630
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package tomcat8; version 8.5.14-2 contains a fix
for CVE-2017-5664 (#864447).

Thank you,

Emmanuel Bourg
diff --git a/debian/changelog b/debian/changelog
index 363623db..9045d407 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+tomcat8 (8.5.14-2) unstable; urgency=high
+
+  * Team upload.
+  * Fixed CVE-2017-5664: Static error pages can be overwritten if the
+    DefaultServlet is configured to permit writes (Closes: #864447)
+
+ -- Emmanuel Bourg <ebourg@apache.org>  Thu, 08 Jun 2017 12:28:34 +0200
+
 tomcat8 (8.5.14-1) unstable; urgency=medium
 
   * Team upload.
diff --git a/debian/patches/CVE-2017-5664.patch b/debian/patches/CVE-2017-5664.patch
new file mode 100644
index 00000000..44476c9b
--- /dev/null
+++ b/debian/patches/CVE-2017-5664.patch
@@ -0,0 +1,56 @@
+Description: CVE-2017-5664: Static error pages can be overwritten
+ if the DefaultServlet is configured to permit writes.
+Origin: backport, https://svn.apache.org/r1793469
+                  https://svn.apache.org/r1793488
+--- a/java/org/apache/catalina/servlets/DefaultServlet.java
++++ b/java/org/apache/catalina/servlets/DefaultServlet.java
+@@ -407,6 +407,18 @@
+     }
+ 
+ 
++    @Override
++    protected void service(HttpServletRequest req, HttpServletResponse resp)
++            throws ServletException, IOException {
++
++        if (req.getDispatcherType() == DispatcherType.ERROR) {
++            doGet(req, resp);
++        } else {
++            super.service(req, resp);
++        }
++    }
++
++
+     /**
+      * Process a GET request for the specified resource.
+      *
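Review bot: the new `service()` override in DefaultServlet.java uses `DispatcherType`, `HttpServletRequest` and `HttpServletResponse`, but this part of the patch adds no import hunk, while the WebdavServlet.java part explicitly adds `import javax.servlet.DispatcherType;`; please confirm that the 8.5.14 DefaultServlet.java already imports `javax.servlet.DispatcherType` (the package would not build otherwise) or add the corresponding import hunk so the backport is self-explanatory. A one-line Javadoc on the override would also help the next reader: it is there so that an ERROR dispatch is always rendered via `doGet`, whatever the method of the original request, so a failed PUT or DELETE can no longer be re-dispatched into the servlet's write path when rendering a static error page.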
+@@ -794,7 +806,7 @@
+             return;
+         }
+ 
+-        boolean isError = response.getStatus() >= HttpServletResponse.SC_BAD_REQUEST;
++        boolean isError = DispatcherType.ERROR == request.getDispatcherType();
+ 
+         boolean included = false;
+         // Check if the conditions specified in the optional If headers are
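Review bot: replacing `response.getStatus() >= HttpServletResponse.SC_BAD_REQUEST` with `DispatcherType.ERROR == request.getDispatcherType()` is a behaviour change for a non-ERROR dispatch on which a filter or servlet earlier in the chain has already set a 4xx/5xx status: such a response is no longer treated as an error here, and the `If-*` conditional-header processing that follows this line now runs for it. That is presumably the intent, since the dispatcher type is set by the container and cannot be steered by application code or the client the way a status code can, but a short comment stating that the dispatcher type, not the status, is the authoritative error signal would stop someone from reinstating the status check later.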
+--- a/java/org/apache/catalina/servlets/WebdavServlet.java
++++ b/java/org/apache/catalina/servlets/WebdavServlet.java
+@@ -30,6 +30,7 @@
+ import java.util.TimeZone;
+ import java.util.Vector;
+ 
++import javax.servlet.DispatcherType;
+ import javax.servlet.RequestDispatcher;
+ import javax.servlet.ServletContext;
+ import javax.servlet.ServletException;
+@@ -315,6 +316,11 @@
+             return;
+         }
+ 
++        if (req.getDispatcherType() == DispatcherType.ERROR) {
++            doGet(req, resp);
++            return;
++        }
++
+         final String method = req.getMethod();
+ 
+         if (debug > 0) {
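Review bot: the new guard sits immediately before `final String method = req.getMethod();`, so WebdavServlet's own method handling never sees an ERROR dispatch, which is the point; but the block ending in `return;` just above the guard (its condition is outside this hunk) still runs first, so please check that nothing in it acts on the request method before the guard is reached. The check also reads as a duplicate of the `service()` override added to DefaultServlet in the same patch; a comment explaining why both are needed (WebdavServlet handles the method itself here rather than relying on the parent's `service()`, so the parent's guard alone would not cover this path) would make the pairing clear.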
diff --git a/debian/patches/series b/debian/patches/series
index 1b369897..fe0ccaef 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@
 0018-fix-manager-webapp.patch
 0019-add-distribution-to-error-page.patch
 0021-dont-test-unsupported-ciphers.patch
+CVE-2017-5664.patch

--- End Message ---
--- Begin Message ---
Control: tags -1 - moreinfo

Hi

On Sat, Jun 17, 2017 at 05:55:51PM +0100, Adam D. Barratt wrote:
> retitle 864630 stretch-pu: package tomcat8
> user release.debian.org@packages.debian.org
> usertags 864630 = pu
> tags 864630 + stretch moreinfo
> thanks
> 
> On Sun, 2017-06-11 at 22:59 +0200, Emmanuel Bourg wrote:
> > Please unblock package tomcat8; version 8.5.14-2 contains a fix
> > for CVE-2017-5664 (#864447).
> 
> Unfortunately this didn't get picked up before the release.
> 
> Turning it into a proto-pu request for now, and CCing the Security Team
> to see how they'd like to handle the update in stretch.

This has been released with DSA 3891-1.

Regards,
Salvatore

--- End Message ---
