From 73015d96d27e45ec2146303d7923317ea67ceaa8 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jun 10 2014 12:50:48 +0000 Subject: import tomcat-7.0.42-5.el7_0 --- diff --git a/SOURCES/tomcat-7.0.42-CVE-2013-4286.patch b/SOURCES/tomcat-7.0.42-CVE-2013-4286.patch index 5555cfb..d5b48a0 100644 --- a/SOURCES/tomcat-7.0.42-CVE-2013-4286.patch +++ b/SOURCES/tomcat-7.0.42-CVE-2013-4286.patch @@ -38,8 +38,8 @@ (hId == -1 && tmpMB.equalsIgnoreCase("Content-Type"))) { // just read the content-type header, so set it --- java/org/apache/coyote/http11/AbstractHttp11Processor.java.orig 2014-03-14 17:13:46.514347000 -0400 -+++ java/org/apache/coyote/http11/AbstractHttp11Processor.java 2014-03-14 17:13:46.353345000 -0400 -@@ -1277,10 +1277,20 @@ ++++ java/org/apache/coyote/http11/AbstractHttp11Processor.java 2014-04-16 12:21:12.524505000 -0400 +@@ -1277,10 +1277,30 @@ // Parse content-length header long contentLength = request.getContentLengthLong(); @@ -48,6 +48,10 @@ - (inputFilters[Constants.IDENTITY_FILTER]); - contentDelimitation = true; + if (contentLength >= 0) { ++ if (getLog().isDebugEnabled()) { ++ getLog().debug("ContentLength="+contentLength); ++ getLog().debug(request.toString()); ++ } + if (contentDelimitation) { + // contentDelimitation being true at this point indicates that + // chunked encoding is being used but chunked encoding should @@ -56,10 +60,16 @@ + // so remove it. + headers.removeHeader("content-length"); + request.setContentLength(-1); ++ if (getLog().isDebugEnabled()) { ++ getLog().debug("ContentLength=-1"); ++ } + } else { + getInputBuffer().addActiveFilter + (inputFilters[Constants.IDENTITY_FILTER]); + contentDelimitation = true; ++ if (getLog().isDebugEnabled()) { ++ getLog().debug("ContentDelimitation=true"); ++ } + } } diff --git a/SOURCES/tomcat-7.0.42-CVE-2013-4322.patch b/SOURCES/tomcat-7.0.42-CVE-2013-4322.patch index d814c39..bb3803c 100644 --- a/SOURCES/tomcat-7.0.42-CVE-2013-4322.patch +++ b/SOURCES/tomcat-7.0.42-CVE-2013-4322.patch @@ -130,8 +130,17 @@ processor.setMaxKeepAliveRequests(proto.getMaxKeepAliveRequests()); processor.setKeepAliveTimeout(proto.getKeepAliveTimeout()); --- java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.orig 2014-03-17 16:08:12.213985000 -0400 -+++ java/org/apache/coyote/http11/filters/ChunkedInputFilter.java 2014-03-18 13:13:49.468583000 -0400 -@@ -118,9 +118,29 @@ ++++ java/org/apache/coyote/http11/filters/ChunkedInputFilter.java 2014-04-15 19:51:43.729201000 -0400 +@@ -39,6 +39,8 @@ + */ + public class ChunkedInputFilter implements InputFilter { + ++ private static final org.apache.juli.logging.Log log ++ = org.apache.juli.logging.LogFactory.getLog(ChunkedInputFilter.class); + + // -------------------------------------------------------------- Constants + +@@ -118,9 +120,29 @@ */ private Request request; @@ -162,7 +171,7 @@ } // ---------------------------------------------------- InputBuffer Methods -@@ -250,6 +270,8 @@ +@@ -250,6 +272,8 @@ endChunk = false; needCRLFParse = false; trailingHeaders.recycle(); @@ -171,7 +180,7 @@ } -@@ -299,7 +321,7 @@ +@@ -299,7 +323,7 @@ int result = 0; boolean eol = false; boolean readDigit = false; @@ -180,8 +189,11 @@ while (!eol) { -@@ -311,9 +333,13 @@ +@@ -309,11 +333,17 @@ + } + if (buf[pos] == Constants.CR || buf[pos] == Constants.LF) { ++ log.info("EOL is true"); parseCRLF(false); eol = true; - } else if (buf[pos] == Constants.SEMI_COLON) { @@ -193,20 +205,20 @@ + // These need to be processed as part of parsing the extensions. + extension = true; + extensionSize++; ++ log.info("SEMI_COLON"); + } else if (!extension) { //don't read data after the trailer int charValue = HexUtils.getDec(buf[pos]); if (charValue != -1) { -@@ -325,13 +351,20 @@ +@@ -323,15 +353,22 @@ + } else { + //we shouldn't allow invalid, non hex characters //in the chunked header ++ log.info("Returning false"); return false; } - } - -- // Parsing the CRLF increments pos -- if (!eol) { -- pos++; -- } + } else { + // Extension 'parsing' + // Note that the chunk-extension is neither parsed nor @@ -216,15 +228,15 @@ + throw new IOException("maxExtensionSize exceeded"); + } + } -+ } - -+ // Parsing the CRLF increments pos -+ if (!eol) { -+ pos++; + // Parsing the CRLF increments pos + if (!eol) { + pos++; + } +- } if (!readDigit) -@@ -489,12 +522,17 @@ +@@ -489,12 +526,17 @@ chr = buf[pos]; if ((chr == Constants.SP) || (chr == Constants.HT)) { pos++; diff --git a/SOURCES/tomcat-7.0.42-CVE-2014-0050.patch b/SOURCES/tomcat-7.0.42-CVE-2014-0050.patch index 8ce8a51..522cbd5 100644 --- a/SOURCES/tomcat-7.0.42-CVE-2014-0050.patch +++ b/SOURCES/tomcat-7.0.42-CVE-2014-0050.patch @@ -56,8 +56,8 @@ /** --- java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.orig 2014-03-17 18:30:01.512626000 -0400 -+++ java/org/apache/tomcat/util/http/fileupload/MultipartStream.java 2014-03-17 18:41:15.868033000 -0400 -@@ -278,8 +278,7 @@ ++++ java/org/apache/tomcat/util/http/fileupload/MultipartStream.java 2014-04-16 13:23:35.983099000 -0400 +@@ -278,10 +278,9 @@ * @param pNotifier The notifier, which is used for calling the * progress listener, if any. * @@ -65,8 +65,11 @@ - * MultipartStream.ProgressNotifier) + * @throws IllegalArgumentException If the buffer size is too small */ - MultipartStream(InputStream input, +- MultipartStream(InputStream input, ++ public MultipartStream(InputStream input, byte[] boundary, + int bufSize, + ProgressNotifier pNotifier) { @@ -292,8 +291,12 @@ // We prepend CR/LF to the boundary to chop trailing CR/LF from diff --git a/SPECS/tomcat.spec b/SPECS/tomcat.spec index 18db988..e20b68b 100644 --- a/SPECS/tomcat.spec +++ b/SPECS/tomcat.spec @@ -54,7 +54,7 @@ Name: tomcat Epoch: 0 Version: %{major_version}.%{minor_version}.%{micro_version} -Release: 4%{?dist} +Release: 5%{?dist} Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API Group: System Environment/Daemons @@ -688,6 +688,12 @@ fi %changelog +* Wed Apr 16 2014 David Knox - 0:7.0.42-5 +- Related: CVE-2013-4286 +- Related: CVE-2013-4322 +- Related: CVE-2014-0050 +- revisit patches for above. + * Thu Mar 20 2014 David Knox - 0:7.0.42-4 - Related: rhbz#1056696 correct packaging for sbin tomcat