Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package tomcat8; version 8.5.14-2 contains a fix for CVE-2017-5664 (#864447). Thank you, Emmanuel Bourg
diff --git a/debian/changelog b/debian/changelog
index 363623db..9045d407 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+tomcat8 (8.5.14-2) unstable; urgency=high
+
+ * Team upload.
+ * Fixed CVE-2017-5664: Static error pages can be overwritten if the
+ DefaultServlet is configured to permit writes (Closes: #864447)
+
+ -- Emmanuel Bourg <ebo...@apache.org> Thu, 08 Jun 2017 12:28:34 +0200
+
 tomcat8 (8.5.14-1) unstable; urgency=medium
 
 * Team upload.
diff --git a/debian/patches/CVE-2017-5664.patch b/debian/patches/CVE-2017-5664.patch
new file mode 100644
index 00000000..44476c9b
--- /dev/null
+++ b/debian/patches/CVE-2017-5664.patch
@@ -0,0 +1,56 @@
+Description: CVE-2017-5664: Static error pages can be overwritten
+ if the DefaultServlet is configured to permit writes.
+Origin: backport, https://svn.apache.org/r1793469
+ https://svn.apache.org/r1793488
+--- a/java/org/apache/catalina/servlets/DefaultServlet.java
++++ b/java/org/apache/catalina/servlets/DefaultServlet.java
+@@ -407,6 +407,18 @@
+ }
+
+
++ @Override
++ protected void service(HttpServletRequest req, HttpServletResponse resp)
++ throws ServletException, IOException {
++
++ if (req.getDispatcherType() == DispatcherType.ERROR) {
++ doGet(req, resp);
++ } else {
++ super.service(req, resp);
++ }
++ }
++
++
+ /**
+ * Process a GET request for the specified resource.
+ *
+@@ -794,7 +806,7 @@
+ return;
+ }
+
+- boolean isError = response.getStatus() >= HttpServletResponse.SC_BAD_REQUEST;
++ boolean isError = DispatcherType.ERROR == request.getDispatcherType();
+
+ boolean included = false;
+ // Check if the conditions specified in the optional If headers are
+--- a/java/org/apache/catalina/servlets/WebdavServlet.java
++++ b/java/org/apache/catalina/servlets/WebdavServlet.java
+@@ -30,6 +30,7 @@
+ import java.util.TimeZone;
+ import java.util.Vector;
+
++import javax.servlet.DispatcherType;
+ import javax.servlet.RequestDispatcher;
+ import javax.servlet.ServletContext;
+ import javax.servlet.ServletException;
+@@ -315,6 +316,11 @@
+ return;
+ }
+
++ if (req.getDispatcherType() == DispatcherType.ERROR) {
++ doGet(req, resp);
++ return;
++ }
++
+ final String method = req.getMethod();
+
+ if (debug > 0) {
diff --git a/debian/patches/series b/debian/patches/series
index 1b369897..fe0ccaef 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@
 0018-fix-manager-webapp.patch
 0019-add-distribution-to-error-page.patch
 0021-dont-test-unsupported-ciphers.patch
+CVE-2017-5664.patch
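Review bot: The new `service` override in the DefaultServlet hunk and the early return added to WebdavServlet carry no comment explaining why an ERROR dispatch is forced through `doGet`, and the line `boolean isError = DispatcherType.ERROR == request.getDispatcherType();` silently changes the meaning of `isError` from "response status is 4xx/5xx" to "this is an error-page dispatch", which a later maintainer could revert without understanding the consequence. The enclosing methods on both the DefaultServlet `isError` change and the WebdavServlet check start and end outside the hunk, so I cannot see the method signatures, but the WebdavServlet copy presumably exists because WebdavServlet overrides `service` and never reaches the DefaultServlet override. I would add above the override: `// Error pages are always rendered with GET semantics: the method that triggered the error (e.g. PUT or DELETE) must not be applied to the error-page resource itself (CVE-2017-5664)`, and the same sentence at the WebdavServlet check with a note that it is duplicated there because WebdavServlet overrides service(). At the `isError` assignment a one-liner, `// Only a real error-page dispatch counts as an error; a status >= 400 set earlier by a caller does not`, would keep the status-based check from being reintroduced.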