Multiple open vulnerabilities in tomcat6 in quantal

Bug #1166649 reported by Christian Kuersteiner on 2013-04-09
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tomcat6 (Ubuntu)
Undecided
Unassigned
Quantal
Undecided
Unassigned
Saucy
Undecided
Unassigned

Bug Description

Tomcat6 on quantal and raring include multiple vulnerabilities.

See http://people.canonical.com/~ubuntu-security/cve/pkg/tomcat6.html

I prepared a patch but want to test it first. Is there a testsuite available in tomcat6 and is it enabled?

information type: Private Security → Public Security
Jamie Strandboge (jdstrand) wrote :

There seems to be, yes. I see a test/ directory and references to junit. In theory, should be able to update the packaging like we did with tomcat7. You might want to discuss with with jamespage in #ubuntu-server as ISTR he looked at the testsuite at one point (I'm not sure about that though).

Changed in tomcat6 (Ubuntu):
status: New → Triaged

Sitting too long on this patch for quantal and could not really enable the testsuite I thought I just drop it here. Even with some hints from jamespage I could not run the built in tests and didn't really had enough time to look further in it.
The changes are all done as in upstream and it builds and installs fine. Didn't see any problems from basic testing.

Jamie Strandboge (jdstrand) wrote :

Thanks for the debdiff!

Since Marc just updated precise, I compared your patches to his and noticed a few things:
 * 0016-CVE-2012-3439.patch should be renamed 0013-CVE-2012-588x.patch since CVE-2012-3439 was split out into CVE-2012-5885, CVE-2012-5886 and CVE-2012-5887 (as mentioned in the changelog)
 * 0016-CVE-2012-3439.patch had some additional whitespace changes not in the upstream patch
 * 0016-CVE-2012-3439.patch does not match the changes in http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java?r1=1380829&r2=1380828&pathrev=1380829. Specifically, your patch retains 'this.' in this chunk, but it should not (ie, you use !this.opaque.equals):
@@ -587,7 +623,7 @@
             }

             // Validate the opaque string
- if (!this.opaque.equals(opaque)) {
+ if (!opaque.equals(opaqueReceived)) {
                 return false;
             }
 * 0014-CVE-2012-4431.patch has additional whitespace changes
 * 0015-CVE-2012-4534.patch has additional whitespace and typo changes
 * debian/changelog is not formatted in the normal manner, with one stanza per CVE

It seems like you might have applied the patches by hand. If so, I encourage you to use the 'patch' utility. At this point, since there are now additional fixes, I think I am going to pull Marc's new patches and where the patches differ, update the changelog, run through QRT and publish. Thanks for your work on this!

Changed in tomcat6 (Ubuntu):
status: Triaged → In Progress
Changed in tomcat6 (Ubuntu Quantal):
status: New → In Progress
Changed in tomcat6 (Ubuntu Saucy):
status: In Progress → Fix Released
Jamie Strandboge (jdstrand) wrote :

FYI, this passed QRT/scripts/test-tomcat6.py

Changed in tomcat6 (Ubuntu Quantal):
status: In Progress → Fix Committed
summary: - Multiple open vulnerabilities in tomcat6 in quantal and raring
+ Multiple open vulnerabilities in tomcat6 in quantal
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.35-5ubuntu0.1

---------------
tomcat6 (6.0.35-5ubuntu0.1) quantal-security; urgency=low

  [ Christian Kuersteiner ]
  * SECURITY UPDATE: denial of service via large header data
    - debian/patches/0012-CVE-2012-2733.patch: improve size logic in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2012-2733
    - LP: #1166649
  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: CSRF bypass via request with no session identifier
    - debian/patches/CVE-2012-4431.patch: check for session identifier in
      java/org/apache/catalina/filters/CsrfPreventionFilter.java.
    - CVE-2012-4431
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534

  [ Jamie Strandboge ]
  * SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws
    - debian/patches/0013-CVE-2012-588x.patch: disable caching of an
      authenticated user in the session by default, track server rather
      than client nonces, better handling of stale nonce values in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java.
      Patch from Marc Deslauriers.
    - CVE-2012-3439
    - CVE-2012-5885
    - CVE-2012-5886
    - CVE-2012-5887
  * SECURITY UPDATE: denial of service via chunked transfer encoding
    - debian/patches/CVE-2012-3544.patch: properly parse CRLF in requests
      in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
      Patch from Marc Deslauriers.
    - CVE-2012-3544
  * SECURITY UPDATE: FORM authentication request injection
    - debian/patches/CVE-2013-2067.patch: properly change session ID
      in java/org/apache/catalina/authenticator/FormAuthenticator.java.
      Patch from Marc Deslauriers.
    - CVE-2013-2067
 -- Jamie Strandboge <email address hidden> Tue, 28 May 2013 15:11:06 -0500

Changed in tomcat6 (Ubuntu Quantal):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers