diff -u tomcat5.5-5.5.26/debian/rules tomcat5.5-5.5.26/debian/rules
--- tomcat5.5-5.5.26/debian/rules
+++ tomcat5.5-5.5.26/debian/rules
@@ -2,7 +2,7 @@
 SHELL = /bin/bash
-JAVA_HOME := /usr/lib/jvm/java-gcj
+JAVA_HOME := /usr/lib/jvm/default-java
 DEB_JARS_BASE := /usr/share/java
 JAVACMD := $(JAVA_HOME)/bin/java
@@ -55,7 +55,7 @@
 dh_installchangelogs
 dh_installdocs
 dh_installexamples
- dh_installinit -- defaults 90 10
+ dh_installinit -- start 90 2 3 4 5 . stop 10 1 .
 dh_installcron --name=tomcat55
 # Prune files that should not be installed at all.
 rm -f build/dist/bin/{*.bat,commons-*.jar}
diff -u tomcat5.5-5.5.26/debian/control tomcat5.5-5.5.26/debian/control
--- tomcat5.5-5.5.26/debian/control
+++ tomcat5.5-5.5.26/debian/control
@@ -1,10 +1,11 @@
 Source: tomcat5.5
 Section: web
 Priority: optional
-Maintainer: Debian Java Maintainers
+Maintainer: Ubuntu MOTU Developers
+XSBC-Original-Maintainer: Debian Java Maintainers
 Uploaders: Arnaud Vandyck , Marcus Better , Michael Koch
 Build-Depends: debhelper (>= 5.0.0)
-Build-Depends-Indep: java-gcj-compat-dev, ant, ant-optional, libcommons-beanutils-java, libcommons-daemon-java, libcommons-digester-java, libcommons-el-java, libcommons-fileupload-java, libcommons-httpclient-java, libcommons-launcher-java, libcommons-logging-java, libcommons-modeler-java (>= 2.0), liblog4j1.2-java, libmx4j-java, libstruts1.2-java, libxerces2-java, libxalan2-java, junit, unzip, libgnumail-java
+Build-Depends-Indep: default-jdk, libecj-java, ant, ant-optional, libcommons-beanutils-java, libcommons-daemon-java, libcommons-digester-java, libcommons-el-java, libcommons-fileupload-java, libcommons-httpclient-java, libcommons-launcher-java, libcommons-logging-java, libcommons-modeler-java (>= 2.0), liblog4j1.2-java, libmx4j-java, libstruts1.2-java, libxerces2-java, libxalan2-java, junit, unzip, libgnumail-java
 Standards-Version: 3.7.3
 Homepage: http://tomcat.apache.org
 Vcs-Svn: svn://svn.debian.org/pkg-java/trunk/tomcat5.5
@@ -12,8 +13,8 @@
 Package: tomcat5.5
 Architecture: all
-Depends: java-gcj-compat-dev (>= 1.0.30-5) | java2-runtime, libtomcat5.5-java (>= ${source:Version}), adduser (>= 3.34), libecj-java, jsvc (>= 1.0.2~svn20061127-6)
-Suggests: java-virtual-machine, libapache2-mod-jk, tomcat5.5-webapps (>= ${source:Version}), tomcat5.5-admin (>= ${source:Version})
+Depends: libtomcat5.5-java (>= ${source:Version}), adduser (>= 3.34), jsvc (>= 1.0.2~svn20061127-6)
+Suggests: libapache2-mod-jk, tomcat5.5-webapps (>= ${source:Version}), tomcat5.5-admin (>= ${source:Version})
 Conflicts: tomcat5.5-admin (<= 5.5.20-5)
 Description: Servlet and JSP engine
 Apache Tomcat is the reference implementation for the Java Servlet
@@ -25,7 +26,7 @@
 Package: libtomcat5.5-java
 Architecture: all
-Depends: libxerces2-java, libservlet2.4-java, libcommons-el-java, ant, libcommons-launcher-java, libcommons-logging-java, libcommons-modeler-java (>= 2.0), libmx4j-java, libcommons-collections3-java, libcommons-dbcp-java, libcommons-pool-java
+Depends: default-jre-headless | java2-runtime-headless, libecj-java, libxerces2-java, libservlet2.4-java, libcommons-el-java, ant, libcommons-launcher-java, libcommons-logging-java, libcommons-modeler-java (>= 2.0), libmx4j-java, libcommons-collections3-java, libcommons-dbcp-java, libcommons-pool-java
 Suggests: tomcat5.5
 Description: Java Servlet engine -- core libraries
 Apache Tomcat is the reference implementation for the Java Servlet
diff -u tomcat5.5-5.5.26/debian/tomcat5.5.postinst tomcat5.5-5.5.26/debian/tomcat5.5.postinst
--- tomcat5.5-5.5.26/debian/tomcat5.5.postinst
+++ tomcat5.5-5.5.26/debian/tomcat5.5.postinst
@@ -25,7 +25,6 @@
 chmod -R 770 /etc/tomcat5.5
 chmod 750 /var/log/tomcat5.5 /etc/tomcat5.5
 chmod 700 /var/cache/tomcat5.5
- ln -sf /etc/tomcat5.5 /var/lib/tomcat5.5/conf
 # Moving conffiles.
 if dpkg --compare-versions "$2" le "5.5.25-4"; then
diff -u tomcat5.5-5.5.26/debian/changelog tomcat5.5-5.5.26/debian/changelog
--- tomcat5.5-5.5.26/debian/changelog
+++ tomcat5.5-5.5.26/debian/changelog
@@ -1,3 +1,20 @@
+tomcat5.5 (5.5.26-3ubuntu1) intrepid; urgency=low
+
+ * Fix tomcat5.5 Java environment to match status of Java in intrepid:
+ - control: Moved Java runtime deps to libtomcat5.5-java
+ - control: Depends on default-jre-headless | java2-runtime-headless
+ - tomcat5.5.init: Fix JVM list to match java2-runtime-headless
+ - rules, control: Builds with default-jdk, libecj-java build-dep added
+ - Fixes LP: #212521, LP: #179447
+ * tomcat5.5.postinst: Removed superfluous /etc/tomcat5.5/tomcat5.5 linking
+ * rules, tomcat5.5.init: implement TearDown spec
+ * tomcat5.5.install: don't install catalina.policy (LP: #112626)
+ * Fix CVE-2008-1232 cross-site scripting vulnerability (LP: #256926)
+ * Fix CVE-2008-2370 information disclosure vulnerability (LP: #256922)
+ * Fix CVE-2008-2938 directory traversal (LP: #256802)
+
+ -- Thierry Carrez Wed, 10 Sep 2008 12:00:09 +0200
+
 tomcat5.5 (5.5.26-3) unstable; urgency=high
 * CVE-2008-1947: Fix XSS issue in host-manager web application.
diff -u tomcat5.5-5.5.26/debian/tomcat5.5.init tomcat5.5-5.5.26/debian/tomcat5.5.init
--- tomcat5.5-5.5.26/debian/tomcat5.5.init
+++ tomcat5.5-5.5.26/debian/tomcat5.5.init
@@ -13,7 +13,7 @@
 # Should-Start: $named
 # Should-Stop: $named
 # Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
+# Default-Stop: 1
 # Short-Description: Start Tomcat.
 # Description: Start the Tomcat servlet engine.
 ### END INIT INFO
@@ -48,17 +48,12 @@
 # The first existing directory is used for JAVA_HOME (if JAVA_HOME is not
 # defined in $DEFAULT)
-JDK_DIRS="/usr/lib/jvm/java-6-sun /usr/lib/jvm/java-1.5.0-sun /usr/lib/j2sdk1.5-sun /usr/lib/j2sdk1.5-ibm /usr/lib/j2sdk1.4-sun /usr/lib/j2sdk1.4-blackdown /usr/lib/j2se/1.4 /usr/lib/j2sdk1.4-ibm /usr/lib/j2sdk1.3-sun /usr/lib/j2sdk1.3-blackdown /usr/lib/jvm/java-gcj /usr/lib/kaffe"
+JDK_DIRS="/usr/lib/jvm/default-java /usr/lib/jvm/java-6-openjdk /usr/lib/jvm/java-6-cacao /usr/lib/jvm/java-6-sun /usr/lib/jvm/java-1.5.0-sun /usr/lib/jvm/java-gcj"
 # Look for the right JVM to use
 for jdir in $JDK_DIRS; do
 if [ -r "$jdir/bin/java" -a -z "${JAVA_HOME}" ]; then
- JAVA_HOME_TMP="$jdir"
- # checks for a real JDK like environment, needed to check if
- # really the java-gcj-compat-dev package is installed
- if [ -r "$jdir/bin/jdb" ]; then
- JAVA_HOME="$JAVA_HOME_TMP"
- fi
+ JAVA_HOME="$jdir"
 fi
 done
 export JAVA_HOME
diff -u tomcat5.5-5.5.26/debian/tomcat5.5.install tomcat5.5-5.5.26/debian/tomcat5.5.install
--- tomcat5.5-5.5.26/debian/tomcat5.5.install
+++ tomcat5.5-5.5.26/debian/tomcat5.5.install
@@ -3,7 +3,6 @@
 build/dist/conf/logging.properties /etc/tomcat5.5/
 build/dist/conf/catalina.properties /etc/tomcat5.5/
 build/dist/conf/server-minimal.xml /etc/tomcat5.5/
-build/dist/conf/catalina.policy /etc/tomcat5.5/
 build/dist/conf/tomcat-users.xml /etc/tomcat5.5/
 build/dist/conf/context.xml /etc/tomcat5.5/
 build/dist/conf/web.xml /etc/tomcat5.5/
only in patch2:
unchanged:
--- tomcat5.5-5.5.26.orig/connectors/http11/src/java/org/apache/coyote/http11/InternalAprOutputBuffer.java
+++ tomcat5.5-5.5.26/connectors/http11/src/java/org/apache/coyote/http11/InternalAprOutputBuffer.java
@@ -429,11 +429,14 @@
 buf[pos++] = Constants.SP;
 // Write message
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
 if (message == null) {
 write(HttpMessages.getMessage(status));
 } else {
- write(message);
+ write(message.replace('\n', ' ').replace('\r', ' '));
 }
 // End the response status line
only in patch2:
unchanged:
--- tomcat5.5-5.5.26.orig/connectors/http11/src/java/org/apache/coyote/http11/InternalOutputBuffer.java
+++ tomcat5.5-5.5.26/connectors/http11/src/java/org/apache/coyote/http11/InternalOutputBuffer.java
@@ -448,11 +448,14 @@
 buf[pos++] = Constants.SP;
 // Write message
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
 if (message == null) {
 write(getMessage(status));
 } else {
- write(message);
+ write(message.replace('\n', ' ').replace('\r', ' '));
 }
 // End the response status line
only in patch2:
unchanged:
--- tomcat5.5-5.5.26.orig/connectors/jk/java/org/apache/jk/common/JkInputStream.java
+++ tomcat5.5-5.5.26/connectors/jk/java/org/apache/jk/common/JkInputStream.java
@@ -279,7 +279,10 @@
 outputMsg.appendByte(AjpConstants.JK_AJP13_SEND_HEADERS);
 outputMsg.appendInt( res.getStatus() );
- String message=res.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = res.getMessage();
+ }
 if( message==null ){
 message= HttpMessages.getMessage(res.getStatus());
 } else {
only in patch2:
unchanged:
--- tomcat5.5-5.5.26.orig/connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java
+++ tomcat5.5-5.5.26/connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java
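Review bot: The CR/LF replacement `message.replace('\n', ' ').replace('\r', ' ')` is written inline in the InternalAprOutputBuffer hunk and repeated verbatim in the InternalOutputBuffer hunk, so the two HTTP connectors can drift apart the next time the reason-phrase filtering is changed. One shared helper called from both `write(...)` sites would keep them identical, and it is the natural place to decide whether other control characters need the same treatment; whether `write` already filters them is not visible in these hunks. A comment above the flag test, for example `// Reason phrase can carry application-supplied text; use the standard message unless explicitly enabled`, would record why the custom message is now off by default. The enclosing methods start and end outside both hunks.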
@@ -942,7 +942,10 @@
 // HTTP header contents
 responseHeaderMessage.appendInt(response.getStatus());
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
 if (message == null){
 message = HttpMessages.getMessage(response.getStatus());
 } else {
only in patch2:
unchanged:
--- tomcat5.5-5.5.26.orig/connectors/coyote/src/java/org/apache/coyote/Constants.java
+++ tomcat5.5-5.5.26/connectors/coyote/src/java/org/apache/coyote/Constants.java
@@ -53,4 +53,12 @@
 public static final int STAGE_ENDED = 7;
+ /**
+ * If true, custom HTTP status messages will be used in headers.
+ */
+ public static final boolean USE_CUSTOM_STATUS_MSG_IN_HEADER =
+ Boolean.valueOf(System.getProperty(
+ "org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER",
+ "false")).booleanValue();
+
 }
only in patch2:
unchanged:
--- tomcat5.5-5.5.26.orig/connectors/coyote/src/java/org/apache/coyote/tomcat4/CoyoteAdapter.java
+++ tomcat5.5-5.5.26/connectors/coyote/src/java/org/apache/coyote/tomcat4/CoyoteAdapter.java
@@ -264,6 +264,13 @@
 }
 }
+ // Check that the URI is still normalized
+ if (!checkNormalize(req.decodedURI())) {
+ res.setStatus(400);
+ res.setMessage("Invalid URI character encoding");
+ throw new IOException("Invalid URI character encoding");
+ }
+
 // Parse cookies
 parseCookies(req, request);
@@ -654,6 +661,67 @@
 }
+ /**
+ * Check that the URI is normalized following character decoding.
+ *
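Review bot: The Javadoc on `USE_CUSTOM_STATUS_MSG_IN_HEADER` in the Constants.java hunk does not say that the default is `false`, that the value is read once from the system property when the class is initialised, or that enabling it puts application-supplied text back into the response status line. I would extend the comment with something like `* Defaults to false; read once at class initialisation from the system property of the same name.` plus a sentence on the header-content risk, since this flag is the only thing an operator sees of the fix. As a style point, `Boolean.getBoolean("org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER")` expresses the same lookup in a single call.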

+ * This method checks for "\", 0, "//", "/./" and "/../". This method will
+ * return false if sequences that are supposed to be normalized are still
+ * present in the URI.
+ *
+ * @param uriMB URI to be checked (should be chars)
+ */
+ public static boolean checkNormalize(MessageBytes uriMB) {
+
+ CharChunk uriCC = uriMB.getCharChunk();
+ char[] c = uriCC.getChars();
+ int start = uriCC.getStart();
+ int end = uriCC.getEnd();
+
+ int pos = 0;
+
+ // Check for '\' and 0
+ for (pos = start; pos < end; pos++) {
+ if (c[pos] == '\\') {
+ return false;
+ }
+ if (c[pos] == 0) {
+ return false;
+ }
+ }
+
+ // Check for "//"
+ for (pos = start; pos < (end - 1); pos++) {
+ if (c[pos] == '/') {
+ if (c[pos + 1] == '/') {
+ return false;
+ }
+ }
+ }
+
+ // Check for ending with "/." or "/.."
+ if (((end - start) >= 2) && (c[end - 1] == '.')) {
+ if ((c[end - 2] == '/')
+ || ((c[end - 2] == '.')
+ && (c[end - 3] == '/'))) {
+ return false;
+ }
+ }
+
+ // Check for "/./"
+ if (uriCC.indexOf("/./", 0, 3, 0) >= 0) {
+ return false;
+ }
+
+ // Check for "/../"
+ if (uriCC.indexOf("/../", 0, 4, 0) >= 0) {
+ return false;
+ }
+
+ return true;
+
+ }
+
+
 // ------------------------------------------------------ Protected Methods
only in patch2:
unchanged:
--- tomcat5.5-5.5.26.orig/container/catalina/src/share/org/apache/catalina/core/ApplicationContext.java
+++ tomcat5.5-5.5.26/container/catalina/src/share/org/apache/catalina/core/ApplicationContext.java
@@ -379,10 +379,21 @@
 throw new IllegalArgumentException
 (sm.getString
 ("applicationContext.requestDispatcher.iae", path));
+
+ // Get query string
+ String queryString = null;
+ int pos = path.indexOf('?');
+ if (pos >= 0) {
+ queryString = path.substring(pos + 1);
+ path = path.substring(0, pos);
+ }
+
 path = normalize(path);
 if (path == null)
 return (null);
+ pos = path.length();
+
 // Retrieve the thread local URI
 MessageBytes uriMB = (MessageBytes) localUriMB.get();
 if (uriMB == null) {
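Review bot: `checkNormalize` reads `c[end - 3]` under a guard that only guarantees two characters: with `(end - start) >= 2`, a chunk holding exactly `..` satisfies `c[end - 2] == '.'` and then indexes one position before `start`, which throws when `start` is 0 and otherwise compares against a char that is not part of the URI. The decoded URI passed from the call site in the first CoyoteAdapter hunk presumably begins with `/`, which would hide this, but the method is `public static` and should not depend on that. The inner test should require the third character, e.g. `|| (((end - start) >= 3) && (c[end - 2] == '.') && (c[end - 3] == '/'))`. The Javadoc also has no `@return` line stating that `false` means the URI must be rejected.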
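Review bot: Nothing in the added ApplicationContext block says why the query string has to be cut off before `normalize(path)` runs, and that ordering is the substance of the change, so a later tidy-up could move the block back below the normalisation. A comment on the first added line such as `// Strip the query string before normalizing so that ".." in a parameter is never treated as part of the path` would pin the intent down. `pos` is also reused with two meanings (index of `?`, then `path.length()`), which deserves a short comment at `pos = path.length();` because its consumer is further down, outside this hunk.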
@@ -394,15 +405,6 @@
 uriMB.recycle();
 }
- // Get query string
- String queryString = null;
- int pos = path.indexOf('?');
- if (pos >= 0) {
- queryString = path.substring(pos + 1);
- } else {
- pos = path.length();
- }
-
 // Retrieve the thread local mapping data
 MappingData mappingData = (MappingData) localMappingData.get();
 if (mappingData == null) {
only in patch2:
unchanged:
--- tomcat5.5-5.5.26.orig/container/catalina/src/share/org/apache/catalina/core/StandardContextValve.java
+++ tomcat5.5-5.5.26/container/catalina/src/share/org/apache/catalina/core/StandardContextValve.java
@@ -119,8 +119,7 @@
 || (requestPathMB.equalsIgnoreCase("/META-INF"))
 || (requestPathMB.startsWithIgnoreCase("/WEB-INF/", 0))
 || (requestPathMB.equalsIgnoreCase("/WEB-INF"))) {
- String requestURI = request.getDecodedRequestURI();
- notFound(requestURI, response);
+ notFound(response);
 return;
 }
@@ -136,8 +135,7 @@
 // Select the Wrapper to be used for this Request
 Wrapper wrapper = request.getWrapper();
 if (wrapper == null) {
- String requestURI = request.getDecodedRequestURI();
- notFound(requestURI, response);
+ notFound(response);
 return;
 }
@@ -206,13 +204,12 @@
 * application, but currently that code runs at the wrapper level rather
 * than the context level.
 *
- * @param requestURI The request URI for the requested resource
 * @param response The response we are creating
 */
- private void notFound(String requestURI, HttpServletResponse response) {
+ private void notFound(HttpServletResponse response) {
 try {
- response.sendError(HttpServletResponse.SC_NOT_FOUND, requestURI);
+ response.sendError(HttpServletResponse.SC_NOT_FOUND);
 } catch (IllegalStateException e) {
 ;
 } catch (IOException e) {
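Review bot: The Javadoc for `notFound` in the last StandardContextValve hunk loses its `@param requestURI` line but gains no explanation of why the 404 is now sent without a message, so a later reader may pass the URI back in to make the error page friendlier. A sentence such as `The request URI is deliberately not passed to sendError so that request-controlled text is not echoed in the error response.` would document the intent. The two call sites changed in the earlier hunks of this file match the new signature; the method's catch blocks continue outside the hunk.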