Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10

tomcat7 in oneiric is vulnerable to the following CVEs:

CVE-2011-3375
CVE-2011-3376
CVE-2011-4858
CVE-2012-0022
CVE-2012-2733
CVE-2012-3546
CVE-2012-4431
CVE-2012-4534
CVE-2012-5568
CVE-2012-5885
CVE-2012-5886
CVE-2012-5887

See the CVE tracker for more information:
http://people.canonical.com/~ubuntu-security/cve/pkg/tomcat7.html

Do you think you could prepare a debdiff that fixes all those issues, instead of just the single one?

Thanks!

Yeah, I will look that I can prepare one debdiff with all the fixes.

Unsubscribing ubuntu-security-sponsors for now, please re-subscribe when a new debdiff is available. Thanks!

Here is an updated debdiff with all the fixes.

Please note: CVE-2011-4858 is resolved through patch for CVE-2012-0022. CVE-2012-5568 is seen as a non-issue for tomcat (see http://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat)

Is the formating of the changelog okay like this?

From CVE-2012-2733 on Precise is affected too. Should I create a new bug for it or add a future debdiff here?
As well some CVEs affect as well tomcat6. Same question: new bug or add here?

Just to make it easier, please add any extra CVEs for tomcat7 to this bug and create a separate bug for tomcat6. I'll adjust the summary and description.

As for CVE-2012-2733, there is no upstream fix that I am aware of, so feel free to skip it (unless you find a patch for it-- if so, please let us know :).

Unsubscribing ubuntu-security-sponsors for now-- please resubscribe when you resubmit. Thanks again for your work on this! :)

Jamie,

Thanks for the info. There is a fix for CVE-2012-2733 for tomcat7 from upstream (see http://svn.apache.org/viewvc?view=revision&revision=1350301).

Did you see the new debdiff for oneiric in comment #5? All the fixes for the CVEs I am aware of should be in it (as well CVE-2012-2733). Please let me know if the changelog is okay like that and of course if there are any other improvements/changes I should make. As soon as that one is approved I will upload the precise debdiff.

Thanks

Oh yes, you are of course right. I was thinking of CVE-2012-5568. Reviewing oneiric now. Thanks!

Thanks for your work on this! I have some comments though:
* the patches have DEP-3 comments (great!) but they point to a web page. I think it would be much better to include that URL in the description, then use an Origin stanza for the commits, and 'Bug: <url to upstream bug>'. If you are backporting patches, you should use 'Origin: backport, <commit url>' and the description should discuss your backporting. This will greatly speed up sponsoring, especially for non-trivial patchsets like this one
* looking at the patch commits most of them seem fine, but could you explain CVE-2012-0022.patch and CVE-2012-3439.patch a bit more?

You also didn't note the testing performed. I recalled that tomcat7 has a testsuite but that it wasn't enabled in the build in Ubuntu 11.10 and 12.04 LTS. After applying your patches, I ran the testsuite and it fails with:
test-compile:
    [mkdir] Created dir: /home/jamie/ubuntu/sbuild/tomcat7/oneiric/fix/tomcat7-7.0.21/output/testclasses
    [javac] Compiling 152 source files to /home/jamie/ubuntu/sbuild/tomcat7/oneiric/fix/tomcat7-7.0.21/output/testclasses
    [javac] /home/jamie/ubuntu/sbuild/tomcat7/oneiric/fix/tomcat7-7.0.21/test/org/apache/catalina/authenticator/TesterDigestAuthenticatorPerformance.java:263: cannot find symbol
    [javac] symbol : method setCnonceCacheSize(int)
    [javac] location: class org.apache.catalina.authenticator.DigestAuthenticator
    [javac] authenticator.setCnonceCacheSize(100);
    [javac] ^
    [javac] Note: Some input files use or override a deprecated API.
    [javac] Note: Recompile with -Xlint:deprecation for details.
    [javac] 1 error

BUILD FAILED

In an effort to make this easier to test going forward, I have created debdiffs for oneiric and precise (attached) that add a 'testsuite' target. In essence, you would:
1. apply your patches
2. as root in a chroot:
# apt-get build-dep tomcat7
# apt-get install junit4 libjstl1.1-java libjakarta-taglibs-standard-java
3. as a normal user in the same chroot:
$ debian/rules testsuite

See debian/README.source in my attached debdiff for details (and a known testsuite failure).

NAK until the testsuite failures are addressed. As per our sponsoring procedures, I am assigning you to the bug and unsubscribing ubuntu-security-sponsors. Please resubscribe when you have updated debdiffs that pass the testsuite. Thanks again for your work on this!

When you submit your new debdiffs, please include my testsuite additions for future use (the testsuite is enabled in the build and shouldn't change the build in any way-- it just adds a new target to make testing easier). Thanks!

I see. Thanks for the further comments. I will see that I can fix this and prepare a new debdiff.

I updated the DEP-3 comments according to your input. I hope it's easier now to understand the patches I made. For some patches I didn't find the according upstream bugs so I left them out. As far as I see is the Bug-field optional.

The testsuite additions are now included. I got one error (failure in TestAsyncContextImpl) when I run the tests. However I could not determine the error to any changes of my patch. I ran the tests in a VM and wondering if that might cause the problem.

Let me know if there are some further problems. Thanks.

Thanks for the updated debdiff. Unfortunately, I am also getting the following additional test suite failure:

output/build/logs/TEST-org.apache.catalina.core.TestAsyncContextImpl.BIO.txt:
Tests run: 32, Failures: 1, Errors: 0, Time elapsed: 75.853 sec

This definitely needs to be tracked down before we can ACK the debdiff and upload it to Oneiric to make sure we do not regress our users.

I am unsubscribing ubuntu-security-sponsors for now. Please re-subscribe the group once the regression has been tracked down and a corrected debdiff has been attached.

Thanks.

Finally the tests run without any errors. I hope everything is okay now with the patch. Thanks for your patience anyway.

Thanks for reworking this. This is quite the patch set! :)

I can confirm that it run the testsuite with no added failures or errors. Comparing the buildlogs also looks good. In reviewing these:
CVE-2011-3375.patch - ACK
CVE-2011-3376.patch - ACK
CVE-2012-0022.patch - ACK (had some whitespace changes, but ok)
CVE-2012-2733.patch - ACK
CVE-2012-3439.patch - not all commits are mentioned in the patch
CVE-2012-3546.patch - ACK
CVE-2012-4431.patch - ACK
CVE-2012-4534.patch - ACK

Can you comment more on CVE-2012-3439.patch? I compared it to upstream's http://svn.apache.org/viewvc?view=rev&rev=1377807 as per your DEP-3 comments, but there were quite a few changes. You mentioned that you "Cherrypicked changes in TesterDigestAuthenticatorPerformance.java to adapt to the changes made in the other files since test cases for 7.0.30 are completely different to the one in 7.0.21", which is fine, but those cherrypicked commits should also be listed.

Thanks for all your hard work on this. We're close! :)

Unsubscribing ubuntu-security-sponsors for now. Please resubscribe after commenting/resbumitting.

I rewrote the description on CVE-2012-3439.patch and fixed the whitespace changes in CVE-2012-0022.patch as far as I saw them.

CVE-2012-3439 gave me quite some headache since the testcases upstream changed already before a lot and it was hard to adopt to the oneiric version. Either I would have to try to backport all the changes from upstream which might mean to change more or less the whole TesterDigestAuthenticatorPerformance.java and cause some further errors because of some changes done somewhere else. Or I leave the testcases as they are and just adopt the needed changes made in the methods in DigestAuthenticator.java.
I went with the second option since the actual security bug was patched in DigestAuthenticator.java. This let me omit the inclusion of ConcurrentMessageDigest.java since this class is just used in the updated testcases. I think it was the rigth decision but let me know if you think different.

This just as an additional information to the DEP-3 description in CVE-2012-3439.patch.

Thanks Christian.

I updated the timestamp in the changelog, otherwise looked good to me.

Thanks, this was a beast.

This bug was fixed in the package tomcat7 - 7.0.21-1ubuntu0.1

---------------
tomcat7 (7.0.21-1ubuntu0.1) oneiric-security; urgency=low

  [Christian Kuersteiner]
  * SECURITY UPDATE: Fix multiple vulnerabilities in Tomcat7
    (LP: #1115053)
    - debian/patches/CVE-2012-0022.patch: Fix for Denial of service. Based on
      upstream patch.
    - CVE-2012-0022, CVE-2011-4858
    - debian/patches/CVE-2011-3375.patch: Fix for information disclosure. Based
      on upstream patch.
    - CVE-2011-3375
    - debian/patches/CVE-2011-3376.patch: Fix for privilege escalation. Based on
      upstream patch.
    - CVE-2011-3376
    - debian/patches/CVE-2012-2733.patch: Fix for Apache Tomcat Denial of
      Service. Based on upstream patch.
    - CVE-2012-2733
    - debian/patches/CVE-2012-3546.patch: Fix for bypass of security
      constraints. Based on upstream patch.
    - CVE-2012-3546
    - debian/patches/CVE-2012-4431.patch: Fix for bypass of CSRF prevention
      filter. Based on upstream patch.
    - CVE-2012-4431
    - debian/patches/CVE-2012-4534.patch: Fix for CVE-2012-4534 Denial of
      Service Vulnerability. Based on upstream patch.
    - CVE-2012-4534
    - debian/patches/CVE-2012-3439.patch: Fix for DIGEST authentication
      weaknesses. Based on upstream patch.
    - CVE-2012-3439, CVE-2012-5885, CVE-2012-5886, 2012-5887

  [ Jamie Strandboge ]
  * allow for easily running the testsuite:
    - debian/control: add testsuite build-depends
    - debian/rules:
      + add 'testsuite' target
      + add ANT_TS_ARGS for use in the testsuite target
      + cleanup the testsuite
    - add debian/README.source for information on how to use the testsuite
 -- Christian Kuersteiner <email address hidden> Fri, 15 Mar 2013 15:40:27 -0700

Unsubscribing ubuntu-security-sponsors for now. Please resubscribe after a precise debdiff has been attached. Thanks!

This is the precise patch. Hopefully it goes smoother this time ;)

Note that I got certificate errors when I run the testsuite (in TestClientCert.BIO.txt, TestClientCert.NIO.txt, TestCustomSSL.BIO.txt, TestCustomSSL.NIO.txt, TestSSL.BIO.txt and TestSSL.NIO.txt). However I got the exact same errors/failures already before my changes applied.

Thanks for your debdiff for Ubuntu 12.04. I verified it against upstream and it looks good. The build log looks fine and after several runs through the testsuite, I've noted the intermittent tests in QRT (this took a while and was a bit frustrating). Uploading to the security PPA now. While publish when it is done building.

This bug was fixed in the package tomcat7 - 7.0.26-1ubuntu1.2

---------------
tomcat7 (7.0.26-1ubuntu1.2) precise-security; urgency=low

  [Christian Kuersteiner]
  * SECURITY UPDATE: Fix multiple vulnerabilities in Tomcat7
    (LP: #1115053)
    - debian/patches/0013-CVE-2012-2733.patch: Fix for Apache Tomcat Denial of
      Service. Based on upstream patch.
    - CVE-2012-2733
    - debian/patches/0014-CVE-2012-3546.patch: Fix for bypass of security
      constraints. Based on upstream patch.
    - CVE-2012-3546
    - debian/patches/0015-CVE-2012-4431.patch: Fix for bypass of CSRF prevention
      filter. Based on upstream patch.
    - CVE-2012-4431
    - debian/patches/0016-CVE-2012-4534.patch: Fix for CVE-2012-4534 Denial of
      Service Vulnerability. Based on upstream patch.
    - CVE-2012-4534
    - debian/patches/CVE-2012-3439.patch: Fix for DIGEST authentication
      weaknesses. Based on upstream patch.
    - CVE-2012-3439, CVE-2012-5885, CVE-2012-5886, 2012-5887

  [ Jamie Strandboge ]
  * allow for easily running the testsuite:
    - debian/control: add testsuite build-depends
    - debian/rules:
      + add 'testsuite' target
      + add ANT_TS_ARGS for use in the testsuite target
      + cleanup the testsuite
    - add debian/README.source for information on how to use the testsuite
 -- Christian Kuersteiner <email address hidden> Tue, 19 Mar 2013 14:48:19 +0100

Jamie,

There seems to be a problem with the updated package.

See https://plus.google.com/112659624466139657672/posts/cMaEhQbcdGL

I guess the precise package cause the problem. Was there anything added regarding startup?

There was nothing added to the package regarding startup. The user reports after using update-rc.d to manage when tomcat7 would start, when upgrading, they are added back. Note that the update-rc.d manpage states: "Please note that this program was designed for use in package maintainer scripts and, accordingly, has only the very limited functionality required by such scripts. System administrators are not encouraged to use update-rc.d to manage runlevels." This is arguably a problem in the tomcat7 packaging, not a problem with this security update. Looking at /var/lib/dpkg/info/tomcat7.postinst, dh_installinit will unconditionally add the files back. Often, server software is packaged such that the initscript will honor /etc/default/.... /etc/default/tomcat7 does exist, but there is no setting in there to short circuit startup.

As I understand the current tomcat7 packaging after looking at it for a few minutes, rather than using update-rc.d, the user should either edit settings in /etc/tomcat7 or add an 'exit 0' to /etc/init.d/tomcat7 if tomcat7 should be installed but not started.

One could also adjust the scripts to stop. Again, from the man page:
       A common system administration error is to delete the links with the
       thought that this will "disable" the service, i.e., that this will
       prevent the service from being started. However, if all links have
       been deleted then the next time the package is upgraded, the package’s
       postinst script will run update-rc.d again and this will reinstall
       links at their factory default locations. The correct way to disable
       services is to configure the service as stopped in all runlevels in
       which it is started by default. In the System V init system this means
       renaming the service’s symbolic links from S to K.