From 0d6b705c2004236057cbf0ca7ce6ae4aef8533a0 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Arkadiusz=20Mi=C5=9Bkiewicz?=
Date: Tue, 19 Jul 2016 15:56:42 +0200
Subject: [PATCH] - up to 7.0.70; add patch that fixes CVE-2016-5388
---
 tomcat-CVE-2016-5388.patch | 12 ++++++++++++
 tomcat-build.patch | 33 +++++++++++++++++++++++++++++++++
 tomcat.spec | 8 ++++++--
 3 files changed, 51 insertions(+), 2 deletions(-)
 create mode 100644 tomcat-CVE-2016-5388.patch
 create mode 100644 tomcat-build.patch
diff --git a/tomcat-CVE-2016-5388.patch b/tomcat-CVE-2016-5388.patch
new file mode 100644
index 0000000..d856006
--- /dev/null
+++ b/tomcat-CVE-2016-5388.patch
@@ -0,0 +1,12 @@
+--- apache-tomcat-7.0.70-src/java/org/apache/catalina/servlets/CGIServlet.java.orig 2016-06-15 18:45:50.000000000 +0200
++++ apache-tomcat-7.0.70-src/java/org/apache/catalina/servlets/CGIServlet.java 2016-07-19 15:35:56.656316104 +0200
+@@ -1107,7 +1107,8 @@ public final class CGIServlet extends Ht
+ //REMIND: change character set
+ //REMIND: I forgot what the previous REMIND means
+ if ("AUTHORIZATION".equalsIgnoreCase(header) ||
+- "PROXY_AUTHORIZATION".equalsIgnoreCase(header)) {
++ "PROXY_AUTHORIZATION".equalsIgnoreCase(header) ||
++ "PROXY".equalsIgnoreCase(header)) {
+ //NOOP per CGI specification section 11.2
+ } else {
+ envp.put("HTTP_" + header.replace('-', '_'),
diff --git a/tomcat-build.patch b/tomcat-build.patch
new file mode 100644
index 0000000..403779e
--- /dev/null
+++ b/tomcat-build.patch
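Review bot: The new `"PROXY".equalsIgnoreCase(header)` arm in the nested CGIServlet hunk sits under the existing `//NOOP per CGI specification section 11.2` comment, which justifies dropping the two authorization headers but says nothing about why Proxy is dropped, so a maintainer reading the patched code later will not see the link to the HTTP_PROXY environment collision. I would add one line beside it: `// Proxy is never forwarded: it would surface as HTTP_PROXY in the CGI environment (CVE-2016-5388)`. This is a one-name denylist; since `replace('-', '_')` only turns hyphens into underscores, Proxy is the only request header that can land on HTTP_PROXY, so the known case is closed, but upstream's own mitigation, as I recall, went further with an allowlist of forwarded request headers (the `envHttpHeaders` init parameter), which is worth picking up when the package moves to a release that carries it. The enclosing CGIServlet method starts and ends outside the hunk.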
@@ -0,0 +1,33 @@
+--- apache-tomcat-7.0.70-src/build.xml~ 2016-07-19 15:43:44.000000000 +0200
++++ apache-tomcat-7.0.70-src/build.xml 2016-07-19 15:48:19.615551746 +0200
+@@ -1836,7 +1836,7 @@ Apache Tomcat ${version} native binaries
+ encoding="ISO-8859-1"
+ docencoding="ISO-8859-1"
+ charset="ISO-8859-1"
+- additionalparam="-breakiterator -notimestamp"
++ additionalparam="-Xdoclint:none -breakiterator -notimestamp"
+ maxmemory="512m"
+ failonerror="true"
+ executable="${java.7.home}/bin/javadoc">
+--- apache-tomcat-7.0.70-src/build.xml~ 2016-07-19 15:48:55.000000000 +0200
++++ apache-tomcat-7.0.70-src/build.xml 2016-07-19 15:52:07.842156930 +0200
+@@ -1857,7 +1857,7 @@ Apache Tomcat ${version} native binaries
+ encoding="ISO-8859-1"
+ docencoding="ISO-8859-1"
+ charset="ISO-8859-1"
+- additionalparam="-breakiterator -notimestamp"
++ additionalparam="-Xdoclint:none -breakiterator -notimestamp"
+ maxmemory="512m"
+ failonerror="true"
+ executable="${java.7.home}/bin/javadoc">
+--- apache-tomcat-7.0.70-src/build.xml~ 2016-07-19 15:52:27.000000000 +0200
++++ apache-tomcat-7.0.70-src/build.xml 2016-07-19 15:53:28.337957151 +0200
+@@ -1919,7 +1919,7 @@ Apache Tomcat ${version} native binaries
+ encoding="ISO-8859-1"
+ docencoding="ISO-8859-1"
+ charset="ISO-8859-1"
+- additionalparam="-breakiterator -notimestamp"
++ additionalparam="-Xdoclint:none -breakiterator -notimestamp"
+ maxmemory="512m"
+ failonerror="true"
+ executable="${java.7.home}/bin/javadoc">
diff --git a/tomcat.spec b/tomcat.spec
index fd824c6..40284e7 100644
--- a/tomcat.spec
+++ b/tomcat.spec
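Review bot: `-Xdoclint:none` is a JDK 8+ javadoc option, yet each of the three patched `<javadoc>` tasks keeps `executable="${java.7.home}/bin/javadoc"` together with `failonerror="true"`; if `java.7.home` still resolves to a real JDK 7 on any builder, javadoc rejects the flag and the build aborts, so the patch presumably relies on that property being pointed at a JDK 8 elsewhere in the spec or build.properties. A comment in the patch header stating that assumption would save the next packager a failed build. Style-wise, the file carries three separate `---`/`+++` header pairs for the same build.xml; one diff with three hunks would be cleaner. The enclosing `<target>` elements start and end outside the hunk.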
@@ -15,12 +15,12 @@
 Summary: Web server and Servlet/JSP Engine, RI for Servlet %{servletapiver}/JSP %{jspapiver} API
 Summary(pl.UTF-8): Serwer www i silnik Servlet/JSP będący wzorcową implementacją API Servlet %{servletapiver}/JSP %{jspapiver}
 Name: tomcat
-Version: 7.0.69
+Version: 7.0.70
 Release: 1
 License: Apache v2.0
 Group: Networking/Daemons/Java
 Source0: http://www.apache.org/dist/tomcat/tomcat-7/v%{version}/src/apache-%{name}-%{version}-src.tar.gz
-# Source0-md5: c055311b06f3f314b7cf7932ab31bd4a
+# Source0-md5: 0f56c888df5002cce25fce91634a65c9
 Source1: apache-%{name}.init
 Source2: apache-%{name}.sysconfig
 Source3: %{name}-build.properties
@@ -40,6 +40,8 @@ Patch3: %{name}-catalina.policy-javadir.patch
 Patch4: %{name}-userdir.patch
 Patch5: logging.patch
 Patch6: jcl.patch
+Patch7: %{name}-build.patch
+Patch8: tomcat-CVE-2016-5388.patch
 Patch100: jcl-build.xml.patch
 URL: http://tomcat.apache.org/
 BuildRequires: ant >= 1.5.3
@@ -269,6 +271,8 @@ javax.servlet.http, javax.servlet.jsp i java.servlet.jsp.tagext).
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
+%patch8 -p1
 # Prepare java-commmons-logging sources
 install -d output/extras/logging
-- 
2.43.0
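Review bot: `Patch8: tomcat-CVE-2016-5388.patch` spells the package name out while the line added just above it uses `%{name}-build.patch`; the two new declarations should follow one convention, so `Patch8: %{name}-CVE-2016-5388.patch` (the file is named tomcat-..., which `%{name}` expands to). The matching `%patch7 -p1` / `%patch8 -p1` lines in %prep follow `%patch6 -p1` in the same order as the declarations, so the apply order itself looks right.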