diff -Nru tomcat6-6.0.35/debian/changelog tomcat6-6.0.35/debian/changelog --- tomcat6-6.0.35/debian/changelog 2011-12-13 06:47:05.000000000 +0000 +++ tomcat6-6.0.35/debian/changelog 2012-02-13 14:04:07.000000000 +0000 @@ -1,3 +1,10 @@ +tomcat6 (6.0.35-1ubuntu1) precise; urgency=low + + * debian/patches/0011-CVE-2012-0022-regression-fix.patch: fix regression + from the CVE-2012-0022 security fix that went into 6.0.35. + + -- Marc Deslauriers Mon, 13 Feb 2012 09:03:18 -0500 + tomcat6 (6.0.35-1) unstable; urgency=low [ Miguel Landaeta ] diff -Nru tomcat6-6.0.35/debian/control tomcat6-6.0.35/debian/control --- tomcat6-6.0.35/debian/control 2011-12-13 06:47:05.000000000 +0000 +++ tomcat6-6.0.35/debian/control 2012-02-13 14:05:51.000000000 +0000 @@ -1,7 +1,8 @@ Source: tomcat6 Section: java Priority: optional -Maintainer: Debian Java Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian Java Maintainers Uploaders: Torsten Werner , Ludovic Claude , Michael Koch , Damien Raude-Morvan , Miguel Landaeta , diff -Nru tomcat6-6.0.35/debian/patches/0011-CVE-2012-0022-regression-fix.patch tomcat6-6.0.35/debian/patches/0011-CVE-2012-0022-regression-fix.patch --- tomcat6-6.0.35/debian/patches/0011-CVE-2012-0022-regression-fix.patch 1970-01-01 00:00:00.000000000 +0000 +++ tomcat6-6.0.35/debian/patches/0011-CVE-2012-0022-regression-fix.patch 2012-02-13 14:04:42.000000000 +0000 @@ -0,0 +1,83 @@ +Description: fix regression from the CVE-2012-0022 security fix that + went into 6.0.35. +Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1229027 +Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=52384 + +Index: tomcat6-6.0.35/java/org/apache/tomcat/util/http/LocalStrings.properties +=================================================================== +--- tomcat6-6.0.35.orig/java/org/apache/tomcat/util/http/LocalStrings.properties 2011-11-12 03:36:55.000000000 -0500 ++++ tomcat6-6.0.35/java/org/apache/tomcat/util/http/LocalStrings.properties 2012-02-13 09:03:10.865891860 -0500 +@@ -17,6 +17,7 @@ + parameters.copyFail=Failed to create copy of original parameter values for debug logging purposes + parameters.decodeFail.debug=Character decoding failed. Parameter [{0}] with value [{1}] has been ignored. + parameters.decodeFail.info=Character decoding failed. Parameter [{0}] with value [{1}] has been ignored. Note that the name and value quoted here may be corrupted due to the failed decoding. Use debug level logging to see the original, non-corrupted values. ++parameters.emptyChunk=Empty parameter chunk ignored + parameters.invalidChunk=Invalid chunk starting at byte [{0}] and ending at byte [{1}] with a value of [{2}] ignored + parameters.maxCountFail=More than the maximum number of request parameters (GET plus POST) for a single request ([{0}]) were detected. Any parameters beyond this limit have been ignored. To change this limit, set the maxParameterCount attribute on the Connector. + parameters.multipleDecodingFail=Character decoding failed. A total of [{0}] failures were detected but only the first was logged. Enable debug level logging for this logger to log all failures. +Index: tomcat6-6.0.35/java/org/apache/tomcat/util/http/Parameters.java +=================================================================== +--- tomcat6-6.0.35.orig/java/org/apache/tomcat/util/http/Parameters.java 2011-11-25 16:11:35.000000000 -0500 ++++ tomcat6-6.0.35/java/org/apache/tomcat/util/http/Parameters.java 2012-02-13 09:03:10.889891861 -0500 +@@ -314,6 +314,15 @@ + } + + if (nameEnd <= nameStart ) { ++ if (valueStart == -1) { ++ // && ++ if (log.isDebugEnabled()) { ++ log.debug(sm.getString("parameters.emptyChunk")); ++ } ++ // Do not flag as error ++ continue; ++ } ++ // &=foo& + if (log.isInfoEnabled()) { + if (valueEnd >= nameStart && log.isDebugEnabled()) { + String extract = null; +@@ -341,7 +350,11 @@ + } + + tmpName.setBytes(bytes, nameStart, nameEnd - nameStart); +- tmpValue.setBytes(bytes, valueStart, valueEnd - valueStart); ++ if (valueStart >= 0) { ++ tmpValue.setBytes(bytes, valueStart, valueEnd - valueStart); ++ } else { ++ tmpValue.setBytes(bytes, 0, 0); ++ } + + // Take copies as if anything goes wrong originals will be + // corrupted. This means original values can be logged. +@@ -349,7 +362,11 @@ + if (log.isDebugEnabled()) { + try { + origName.append(bytes, nameStart, nameEnd - nameStart); +- origValue.append(bytes, valueStart, valueEnd - valueStart); ++ if (valueStart >= 0) { ++ origValue.append(bytes, valueStart, valueEnd - valueStart); ++ } else { ++ origValue.append(bytes, 0, 0); ++ } + } catch (IOException ioe) { + // Should never happen... + log.error(sm.getString("parameters.copyFail"), ioe); +@@ -366,11 +383,15 @@ + tmpName.setCharset(charset); + name = tmpName.toString(); + +- if (decodeValue) { +- urlDecode(tmpValue); ++ if (valueStart >= 0) { ++ if (decodeValue) { ++ urlDecode(tmpValue); ++ } ++ tmpValue.setCharset(charset); ++ value = tmpValue.toString(); ++ } else { ++ value = ""; + } +- tmpValue.setCharset(charset); +- value = tmpValue.toString(); + + addParam(name, value); + } catch (IOException e) { diff -Nru tomcat6-6.0.35/debian/patches/series tomcat6-6.0.35/debian/patches/series --- tomcat6-6.0.35/debian/patches/series 2011-12-13 06:47:05.000000000 +0000 +++ tomcat6-6.0.35/debian/patches/series 2012-02-13 14:01:30.000000000 +0000 @@ -7,3 +7,4 @@ 0007-add-OSGi-headers-to-servlet-api.patch 0008-add-OSGI-headers-to-jsp-api.patch 0010-Use-java.security.policy-file-in-catalina.sh.patch +0011-CVE-2012-0022-regression-fix.patch