diff -Nru tomcat6-6.0.35/debian/changelog tomcat6-6.0.35/debian/changelog
--- tomcat6-6.0.35/debian/changelog 2014-07-24 19:39:55.000000000 +0000
+++ tomcat6-6.0.35/debian/changelog 2015-06-22 12:19:25.000000000 +0000
@@ -1,3 +1,30 @@
+tomcat6 (6.0.35-1ubuntu3.6) precise-security; urgency=medium
+
+ * SECURITY UPDATE: HTTP request smuggling or denial of service via
+ streaming with malformed chunked transfer encoding (LP: #1449975)
+ - debian/patches/CVE-2014-0227.patch: add error flag and improve i18n
+ in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
+ java/org/apache/coyote/http11/filters/LocalStrings.properties.
+ - CVE-2014-0227
+ * SECURITY UPDATE: denial of service via aborted upload attempts
+ (LP: #1449975)
+ - debian/patches/CVE-2014-0230.patch: limit amount of data in
+ java/org/apache/coyote/Constants.java,
+ java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
+ java/org/apache/coyote/http11/filters/IdentityInputFilter.java,
+ java/org/apache/coyote/http11/filters/LocalStrings.properties,
+ webapps/docs/config/systemprops.xml.
+ - CVE-2014-0230
+ * SECURITY UPDATE: SecurityManager bypass via Expression Language
+ - debian/patches/CVE-2014-7810.patch: handle classes that may not be
+ accessible but have accessible interfaces in
+ java/javax/el/BeanELResolver.java, remove unnecessary code in
+ java/org/apache/jasper/runtime/PageContextImpl.java,
+ java/org/apache/jasper/security/SecurityClassLoad.java.
+ - CVE-2014-7810
+
+ -- Marc Deslauriers Mon, 22 Jun 2015 08:16:23 -0400
+
 tomcat6 (6.0.35-1ubuntu3.5) precise-security; urgency=medium
 
 * SECURITY UPDATE: denial of service via malformed chunk size
diff -Nru tomcat6-6.0.35/debian/patches/CVE-2014-0227.patch tomcat6-6.0.35/debian/patches/CVE-2014-0227.patch
--- tomcat6-6.0.35/debian/patches/CVE-2014-0227.patch 1970-01-01 00:00:00.000000000 +0000
+++ tomcat6-6.0.35/debian/patches/CVE-2014-0227.patch 2015-06-22 12:17:49.000000000 +0000
@@ -0,0 +1,407 @@ +Description: fix HTTP request smuggling or denial of service via + streaming with malformed chunked transfer encoding +Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1476544 +Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1603628 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1449975 +Bug-Debian:https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785312 + +Index: tomcat6-6.0.35/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java +=================================================================== +--- tomcat6-6.0.35.orig/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java 2015-06-22 07:44:51.000000000 -0400 ++++ tomcat6-6.0.35/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java 2015-06-22 07:45:06.673870039 -0400 +@@ -14,7 +14,6 @@ + * See the License for the specific language governing permissions and + * limitations under the License. + */ +- + package org.apache.coyote.http11.filters; + + import java.io.EOFException; +@@ -29,6 +28,7 @@ + import org.apache.coyote.http11.InputFilter; + import org.apache.tomcat.util.buf.MessageBytes; + import org.apache.tomcat.util.http.MimeHeaders; ++import org.apache.tomcat.util.res.StringManager; + + /** + * Chunked input filter. 
Parses chunked data according to +@@ -39,9 +39,11 @@ + */ + public class ChunkedInputFilter implements InputFilter { + ++ private static final StringManager sm = StringManager.getManager( ++ ChunkedInputFilter.class.getPackage().getName()); + +- // -------------------------------------------------------------- Constants + ++ // -------------------------------------------------------------- Constants + + protected static final String ENCODING_NAME = "chunked"; + protected static final ByteChunk ENCODING = new ByteChunk(); +@@ -49,7 +51,6 @@ + + // ----------------------------------------------------- Static Initializer + +- + static { + ENCODING.setBytes(ENCODING_NAME.getBytes(), 0, ENCODING_NAME.length()); + } +@@ -57,7 +58,6 @@ + + // ----------------------------------------------------- Instance Variables + +- + /** + * Next buffer in the pipeline. + */ +@@ -120,6 +120,11 @@ + + + /** ++ * Flag that indicates if an error has occurred. ++ */ ++ private boolean error; ++ ++ /** + * Flag set to true if the next call to doRead() must parse a CRLF pair + * before doing anything else. + */ +@@ -130,13 +135,10 @@ + * Request being parsed. + */ + private Request request; +- +- // ------------------------------------------------------------- Properties + + + // ---------------------------------------------------- InputBuffer Methods + +- + /** + * Read bytes. + * +@@ -146,11 +148,12 @@ + * whichever is greater. If the filter does not do request body length + * control, the returned value should be -1. 
+ */ +- public int doRead(ByteChunk chunk, Request req) +- throws IOException { +- +- if (endChunk) ++ public int doRead(ByteChunk chunk, Request req) throws IOException { ++ if (endChunk) { + return -1; ++ } ++ ++ checkError(); + + if(needCRLFParse) { + needCRLFParse = false; +@@ -159,7 +162,7 @@ + + if (remaining <= 0) { + if (!parseChunkHeader()) { +- throw new IOException("Invalid chunk header"); ++ throwIOException(sm.getString("chunkedInputFilter.invalidHeader")); + } + if (endChunk) { + parseEndChunk(); +@@ -170,7 +173,9 @@ + int result = 0; + + if (pos >= lastValid) { +- readBytes(); ++ if (readBytes() < 0) { ++ throwIOException(sm.getString("chunkedInputFilter.eos")); ++ } + } + + if (remaining > (lastValid - pos)) { +@@ -194,13 +199,11 @@ + } + + return result; +- + } + + + // ---------------------------------------------------- InputFilter Methods + +- + /** + * Read the content length from the request. + */ +@@ -212,16 +215,13 @@ + /** + * End the current request. + */ +- public long end() +- throws IOException { +- ++ public long end() throws IOException { + // Consume extra bytes : parse the stream until the end chunk is found + while (doRead(readChunk, null) >= 0) { + } + + // Return the number of extra bytes which were consumed +- return (lastValid - pos); +- ++ return lastValid - pos; + } + + +@@ -229,7 +229,7 @@ + * Amount of bytes still available in a buffer. + */ + public int available() { +- return (lastValid - pos); ++ return lastValid - pos; + } + + +@@ -254,6 +254,7 @@ + trailingHeaders.setLimit(org.apache.coyote.Constants.MAX_TRAILER_SIZE); + } + extensionSize = 0; ++ error = false; + } + + +@@ -268,12 +269,10 @@ + + // ------------------------------------------------------ Protected Methods + +- + /** + * Read bytes from the previous buffer. 
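Review bot: In `doRead`, `checkError()` runs only after the `if (endChunk) { return -1; }` test, so a failure raised once `endChunk` is already set is reported on the next call as a clean end of stream rather than as an error. The later hunks show that such a path exists: `parseChunkHeader` sets `endChunk = true` for a zero-size chunk before `parseEndChunk()` runs, and the trailer reading that follows can fail through `throwEOFException` or `throwIOException`. Whether anything reads again after that first exception depends on callers outside this diff, but moving `checkError();` above the `endChunk` test would make the flag authoritative in every state. The body of `doRead` continues outside this hunk.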
+ */ +- protected int readBytes() +- throws IOException { ++ protected int readBytes() throws IOException { + + int nRead = buffer.doRead(readChunk, null); + pos = readChunk.getStart(); +@@ -281,7 +280,6 @@ + buf = readChunk.getBytes(); + + return nRead; +- + } + + +@@ -294,8 +292,7 @@ + * we should not parse F23IAMGONNAMESSTHISUP34CRLF as a valid header + * according to spec + */ +- protected boolean parseChunkHeader() +- throws IOException { ++ protected boolean parseChunkHeader() throws IOException { + + int result = 0; + boolean eol = false; +@@ -336,7 +333,7 @@ + extensionSize++; + if (org.apache.coyote.Constants.MAX_EXTENSION_SIZE > -1 && + extensionSize > org.apache.coyote.Constants.MAX_EXTENSION_SIZE) { +- throw new IOException("maxExtensionSize exceeded"); ++ throwIOException(sm.getString("chunkedInputFilter.maxExtension")); + } + } + +@@ -344,21 +341,22 @@ + if (!eol) { + pos++; + } +- + } + +- if (readDigit == 0 || result < 0) ++ if (readDigit == 0 || result < 0) { + return false; ++ } + +- if (result == 0) ++ if (result == 0) { + endChunk = true; ++ } + + remaining = result; +- if (remaining < 0) ++ if (remaining < 0) { + return false; ++ } + + return true; +- + } + + +@@ -385,26 +383,27 @@ + boolean crfound = false; + + while (!eol) { +- + if (pos >= lastValid) { +- if (readBytes() <= 0) +- throw new IOException("Invalid CRLF"); ++ if (readBytes() <= 0) { ++ throwIOException(sm.getString("chunkedInputFilter.invalidCrlfNoData")); ++ } + } + + if (buf[pos] == Constants.CR) { +- if (crfound) throw new IOException("Invalid CRLF, two CR characters encountered."); ++ if (crfound) { ++ throwIOException(sm.getString("chunkedInputFilter.invalidCrlfCRCR")); ++ } + crfound = true; + } else if (buf[pos] == Constants.LF) { + if (!tolerant && !crfound) { +- throw new IOException("Invalid CRLF, no CR character encountered."); ++ throwIOException(sm.getString("chunkedInputFilter.invalidCrlfNoCR")); + } + eol = true; + } else { +- throw new IOException("Invalid CRLF"); 
++ throwIOException(sm.getString("chunkedInputFilter.invalidCrlf")); + } + + pos++; +- + } + } + +@@ -413,8 +412,7 @@ + * Parse end chunk data. + */ + protected boolean parseEndChunk() throws IOException { +- +- // Handle option trailer headers ++ // Handle optional trailer headers + while (parseHeader()) { + // Loop until we run out of headers + } +@@ -430,8 +428,9 @@ + + // Read new bytes if needed + if (pos >= lastValid) { +- if (readBytes() <0) +- throw new EOFException("Unexpected end of stream whilst reading trailer headers for chunked request"); ++ if (readBytes() <0) { ++ throwEOFException(sm.getString("chunkedInputFilter.eosTrailer")); ++ } + } + + chr = buf[pos]; +@@ -455,8 +454,9 @@ + + // Read new bytes if needed + if (pos >= lastValid) { +- if (readBytes() <0) +- throw new EOFException("Unexpected end of stream whilst reading trailer headers for chunked request"); ++ if (readBytes() <0) { ++ throwEOFException(sm.getString("chunkedInputFilter.eosTrailer")); ++ } + } + + chr = buf[pos]; +@@ -496,8 +496,9 @@ + + // Read new bytes if needed + if (pos >= lastValid) { +- if (readBytes() <0) +- throw new EOFException("Unexpected end of stream whilst reading trailer headers for chunked request"); ++ if (readBytes() <0) { ++ throwEOFException(sm.getString("chunkedInputFilter.eosTrailer")); ++ } + } + + chr = buf[pos]; +@@ -508,7 +509,7 @@ + if (trailingHeaders.getLimit() != -1) { + int newlimit = trailingHeaders.getLimit() -1; + if (trailingHeaders.getEnd() > newlimit) { +- throw new IOException("Exceeded maxTrailerSize"); ++ throwIOException(sm.getString("chunkedInputFilter.maxTrailer")); + } + trailingHeaders.setLimit(newlimit); + } +@@ -523,8 +524,9 @@ + + // Read new bytes if needed + if (pos >= lastValid) { +- if (readBytes() <0) +- throw new EOFException("Unexpected end of stream whilst reading trailer headers for chunked request"); ++ if (readBytes() <0) { ++ throwEOFException(sm.getString("chunkedInputFilter.eosTrailer")); ++ } + } + + chr = buf[pos]; 
+@@ -548,8 +550,9 @@ + + // Read new bytes if needed + if (pos >= lastValid) { +- if (readBytes() <0) +- throw new EOFException("Unexpected end of stream whilst reading trailer headers for chunked request"); ++ if (readBytes() <0) { ++ throwEOFException(sm.getString("chunkedInputFilter.eosTrailer")); ++ } + } + + chr = buf[pos]; +@@ -570,4 +573,23 @@ + + return true; + } ++ ++ ++ private void throwIOException(String msg) throws IOException { ++ error = true; ++ throw new IOException(msg); ++ } ++ ++ ++ private void throwEOFException(String msg) throws IOException { ++ error = true; ++ throw new EOFException(msg); ++ } ++ ++ ++ private void checkError() throws IOException { ++ if (error) { ++ throw new IOException(sm.getString("chunkedInputFilter.error")); ++ } ++ } + } +Index: tomcat6-6.0.35/java/org/apache/coyote/http11/filters/LocalStrings.properties +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ tomcat6-6.0.35/java/org/apache/coyote/http11/filters/LocalStrings.properties 2015-06-22 07:45:32.842136462 -0400 +@@ -0,0 +1,25 @@ ++# Licensed to the Apache Software Foundation (ASF) under one or more ++# contributor license agreements. See the NOTICE file distributed with ++# this work for additional information regarding copyright ownership. ++# The ASF licenses this file to You under the Apache License, Version 2.0 ++# (the "License"); you may not use this file except in compliance with ++# the License. You may obtain a copy of the License at ++# ++# http://www.apache.org/licenses/LICENSE-2.0 ++# ++# Unless required by applicable law or agreed to in writing, software ++# distributed under the License is distributed on an "AS IS" BASIS, ++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++# See the License for the specific language governing permissions and ++# limitations under the License. 
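Review bot: `throwIOException` and `throwEOFException` are declared `void` and carry no Javadoc, yet every call site in this patch relies on them never returning; for example `if (readBytes() < 0) { throwIOException(...); }` in `doRead` is followed directly by code that uses the buffer. A one-line comment on each, such as `/** Sets the error flag and always throws; never returns normally. */`, would make that contract explicit for anyone adding a call site. `checkError()` would also benefit from a note that the flag is cleared only where the patch adds `error = false;` (the method enclosing that line is outside its hunk).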
++ ++chunkedInputFilter.error=No data available due to previous error ++chunkedInputFilter.eos=Unexpected end of stream while reading request body ++chunkedInputFilter.eosTrailer=Unexpected end of stream while reading trailer headers ++chunkedInputFilter.invalidCrlf=Invalid end of line sequence (character other than CR or LF found) ++chunkedInputFilter.invalidCrlfCRCR=Invalid end of line sequence (CRCR) ++chunkedInputFilter.invalidCrlfNoCR=Invalid end of line sequence (No CR before LF) ++chunkedInputFilter.invalidCrlfNoData=Invalid end of line sequence (no data available to read) ++chunkedInputFilter.invalidHeader=Invalid chunk header ++chunkedInputFilter.maxExtension=maxExtensionSize exceeded ++chunkedInputFilter.maxTrailer=maxTrailerSize exceeded +\ No newline at end of file diff -Nru tomcat6-6.0.35/debian/patches/CVE-2014-0230.patch tomcat6-6.0.35/debian/patches/CVE-2014-0230.patch --- tomcat6-6.0.35/debian/patches/CVE-2014-0230.patch 1970-01-01 00:00:00.000000000 +0000 +++ tomcat6-6.0.35/debian/patches/CVE-2014-0230.patch 2015-06-22 12:18:36.000000000 +0000 
@@ -0,0 +1,133 @@ +Description: fix denial of service via aborted upload attempts +Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1659537 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1449975 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785316 + +Index: tomcat6-6.0.35/java/org/apache/coyote/Constants.java +=================================================================== +--- tomcat6-6.0.35.orig/java/org/apache/coyote/Constants.java 2015-06-22 07:45:45.670267063 -0400 ++++ tomcat6-6.0.35/java/org/apache/coyote/Constants.java 2015-06-22 07:48:43.644078698 -0400 +@@ -85,4 +85,13 @@ + Integer.parseInt(System.getProperty( + "org.apache.coyote.MAX_EXTENSION_SIZE", + "8192")); ++ ++ /** ++ * Limit on the length of request body Tomcat will swallow if it is not ++ * read during normal request processing. Defaults to 2MB. ++ */ ++ public static final int MAX_SWALLOW_SIZE = ++ Integer.parseInt(System.getProperty( ++ "org.apache.coyote.MAX_SWALLOW_SIZE", ++ "2097152")); + } +Index: tomcat6-6.0.35/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java +=================================================================== +--- tomcat6-6.0.35.orig/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java 2015-06-22 07:45:45.734267715 -0400 ++++ tomcat6-6.0.35/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java 2015-06-22 07:48:46.036103043 -0400 +@@ -216,8 +216,15 @@ + * End the current request. 
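Review bot: The Javadoc on `MAX_SWALLOW_SIZE` gives the default but not how the limit is switched off, while both `end()` implementations in this patch guard with `maxSwallowSize > -1`, so any negative value disables the limit and `0` means no unread body may be swallowed. I would add a sentence such as `A negative value disables the limit.` to the comment. The value is parsed with `Integer.parseInt` in a static initializer, the same way as `MAX_EXTENSION_SIZE` above it, so a non-numeric system property fails when the class is initialised; that is worth stating in the documentation rather than changing here.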
+ */ + public long end() throws IOException { ++ int maxSwallowSize = org.apache.coyote.Constants.MAX_SWALLOW_SIZE; ++ long swallowed = 0; ++ int read = 0; + // Consume extra bytes : parse the stream until the end chunk is found +- while (doRead(readChunk, null) >= 0) { ++ while ((read = doRead(readChunk, null)) >= 0) { ++ swallowed += read; ++ if (maxSwallowSize > -1 && swallowed > maxSwallowSize) { ++ throwIOException(sm.getString("inputFilter.maxSwallow")); ++ } + } + + // Return the number of extra bytes which were consumed +Index: tomcat6-6.0.35/java/org/apache/coyote/http11/filters/IdentityInputFilter.java +=================================================================== +--- tomcat6-6.0.35.orig/java/org/apache/coyote/http11/filters/IdentityInputFilter.java 2007-04-27 13:04:36.000000000 -0400 ++++ tomcat6-6.0.35/java/org/apache/coyote/http11/filters/IdentityInputFilter.java 2015-06-22 07:48:48.308126167 -0400 +@@ -20,7 +20,7 @@ + import java.io.IOException; + + import org.apache.tomcat.util.buf.ByteChunk; +- ++import org.apache.tomcat.util.res.StringManager; + import org.apache.coyote.InputBuffer; + import org.apache.coyote.Request; + import org.apache.coyote.http11.InputFilter; +@@ -32,9 +32,11 @@ + */ + public class IdentityInputFilter implements InputFilter { + ++ private static final StringManager sm = StringManager.getManager( ++ IdentityInputFilter.class.getPackage().getName()); + +- // -------------------------------------------------------------- Constants + ++ // -------------------------------------------------------------- Constants + + protected static final String ENCODING_NAME = "identity"; + protected static final ByteChunk ENCODING = new ByteChunk(); +@@ -150,17 +152,25 @@ + } + + +- /** +- * End the current request. 
+- */ +- public long end() +- throws IOException { ++ public long end() throws IOException { ++ ++ final int maxSwallowSize = org.apache.coyote.Constants.MAX_SWALLOW_SIZE; ++ final boolean maxSwallowSizeExceeded = (maxSwallowSize > -1 && remaining > maxSwallowSize); ++ long swallowed = 0; + + // Consume extra bytes. + while (remaining > 0) { ++ + int nread = buffer.doRead(endChunk, null); + if (nread > 0 ) { ++ swallowed += nread; + remaining = remaining - nread; ++ if (maxSwallowSizeExceeded && swallowed > maxSwallowSize) { ++ // Note: We do not fail early so the client has a chance to ++ // read the response before the connection is closed. See: ++ // http://httpd.apache.org/docs/2.0/misc/fin_wait_2.html#appendix ++ throw new IOException(sm.getString("inputFilter.maxSwallow")); ++ } + } else { // errors are handled higher up. + remaining = 0; + } +Index: tomcat6-6.0.35/java/org/apache/coyote/http11/filters/LocalStrings.properties +=================================================================== +--- tomcat6-6.0.35.orig/java/org/apache/coyote/http11/filters/LocalStrings.properties 2015-06-22 07:45:45.734267715 -0400 ++++ tomcat6-6.0.35/java/org/apache/coyote/http11/filters/LocalStrings.properties 2015-06-22 07:48:50.584149332 -0400 +@@ -22,4 +22,6 @@ + chunkedInputFilter.invalidCrlfNoData=Invalid end of line sequence (no data available to read) + chunkedInputFilter.invalidHeader=Invalid chunk header + chunkedInputFilter.maxExtension=maxExtensionSize exceeded +-chunkedInputFilter.maxTrailer=maxTrailerSize exceeded +\ No newline at end of file ++chunkedInputFilter.maxTrailer=maxTrailerSize exceeded ++ ++inputFilter.maxSwallow=maxSwallowSize exceeded +Index: tomcat6-6.0.35/webapps/docs/config/systemprops.xml +=================================================================== +--- tomcat6-6.0.35.orig/webapps/docs/config/systemprops.xml 2015-06-22 07:45:45.674267104 -0400 ++++ tomcat6-6.0.35/webapps/docs/config/systemprops.xml 2015-06-22 07:48:53.004173962 -0400 
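Review bot: The hunk deletes the `/** End the current request. */` Javadoc from `IdentityInputFilter.end()` and adds nothing in its place, so the method that now enforces the swallow limit is undocumented. I would restore it and describe the new behaviour, for example `/** Ends the current request, swallowing any unread body up to MAX_SWALLOW_SIZE; throws IOException once that limit is passed. */`. `maxSwallowSizeExceeded` is computed from `remaining` before a single byte is read, so it really means "the declared body is larger than the limit"; a name like `bodyExceedsMaxSwallowSize` would read more accurately. Unlike `ChunkedInputFilter.end()`, which goes through `throwIOException`, this method throws directly; that looks intentional since no error flag is visible in this class, but the rest of `end()` is outside the hunk.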
+@@ -395,6 +395,14 @@ +

If not specified, the default value of 8192 will be used.

+ + ++ ++

Limits the length of a request body Tomcat will swallow if it is not ++ read during normal request processing. If the value is -1, no ++ limit will be imposed.

++

If not specified, the default value of 2097152 (2MB) will ++ be used.

++
++ + +

If this is false it will override the + useNaming attribute for all diff -Nru tomcat6-6.0.35/debian/patches/CVE-2014-7810.patch tomcat6-6.0.35/debian/patches/CVE-2014-7810.patch --- tomcat6-6.0.35/debian/patches/CVE-2014-7810.patch 1970-01-01 00:00:00.000000000 +0000 +++ tomcat6-6.0.35/debian/patches/CVE-2014-7810.patch 2015-06-22 12:34:52.000000000 +0000 
@@ -0,0 +1,209 @@ +Description: fix SecurityManager bypass via Expression Language +Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=1645366 +Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=1659538 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787010 + +Index: tomcat6-6.0.35/java/javax/el/BeanELResolver.java +=================================================================== +--- tomcat6-6.0.35.orig/java/javax/el/BeanELResolver.java 2015-06-22 08:33:36.428447924 -0400 ++++ tomcat6-6.0.35/java/javax/el/BeanELResolver.java 2015-06-22 08:33:36.428447924 -0400 +@@ -188,25 +188,49 @@ + return null; + } + +- protected final static class BeanProperties { +- private final Map properties; ++ protected final static class BeanProperties { ++ private final Map properties; + +- private final Class type; ++ private final Class type; + +- public BeanProperties(Class type) throws ELException { +- this.type = type; +- this.properties = new HashMap(); +- try { +- BeanInfo info = Introspector.getBeanInfo(this.type); +- PropertyDescriptor[] pds = info.getPropertyDescriptors(); +- for (int i = 0; i < pds.length; i++) { +- this.properties.put(pds[i].getName(), new BeanProperty( +- type, pds[i])); +- } +- } catch (IntrospectionException ie) { +- throw new ELException(ie); +- } +- } ++ public BeanProperties(Class type) throws ELException { ++ this.type = type; ++ this.properties = new HashMap(); ++ try { ++ BeanInfo info = Introspector.getBeanInfo(this.type); ++ PropertyDescriptor[] pds = info.getPropertyDescriptors(); ++ for (PropertyDescriptor pd: pds) { ++ this.properties.put(pd.getName(), new BeanProperty(type, pd)); ++ } ++ if (System.getSecurityManager() != null) { ++ // When running with SecurityManager, some classes may be ++ // not accessible, but have accessible interfaces. 
++ populateFromInterfaces(type); ++ } ++ } catch (IntrospectionException ie) { ++ throw new ELException(ie); ++ } ++ } ++ ++ private void populateFromInterfaces(Class aClass) throws IntrospectionException { ++ Class interfaces[] = aClass.getInterfaces(); ++ if (interfaces.length > 0) { ++ for (Class ifs : interfaces) { ++ BeanInfo info = Introspector.getBeanInfo(ifs); ++ PropertyDescriptor[] pds = info.getPropertyDescriptors(); ++ for (PropertyDescriptor pd : pds) { ++ if (!this.properties.containsKey(pd.getName())) { ++ this.properties.put(pd.getName(), new BeanProperty( ++ this.type, pd)); ++ } ++ } ++ } ++ } ++ Class superclass = aClass.getSuperclass(); ++ if (superclass != null) { ++ populateFromInterfaces(superclass); ++ } ++ } + + private BeanProperty get(ELContext ctx, String name) { + BeanProperty property = this.properties.get(name); +Index: tomcat6-6.0.35/java/org/apache/jasper/runtime/PageContextImpl.java +=================================================================== +--- tomcat6-6.0.35.orig/java/org/apache/jasper/runtime/PageContextImpl.java 2015-06-22 08:33:36.428447924 -0400 ++++ tomcat6-6.0.35/java/org/apache/jasper/runtime/PageContextImpl.java 2015-06-22 08:34:43.945169479 -0400 +@@ -5,9 +5,9 @@ + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at +- * ++ * + * http://www.apache.org/licenses/LICENSE-2.0 +- * ++ * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@@ -59,7 +59,7 @@ + /** + * Implementation of the PageContext class from the JSP spec. Also doubles as a + * VariableResolver for the EL. +- * ++ * + * @author Anil K. 
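Review bot: `populateFromInterfaces` has no comment, and two of its choices are not obvious from the code: a property already registered from the class itself is kept (the `containsKey` check), and each interface property is wrapped as `new BeanProperty(this.type, pd)` with the concrete type rather than the interface. A short Javadoc stating that it walks the direct interfaces of `aClass`, then recurses into its superclass, and adds only names not yet present would cover it. The `if (interfaces.length > 0)` guard around the for-each is redundant and can be dropped. The rest of `BeanProperties` lies outside the hunk.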
Vijendran + * @author Larry Cable + * @author Hans Bergsten +@@ -70,7 +70,7 @@ + */ + public class PageContextImpl extends PageContext { + +- private static final JspFactory jspf = JspFactory.getDefaultFactory(); ++ private static final JspFactory jspf = JspFactory.getDefaultFactory(); + + private BodyContentImpl[] outs; + +@@ -96,12 +96,12 @@ + private transient ServletResponse response; + + private transient HttpSession session; +- ++ + private transient ELContextImpl elContext; + + private boolean isIncluded; +- +- ++ ++ + // initial output stream + private transient JspWriter out; + +@@ -137,7 +137,7 @@ + this.errorPageURL = errorPageURL; + this.request = request; + this.response = response; +- ++ + // initialize application context + this.applicationContext = JspApplicationContextImpl.getInstance(context); + +@@ -586,7 +586,7 @@ + * Returns the exception associated with this page context, if any.

+ * Added wrapping for Throwables to avoid ClassCastException: see Bugzilla + * 31171 for details. +- * ++ * + * @return The Exception associated with this page context, if any. + */ + public Exception getException() { +@@ -894,7 +894,7 @@ + * go away once the EL interpreter moves out of JSTL and into its own + * project. For now, this is necessary because the standard machinery is too + * slow. +- * ++ * + * @param expression + * The expression to be evaluated + * @param expectedType +@@ -906,37 +906,15 @@ + * @return The result of the evaluation + */ + public static Object proprietaryEvaluate(final String expression, +- final Class expectedType, final PageContext pageContext, ++ final Class expectedType, final PageContext pageContext, + final ProtectedFunctionMapper functionMap, final boolean escape) + throws ELException { + Object retValue; + final ExpressionFactory exprFactory = jspf.getJspApplicationContext(pageContext.getServletContext()).getExpressionFactory(); +- if (SecurityUtil.isPackageProtectionEnabled()) { +- try { +- retValue = AccessController +- .doPrivileged(new PrivilegedExceptionAction() { +- +- public Object run() throws Exception { +- ELContextImpl ctx = (ELContextImpl) pageContext.getELContext(); +- ctx.setFunctionMapper(new FunctionMapperImpl(functionMap)); +- ValueExpression ve = exprFactory.createValueExpression(ctx, expression, expectedType); +- return ve.getValue(ctx); +- } +- }); +- } catch (PrivilegedActionException ex) { +- Exception realEx = ex.getException(); +- if (realEx instanceof ELException) { +- throw (ELException) realEx; +- } else { +- throw new ELException(realEx); +- } +- } +- } else { +- ELContextImpl ctx = (ELContextImpl) pageContext.getELContext(); +- ctx.setFunctionMapper(new FunctionMapperImpl(functionMap)); +- ValueExpression ve = exprFactory.createValueExpression(ctx, expression, expectedType); +- retValue = ve.getValue(ctx); +- } ++ ELContextImpl ctx = (ELContextImpl) pageContext.getELContext(); ++ 
ctx.setFunctionMapper(new FunctionMapperImpl(functionMap)); ++ ValueExpression ve = exprFactory.createValueExpression(ctx, expression, expectedType); ++ retValue = ve.getValue(ctx); + if (escape && retValue != null) { + retValue = XmlEscape(retValue.toString()); + } +Index: tomcat6-6.0.35/java/org/apache/jasper/security/SecurityClassLoad.java +=================================================================== +--- tomcat6-6.0.35.orig/java/org/apache/jasper/security/SecurityClassLoad.java 2015-06-22 08:33:36.428447924 -0400 ++++ tomcat6-6.0.35/java/org/apache/jasper/security/SecurityClassLoad.java 2015-06-22 08:33:36.428447924 -0400 +@@ -93,8 +93,6 @@ + "runtime.PageContextImpl$11"); + loader.loadClass( basePackage + + "runtime.PageContextImpl$12"); +- loader.loadClass( basePackage + +- "runtime.PageContextImpl$13"); + + loader.loadClass( basePackage + + "runtime.JspContextWrapper"); diff -Nru tomcat6-6.0.35/debian/patches/series tomcat6-6.0.35/debian/patches/series --- tomcat6-6.0.35/debian/patches/series 2014-07-24 19:37:39.000000000 +0000 +++ tomcat6-6.0.35/debian/patches/series 2015-06-22 12:11:24.000000000 +0000 @@ -21,3 +21,6 @@ CVE-2014-0075.patch CVE-2014-0096.patch CVE-2014-0099.patch +CVE-2014-0227.patch +CVE-2014-0230.patch +CVE-2014-7810.patch
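Review bot: After this hunk `proprietaryEvaluate` evaluates the expression directly, with nothing in the code saying that the missing `doPrivileged` is deliberate, so a later cleanup could reintroduce it. I would add a comment above `ELContextImpl ctx = ...` such as `// Not wrapped in doPrivileged on purpose: EL must run with the caller's permissions (CVE-2014-7810).` The companion hunk in `SecurityClassLoad` drops the preload of `PageContextImpl$13`, which presumably corresponds to the anonymous `PrivilegedExceptionAction` removed here; that list depends on compiler-assigned numbering, so it is worth confirming against the compiled class names. Whether `AccessController`, `PrivilegedActionException` and `SecurityUtil` are still used elsewhere in the file cannot be seen from the hunk.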