Hi, a bug was reported against tomcat8 and tomcat7 in Jessie and it seems the issue is related to our latest security updates. We would like to address this regression as soon as possible because this one can be triggered remotely and cause a denial-of-service.
I have attached the debdiffs for tomcat8 and tomcat7 to this email. I will update the changelogs later. Regards, Markus
diff -Nru tomcat7-7.0.56/debian/changelog tomcat7-7.0.56/debian/changelog
--- tomcat7-7.0.56/debian/changelog 2017-01-05 18:16:41.000000000 +0100
+++ tomcat7-7.0.56/debian/changelog 2017-02-10 03:30:38.000000000 +0100
@@ -1,3 +1,10 @@
+tomcat7 (7.0.56-3+deb8u8) UNRELEASED; urgency=medium
+
+ * Team upload.
+ * Add BZ57544-infinite-loop.patch
+
+ -- Markus Koschany <a...@debian.org> Fri, 10 Feb 2017 03:30:38 +0100
+
 tomcat7 (7.0.56-3+deb8u7) jessie-security; urgency=high
 
 * Fixed CVE-2016-8745: A bug in the error handling of the send file code for
diff -Nru tomcat7-7.0.56/debian/patches/BZ57544-infinite-loop.patch tomcat7-7.0.56/debian/patches/BZ57544-infinite-loop.patch
--- tomcat7-7.0.56/debian/patches/BZ57544-infinite-loop.patch 1970-01-01 01:00:00.000000000 +0100
+++ tomcat7-7.0.56/debian/patches/BZ57544-infinite-loop.patch 2017-02-10 03:30:38.000000000 +0100
@@ -0,0 +1,48 @@
+From: Markus Koschany <a...@debian.org>
+Date: Fri, 10 Feb 2017 03:01:38 +0100
+Subject: BZ57544 infinite loop
+
+Bug-Upstream: https://bz.apache.org/bugzilla/show_bug.cgi?id=60578
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854551
+Origin: https://github.com/apache/tomcat80/commit/614e7f78aecc429d8740bb59900c2f9fbc86a788
+---
+ java/org/apache/coyote/http11/AbstractInputBuffer.java | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/java/org/apache/coyote/http11/AbstractInputBuffer.java b/java/org/apache/coyote/http11/AbstractInputBuffer.java
+index eda3609..a1251d6 100644
+--- a/java/org/apache/coyote/http11/AbstractInputBuffer.java
++++ b/java/org/apache/coyote/http11/AbstractInputBuffer.java
+@@ -225,15 +225,10 @@ public abstract class AbstractInputBuffer<S> implements InputBuffer{
+ request.recycle();
+
+ // Copy leftover bytes to the beginning of the buffer
+- if (lastValid - pos > 0) {
+- int npos = 0;
+- int opos = pos;
+- while (lastValid - opos > opos - npos) {
+- System.arraycopy(buf, opos, buf, npos, opos - npos);
+- npos += pos;
+- opos += pos;
+- }
+- System.arraycopy(buf, opos, buf, npos, lastValid - opos);
++ if (lastValid - pos > 0 && pos > 0) {
++ System.arraycopy(buf, pos, buf, 0, lastValid - pos);
++ lastValid = lastValid - pos;
++ pos = 0;
+ }
+
+ // Recycle filters
+@@ -242,12 +237,9 @@ public abstract class AbstractInputBuffer<S> implements InputBuffer{
+ }
+
+ // Reset pointers
+- lastValid = lastValid - pos;
+- pos = 0;
+ lastActiveFilter = -1;
+ parsingHeader = true;
+ swallowInput = true;
+-
+ }
+
+
diff -Nru tomcat7-7.0.56/debian/patches/series tomcat7-7.0.56/debian/patches/series
--- tomcat7-7.0.56/debian/patches/series 2017-01-05 18:13:55.000000000 +0100
+++ tomcat7-7.0.56/debian/patches/series 2017-02-10 03:30:38.000000000 +0100
@@ -38,3 +38,4 @@
 BZ-57377.patch
 CVE-2016-8735.patch
 CVE-2016-8745.patch
+BZ57544-infinite-loop.patch
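Review bot: The reset `lastValid = lastValid - pos; pos = 0;` now sits inside `if (lastValid - pos > 0 && pos > 0)` in the first inner hunk, and the second inner hunk deletes the unconditional copy under `// Reset pointers`, so a request that ends with no leftover bytes (`lastValid == pos`, `pos > 0`) leaves both pointers where they were. If nothing outside these hunks zeroes them, each keep-alive request would start parsing further into `buf`, which looks like a second remotely reachable failure mode (header space shrinking until requests are rejected) in a patch meant to close a denial-of-service. Keep only the `System.arraycopy(buf, pos, buf, 0, lastValid - pos);` call under the guard and leave `lastValid = lastValid - pos;` and `pos = 0;` unconditional after it. The same patch is added for tomcat8 later in this mail, and the enclosing method begins and ends outside the inner hunks.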
diff -Nru tomcat8-8.0.14/debian/changelog tomcat8-8.0.14/debian/changelog
--- tomcat8-8.0.14/debian/changelog 2017-01-06 00:39:34.000000000 +0100
+++ tomcat8-8.0.14/debian/changelog 2017-02-10 01:08:51.000000000 +0100
@@ -1,3 +1,10 @@
+tomcat8 (8.0.14-1+deb8u7) UNRELEASED; urgency=medium
+
+ * Team upload.
+ * Add BZ57544-infinite-loop.patch
+
+ -- Markus Koschany <a...@debian.org> Fri, 10 Feb 2017 01:08:51 +0100
+
 tomcat8 (8.0.14-1+deb8u6) jessie-security; urgency=high
 
 * Fixed CVE-2016-8745: A bug in the error handling of the send file code for
diff -Nru tomcat8-8.0.14/debian/patches/BZ57544-infinite-loop.patch tomcat8-8.0.14/debian/patches/BZ57544-infinite-loop.patch
--- tomcat8-8.0.14/debian/patches/BZ57544-infinite-loop.patch 1970-01-01 01:00:00.000000000 +0100
+++ tomcat8-8.0.14/debian/patches/BZ57544-infinite-loop.patch 2017-02-10 01:08:51.000000000 +0100
@@ -0,0 +1,48 @@
+From: Markus Koschany <a...@debian.org>
+Date: Fri, 10 Feb 2017 01:06:54 +0100
+Subject: BZ57544 infinite loop
+
+Bug-Upstream: https://bz.apache.org/bugzilla/show_bug.cgi?id=60578
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851304
+Origin: https://github.com/apache/tomcat80/commit/614e7f78aecc429d8740bb59900c2f9fbc86a788
+---
+ java/org/apache/coyote/http11/AbstractInputBuffer.java | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/java/org/apache/coyote/http11/AbstractInputBuffer.java b/java/org/apache/coyote/http11/AbstractInputBuffer.java
+index 33d4b3b..2aef369 100644
+--- a/java/org/apache/coyote/http11/AbstractInputBuffer.java
++++ b/java/org/apache/coyote/http11/AbstractInputBuffer.java
+@@ -235,15 +235,10 @@ public abstract class AbstractInputBuffer<S> implements InputBuffer{
+ request.recycle();
+
+ // Copy leftover bytes to the beginning of the buffer
+- if (lastValid - pos > 0) {
+- int npos = 0;
+- int opos = pos;
+- while (lastValid - opos > opos - npos) {
+- System.arraycopy(buf, opos, buf, npos, opos - npos);
+- npos += pos;
+- opos += pos;
+- }
+- System.arraycopy(buf, opos, buf, npos, lastValid - opos);
++ if (lastValid - pos > 0 && pos > 0) {
++ System.arraycopy(buf, pos, buf, 0, lastValid - pos);
++ lastValid = lastValid - pos;
++ pos = 0;
+ }
+
+ // Recycle filters
+@@ -252,12 +247,9 @@ public abstract class AbstractInputBuffer<S> implements InputBuffer{
+ }
+
+ // Reset pointers
+- lastValid = lastValid - pos;
+- pos = 0;
+ lastActiveFilter = -1;
+ parsingHeader = true;
+ swallowInput = true;
+-
+ }
+
+
diff -Nru tomcat8-8.0.14/debian/patches/series tomcat8-8.0.14/debian/patches/series
--- tomcat8-8.0.14/debian/patches/series 2017-01-06 00:39:34.000000000 +0100
+++ tomcat8-8.0.14/debian/patches/series 2017-02-10 01:08:51.000000000 +0100
@@ -33,3 +33,4 @@
 BZ-57377.patch
 CVE-2016-8735.patch
 CVE-2016-8745.patch
+BZ57544-infinite-loop.patch
signature.asc
Description: OpenPGP digital signature