
Bug 586966 (CVE-2016-3092)

Summary: <www-servers/tomcat-{7.0.70, 8.0.36}: Usage of vulnerable FileUpload package can result in denial of service (CVE-2016-3092)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: java
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1349468
See Also: https://bugs.gentoo.org/show_bug.cgi?id=739350
Whiteboard: B3 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 598324
Bug Blocks: 575796

Description Agostino Sarubbo gentoo-dev 2016-06-24 15:38:50 UTC
From ${URL} :

Apache Tomcat uses a package renamed copy of Apache Commons FileUpload to implement the file upload requirements of the Servlet specification. A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file. This caused the file upload process to take several orders of magnitude longer than if the boundary was the typical tens of bytes long.

External references:

http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-7.html

Upstream fixes:

Tomcat 8.5.x:

http://svn.apache.org/viewvc?view=revision&revision=1743722

Tomcat 8.0.x:

http://svn.apache.org/viewvc?view=revision&revision=1743738


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Miroslav Šulc gentoo-dev 2016-07-14 08:35:03 UTC
None of the 8.5.x versions in the tree is affected by this issue. And according to the log at http://tomcat.apache.org/tomcat-8.0-doc/changelog.html#Tomcat_8.0.36_(markt) it seems the first unaffected version is 8.0.36. Anyway, there are some bugs reported against this version that block stabilization, so these should be fixed first, I guess.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2016-07-14 08:43:29 UTC
CVE-2016-3092 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3092):
  The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used
  in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3,
  and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause
  a denial of service (CPU consumption) via a long boundary string.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-07-14 08:53:44 UTC
8.5.x is currently unstable.

@maintainer(s), please let us know if you are ready to stabilize the unaffected versions.  If so, please call for stabilization in this bug or let us know.  Thank you.

GLSA Vote: Yes.  Given the blocked bug this will require a GLSA.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-19 01:47:18 UTC
We will do stabilization in bug 598324.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2017-04-30 19:30:01 UTC
Arches and Maintainer(s), Thank you for your work.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2017-05-18 02:02:25 UTC
This issue was resolved and addressed in
 GLSA 201705-09 at https://security.gentoo.org/glsa/201705-09
by GLSA coordinator Yury German (BlueKnight).