
Bug 621048 (CVE-2017-5664)

Summary: www-servers/tomcat: Security constrained bypass in error page mechanism
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED OBSOLETE
Severity: minor
CC: java
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Whiteboard: B3 [ebuild cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2017-06-06 15:57:33 UTC
From ${URL} :

The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method.

If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. Tomcat's Default Servlet did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page.

Affects: 7.0.0 to 7.0.77, 8.0.0.RC1 to 8.0.43, 8.5.0 to 8.5.14

Upstream fixes:

Tomcat 7.x:

https://svn.apache.org/viewvc?view=revision&revision=1793471
https://svn.apache.org/viewvc?view=revision&revision=1793491

Tomcat 8.0.x:

https://svn.apache.org/viewvc?view=revision&revision=1793470
https://svn.apache.org/viewvc?view=revision&revision=1793489

Tomcat 8.5.x:

https://svn.apache.org/viewvc?view=revision&revision=1793469
https://svn.apache.org/viewvc?view=revision&revision=1793488

External References:

https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.78
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.44
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.15


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
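As an added defensive check, not part of this bug report or of Tomcat's own tooling: a Python audit of a `web.xml` for the combination the description warns about, a `DefaultServlet` whose `readonly` init-param is set to `false` together with custom error pages that point at static files. The sample `web.xml` is constructed, and the static-file suffix list is a heuristic assumption.

```python
"""Audit a Tomcat web.xml for the CVE-2017-5664 risk combination: writable DefaultServlet + static error pages."""
import xml.etree.ElementTree as ET

STATIC_SUFFIXES = (".html", ".htm", ".txt")  # heuristic: locations treated as "static file" error pages

def _local(tag):
    """Strip the XML namespace so java.sun.com and xmlns.jcp.org schemas both match."""
    return tag.split("}", 1)[1] if "}" in tag else tag

def _text(el, name):
    """Text of the first direct child element named `name`, or '' if absent."""
    child = next((c for c in el if _local(c.tag) == name), None)
    return child.text.strip() if child is not None and child.text else ""

def audit_webxml(xml_text):
    """Return the DefaultServlet write setting, the static error pages, and
    whether the advisory's risky combination is present in this web.xml."""
    root = ET.fromstring(xml_text)
    writable = False  # Tomcat's DefaultServlet defaults to readonly=true
    for servlet in root:
        if _local(servlet.tag) != "servlet":
            continue
        if _text(servlet, "servlet-class") != "org.apache.catalina.servlets.DefaultServlet":
            continue
        for param in servlet:
            if _local(param.tag) == "init-param" and _text(param, "param-name") == "readonly":
                writable = _text(param, "param-value").lower() == "false"
    static_pages = []
    for ep in root:
        if _local(ep.tag) == "error-page":
            loc = _text(ep, "location")
            if loc.lower().endswith(STATIC_SUFFIXES):
                static_pages.append(loc)
    return {"default_servlet_writable": writable,
            "static_error_pages": static_pages,
            "at_risk": writable and bool(static_pages)}

# Constructed sample for demonstration, not a real deployment's web.xml.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <error-page><error-code>404</error-code><location>/errors/404.html</location></error-page>
  <error-page><error-code>500</error-code><location>/errors/ErrorServlet</location></error-page>
</web-app>"""
```

Run `audit_webxml` over both `conf/web.xml` and each webapp's `WEB-INF/web.xml`, since either can declare the DefaultServlet or the error pages; an `at_risk` result on a version in the affected range means the fixed release should be deployed before relying on the static error page.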
Comment 1 Miroslav Šulc gentoo-dev 2019-02-10 14:34:01 UTC
None of the affected versions is in the tree:

$ PORTDIR=/usr/src/gentoo.git/ equery meta tomcat
 * www-servers/tomcat [gentoo]
Maintainer:  java@gentoo.org (Java)
Upstream:    None specified
Homepage:    https://tomcat.apache.org/
Location:    /usr/src/gentoo.git/www-servers/tomcat
Keywords:    7.0.92:7: amd64 ~amd64-linux ~ppc64 ~x86 ~x86-linux ~x86-solaris
Keywords:    8.0.52:8: amd64
Keywords:    8.0.53:8: ~amd64 ~amd64-linux ~x86 ~x86-fbsd ~x86-linux ~x86-solaris
Keywords:    8.5.31:8.5: amd64
Keywords:    8.5.37:8.5: ~amd64 ~amd64-linux ~x86 ~x86-fbsd ~x86-linux ~x86-solaris
Keywords:    9.0.7:9: amd64
Keywords:    9.0.14:9: 
Keywords:    9.0.16:9: ~amd64 ~amd64-linux ~x86 ~x86-fbsd ~x86-linux ~x86-solaris
License:     Apache-2.0