Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 586966 (CVE-2016-3092) - <www-servers/tomcat-{7.0.70, 8.0.36}: Usage of vulnerable FileUpload package can result in denial of service (CVE-2016-3092)
Summary: <www-servers/tomcat-{7.0.70, 8.0.36}: Usage of vulnerable FileUpload package ...
Alias: CVE-2016-3092
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa cve]
Depends on: CVE-2016-0762, CVE-2016-5018, CVE-2016-6794, CVE-2016-6796, CVE-2016-6797, CVE-2016-6816, CVE-2016-6817, CVE-2016-8735
Blocks: CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2015-5351, CVE-2016-0706, CVE-2016-0714, CVE-2016-0763
  Show dependency tree
Reported: 2016-06-24 15:38 UTC by Agostino Sarubbo
Modified: 2020-08-28 03:26 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-06-24 15:38:50 UTC
From ${URL} :

Apache Tomcat uses a package renamed copy of Apache Commons FileUpload to implement the file upload requirements of the Servlet specification. A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart 
boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file. This caused the file upload process to take several orders of magnitude longer than if the boundary was the typical tens of bytes long.

External references:

Upstream fixes:

Tomcat 8.5.x:

Tomcat 8.0.x:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Miroslav Šulc gentoo-dev 2016-07-14 08:35:03 UTC
none of the 8.5.x versions in the tree is affected by this issue. and according to the log at it seems the first unaffected version is 8.0.36. anyway, there are some bugs reported against this version that block stabilization so these should be fixed first i guess.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2016-07-14 08:43:29 UTC
CVE-2016-3092 (
  The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used
  in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3,
  and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause
  a denial of service (CPU consumption) via a long boundary string.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-07-14 08:53:44 UTC
8.5.x is currently unstable.

@maintainer(s), please let us know if you are ready to stabilize the unaffected versions.  If so, please call for stabilization in this bug or let us know.  Thank you.

GLSA Vote: Yes.  Given the blocked bug this will require a GLSA.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-19 01:47:18 UTC
We will do stabilization in bug 598324.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2017-04-30 19:30:01 UTC
Arches and Maintainer(s), Thank you for your work.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2017-05-18 02:02:25 UTC
This issue was resolved and addressed in
 GLSA 201705-09 at
by GLSA coordinator Yury German (BlueKnight).