Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 225477 (CVE-2008-1947) - www-servers/tomcat <5.5.27 <6.0.18 Information disclosure and XSS (CVE-2008-{1232,1947,2370,2938})
Summary: www-servers/tomcat <5.5.27 <6.0.18 Information disclosure and XSS (CVE-2008-{...
Alias: CVE-2008-1947
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
: 234441 237409 (view as bug list)
Depends on: 234684 237409
  Show dependency tree
Reported: 2008-06-08 23:02 UTC by Robert Buchholz (RETIRED)
Modified: 2008-11-26 18:40 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

www-servers:tomcat-5.5.27:20080911-193515.log (www-servers:tomcat-5.5.27:20080911-193515.log,13.76 KB, text/plain)
2008-09-11 19:40 UTC, Markus Meier
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-06-08 23:02:47 UTC
CVE-2008-1947 (
  Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through
  5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary
  web script or HTML via the name parameter (aka the hostname attribute) to
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-06-08 23:05:02 UTC
"Fixed in Apache Tomcat 6.0.SVN

    low: Cross-site scripting CVE-2008-1947

    The Host Manager web application did not escape user provided data before including it in the output. This enabled a XSS attack. This application now filters the data before use. This issue may be mitigated by logging out (closing the browser) of the application once the management tasks have been completed.

    Affects: 6.0.0-6.0.16"
"Fixed in Apache Tomcat 5.5.SVN

    low: Cross-site scripting CVE-2008-1947

    The Host Manager web application did not escape user provided data before including it in the output. This enabled a XSS attack. This application now filters the data before use. This issue may be mitigated by logging out (closing the browser) of the application once the management tasks have been completed.

    Affects: 5.5.9-5.5.26"
Comment 2 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-06-16 15:53:08 UTC
Seems like a re-occurrence of bug 182262, and

There have been warnings in the ebuild for manager and example apps for a while now. I don't see a reason or need to take further action. At least till upstream releases another version. Hopefully with a fix, but with the re-occurrence of bugs relating to unescaped stuff. I would just assume leave the warnings for a period even beyond upstream addressing the issue. As I have since the last bug, and here we have another :)
Comment 3 Anton Bolshakov 2008-08-01 22:43:19 UTC
The new version is out. It fixes another vulnerability:
6.0.x users should upgrade to 6.0.18
5.5.x users should obtain the latest source from svn or apply this patch
which will be included from 5.5.27 
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-08-02 12:12:12 UTC
wltjr, there's a 6.0.18 release fixing the three issues. For 5.5, there is none yet. Do you know if there is one planned for the near future?
Comment 5 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-08-02 20:50:22 UTC
I added 6.0.18, I am traveling on business I have no info on 5.5.x at this time. I will comment when I have more info there.
Comment 6 Anton Bolshakov 2008-08-12 02:48:19 UTC
One more critical vulnerability has been published:

Title: Apache Tomcat Directory Traversal Vulnerability
Severity: High
Impact: Remote File Disclosure 
Solution: upgrade to 6.0.18

I guess 6.0.18 should go stable as soon as possible.
Comment 7 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-08-13 22:23:28 UTC
*** Bug 234441 has been marked as a duplicate of this bug. ***
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-08-14 11:29:23 UTC
Stabling of =www-servers/tomcat-6.0.18 is handled in blocking bug. We're still waiting for the 5.5* release.
Comment 9 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-08-15 21:17:45 UTC
5.5.x might see a new release sometime first part of next week.
Comment 10 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-08-27 11:29:38 UTC
6.0.18 is stable now, I think we can close the other bug, but will let someone from security do that. This one can remain.

Still waiting on upstream for 5.5.x. They are having issues with patching and building. Present status is discussion under a thread on the tomcat -dev ml called

 5.5.27 blocker: URIEncoding UTF-8 broken for 5.5.trunk

So once they resolve that, can build 5.5.27 or what ever version when released. Not much I can do. I don't think I can even patch the one in tree, based on what I am seeing going on with upstream. They aren't having an easy time, so I doubt I will do any better :)
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-08-27 13:50:25 UTC
(In reply to comment #10)
> Still waiting on upstream for 5.5.x. They are having issues with patching and
> building. 

Thanks, please keep us updated when the issue is resolved.
Comment 12 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-08-29 12:25:19 UTC
5.5.27 release testing binaries are out. A full release should be coming in a couple days. I will bump as soon as upstream stamps and releases 5.5.27 sources.
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-09-11 15:15:47 UTC
Anyone able to bump to 5.5.27 ?
Comment 14 Miroslav Šulc gentoo-dev 2008-09-11 17:29:36 UTC
As wltjr does not maintain tomcat anymore, I bumped tomcat to 5.5.27. I suppose this bug should be closed so closing it. If not then pls reopen it.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-09-11 17:53:47 UTC
Miroslav, please do not close security bugs. Also, we're usually handling stablings on the bug itself.
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2008-09-11 17:54:08 UTC
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2008-09-11 17:54:37 UTC
*** Bug 237409 has been marked as a duplicate of this bug. ***
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2008-09-11 17:56:37 UTC
Arches, please test and mark stable:
Target keywords : "amd64 x86"
Comment 19 Markus Meier gentoo-dev 2008-09-11 19:40:11 UTC
Created attachment 165211 [details]

fails on amd64/x86 with ibm-jdk-1.{4,6}.

www-servers/tomcat-5.5.27 [5.5.26] USE="doc examples java5 source test -admin*"

GENTOO_VM=ibm-jdk-bin-1.6  CLASSPATH="" JAVA_HOME="/opt/ibm-jdk-bin-"
JAVACFLAGS="-source 1.5 -target 1.5" COMPILER="javac"

Portage (default/linux/amd64/2008.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, x86_64)
System uname: x86_64 Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz
Timestamp of tree: Thu, 11 Sep 2008 19:00:01 +0000
app-shells/bash:     3.2_p33
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python:     2.5.2-r7
dev-python/pycrypto: 2.0.1-r6
sys-devel/autoconf:  2.13, 2.61-r2
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
CFLAGS="-O2 -pipe"
CONFIG_PROTECT="/etc /opt/openfire/resources/security/ /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/bind /var/lib/hsqldb /var/spool/torque"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -pipe"
FEATURES="collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch userpriv usersandbox"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
USE="X acl acpi alsa amd64 apache2 berkdb bluetooth branding bzip2 cairo cdr cli cracklib crypt cups dbus doc dri dvd dvdr dvdread eds emboss encode esd evo examples fam firefox fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog jpeg kde kerberos ldap libnotify mad midi mikmod mmx mp3 mpeg mudflap multilib ncurses nls nptl nptlonly nsplugin ogg opengl openmp pam pcre pdf perl png ppds pppd python qt3 qt3support qt4 quicktime readline reflection sdl session source spell spl sse sse2 ssl startup-notification svg sysfs tcpd test tiff truetype unicode usb vorbis xml xorg xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="fbdev glint i810 mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo"
Comment 20 Miroslav Šulc gentoo-dev 2008-09-12 10:12:49 UTC
The same problem occurs with tomcat-5.5.26 which was made stable. The problem is tomcat uses Sun specific packages so tomcat will build only with Sun JDKs. I'll look for a solution that will fail more user friendly.
Comment 21 Miroslav Šulc gentoo-dev 2008-09-12 17:14:16 UTC
The problem with com.sun.* packages should be fixed in CVS now. Please also stabilize java-virtuals/jdk-with-com-sun-20080505-r1, I had to add blackdown-jdk-1.4.2 to the virtuals so a 1.4 JDK with com.sun.* packages is available on amd64 systems.
Comment 22 Markus Meier gentoo-dev 2008-09-17 21:46:13 UTC
amd64/x86 stable, thanks for the quick responses in #gentoo-java. all arches done.
Comment 23 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-18 22:00:11 UTC
both 5.5 and 6.0 are stable, now time to vote... I vote NO glsa.
Comment 24 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-04 01:54:08 UTC
Shouldn't 5.5.26 get masked?
Comment 25 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 18:40:55 UTC
NO as well, closing.