Bug 469434 (CVE-2012-3544) - <www-servers/tomcat-{6.0.37,7.0.42}: multiple vulnerabilities (CVE-2012-3544,CVE-2013-{2067,2071})
Summary: <www-servers/tomcat-{6.0.37,7.0.42}: multiple vulnerabilities (CVE-2012-3544,...
Status: RESOLVED FIXED
Alias: CVE-2012-3544
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [glsa]
Reported: 2013-05-11 12:26 UTC by Agostino Sarubbo
Modified: 2014-12-15 00:45 UTC
Description Agostino Sarubbo gentoo-dev 2013-05-11 12:26:10 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=961783 :

A denial of service flaw was found in the way the chunked transfer encoding input filter of Apache Tomcat, an Apache Servlet/JSP Engine, processed CRLF sequences at the end of data chunks in certain circumstances. When chunked transfer encoding was enabled, a remote attacker could issue a specially-crafted request that, when processed, would lead to a (limited) denial of service of the Apache Tomcat server.

Relevant upstream patches:
* for Apache Tomcat 6.x:
  http://svn.apache.org/viewvc?view=revision&revision=1476592

* for Apache Tomcat 7.x:
  http://svn.apache.org/viewvc?view=rev&rev=1378702
  http://svn.apache.org/viewvc?view=rev&rev=1378921
Comment 1 Agostino Sarubbo gentoo-dev 2013-05-11 12:26:15 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=961779 :

A session fixation flaw was found in the way the FormAuthenticator module of Apache Tomcat, an Apache Servlet/JSP Engine, performed authentication request management in certain circumstances (the most recent authentication request was associated with the current user's session). An attacker could use this flaw to inject (and possibly successfully complete) an authentication request that would be executed using the credentials of the victim.

Relevant upstream patches:
* for Apache Tomcat 6.x:
  http://svn.apache.org/viewvc?view=revision&revision=1417891
* for Apache Tomcat 7.x:
  http://svn.apache.org/viewvc?view=rev&rev=1408044
Comment 2 Agostino Sarubbo gentoo-dev 2013-05-11 12:26:18 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=961803 :

An information disclosure flaw was found in the way the asynchronous context implementation of Apache Tomcat, an Apache Servlet/JSP Engine, performed request information management in certain circumstances (certain elements of a previous request might have been exposed to the current request). If an application used AsyncListeners that threw RuntimeExceptions, a remote attacker could use this flaw to possibly obtain sensitive information.

Upstream bug report:
https://issues.apache.org/bugzilla/show_bug.cgi?id=54178

Relevant upstream patch (including testcase):
http://svn.apache.org/viewvc?view=rev&rev=1471372


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-07 03:13:13 UTC
First one fixed since 7.0.40/doesn't seem to affect 6.0.x, second one fixed in 7.0.33/6.0.37. Not sure which revisions were the first to fix the third issue, but the latest 6.0.x and 7.0.x have the requisite fixes. @java team: please ack stabilization.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-08-29 22:49:20 UTC
CVE-2013-2071 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2071):
  java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x
  before 7.0.40 does not properly handle the throwing of a RuntimeException in
  an AsyncListener in an application, which allows context-dependent attackers
  to obtain sensitive request information intended for other applications in
  opportunistic circumstances via an application that records the requests
  that it processes.

CVE-2013-2067 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2067):
  java/org/apache/catalina/authenticator/FormAuthenticator.java in the form
  authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before
  7.0.33 does not properly handle the relationships between authentication
  requirements and sessions, which allows remote attackers to inject a request
  into a session by sending this request during completion of the login form,
  a variant of a session fixation attack.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2013-08-30 00:03:20 UTC
CVE-2012-3544 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3544):
  Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly
  handle chunk extensions in chunked transfer coding, which allows remote
  attackers to cause a denial of service by streaming data.
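The chunked transfer-coding issue described in the report above and in the CVE-2012-3544 text comes down to a decoder that reads the chunk-size line, including any chunk extensions, without a bound and does not insist on the CRLF after each chunk. The following Python decoder is an added example of the defensive shape, not Tomcat's code or the upstream patch; MAX_LINE, MAX_BODY and the sample bodies are assumed values constructed here.

```python
# Constructed example (not Tomcat's code): a bounded HTTP/1.1 chunked-body decoder.
# A chunk-size line may carry extensions ("size;name=value"); read without a length
# cap, a peer can keep the decoder busy by streaming an endless extension.
MAX_LINE = 64        # assumed cap for one chunk-size or trailer line, in bytes
MAX_BODY = 1 << 20   # assumed cap for the decoded body, in bytes
HEXDIGITS = frozenset(b"0123456789abcdefABCDEF")

class ChunkError(ValueError):
    """Malformed chunked body or a limit was exceeded."""

def _read_line(data, pos, what):
    """Return (line, new_pos) for a CRLF-terminated line of at most MAX_LINE bytes."""
    eol = data.find(b"\r\n", pos, pos + MAX_LINE + 2)   # CRLF must appear within the cap
    if eol < 0:
        raise ChunkError(f"{what} line too long or not CRLF-terminated")
    return data[pos:eol], eol + 2

def decode_chunked(data):
    """Decode a complete chunked body, raising ChunkError rather than growing unbounded."""
    out, pos = bytearray(), 0
    while True:
        line, pos = _read_line(data, pos, "chunk-size")
        size_hex = line.split(b";", 1)[0].strip()   # discard any chunk extensions
        if not size_hex or any(c not in HEXDIGITS for c in size_hex):
            raise ChunkError("invalid chunk size")
        size = int(size_hex, 16)
        if size == 0:                                # last-chunk: skip trailers to blank line
            while data[pos:pos + 2] != b"\r\n":
                _, pos = _read_line(data, pos, "trailer")
            return bytes(out)
        if len(out) + size > MAX_BODY:
            raise ChunkError("decoded body exceeds MAX_BODY")
        chunk = data[pos:pos + size]
        if len(chunk) != size or data[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkError("chunk data truncated or not CRLF-terminated")
        out += chunk
        pos += size + 2

def classify(data):
    """(True, body) when the body decodes, (False, reason) when it is rejected."""
    try:
        return True, decode_chunked(data)
    except ChunkError as exc:
        return False, str(exc)

# Constructed sample bodies.
GOOD = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
WITH_EXT = b"4;name=value\r\nWiki\r\n0\r\nX-Trailer: 1\r\n\r\n"
LONG_EXT = b"4;" + b"a" * 500 + b"\r\nWiki\r\n0\r\n\r\n"   # oversized chunk extension
BAD_CRLF = b"4\r\nWikiXX\r\n0\r\n\r\n"                       # chunk data not CRLF-terminated
```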
Comment 6 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-04 18:18:13 UTC
Maintainer timeout. Arches, please test and mark stable:
=www-servers/tomcat-6.0.37
Target arches: amd64 ppc ppc64 x86
=www-servers/tomcat-7.0.42
Target arches: amd64 ppc ppc64 x86
Comment 7 Agostino Sarubbo gentoo-dev 2013-10-05 10:38:27 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-10-06 07:57:57 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-10-07 19:38:31 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-10-07 19:49:35 UTC
ppc64 stable
Comment 11 Sean Amoss (RETIRED) gentoo-dev Security 2013-10-07 22:05:01 UTC
Added to existing GLSA request. 

Maintainers, please drop vulnerable versions.
Comment 12 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-10-08 19:50:25 UTC
+  08 Oct 2013; Tom Wijsman <TomWij@gentoo.org> -tomcat-6.0.36.ebuild,
+  -tomcat-7.0.32.ebuild, -tomcat-7.0.39.ebuild, -tomcat-7.0.41.ebuild:
+  Dropped vulnerable versions (CVE-2012-3544,CVE-2013-{2067,2071}) for security
+  bug #469434.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2014-12-15 00:45:08 UTC
This issue was resolved and addressed in GLSA 201412-29 at http://security.gentoo.org/glsa/glsa-201412-29.xml by GLSA coordinator Sean Amoss (ackle).