| Summary: | tomcat new security issue CVE-2014-0050 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | dmorganec, ennael1, qa-bugs, sysadmin-bugs, tmb |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/585187/ | ||
| Whiteboard: | MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok | ||
| Source RPM: | tomcat-7.0.41-4.2.mga3.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2014-02-27 18:39:53 CET
The issue is fixed upstream in Tomcat 7.0.52, which doesn't build. I tried building tomcat 7.0.52 locally in Mageia 4 and got:

BUILD FAILED
/home/david/tomcat/BUILD/apache-tomcat-7.0.52-src/build.xml:1784
The java.7.home property must be set for javadoc build

I found the upstream commit in tomcat to fix this:
http://svn.apache.org/viewvc?view=revision&revision=1565169

The tomcat commit applies cleanly to tomcat 7.0.47 in Mageia 4 and Cauldron, and only needed one "public" removed to apply to 7.0.41 in Mageia 3. I added it in SVN and built it.

The QA team has determined that tomcat in Mageia 4 is not working:
https://bugs.mageia.org/show_bug.cgi?id=12653#c17

Just for the sake of posterity, the Mageia 3 tomcat update might also fix CVE-2013-1976, as I indicated here:
https://bugs.mageia.org/show_bug.cgi?id=10201#c23

I'm not *sure* whether it was affected, so I didn't mention it in the advisory.

Here is the basis of the advisory we can use once this is fixed.

Advisory:
========================

Updated tomcat packages fix security vulnerability:

It was discovered that the Apache Commons FileUpload package for Java could enter an infinite loop while processing a multipart request with a crafted Content-Type, resulting in a denial-of-service condition (CVE-2014-0050).

Tomcat 7 includes an embedded copy of the Apache Commons FileUpload package, and was affected as well.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050
http://seclists.org/fulldisclosure/2014/Feb/41
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.52
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.41-5.mga3
tomcat-admin-webapps-7.0.41-5.mga3
tomcat-docs-webapp-7.0.41-5.mga3
tomcat-javadoc-7.0.41-5.mga3
tomcat-jsvc-7.0.41-5.mga3
tomcat-jsp-2.2-api-7.0.41-5.mga3
tomcat-lib-7.0.41-5.mga3
tomcat-servlet-3.0-api-7.0.41-5.mga3
tomcat-el-2.2-api-7.0.41-5.mga3
tomcat-webapps-7.0.41-5.mga3
tomcat-7.0.47-1.1.mga4
tomcat-admin-webapps-7.0.47-1.1.mga4
tomcat-docs-webapp-7.0.47-1.1.mga4
tomcat-javadoc-7.0.47-1.1.mga4
tomcat-jsvc-7.0.47-1.1.mga4
tomcat-jsp-2.2-api-7.0.47-1.1.mga4
tomcat-lib-7.0.47-1.1.mga4
tomcat-servlet-3.0-api-7.0.47-1.1.mga4
tomcat-el-2.2-api-7.0.47-1.1.mga4
tomcat-webapps-7.0.47-1.1.mga4

from SRPMS:
tomcat-7.0.41-5.mga3.src.rpm
tomcat-7.0.47-1.1.mga4.src.rpm

Assignee: bugsquad => dmorganec
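Added example, not part of this bug report and not Mageia's or Tomcat's code: a pre-parse check, in Java, for the multipart boundary the advisory above describes. It assumes the 4096-byte default read buffer of Commons FileUpload's MultipartStream and the rule enforced by the upstream fix (the buffer must hold the boundary plus its CRLF and "--" prefix); the class and method names are this example's own.

```java
import java.util.Locale;

// Added example, not code from this bug report, Mageia, or Tomcat. It models the
// invariant behind the CVE-2014-0050 fix: the multipart boundary must fit in the
// parser's read buffer, or the stream can loop forever searching for it.
public final class MultipartBoundaryGuard {
    // Assumption: 4096 bytes, the default read buffer size of FileUpload's MultipartStream.
    public static final int DEFAULT_BUFFER_SIZE = 4096;
    // The stream searches for CRLF + "--" + boundary, so the prefix adds 4 bytes.
    private static final int BOUNDARY_PREFIX_LENGTH = 4;
    // RFC 2046 section 5.1.1 limits a boundary to 70 characters.
    private static final int RFC2046_MAX_BOUNDARY = 70;

    private MultipartBoundaryGuard() {}

    /** Returns the boundary parameter of a multipart Content-Type, or null if none. */
    public static String extractBoundary(String contentType) {
        if (contentType == null || !contentType.toLowerCase(Locale.ROOT).startsWith("multipart/")) {
            return null;
        }
        for (String param : contentType.split(";")) {
            String p = param.trim();
            if (p.regionMatches(true, 0, "boundary=", 0, 9)) {
                String value = p.substring(9).trim();
                if (value.length() >= 2 && value.startsWith("\"") && value.endsWith("\"")) {
                    value = value.substring(1, value.length() - 1); // strip quotes
                }
                return value;
            }
        }
        return null;
    }

    /** True when the body may be parsed with a bufferSize-byte buffer; false otherwise. */
    public static boolean isSafeToParse(String contentType, int bufferSize) {
        String boundary = extractBoundary(contentType);
        if (boundary == null || boundary.isEmpty() || boundary.length() > RFC2046_MAX_BOUNDARY) {
            return false;
        }
        // Same shape as the upstream check: buffer must hold prefix + boundary + 1 byte.
        return bufferSize >= boundary.length() + BOUNDARY_PREFIX_LENGTH + 1;
    }

    public static void main(String[] args) {
        String normal = "multipart/form-data; boundary=----FormBoundaryExample42"; // constructed
        String tooLong = "multipart/form-data; boundary=" + "x".repeat(120);       // constructed
        System.out.println("normal accepted:    " + isSafeToParse(normal, DEFAULT_BUFFER_SIZE));
        System.out.println("over-long rejected: " + !isSafeToParse(tooLong, DEFAULT_BUFFER_SIZE));
    }
}
```

A rejected request should be answered with 400 before any multipart parsing starts, and the rejection logged, since a boundary over the RFC limit never comes from a well-behaved client.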
David Walser
2014-02-27 18:48:08 CET
Depends on: 12653 => (none)
David Walser
2014-02-27 18:49:34 CET
CC: (none) => qa-bugs

tomcat in mga4 fixed:
tomcat-7.0.47-1.2.mga4.noarch.rpm
tomcat-admin-webapps-7.0.47-1.2.mga4.noarch.rpm
tomcat-docs-webapp-7.0.47-1.2.mga4.noarch.rpm
tomcat-el-2.2-api-7.0.47-1.2.mga4.noarch.rpm
tomcat-javadoc-7.0.47-1.2.mga4.noarch.rpm
tomcat-jsp-2.2-api-7.0.47-1.2.mga4.noarch.rpm
tomcat-jsvc-7.0.47-1.2.mga4.noarch.rpm
tomcat-lib-7.0.47-1.2.mga4.noarch.rpm
tomcat-servlet-3.0-api-7.0.47-1.2.mga4.noarch.rpm
tomcat-webapps-7.0.47-1.2.mga4.noarch.rpm
CC: (none) => tmb

works on mga3 x86_64 and mga4 x86_64
tested by installing the tomcat-webapps and confirming the examples work
Whiteboard: MGA3TOO => MGA3TOO mga3-64-ok mga4-64-ok

Procedure: https://bugs.mageia.org/show_bug.cgi?id=8307#c17
Whiteboard: MGA3TOO mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-64-ok mga4-64-ok

Testing complete mga3 32
Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok

Testing complete mga4 32
Keywords: (none) => validated_update

Advisory uploaded. Validating (really)
Could sysadmin please push to 3 & 4 updates
Thanks
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Update pushed: http://advisories.mageia.org/MGASA-2014-0110.html
Status: NEW => RESOLVED