Bug 12899 - tomcat new security issue CVE-2014-0050
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/585187/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Reported: 2014-02-27 18:39 CET by David Walser
Modified: 2014-02-28 20:03 CET (History)

Source RPM: tomcat-7.0.41-4.2.mga3.src.rpm
Description David Walser 2014-02-27 18:39:53 CET
+++ This bug was initially created as a clone of Bug #12653 +++

Details on an issue in apache-commons-fileupload were released on February 6:
http://seclists.org/fulldisclosure/2014/Feb/41

As tomcat (tomcat7) bundles it, it is also affected.  It will be fixed in version 7.0.51, when released.  There is also a link to the upstream revision that fixes the issue on the tomcat7 security page:
http://tomcat.apache.org/security-7.html

This CVE might be split, as was requested here:
http://openwall.com/lists/oss-security/2014/02/07/3

Comment 1 David Walser 2014-02-27 18:45:29 CET
The issue is fixed upstream in Tomcat 7.0.52, which doesn't build.

I tried building tomcat 7.0.52 locally in Mageia 4 and got:
BUILD FAILED
/home/david/tomcat/BUILD/apache-tomcat-7.0.52-src/build.xml:1784 The java.7.home property must be set for javadoc build

I found the upstream commit in tomcat to fix this:
http://svn.apache.org/viewvc?view=revision&revision=1565169

The tomcat commit applies cleanly to tomcat 7.0.47 in Mageia 4 and Cauldron, and only needed one "public" removed to apply to 7.0.41 in Mageia 3.  I added it in SVN and built it.

The QA team has determined that tomcat in Mageia 4 is not working:
https://bugs.mageia.org/show_bug.cgi?id=12653#c17

Just for the sake of posterity, the Mageia 3 tomcat update might also fix CVE-2013-1976, as I indicated here:
https://bugs.mageia.org/show_bug.cgi?id=10201#c23

I'm not *sure* whether it was affected, so I didn't mention it in the advisory.

Here is the basis of the advisory we can use once this is fixed.

Advisory:
========================

Updated tomcat packages fix security vulnerability:

It was discovered that the Apache Commons FileUpload package for Java could
enter an infinite loop while processing a multipart request with a crafted
Content-Type, resulting in a denial-of-service condition (CVE-2014-0050).

Tomcat 7 includes an embedded copy of the Apache Commons FileUpload package,
and was affected as well.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050
http://seclists.org/fulldisclosure/2014/Feb/41
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.52
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.41-5.mga3
tomcat-admin-webapps-7.0.41-5.mga3
tomcat-docs-webapp-7.0.41-5.mga3
tomcat-javadoc-7.0.41-5.mga3
tomcat-jsvc-7.0.41-5.mga3
tomcat-jsp-2.2-api-7.0.41-5.mga3
tomcat-lib-7.0.41-5.mga3
tomcat-servlet-3.0-api-7.0.41-5.mga3
tomcat-el-2.2-api-7.0.41-5.mga3
tomcat-webapps-7.0.41-5.mga3
tomcat-7.0.47-1.1.mga4
tomcat-admin-webapps-7.0.47-1.1.mga4
tomcat-docs-webapp-7.0.47-1.1.mga4
tomcat-javadoc-7.0.47-1.1.mga4
tomcat-jsvc-7.0.47-1.1.mga4
tomcat-jsp-2.2-api-7.0.47-1.1.mga4
tomcat-lib-7.0.47-1.1.mga4
tomcat-servlet-3.0-api-7.0.47-1.1.mga4
tomcat-el-2.2-api-7.0.47-1.1.mga4
tomcat-webapps-7.0.47-1.1.mga4

from SRPMS:
tomcat-7.0.41-5.mga3.src.rpm
tomcat-7.0.47-1.1.mga4.src.rpm
Comment 2 Thomas Backlund 2014-02-27 20:18:32 CET
tomcat in mga4 fixed:

tomcat-7.0.47-1.2.mga4.noarch.rpm
tomcat-admin-webapps-7.0.47-1.2.mga4.noarch.rpm
tomcat-docs-webapp-7.0.47-1.2.mga4.noarch.rpm
tomcat-el-2.2-api-7.0.47-1.2.mga4.noarch.rpm
tomcat-javadoc-7.0.47-1.2.mga4.noarch.rpm
tomcat-jsp-2.2-api-7.0.47-1.2.mga4.noarch.rpm
tomcat-jsvc-7.0.47-1.2.mga4.noarch.rpm
tomcat-lib-7.0.47-1.2.mga4.noarch.rpm
tomcat-servlet-3.0-api-7.0.47-1.2.mga4.noarch.rpm
tomcat-webapps-7.0.47-1.2.mga4.noarch.rpm
Comment 3 Thomas Backlund 2014-02-27 21:30:26 CET
Works on mga3 x86_64 and mga4 x86_64.

Tested by installing the tomcat-webapps and confirming the examples work.
Comment 4 claire robinson 2014-02-27 21:56:22 CET
Procedure: https://bugs.mageia.org/show_bug.cgi?id=8307#c17
Comment 5 claire robinson 2014-02-28 10:51:23 CET
Testing complete mga3 32
Comment 6 claire robinson 2014-02-28 16:49:17 CET
Testing complete mga4 32
Comment 7 claire robinson 2014-02-28 16:54:24 CET
Advisory uploaded. Validating (really)

Could sysadmin please push to 3 & 4 updates

Thanks
Comment 8 Thomas Backlund 2014-02-28 20:03:02 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0110.html
