From 1bb926e7cc43b48aafd7309cbd64eaa25f372d13 Mon Sep 17 00:00:00 2001 From: david knox Date: Oct 05 2010 15:34:55 +0000 Subject: adding cve-2010-2227.patch and resolving rhbz#575341 --- diff --git a/tomcat6-6.0-CVE-2010-2227.patch b/tomcat6-6.0-CVE-2010-2227.patch new file mode 100644 index 0000000..4f00c89 --- /dev/null +++ b/tomcat6-6.0-CVE-2010-2227.patch 
@@ -0,0 +1,138 @@
+--- java/org/apache/coyote/http11/Http11AprProcessor.java.orig 2010-07-12 11:52:05.981133000 -0400
++++ java/org/apache/coyote/http11/Http11AprProcessor.java 2010-07-12 11:59:39.205913000 -0400
+@@ -78,6 +78,12 @@
+ protected static StringManager sm =
+ StringManager.getManager(Constants.Package);
+
++ /**
++ * Tracks how many internal filters are in the filter library so they
++ * are skipped whe looking for pluggable filters
++ */
++ private int pluggableFilterIndex = Integer.MAX_VALUE;
++
+
+ // ----------------------------------------------------------- Constructors
+
+@@ -1736,6 +1742,8 @@
+ //inputBuffer.addFilter(new GzipInputFilter());
+ outputBuffer.addFilter(new GzipOutputFilter());
+
++ pluggableFilterIndex = inputBuffer.filterLibrary.length;
++
+ }
+
+
+@@ -1754,7 +1762,7 @@
+ (inputFilters[Constants.CHUNKED_FILTER]);
+ contentDelimitation = true;
+ } else {
+- for (int i = 2; i < inputFilters.length; i++) {
++ for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {
+ if (inputFilters[i].getEncodingName()
+ .toString().equals(encodingName)) {
+ inputBuffer.addActiveFilter(inputFilters[i]);
+--- java/org/apache/coyote/http11/Http11NioProcessor.java.orig 2010-07-12 12:00:05.720580000 -0400
++++ java/org/apache/coyote/http11/Http11NioProcessor.java 2010-07-12 12:19:36.465303000 -0400
+@@ -81,6 +81,12 @@
+ */
+ protected SSLSupport sslSupport;
+
++ /**
++ * Tracks how many internal filters are in the filter library so they
++ * are skipped whe looking for pluggable filters
++ */
++ private int pluggableFilterIndex = Integer.MAX_VALUE;
++
+ // ----------------------------------------------------------- Constructors
+
+
+@@ -1763,6 +1769,8 @@
+ //inputBuffer.addFilter(new GzipInputFilter());
+ outputBuffer.addFilter(new GzipOutputFilter());
+
++ pluggableFilterIndex = inputBuffer.filterLibrary.length;
++
+ }
+
+
+@@ -1781,7 +1789,7 @@
+ (inputFilters[Constants.CHUNKED_FILTER]);
+ contentDelimitation = true;
+ } else {
+- for (int 
i = 2; i < inputFilters.length; i++) {
++ for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {
+ if (inputFilters[i].getEncodingName()
+ .toString().equals(encodingName)) {
+ inputBuffer.addActiveFilter(inputFilters[i]);
+--- java/org/apache/coyote/http11/Http11Processor.java.orig 2010-07-12 12:20:42.784634000 -0400
++++ java/org/apache/coyote/http11/Http11Processor.java 2010-07-12 12:23:14.996732000 -0400
+@@ -76,6 +76,11 @@
+ protected static boolean isSecurityEnabled =
+ org.apache.coyote.Constants.IS_SECURITY_ENABLED;
+
++ /**
++ * Tracks how many internal filters are in the filter library so they
++ * are skipped whe looking for pluggable filters
++ */
++ private int pluggableFilterIndex = Integer.MAX_VALUE;
+ // ------------------------------------------------------------ Constructor
+
+
+@@ -1642,6 +1647,7 @@
+ //inputBuffer.addFilter(new GzipInputFilter());
+ outputBuffer.addFilter(new GzipOutputFilter());
+
++ pluggableFilterIndex = inputBuffer.filterLibrary.length;
+ }
+
+
+@@ -1660,7 +1666,7 @@
+ (inputFilters[Constants.CHUNKED_FILTER]);
+ contentDelimitation = true;
+ } else {
+- for (int i = 2; i < inputFilters.length; i++) {
++ for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {
+ if (inputFilters[i].getEncodingName()
+ .toString().equals(encodingName)) {
+ inputBuffer.addActiveFilter(inputFilters[i]);
+--- java/org/apache/coyote/http11/filters/BufferedInputFilter.java.orig 2010-01-19 08:43:40.000000000 -0500
++++ java/org/apache/coyote/http11/filters/BufferedInputFilter.java 2010-07-12 13:00:50.374586000 -0400
+@@ -102,10 +102,14 @@
+ }
+
+ public void recycle() {
+- if (buffered.getBuffer().length > 65536) {
+- buffered = null;
+- } else {
+- buffered.recycle();
++ if (buffered != null)
++ {
++ if (buffered.getBuffer().length > 65536)
++ {
++ buffered = null;
++ } else {
++ buffered.recycle();
++ }
+ }
+ tempRead.recycle();
+ hasRead = false;
+
+--- webapps/docs/changelog.xml.orig 2010-07-12 16:08:24.000000000 -0600
++++ 
webapps/docs/changelog.xml 2010-07-12 16:12:43.000000000 -0600 +@@ -40,6 +40,16 @@ + Correct TCK failures with security manager caused by the original fix + for 47774. (markt) + ++ ++ Arange filter logic (jgclere) ++ Several flaws in the handling of the 'Transfer-Encoding' header ++ were found that prevented the recycling of a buffer. A remote ++ attacker could trigger this flaw which would cause subsequent ++ requests to fail and/or information to leak between requests. ++ This flaw is mitigated if Tomcat is behind a reverse proxy ++ (such as Apache httpd 2.2) as the proxy should reject the ++ invalid transfer encoding header. ++ + + + diff --git a/tomcat6.spec b/tomcat6.spec index bab33f6..2b79798 100644 --- a/tomcat6.spec +++ b/tomcat6.spec @@ -55,7 +55,7 @@ Name: tomcat6 Epoch: 0 Version: %{major_version}.%{minor_version}.%{micro_version} -Release: 9%{?dist} +Release: 10%{?dist} Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API Group: Networking/Daemons @@ -74,10 +74,11 @@ Source9: jsp-api-OSGi-MANIFEST.MF Source10: %{name}-%{major_version}.%{minor_version}-log4j.properties Patch0: %{name}-%{major_version}.%{minor_version}-bootstrap-MANIFEST.MF.patch Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.patch +Patch2: %{name}-%{major_version}.%{minor_version}-CVE-2010-2227.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildArch: noarch BuildRequires: ant -BuildRequires: ant-trax +BuildRequires: ant-nodeps BuildRequires: ecj BuildRequires: findutils BuildRequires: jakarta-commons-collections 
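Review bot: The Javadoc added on `pluggableFilterIndex` in all three processors has the typo `whe` and does not explain the `Integer.MAX_VALUE` sentinel, which is what makes the encoding lookup fail closed: with the loop now starting at `pluggableFilterIndex` instead of `2`, no filter can be matched by name until the filter library has been populated and the index set to `inputBuffer.filterLibrary.length`. I would write it as `/** Index of the first pluggable (non-internal) filter in the filter library; MAX_VALUE until the library is initialised so that a Transfer-Encoding token can never select an internal filter such as the buffered one. */`. The lookup itself still compares `getEncodingName().toString()` with `encodingName` case-sensitively, which is only correct if the caller has already lower-cased the header token; that code is outside these hunks and worth confirming. The null guard in `BufferedInputFilter.recycle()` avoids the NPE on the recycle that follows `buffered` being dropped for exceeding 65536 bytes, but the hunk does not show where `buffered` is re-allocated afterwards, presumably in `setLimit`, and a one-line comment there would help the next reader. Every enclosing method here starts and ends outside the hunk that touches it.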
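Review bot: `Patch2:` is declared in the same hunk as a `BuildRequires: ant-trax` to `ant-nodeps` swap that has nothing to do with the CVE fix; bundling an unrelated build-dependency change into a security update makes the update harder to audit and to revert, and it should at least be its own %changelog line. The new %changelog entry in this commit never mentions CVE-2010-2227 or the added patch, so the only record of the security fix in the spec is the file name; I would expect `- Add tomcat6-6.0-CVE-2010-2227.patch: skip internal input filters when matching Transfer-Encoding (CVE-2010-2227)`. Whether `ant-nodeps` is available for every target %{?dist} is not visible here.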
@@ -214,13 +215,14 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name " pushd %{packdname} %patch0 -p0 %patch1 -p0 +%patch2 -p0 %{__ln_s} $(build-classpath jakarta-taglibs-core) webapps/examples/WEB-INF/lib/jstl.jar %{__ln_s} $(build-classpath jakarta-taglibs-standard) webapps/examples/WEB-INF/lib/standard.jar popd %build export CLASSPATH= -export OPT_JAR_LIST="ant/ant-trax" +export OPT_JAR_LIST="ant/ant-nodeps" pushd %{packdname} # we don't care about the tarballs and we're going to replace # tomcat-dbcp.jar with jakarta-commons-{collections,dbcp,pool}-tomcat5.jar @@ -597,7 +599,11 @@ fi %{appdir}/sample %changelog -* Fri Jul 02 2010 David Knox 0:6.0.26-9 +* Mon Oct 04 2010 David Knox 0:6.0.26-10 +- ant-nodeps is breaking the build. Put ant-nodeps on the +- OPT_JAR_LIST + +* Fri Oct 01 2010 David Knox 0:6.0.26-9 - Resolves rhbz#575341 - Additionally created instances of Tomcat - are broken
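Review bot: `%patch2 -p0` applies the whole CVE-2010-2227 patch, including its `webapps/docs/changelog.xml` hunk, which from its `-0600` timestamps and the blank separator before it appears to have been appended separately from the Java hunks; a documentation hunk adds nothing to the built package and is the part most likely to fail or apply with fuzz against a different 6.0.x tarball, so I would trim it from the packaging patch or at least confirm the build log shows no offset or fuzz warnings. The `OPT_JAR_LIST` change in the same hunk swaps `ant/ant-trax` for `ant/ant-nodeps`, while the %changelog text in this commit says "ant-nodeps is breaking the build", which reads as the opposite of what is done; `- Switch OPT_JAR_LIST and BuildRequires from ant-trax to ant-nodeps to fix the build` would match the diff. Re-dating the existing 6.0.26-9 entry from Jul 02 to Oct 01 also rewrites history that downstream tooling may key on and deserves a word of explanation.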