tomcat7 7.0.52-1ubuntu0.8 crashes on startup with TOMCAT7_SECURITY=yes

Bug #1659589 reported by Marcus Seyffert
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
tomcat6 (Ubuntu) Precise | Fix Released | Undecided | Marc Deslauriers |
tomcat7 (Ubuntu) Trusty | Fix Released | Undecided | Marc Deslauriers |

Bug Description

After the update to tomcat7 (7.0.52-1ubuntu0.8) I noticed that tomcat won't start.

There is a problem with the creation of catalina.policy.

This patch will fix this issue:

diff -u /etc/init.d/tomcat7.fail /etc/init.d/tomcat7
--- /etc/init.d/tomcat7.fail 2017-01-26 15:36:50.738215201 +0100
+++ /etc/init.d/tomcat7 2017-01-26 15:11:00.682615313 +0100
@@ -118,7 +118,7 @@
        exit 1
 fi

-POLICY_CACHE="$CATALINA_BASE/policy/catalina.policy"
+POLICY_CACHE="$CATALINA_BASE/work/catalina.policy"

 if [ -z "$CATALINA_TMPDIR" ]; then
        CATALINA_TMPDIR="$JVM_TMP"
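
Review bot: On the +POLICY_CACHE line, pointing the init script back at $CATALINA_BASE/work makes startup succeed by undoing the new location rather than making $CATALINA_BASE/policy usable. A later comment in this report notes that work/ is a symlink to /var/cache/tomcat7, which is writable by the tomcat user, and that catalina.sh still reads $CATALINA_BASE/work/catalina.policy. I would keep the policy/ path here, make sure that directory exists before the script writes catalina.policy into it, and change catalina.sh to read the same path, so the writer and the reader of the policy file cannot drift apart again.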

Additional information:

lsb_release -rd
Description: Ubuntu 14.04.5 LTS
Release: 14.04

apt-cache policy tomcat7
tomcat7:
  Installiert: 7.0.52-1ubuntu0.8
  Installationskandidat: 7.0.52-1ubuntu0.8
  Versionstabelle:
 *** 7.0.52-1ubuntu0.8 0
        500 http://de.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     7.0.52-1 0
        500 http://de.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

Christian Ehrhardt  (paelzer) wrote :

Hi,
thank you for your report and your help to make Ubuntu better!

I checked Xenial and it was fine for tomcat7 and 8 already containing that change.

That came in via 7.0.72-2.
It was also that way back in time at 7.0.14-1.
I found what changed it for Trusty:
7.0.52-1ubuntu0.8 driven by Marc Deslauriers as part of a security update.

I'd subscribe him to share his thoughts on it.

Changed in tomcat7 (Ubuntu):
status: New → Invalid
Changed in tomcat7 (Ubuntu Trusty):
status: New → Confirmed
tags: added: regression-update
Benjamin Baumer (bbaumer-abm) wrote :

Hi,

I searched the tomcat7 and tomcat7-common packages from Trusty and Xenial and can't find anything that creates or uses the directory /var/lib/tomcat7/policy ($CATALINA_BASE/policy).

My suggestion is that Marc would like to move the generated policy files out of $CATALINA_BASE/work/, which is a symlink to /var/cache/tomcat7. /var/cache/tomcat7 is writable by the tomcat user.

But the patch is incomplete. catalina.sh still hands $CATALINA_BASE/work/catalina.policy to Java.

This bug blocks installing a security update. In my opinion this is a security issue too and needs to be fixed ASAP.

Changed in tomcat6 (Ubuntu Trusty):
status: New → Invalid
Changed in tomcat6 (Ubuntu):
status: New → Invalid
Changed in tomcat7 (Ubuntu Precise):
status: New → Invalid
Changed in tomcat6 (Ubuntu Precise):
status: New → Confirmed
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in tomcat7 (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
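
Added example, not part of the report or of the Ubuntu packaging: a shell check for the mismatch described in the comment above, where the init script writes catalina.policy under one directory while catalina.sh hands Java another. The one-line sample scripts, the function names, and the ownership and symlink test applied to the policy directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. make_samples writes constructed one-line stand-ins for the
# init script and catalina.sh; they are not the packaged files.
make_samples() {   # $1 = output directory
    printf '%s\n' 'POLICY_CACHE="$CATALINA_BASE/policy/catalina.policy"' > "$1/init"
    printf '%s\n' '-Djava.security.policy=="$CATALINA_BASE/work/catalina.policy"' > "$1/catalina.sh.old"
    printf '%s\n' '-Djava.security.policy=="$CATALINA_BASE"/policy/catalina.policy' > "$1/catalina.sh.new"
}

# List the directories (relative to $CATALINA_BASE) in which a script expects
# catalina.policy, one per line, without duplicates.
policy_dirs() {
    grep -o '\$CATALINA_BASE"\{0,1\}/[A-Za-z0-9_./-]*/catalina\.policy' "$1" |
        sed -e 's|^\$CATALINA_BASE"\{0,1\}/||' -e 's|/catalina\.policy$||' | sort -u
}

# Succeed only if both scripts name the same, non-empty set of directories.
policy_paths_agree() {
    init_dirs=$(policy_dirs "$1")
    sh_dirs=$(policy_dirs "$2")
    [ -n "$init_dirs" ] && [ "$init_dirs" = "$sh_dirs" ]
}

# Succeed only if directory $1 exists, is not a symlink, is not owned by the
# service user $2, and carries no group or other write bit.
policy_dir_locked_down() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    listing=$(ls -ld "$1")
    mode=${listing%% *}
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    [ "$owner" != "$2" ] || return 1
    case "$mode" in ?????w*|????????w*) return 1 ;; esac
    return 0
}

# Demo on the constructed samples: the first pair reproduces the mismatch.
tmp=$(mktemp -d) && make_samples "$tmp"
for f in catalina.sh.old catalina.sh.new; do
    if policy_paths_agree "$tmp/init" "$tmp/$f"; then r=agree; else r=MISMATCH; fi
    echo "$f: init=$(policy_dirs "$tmp/init") catalina.sh=$(policy_dirs "$tmp/$f") $r"
done
rm -rf "$tmp"
```

On an installed system the same functions can be pointed at the real init script and catalina.sh, and policy_dir_locked_down at the resolved policy directory with the Tomcat service account as the second argument.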
Marc Deslauriers (mdeslaur) wrote :

I have uploaded Ubuntu 12.04 LTS and Ubuntu 14.04 LTS packages to fix this issue to the security team PPA here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Please test them and let me know if they solve the issue for you, and I will release them as security regression fixes.

Thanks!

Benjamin Baumer (bbaumer-abm) wrote :

Tests with install after purge and update are ok.
The packages in security team PPA fix this issue for me.

Looking forward to seeing them in release.

Thanks.

Marc Deslauriers (mdeslaur) wrote :

Thanks for testing them! I'll release them today.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.35-1ubuntu3.10

---------------
tomcat6 (6.0.35-1ubuntu3.10) precise-security; urgency=medium

  * SECURITY REGRESSION: security manager startup issue (LP: #1659589)
    - debian/patches/0010-Use-java.security.policy-file-in-catalina.sh.patch:
      update to new /var/lib/tomcat6/policy location.
    - debian/tomcat6.postrm: remove policy directory.

 -- Marc Deslauriers <email address hidden> Wed, 01 Feb 2017 10:45:15 -0500

Changed in tomcat6 (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat7 - 7.0.52-1ubuntu0.9

---------------
tomcat7 (7.0.52-1ubuntu0.9) trusty-security; urgency=medium

  * SECURITY REGRESSION: security manager startup issue (LP: #1659589)
    - debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch:
      update to new /var/lib/tomcat7/policy location.
    - debian/tomcat7.postrm.in: remove policy directory.

 -- Marc Deslauriers <email address hidden> Wed, 01 Feb 2017 10:40:22 -0500

Changed in tomcat7 (Ubuntu Trusty):
status: Confirmed → Fix Released
Mathew Hodson (mhodson)
no longer affects: tomcat6 (Ubuntu)
no longer affects: tomcat6 (Ubuntu Trusty)
no longer affects: tomcat7 (Ubuntu)
no longer affects: tomcat7 (Ubuntu Precise)