Posted to dev@tomcat.apache.org by bu...@apache.org on 2014/02/23 17:12:21 UTC

[Bug 56180] New: Bugfix 55943 changed backward compatibility in classloading

https://issues.apache.org/bugzilla/show_bug.cgi?id=56180

            Bug ID: 56180
           Summary: Bugfix 55943 changed backward compatibility in
                    classloading
           Product: Tomcat 7
           Version: 7.0.52
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: regression
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: ksmster@gmail.com

Between Tomcat 7.0.50 and Tomcat 7.0.52 the logic of class loading changed, which
may prevent protecting against CVE-2014-0050.

My use case:
1. I have 
jcl-over-slf4j-1.7.5.jar
jul-to-slf4j.jar
log4j-over-slf4j-1.7.5.jar
logback-classic.jar
logback-core.jar
slf4j-api.jar
in Tomcat lib folder.

2. With the help of setenv.sh I've added these jars to the classpath:
  export CLASSPATH="${CATALINA_HOME}/conf/:${CATALINA_HOME}/lib/jul-to-slf4j.jar:${CATALINA_HOME}/lib/slf4j-api.jar:${CATALINA_HOME}/lib/logback-classic.jar:${CATALINA_HOME}/lib/logback-core.jar:${CATALINA_HOME}/lib/mail.jar:${JAVA_HOME}/lib/tools.jar"

3. After updating to Tomcat 7.0.52 I got:

Caused by: java.lang.LinkageError: loader constraint violation: when resolving method "org.slf4j.impl.StaticLoggerBinder.getLoggerFactory()Lorg/slf4j/ILoggerFactory;" the class loader (instance of org/apache/catalina/loader/WebappClassLoader) of the current class, org/slf4j/LoggerFactory, and the class loader (instance of sun/misc/Launcher$AppClassLoader) for resolved class, org/slf4j/impl/StaticLoggerBinder, have different Class objects for the type LoggerFactory; used in the signature
    at org.slf4j.LoggerFactory.getILoggerFactory(LoggerFactory.java:299) ~[slf4j-api.jar:1.7.5]
    at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:269) ~[slf4j-api.jar:1.7.5]
    at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:281) ~[slf4j-api.jar:1.7.5]
    at com.codenvy.inject.ModuleScanner.<clinit>(ModuleScanner.java:36) ~[na:na]
    at java.lang.Class.forName0(Native Method) ~[na:1.7.0_51]
    at java.lang.Class.forName(Class.java:270) ~[na:1.7.0_51]
    at org.apache.catalina.startup.WebappServiceLoader.loadServices(WebappServiceLoader.java:187) ~[catalina.jar:7.0.52]
    at org.apache.catalina.startup.WebappServiceLoader.load(WebappServiceLoader.java:152) ~[catalina.jar:7.0.52]
    at org.apache.catalina.startup.ContextConfig.processServletContainerInitializers(ContextConfig.java:1543) ~[ca

Note: see the comment in this issue. I assume he has the same problem:
https://issues.apache.org/bugzilla/show_bug.cgi?id=55943#c8

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 56180] Bugfix 55943 changed backward compatibility in classloading

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56180

--- Comment #2 from Konstantin Kolinko <kn...@gmail.com> ---
(In reply to Sergey Kabashnyuk from comment #0)
> 2. With the help of setenv.sh I've added these jars to the classpath:
>   export
> CLASSPATH="${CATALINA_HOME}/conf/:${CATALINA_HOME}/lib/jul-to-slf4j.jar:
> ${CATALINA_HOME}/lib/slf4j-api.jar:${CATALINA_HOME}/lib/logback-classic.jar:
> ${CATALINA_HOME}/lib/logback-core.jar:${CATALINA_HOME}/lib/mail.jar:
> ${JAVA_HOME}/lib/tools.jar"
> 

For starters, move the mentioned libraries from ${CATALINA_HOME}/lib to
somewhere else (so that they are not present twice, in the System and Common
classloaders), and make sure that your web application does not have another
(third) copy of them.

From a security-risk point of view, you would do better to avoid having the
whole "conf" directory on the classpath as well.

http://tomcat.apache.org/tomcat-7.0-doc/class-loader-howto.html

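The two checks Konstantin recommends above (no JAR visible to both the System and the Common class loader, and no conf/ directory on the system classpath) can be scripted. This is an added example, not code from the thread or from Tomcat; it assumes a POSIX sh and a stock $CATALINA_HOME layout, and the demo builds a throwaway directory tree that mirrors the reporter's setenv.sh.

```shell
#!/bin/sh
# Added example (not from the bug thread): audit a CLASSPATH string for the
# problems raised in comment #2. A JAR that sits in $CATALINA_HOME/lib *and*
# on CLASSPATH is loaded by both the System and the Common class loader,
# which is what produces LinkageError/loader-constraint failures; conf/ on
# the classpath exposes server.xml and tomcat-users.xml to every web app.

# Usage: audit_classpath "<classpath string>" "<catalina home>"
# Prints one finding per line; return value is the number of findings (0 = clean).
audit_classpath() {
    cp_string=$1
    home=$2
    findings=0
    # Split on ':' exactly as the JVM splits CLASSPATH on Unix.
    old_ifs=$IFS
    IFS=:
    set -- $cp_string
    IFS=$old_ifs
    for entry in "$@"; do
        [ -n "$entry" ] || continue
        case "$entry" in
            "$home"/conf|"$home"/conf/)
                echo "conf directory on system classpath: $entry"
                findings=$((findings + 1)) ;;
            *.jar)
                base=${entry##*/}
                # Same file name under lib/ means two loaders will define the classes.
                if [ -f "$home/lib/$base" ]; then
                    echo "JAR visible to System and Common loaders: $base"
                    findings=$((findings + 1))
                fi ;;
        esac
    done
    return "$findings"
}

# Constructed demo: a fake CATALINA_HOME with two JARs in lib/ and a CLASSPATH
# shaped like the reporter's (conf/, the same two JARs, plus a JDK tools.jar).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/conf" "$tmp/lib"
    for j in slf4j-api.jar logback-classic.jar; do : > "$tmp/lib/$j"; done
    cp="$tmp/conf/:$tmp/lib/slf4j-api.jar:$tmp/lib/logback-classic.jar:/opt/jdk/lib/tools.jar"
    rc=0
    audit_classpath "$cp" "$tmp" || rc=$?
    rm -rf "$tmp"
    return "$rc"   # 3 findings: conf/ plus the two duplicated JARs
}
```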


[Bug 56180] Bugfix 55943 changed backward compatibility in classloading

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56180

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
See this thread for a full discussion of this topic:
http://markmail.org/thread/mid36pgk7nckp2rr

It looks like you should be adding those JARs to the endorsed dir rather than
to the class path.
