Hello security team, I have prepared a patch for CVE-2014-3577 (commons-httpclient). [1] The patch is identical to the Jessie / Sid fix. Do you consider this vulnerability important enough for a DSA or do you prefer a point release update?
Regards, Markus [1] https://bugs.debian.org/758086
diff -Nru commons-httpclient-3.1/debian/ant.properties commons-httpclient-3.1/debian/ant.properties --- commons-httpclient-3.1/debian/ant.properties 2011-08-30 11:42:03.000000000 +0200 +++ commons-httpclient-3.1/debian/ant.properties 2015-04-15 21:24:54.000000000 +0200 @@ -1,5 +1,5 @@ # JSSE stub classes required for build lib.dir=/usr/share/java #jsse.jar=/usr/share/java/jsse.jar -ant.build.javac.source=1.4 -ant.build.javac.target=1.4 +ant.build.javac.source=1.5 +ant.build.javac.target=1.5 diff -Nru commons-httpclient-3.1/debian/changelog commons-httpclient-3.1/debian/changelog --- commons-httpclient-3.1/debian/changelog 2012-12-06 14:41:48.000000000 +0100 +++ commons-httpclient-3.1/debian/changelog 2015-04-15 21:24:54.000000000 +0200 @@ -1,3 +1,20 @@ +commons-httpclient (3.1-10.2+deb7u1) wheezy-security; urgency=high + + * Team upload. + * Add CVE-2014-3577.patch. (Closes: #758086) + It was found that the fix for CVE-2012-6153 was incomplete: the code added + to check that the server hostname matches the domain name in a subject's + Common Name (CN) field in X.509 certificates was flawed. A + man-in-the-middle attacker could use this flaw to spoof an SSL server using + a specially crafted X.509 certificate. The fix for CVE-2012-6153 was + intended to address the incomplete patch for CVE-2012-5783. The issue is + now completely resolved by applying this patch and the + 06_fix_CVE-2012-5783.patch. + * Change java.source and java.target ant properties to 1.5, otherwise + commons-httpclient will not compile with this patch. + + -- Markus Koschany <a...@gambaru.de> Wed, 15 Apr 2015 21:24:48 +0200 + commons-httpclient (3.1-10.2) unstable; urgency=low * Non-maintainer upload. diff -Nru commons-httpclient-3.1/debian/patches/CVE-2014-3577.patch commons-httpclient-3.1/debian/patches/CVE-2014-3577.patch --- commons-httpclient-3.1/debian/patches/CVE-2014-3577.patch 1970-01-01 01:00:00.000000000 +0100 +++ commons-httpclient-3.1/debian/patches/CVE-2014-3577.patch 2015-04-15 21:24:54.000000000 +0200 @@ -0,0 +1,110 @@ +From: Markus Koschany <a...@gambaru.de> +Date: Mon, 23 Mar 2015 22:45:14 +0100 +Subject: CVE-2014-3577 + +It was found that the fix for CVE-2012-6153 was incomplete: the code added to +check that the server hostname matches the domain name in a subject's Common +Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker +could use this flaw to spoof an SSL server using a specially crafted X.509 +certificate. +The fix for CVE-2012-6153 was intended to address the incomplete patch for +CVE-2012-5783. This means the issue is now completely resolved by applying +this patch and the 06_fix_CVE-2012-5783.patch. + +References: + +upstream announcement: +https://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577 + +Fedora-Fix: +http://pkgs.fedoraproject.org/cgit/jakarta-commons-httpclient.git/tree/jakarta-commons-httpclient-CVE-2014-3577.patch + +CentOS-Fix: +https://git.centos.org/blob/rpms!jakarta-commons-httpclient/SOURCES!jakarta-commons-httpclient-CVE-2014-3577.patch + +Debian-Bug: https://bugs.debian.org/758086 +Forwarded: not-needed, already fixed +--- + .../protocol/SSLProtocolSocketFactory.java | 57 ++++++++++++++-------- + 1 file changed, 37 insertions(+), 20 deletions(-) + +diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java +index fa0acc7..e6ce513 100644 +--- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java ++++ b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java +@@ -44,9 +44,15 @@ import java.util.Iterator; + import java.util.LinkedList; + import java.util.List; + import java.util.Locale; +-import java.util.StringTokenizer; ++import java.util.NoSuchElementException; + import java.util.regex.Pattern; + ++import javax.naming.InvalidNameException; ++import javax.naming.NamingException; ++import javax.naming.directory.Attribute; ++import javax.naming.directory.Attributes; ++import javax.naming.ldap.LdapName; ++import javax.naming.ldap.Rdn; + import javax.net.ssl.SSLException; + import javax.net.ssl.SSLSession; + import javax.net.ssl.SSLSocket; +@@ -424,28 +430,39 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory { + return dots; + } + +- private static String getCN(X509Certificate cert) { +- // Note: toString() seems to do a better job than getName() +- // +- // For example, getName() gives me this: +- // 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d +- // +- // whereas toString() gives me this: +- // EMAILADDRESS=juliusdav...@cucbc.com +- String subjectPrincipal = cert.getSubjectX500Principal().toString(); +- +- return getCN(subjectPrincipal); +- ++ private static String getCN(final X509Certificate cert) { ++ final String subjectPrincipal = cert.getSubjectX500Principal().toString(); ++ try { ++ return extractCN(subjectPrincipal); ++ } catch (SSLException ex) { ++ return null; ++ } + } +- private static String getCN(String subjectPrincipal) { +- StringTokenizer st = new StringTokenizer(subjectPrincipal, ","); +- while(st.hasMoreTokens()) { +- String tok = st.nextToken().trim(); +- if (tok.length() > 3) { +- if (tok.substring(0, 3).equalsIgnoreCase("CN=")) { +- return tok.substring(3); ++ ++ private static String extractCN(final String subjectPrincipal) throws SSLException { ++ if (subjectPrincipal == null) { ++ return null; ++ } ++ try { ++ final LdapName subjectDN = new LdapName(subjectPrincipal); ++ final List<Rdn> rdns = subjectDN.getRdns(); ++ for (int i = rdns.size() - 1; i >= 0; i--) { ++ final Rdn rds = rdns.get(i); ++ final Attributes attributes = rds.toAttributes(); ++ final Attribute cn = attributes.get("cn"); ++ if (cn != null) { ++ try { ++ final Object value = cn.get(); ++ if (value != null) { ++ return value.toString(); ++ } ++ } catch (NoSuchElementException ignore) { ++ } catch (NamingException ignore) { ++ } + } + } ++ } catch (InvalidNameException e) { ++ throw new SSLException(subjectPrincipal + " is not a valid X500 distinguished name"); + } + return null; + } diff -Nru commons-httpclient-3.1/debian/patches/series commons-httpclient-3.1/debian/patches/series --- commons-httpclient-3.1/debian/patches/series 2012-12-05 17:34:20.000000000 +0100 +++ commons-httpclient-3.1/debian/patches/series 2015-04-15 21:24:54.000000000 +0200 @@ -5,3 +5,4 @@ 04_fix_classpath.patch 05_osgi_metadata 06_fix_CVE-2012-5783.patch +CVE-2014-3577.patch
signature.asc
Description: OpenPGP digital signature
