Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Dear release team, I would like to update tomcat-native in Stretch. It is currently affected by CVE-2018-8019 and CVE-2018-8020. The security team marked both issues as no-dsa. Please find attached the debdiff. Regards, Markus
diff -Nru tomcat-native-1.2.12/debian/changelog tomcat-native-1.2.12/debian/changelog
--- tomcat-native-1.2.12/debian/changelog 2018-02-11 21:16:59.000000000 +0100
+++ tomcat-native-1.2.12/debian/changelog 2018-09-28 23:51:20.000000000 +0200
@@ -1,3 +1,15 @@
+tomcat-native (1.2.12-2+deb9u2) stretch; urgency=high
+
+ * Team upload.
+ * Fix CVE-2018-8019 and CVE-2018-8020.
+ When using an OCSP responder Tomcat Native did not correctly handle invalid
+ responses. This allowed for revoked client certificates to be incorrectly
+ identified. It was therefore possible for users to authenticate with
+ revoked certificates when using mutual TLS. Users not using OCSP checks are
+ not affected by this vulnerability.
+
+ -- Markus Koschany <a...@debian.org> Fri, 28 Sep 2018 23:51:20 +0200
+
 tomcat-native (1.2.12-2+deb9u1) stretch-security; urgency=high
 * Non-maintainer upload by the LTS team.
diff -Nru tomcat-native-1.2.12/debian/patches/CVE-2018-8019.patch tomcat-native-1.2.12/debian/patches/CVE-2018-8019.patch
--- tomcat-native-1.2.12/debian/patches/CVE-2018-8019.patch 1970-01-01 01:00:00.000000000 +0100
+++ tomcat-native-1.2.12/debian/patches/CVE-2018-8019.patch 2018-09-28 23:51:20.000000000 +0200
@@ -0,0 +1,88 @@
+From: Markus Koschany <a...@debian.org>
+Date: Fri, 28 Sep 2018 22:59:06 +0200
+Subject: CVE-2018-8019
+
+Origin: https://svn.apache.org/r1832832
+---
+ native/src/sslutils.c | 38 +++++++++++++++++++++++---------------
+ 1 file changed, 23 insertions(+), 15 deletions(-)
+
+diff --git a/native/src/sslutils.c b/native/src/sslutils.c
+index 035c2b0..f7af4af 100644
+--- a/native/src/sslutils.c
++++ b/native/src/sslutils.c
+@@ -35,7 +35,7 @@ extern int WIN32_SSL_password_prompt(tcn_pass_cb_t *data);
+ #define ASN1_OID 0x06
+ #define ASN1_STRING 0x86
+ static int ssl_verify_OCSP(int ok, X509_STORE_CTX *ctx);
+-static int ssl_ocsp_request(X509 *cert, X509 *issuer);
++static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx);
+ #endif
+
+ /* _________________________________________________________________
+@@ -519,21 +519,22 @@ static int ssl_verify_OCSP(int ok, X509_STORE_CTX *ctx)
+ }
+
+ /* if we can't get the issuer, we cannot perform OCSP verification */
+- if (X509_STORE_CTX_get1_issuer(&issuer, ctx, cert) == 1 ) {
+- r = ssl_ocsp_request(cert, issuer);
+- if (r == OCSP_STATUS_REVOKED) {
++ issuer = X509_STORE_CTX_get0_current_issuer(ctx);
++ if (issuer != NULL) {
++ r = ssl_ocsp_request(cert, issuer, ctx);
++ switch (r) {
++ case OCSP_STATUS_OK:
++ X509_STORE_CTX_set_error(ctx, X509_V_OK);
++ break;
++ case OCSP_STATUS_REVOKED:
+ /* we set the error if we know that it is revoked */
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);
++ break;
++ case OCSP_STATUS_UNKNOWN:
++ /* correct error code for application errors? */
++ // X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
++ break;
+ }
+- else {
+- /* else we return unknown */
+- r = OCSP_STATUS_UNKNOWN;
+- }
+- X509_free(issuer); /* It appears that we should free issuer since
+- * X509_STORE_CTX_get1_issuer() calls X509_OBJECT_up_ref_count()
+- * on the issuer object (unline X509_STORE_CTX_get_current_cert()
+- * that just returns the pointer
+- */
+ }
+ return r;
+ }
+@@ -1038,7 +1039,7 @@ static int process_ocsp_response(OCSP_RESPONSE *ocsp_resp)
+ return o;
+ }
+
+-static int ssl_ocsp_request(X509 *cert, X509 *issuer)
++static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx)
+ {
+ char **ocsp_urls = NULL;
+ int nid;
+@@ -1061,13 +1062,20 @@ static int ssl_ocsp_request(X509 *cert, X509 *issuer)
+ the ocsp status. Otherwise, return OCSP_STATUS_UNKNOWN */
+ if (ocsp_urls != NULL) {
+ OCSP_RESPONSE *resp;
++ int rv = OCSP_STATUS_UNKNOWN;
+ /* for the time being just check for the fist response .. a better
+ approach is to iterate for all the possible ocsp urls */
+ resp = get_ocsp_response(cert, issuer, ocsp_urls[0]);
++ if (resp != NULL) {
++ rv = process_ocsp_response(resp);
++ } else {
++ /* correct error code for application errors? */
++ X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
++ }
+
+ if (resp != NULL) {
+ apr_pool_destroy(p);
+- return process_ocsp_response(resp);
++ return rv;
+ }
+ }
+ apr_pool_destroy(p);
diff -Nru tomcat-native-1.2.12/debian/patches/CVE-2018-8020.patch tomcat-native-1.2.12/debian/patches/CVE-2018-8020.patch
--- tomcat-native-1.2.12/debian/patches/CVE-2018-8020.patch 1970-01-01 01:00:00.000000000 +0100
+++ tomcat-native-1.2.12/debian/patches/CVE-2018-8020.patch 2018-09-28 23:51:20.000000000 +0200
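Review bot: In ssl_verify_OCSP the new `case OCSP_STATUS_OK: X509_STORE_CTX_set_error(ctx, X509_V_OK);` unconditionally clears whatever error the context already held, so if this callback can be entered with ok == 0 (a chain error recorded earlier in verification) a good OCSP answer would mask that error; the top of ssl_verify_OCSP, where an early `return ok` guard would live, is outside the hunk, so please confirm it exists or make the X509_V_OK store conditional on `ok`. In ssl_ocsp_request the added `if (resp != NULL) { ... } else { ... }` and the pre-existing `if (resp != NULL) { apr_pool_destroy(p); return rv; }` test the same condition back to back; since `rv` already defaults to OCSP_STATUS_UNKNOWN, the second test can go and `apr_pool_destroy(p); return rv;` can follow the first if/else directly, provided the function's tail (also outside the hunk) returns OCSP_STATUS_UNKNOWN as the comment above the block says. The new `switch (r)` has no `default:`; a `default: break; /* any other value is treated as unknown */` would make that intent explicit rather than implied.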
@@ -0,0 +1,68 @@
+From: Markus Koschany <a...@debian.org>
+Date: Fri, 28 Sep 2018 23:08:27 +0200
+Subject: CVE-2018-8020
+
+Origin: https://svn.apache.org/r1832863
+---
+ native/src/sslutils.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/native/src/sslutils.c b/native/src/sslutils.c
+index f7af4af..636c16d 100644
+--- a/native/src/sslutils.c
++++ b/native/src/sslutils.c
+@@ -532,7 +532,7 @@ static int ssl_verify_OCSP(int ok, X509_STORE_CTX *ctx)
+ break;
+ case OCSP_STATUS_UNKNOWN:
+ /* correct error code for application errors? */
+- // X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
++ X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
+ break;
+ }
+ }
+@@ -1010,11 +1010,12 @@ end:
+ /* Process the OCSP_RESPONSE and returns the corresponding
+ answert according to the status.
+ */
+-static int process_ocsp_response(OCSP_RESPONSE *ocsp_resp)
++static int process_ocsp_response(OCSP_RESPONSE *ocsp_resp, X509 *cert, X509 *issuer)
+ {
+ int r, o = V_OCSP_CERTSTATUS_UNKNOWN, i;
+ OCSP_BASICRESP *bs;
+ OCSP_SINGLERESP *ss;
++ OCSP_CERTID *certid;
+
+ r = OCSP_response_status(ocsp_resp);
+
+@@ -1024,7 +1025,13 @@ static int process_ocsp_response(OCSP_RESPONSE *ocsp_resp)
+ }
+ bs = OCSP_response_get1_basic(ocsp_resp);
+
+- ss = OCSP_resp_get0(bs,0); /* we know we have only 1 request */
++ certid = OCSP_cert_to_id(NULL, cert, issuer);
++ if (certid == NULL) {
++ OCSP_RESPONSE_free(ocsp_resp);
++ return OCSP_STATUS_UNKNOWN;
++ }
++ ss = OCSP_resp_get0(bs, OCSP_resp_find(bs, certid, -1)); /* find by serial number and get the matching response */
++
+
+ i = OCSP_single_get0_status(ss, NULL, NULL, NULL, NULL);
+ if (i == V_OCSP_CERTSTATUS_GOOD)
+@@ -1035,6 +1042,7 @@ static int process_ocsp_response(OCSP_RESPONSE *ocsp_resp)
+ o = OCSP_STATUS_UNKNOWN;
+
+ /* we clean up */
++ OCSP_CERTID_free(certid);
+ OCSP_RESPONSE_free(ocsp_resp);
+ return o;
+ }
+@@ -1067,7 +1075,7 @@ static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx)
+ approach is to iterate for all the possible ocsp urls */
+ resp = get_ocsp_response(cert, issuer, ocsp_urls[0]);
+ if (resp != NULL) {
+- rv = process_ocsp_response(resp);
++ rv = process_ocsp_response(resp, cert, issuer);
+ } else {
+ /* correct error code for application errors? */
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
diff -Nru tomcat-native-1.2.12/debian/patches/series tomcat-native-1.2.12/debian/patches/series
--- tomcat-native-1.2.12/debian/patches/series 2018-02-11 21:16:59.000000000 +0100
+++ tomcat-native-1.2.12/debian/patches/series 2018-09-28 23:51:20.000000000 +0200
@@ -1 +1,3 @@
 CVE-2017-15698.patch
+CVE-2018-8019.patch
+CVE-2018-8020.patch
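Review bot: In process_ocsp_response the result of `bs = OCSP_response_get1_basic(ocsp_resp);` is still not checked before it is handed to the new `OCSP_resp_find(bs, certid, -1)`, so a response whose outer status is successful but that carries no decodable basic response dereferences NULL; the certid check added just below shows the pattern to follow. `OCSP_resp_find` returns -1 when no single response matches the certificate, and `OCSP_resp_get0(bs, -1)` then yields a NULL `ss` that is passed to `OCSP_single_get0_status`; that only collapses to OCSP_STATUS_UNKNOWN because the library tolerates a NULL single response, so an explicit check (with an `int idx` local) is clearer and does not depend on that. The `OCSP_BASICRESP` returned by the get1 call is never freed in the cleanup block this hunk extends, so every OCSP check leaks it; `OCSP_BASICRESP_free(bs)` belongs next to the added `OCSP_CERTID_free(certid)`. Nothing in the visible hunks verifies the responder's signature over the basic response (no `OCSP_basic_verify` call appears, and the function's lines between the hunks are elided), so if that check does not happen elsewhere a forged good answer would be accepted — worth confirming, since it bears on the same revocation bypass these patches address. The mapping from `i` to `o` between the hunks is assumed unchanged below.
```c
    bs = OCSP_response_get1_basic(ocsp_resp);
    if (bs == NULL) {
        OCSP_RESPONSE_free(ocsp_resp);
        return OCSP_STATUS_UNKNOWN;
    }

    certid = OCSP_cert_to_id(NULL, cert, issuer);
    if (certid == NULL) {
        OCSP_BASICRESP_free(bs);
        OCSP_RESPONSE_free(ocsp_resp);
        return OCSP_STATUS_UNKNOWN;
    }
    /* find the single response for this serial; -1 means none matched */
    idx = OCSP_resp_find(bs, certid, -1);
    ss = (idx >= 0) ? OCSP_resp_get0(bs, idx) : NULL;
    if (ss == NULL) {
        OCSP_CERTID_free(certid);
        OCSP_BASICRESP_free(bs);
        OCSP_RESPONSE_free(ocsp_resp);
        return OCSP_STATUS_UNKNOWN;
    }

    i = OCSP_single_get0_status(ss, NULL, NULL, NULL, NULL);
    /* … unchanged: map i onto o (OCSP_STATUS_OK / REVOKED / UNKNOWN) … */

    /* we clean up */
    OCSP_CERTID_free(certid);
    OCSP_BASICRESP_free(bs);
    OCSP_RESPONSE_free(ocsp_resp);
    return o;
```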