Hi,
I was recently involved in fixing #758086, CVE-2014-3577, in
commons-httpclient. Since httpcomponents-client is the successor of
commons-httpclient, I saw that this package is also affected by
CVE-2014-3577. I have prepared a debdiff for wheezy with all the
necessary changes, which is attached to this e-mail. Although I could
have omitted the CVE-2012-6153.patch, I found it useful enough to apply
it anyway, mostly because I didn't have to rebase the Fedora patch which
dealt with the same issue. It is also obvious now that CVE-2012-6153 has
been fixed for wheezy. Upstream commits and corresponding bug reports
for RedHat are documented in the patch headers. I intend to file a
wheezy-pu bug report because this vulnerability is marked as no-dsa by
the security team. I would be glad if someone sponsored this package for me.
Regards,
Markus
diff -Nru httpcomponents-client-4.1.1/debian/changelog
httpcomponents-client-4.1.1/debian/changelog
--- httpcomponents-client-4.1.1/debian/changelog2012-04-02
01:31:57.0 +0200
+++ httpcomponents-client-4.1.1/debian/changelog2015-04-18
14:46:12.0 +0200
@@ -1,3 +1,14 @@
+httpcomponents-client (4.1.1-2+deb7u1) wheezy; urgency=high
+
+ * Add CVE-2012-6153.patch and CVE-2014-3577.patch.
+It was found that the fix for CVE-2012-5783 and CVE-2012-6153 was
+incomplete. The code added to check that the server hostname matches the
+domain name in the subject's CN field was flawed. This can be exploited by
+a Man-in-the-middle (MITM) attack where the attacker can spoof a valid
+certificate using a specially crafted subject.
+
+ -- Markus Koschany a...@gambaru.de Sat, 18 Apr 2015 14:15:11 +0200
+
httpcomponents-client (4.1.1-2) unstable; urgency=low
* Add OSGi metadata to JAR manifest.
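Review bot: The changelog text describes only the CVE-2014-3577 problem although the bullet names two patches, and the CVE-2012-6153.patch header further down says that patch fixes the incomplete CVE-2012-5783 fix; give each patch its own line (one per CVE, stating what each one closes) so the changelog agrees with the patch headers. Once the wheezy-pu report mentioned in the mail exists, add its `Closes: #...` reference here as well.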
diff -Nru httpcomponents-client-4.1.1/debian/patches/CVE-2012-6153.patch
httpcomponents-client-4.1.1/debian/patches/CVE-2012-6153.patch
--- httpcomponents-client-4.1.1/debian/patches/CVE-2012-6153.patch
1970-01-01 01:00:00.0 +0100
+++ httpcomponents-client-4.1.1/debian/patches/CVE-2012-6153.patch
2015-04-18 14:46:12.0 +0200
@@ -0,0 +1,57 @@
+From: Markus Koschany a...@gambaru.de
+Date: Sat, 18 Apr 2015 00:39:57 +0200
+Subject: CVE-2012-6153
+
+It was found that the fix for CVE-2012-5783 was incomplete.
+The code added to check that the server hostname matches the domain name in the
+subject's CN field was flawed. This can be exploited by a Man-in-the-middle
+(MITM) attack, where the attacker can spoof a valid certificate using a
+specially crafted subject.
+
+Fix for 4.2.x branch, upstream revision 1411705
+https://svn.apache.org/viewvc?view=revisionrevision=1411705
+More information:
+https://bugzilla.redhat.com/show_bug.cgi?id=1129916
+---
+ .../java/org/apache/http/conn/ssl/AbstractVerifier.java| 14 --
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
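Review bot: The header cites the 4.2.x-branch fix (upstream r1411705) while this package is 4.1.1; state whether the 4.2.x hunks applied to 4.1.1 unchanged or what had to be rebased. The From/Date/Subject block is git-format rather than DEP-3, so consider adding `Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1411705` and `Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1129916` so the patch tooling picks the provenance up; note also that the viewvc URL as it appears here lacks the `&` between `view=revision` and `revision=1411705`.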
+diff --git
a/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
b/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
+index 547204a..d31d8c0 100644
+--- a/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
b/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
+@@ -180,12 +180,12 @@ public abstract class AbstractVerifier implements
X509HostnameVerifier {
+
+ // We're can be case-insensitive when comparing the host we used to
+ // establish the socket to the hostname in the certificate.
+-String hostName = host.trim().toLowerCase(Locale.ENGLISH);
++String hostName = host.trim().toLowerCase(Locale.US);
+ boolean match = false;
+ for(IteratorString it = names.iterator(); it.hasNext();) {
+ // Don't trim the CN, though!
+ String cn = it.next();
+-cn = cn.toLowerCase(Locale.ENGLISH);
++cn = cn.toLowerCase(Locale.US);
+ // Store CN in StringBuilder in case we need to report an error.
+ buf.append( );
+ buf.append(cn);
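Review bot: Swapping Locale.ENGLISH for Locale.US on the two toLowerCase calls changes no behaviour (toLowerCase only special-cases the dotted/dotless i for the Turkic locales, and neither of these is one), so this hunk exists purely to stay textually aligned with upstream r1411705. Say so in the patch header; otherwise a reader looking for the CVE-2012-6153 fix will stop here, when the security-relevant change is the CN extraction in the next hunk.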
+@@ -260,13 +260,15 @@ public abstract class AbstractVerifier implements
X509HostnameVerifier {
+Looks like toString() even works with non-ascii domain names!
+I tested it with #x82b1;#x5b50;.co.jp and it worked fine.
+ */
++
+ String subjectPrincipal = cert.getSubjectX500Principal().toString();
+ StringTokenizer st = new StringTokenizer(subjectPrincipal, ,);
+ while(st.hasMoreTokens()) {
+-String tok = st.nextToken();
+-int x = tok.indexOf(CN=);
+-if(x = 0) {
+-cnList.add(tok.substring(x + 3));
++String tok = st.nextToken().trim();
++if (tok.length() 3) {
++if (tok.substring(0, 3).equalsIgnoreCase(CN=)) {
++cnList.add(tok.substring(3));
++}
+ }
+ }
+ if(!cnList.isEmpty()) {
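Review bot: The replacement requires a trimmed token to begin with `CN=` (case-insensitively) instead of accepting `CN=` anywhere in it, which closes the case where another RDN's value embeds the string, e.g. an `O=` value producing a token like `O=CN=www.example.com` that the removed `indexOf(CN=)` plus `substring(x + 3)` would have reported as the CN. The loop still splits `cert.getSubjectX500Principal().toString()` with `new StringTokenizer(subjectPrincipal, ",")`, which breaks on every comma regardless of quoting or escaping, so an RDN value that toString() renders as `"foo, CN=www.example.com, bar"` yields a middle token that trims to `CN=www.example.com` and passes the new prefix test. If that residual case is what the separate CVE-2014-3577.patch handles, record the dependency in this header; either way an RDN-aware parser such as javax.naming.ldap.LdapName is the robust replacement for tokenising the string form.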
diff -Nru