Dear maintainer, I've uploaded a new version of libthrift-java, versioned as 0.9.1-2.1 to fix CVE-2018-1320. Please find attached the debdiff.
Regards, Markus
diff -Nru libthrift-java-0.9.1/debian/changelog libthrift-java-0.9.1/debian/changelog
--- libthrift-java-0.9.1/debian/changelog 2014-10-17 00:28:43.000000000 +0200
+++ libthrift-java-0.9.1/debian/changelog 2019-02-06 19:04:12.000000000 +0100
@@ -1,3 +1,15 @@
+libthrift-java (0.9.1-2.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Fix CVE-2018-1320:
+ It was discovered that it was possible to bypass SASL negotiation
+ isComplete validation in the org.apache.thrift.transport.TSaslTransport
+ class. An assert used to determine if the SASL handshake had successfully
+ completed could be disabled in production settings making the validation
+ incomplete. (Closes: #918736)
+
+ -- Markus Koschany <[email protected]> Wed, 06 Feb 2019 19:04:12 +0100
+
 libthrift-java (0.9.1-2) unstable; urgency=low

 * Use 3.0 (quilt) source format.
diff -Nru libthrift-java-0.9.1/debian/patches/CVE-2018-1320.patch libthrift-java-0.9.1/debian/patches/CVE-2018-1320.patch
--- libthrift-java-0.9.1/debian/patches/CVE-2018-1320.patch 1970-01-01 01:00:00.000000000 +0100
+++ libthrift-java-0.9.1/debian/patches/CVE-2018-1320.patch 2019-02-06 19:04:12.000000000 +0100
@@ -0,0 +1,32 @@
+From: Markus Koschany <[email protected]>
+Date: Wed, 6 Feb 2019 18:59:31 +0100
+Subject: CVE-2018-1320
+
+Bug-Debian: https://bugs.debian.org/918736
+Origin: https://github.com/apache/thrift/commit/d973409661f820d80d72c0034d06a12348c8705e
+---
+ src/org/apache/thrift/transport/TSaslTransport.java | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/src/org/apache/thrift/transport/TSaslTransport.java b/src/org/apache/thrift/transport/TSaslTransport.java
+index b54746c..2f62016 100644
+--- a/src/org/apache/thrift/transport/TSaslTransport.java
++++ b/src/org/apache/thrift/transport/TSaslTransport.java
+@@ -268,7 +268,7 @@ abstract class TSaslTransport extends TTransport {
+ if (message.status == NegotiationStatus.COMPLETE &&
+ getRole() == SaslRole.CLIENT) {
+ LOGGER.debug("{}: All done!", getRole());
+- break;
++ continue;
+ }
+
+ sendSaslMessage(sasl.isComplete() ? NegotiationStatus.COMPLETE : NegotiationStatus.OK,
+@@ -276,8 +276,6 @@ abstract class TSaslTransport extends TTransport {
+ }
+ LOGGER.debug("{}: Main negotiation loop complete", getRole());
+
+- assert sasl.isComplete();
+-
+ // If we're the client, and we're complete, but the server isn't
+ // complete yet, we need to wait for its response. This will occur
+ // with ANONYMOUS auth, for example, where we send an initial response
diff -Nru libthrift-java-0.9.1/debian/patches/series libthrift-java-0.9.1/debian/patches/series
--- libthrift-java-0.9.1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libthrift-java-0.9.1/debian/patches/series 2019-02-06 19:04:12.000000000 +0100
@@ -0,0 +1 @@
+CVE-2018-1320.patch
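Review bot: With `break` replaced by `continue` in the client COMPLETE branch and `assert sasl.isComplete();` removed, the only remaining completion check is the enclosing loop's condition, which starts outside this hunk. The patch is taken from an upstream commit, so it is worth confirming that the loop header in the 0.9.1 tree really is `while (!sasl.isComplete())`; if it differs, nothing verifies that the handshake finished. An explicit runtime check after the loop would make the invariant visible and independent of `-ea`, for example `if (!sasl.isComplete()) throw new TTransportException("SASL negotiation did not complete");`. The `"{}: All done!"` debug message is also no longer accurate, because the client may now go around the loop again after logging it.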

