Package: release.debian.org Severity: normal Tags: stretch User: [email protected] Usertags: pu
The fix for CVE-2018-1320 was in sid (0.9.1-2.1) before the package got removed, and is in jessie-lts (0.9.1-2+deb8u1), leaving stretch at an older version than jessie-lts. So let's get it in stretch to restore monotonic version ordering. Andreas
diff -Nru libthrift-java-0.9.1/debian/changelog libthrift-java-0.9.1/debian/changelog
--- libthrift-java-0.9.1/debian/changelog 2014-10-17 00:28:43.000000000 +0200
+++ libthrift-java-0.9.1/debian/changelog 2019-05-07 03:44:09.000000000 +0200
@@ -1,3 +1,22 @@
+libthrift-java (0.9.1-2.1~deb9u1) stretch; urgency=medium
+
+ * Non-maintainer upload.
+ * Rebuild for stretch.
+
+ -- Andreas Beckmann <[email protected]> Tue, 07 May 2019 03:44:09 +0200
+
+libthrift-java (0.9.1-2.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Fix CVE-2018-1320:
+ It was discovered that it was possible to bypass SASL negotiation
+ isComplete validation in the org.apache.thrift.transport.TSaslTransport
+ class. An assert used to determine if the SASL handshake had successfully
+ completed could be disabled in production settings making the validation
+ incomplete. (Closes: #918736)
+
+ -- Markus Koschany <[email protected]> Wed, 06 Feb 2019 19:04:12 +0100
+
 libthrift-java (0.9.1-2) unstable; urgency=low
 
 * Use 3.0 (quilt) source format.
diff -Nru libthrift-java-0.9.1/debian/patches/CVE-2018-1320.patch libthrift-java-0.9.1/debian/patches/CVE-2018-1320.patch
--- libthrift-java-0.9.1/debian/patches/CVE-2018-1320.patch 1970-01-01 01:00:00.000000000 +0100
+++ libthrift-java-0.9.1/debian/patches/CVE-2018-1320.patch 2019-02-06 19:04:12.000000000 +0100
@@ -0,0 +1,32 @@
+From: Markus Koschany <[email protected]>
+Date: Wed, 6 Feb 2019 18:59:31 +0100
+Subject: CVE-2018-1320
+
+Bug-Debian: https://bugs.debian.org/918736
+Origin: https://github.com/apache/thrift/commit/d973409661f820d80d72c0034d06a12348c8705e
+---
+ src/org/apache/thrift/transport/TSaslTransport.java | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/src/org/apache/thrift/transport/TSaslTransport.java b/src/org/apache/thrift/transport/TSaslTransport.java
+index b54746c..2f62016 100644
+--- a/src/org/apache/thrift/transport/TSaslTransport.java
++++ b/src/org/apache/thrift/transport/TSaslTransport.java
+@@ -268,7 +268,7 @@ abstract class TSaslTransport extends TTransport {
+ if (message.status == NegotiationStatus.COMPLETE &&
+ getRole() == SaslRole.CLIENT) {
+ LOGGER.debug("{}: All done!", getRole());
+- break;
++ continue;
+ }
+
+ sendSaslMessage(sasl.isComplete() ? NegotiationStatus.COMPLETE : NegotiationStatus.OK,
+@@ -276,8 +276,6 @@ abstract class TSaslTransport extends TTransport {
+ }
+ LOGGER.debug("{}: Main negotiation loop complete", getRole());
+
+- assert sasl.isComplete();
+-
+ // If we're the client, and we're complete, but the server isn't
+ // complete yet, we need to wait for its response. This will occur
+ // with ANONYMOUS auth, for example, where we send an initial response
diff -Nru libthrift-java-0.9.1/debian/patches/series libthrift-java-0.9.1/debian/patches/series
--- libthrift-java-0.9.1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libthrift-java-0.9.1/debian/patches/series 2019-02-06 19:04:12.000000000 +0100
@@ -0,0 +1 @@
+CVE-2018-1320.patch
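Review bot: The `continue` in the client-side COMPLETE branch of TSaslTransport.java now carries the whole handshake-completion check, but nothing at that line says so, and a later cleanup could turn it back into `break` without noticing the security impact. With `assert sasl.isComplete();` removed in the second inner hunk, the guarantee presumably rests on the enclosing loop re-testing `sasl.isComplete()`; the loop header lies outside both hunks, so this should be confirmed against the full file. I would add a comment above the statement, e.g. `// continue, not break: the loop condition must re-check sasl.isComplete() before we leave (CVE-2018-1320)`. If the peer reports COMPLETE while the local side is not yet complete, the client appears to go back to waiting for another message, so an explicit `if (!sasl.isComplete()) throw new TTransportException("SASL negotiation incomplete");` before the `continue` would fail fast instead of depending on a transport timeout.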

