Your message dated Sat, 09 Dec 2023 10:20:37 +0000
with message-id
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1054122,
regarding bookworm-pu: package axis/1.4-28
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1054122: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054122
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected]
[ Reason ]
Fixing CVE-2023-40743: Axis allows potentially dangerous lookup
mechanisms which may lead to DoS, SSRF or even RCE.
[ Tests ]
The fix is trivial. If the name of the JNDI service contains a certain
string then do nothing. That filters out unsupported protocols
effectively.
[ Risks ]
Axis in Debian is mainly used to build other software packages and
serves no other purpose. It is very unlikely that it is used in third-party
applications outside of Debian, but better safe than sorry.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
Regards,
Markus
diff -Nru axis-1.4/debian/changelog axis-1.4/debian/changelog
--- axis-1.4/debian/changelog 2018-12-03 08:25:51.000000000 +0100
+++ axis-1.4/debian/changelog 2023-10-17 14:05:20.000000000 +0200
@@ -1,3 +1,15 @@
+axis (1.4-28+deb12u1) bookworm; urgency=medium
+
+ * Team upload.
+ * Fix CVE-2023-40743:
+ When integrating Apache Axis 1.x in an application, it may not have been
+ obvious that looking up a service through "ServiceFactory.getService"
+ allows potentially dangerous lookup mechanisms such as LDAP. When passing
+ untrusted input to this API method, this could expose the application to
+ DoS, SSRF and even attacks leading to RCE. (Closes: #1051288)
+
+ -- Markus Koschany <[email protected]> Tue, 17 Oct 2023 14:05:20 +0200
+
axis (1.4-28) unstable; urgency=medium
* Fixed the build failure with Java 11 (Closes: #911187)
diff -Nru axis-1.4/debian/patches/CVE-2023-40743.patch
axis-1.4/debian/patches/CVE-2023-40743.patch
--- axis-1.4/debian/patches/CVE-2023-40743.patch 1970-01-01
01:00:00.000000000 +0100
+++ axis-1.4/debian/patches/CVE-2023-40743.patch 2023-10-17
14:05:20.000000000 +0200
@@ -0,0 +1,32 @@
+From: Markus Koschany <[email protected]>
+Date: Tue, 17 Oct 2023 00:46:49 +0200
+Subject: CVE-2023-40743
+
+Origin:
https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210
+---
+ src/org/apache/axis/client/ServiceFactory.java | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/org/apache/axis/client/ServiceFactory.java
b/src/org/apache/axis/client/ServiceFactory.java
+index 33054a5..73e89ee 100644
+--- a/src/org/apache/axis/client/ServiceFactory.java
++++ b/src/org/apache/axis/client/ServiceFactory.java
+@@ -106,6 +106,10 @@ public class ServiceFactory extends
javax.xml.rpc.ServiceFactory
+
+ if (context != null) {
+ String name = (String)environment.get("jndiName");
++
++ if(name!=null && (name.toUpperCase().indexOf("LDAP")!=-1 ||
name.toUpperCase().indexOf("RMI")!=-1 || name.toUpperCase().indexOf("JMS")!=-1
|| name.toUpperCase().indexOf("JMX")!=-1) ||
name.toUpperCase().indexOf("JRMP")!=-1 ||
name.toUpperCase().indexOf("JAVA")!=-1 ||
name.toUpperCase().indexOf("DNS")!=-1) {
++ return null;
++ }
+ if (name == null) {
+ name = "axisServiceName";
+ }
+@@ -120,6 +124,7 @@ public class ServiceFactory extends
javax.xml.rpc.ServiceFactory
+ context.bind(name, service);
+ } catch (NamingException e1) {
+ // !!! Couldn't do it, what should we do here?
++ return null;
+ }
+ }
+ } else {
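Review bot: in the `if(name!=null && (...))` condition added to ServiceFactory.java, the `name!=null` guard only covers the parenthesised LDAP/RMI/JMS/JMX group; the closing `)` after `indexOf("JMX")!=-1` ends that group, so the `JRMP`, `JAVA` and `DNS` terms are OR-ed in outside the guard, and a null `name` still reaches `name.toUpperCase()` and throws a NullPointerException before the existing `if (name == null) { name = "axisServiceName"; }` default can run. Suggest moving all seven `indexOf` terms inside the guarded parentheses, i.e. `if (name != null && (name.toUpperCase().indexOf("LDAP") != -1 || ... || name.toUpperCase().indexOf("DNS") != -1)) {`. Two smaller points: the substring match also rejects any ordinary name that merely contains one of these letter sequences (for example a name containing "java" or "dns"), which neither the patch header nor the changelog mentions; and the new `return null;` in the `catch (NamingException e1)` block turns a bind failure into a silent null for the caller without logging anything.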
diff -Nru axis-1.4/debian/patches/series axis-1.4/debian/patches/series
--- axis-1.4/debian/patches/series 2018-12-03 00:33:50.000000000 +0100
+++ axis-1.4/debian/patches/series 2023-10-17 14:05:20.000000000 +0200
@@ -8,3 +8,4 @@
java9-compatibility.patch
java11-compatibility.patch
CVE-2018-8032.patch
+CVE-2023-40743.patch
--- End Message ---
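The [Tests] section of the request above describes the fix as "if the name of the JNDI service contains a certain string then do nothing". The following is an added example, not code from Apache Axis or from the Debian patch, showing what that check has to get right: it is null-safe (the Axis caller may pass no `jndiName` at all), and it contrasts the patch's substring deny-list with a shape-based allow-list that refuses any URL-style name (anything with an RFC 3986 scheme prefix such as `ldap://` or `rmi://`) instead of matching letter sequences anywhere in the name. Class and method names are this example's own, and the sample names in `main` are constructed.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Added example; not part of Axis or of the Debian patch.
public class JndiNameCheck {

    // The protocol strings the patch refuses; the method around them is ours.
    private static final List<String> DENIED = Arrays.asList(
            "LDAP", "RMI", "JMS", "JMX", "JRMP", "JAVA", "DNS");

    /** Substring deny-list in the spirit of the patch, but null-safe. */
    static boolean deniedBySubstring(String name) {
        if (name == null) {
            return false;   // no name given: let the caller fall back to its default
        }
        String upper = name.toUpperCase(Locale.ROOT);
        for (String bad : DENIED) {
            if (upper.contains(bad)) {
                return true; // note: also rejects harmless names such as "myJavaService"
            }
        }
        return false;
    }

    /** Allow-list by shape: accept only names that carry no URL scheme. */
    static boolean isPlainName(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        int colon = name.indexOf(':');
        if (colon < 0) {
            return true;                 // no ':' at all, so it cannot be a URL
        }
        int slash = name.indexOf('/');
        if (slash >= 0 && slash < colon) {
            return true;                 // "a/b:c": the ':' sits inside a path segment
        }
        // RFC 3986 scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
        return !name.substring(0, colon).matches("[A-Za-z][A-Za-z0-9+.\\-]*");
    }

    public static void main(String[] args) {
        // Constructed sample names, including the null an Axis caller may pass.
        String[] samples = {
            "axisServiceName",
            "ldap://directory.example/cn=service",
            "rmi://registry.example:1099/svc",
            "myJavaService",
            null
        };
        System.out.printf("%-40s %-10s %-6s%n", "name", "denylist", "plain");
        for (String n : samples) {
            System.out.printf("%-40s %-10s %-6s%n",
                    n,
                    deniedBySubstring(n) ? "rejected" : "allowed",
                    isPlainName(n) ? "yes" : "no");
        }
    }
}
```

Running `main` shows the two checks agreeing on the URL-style names and on the default `axisServiceName`, disagreeing on `myJavaService` (rejected by the substring deny-list only because it contains "JAVA"), and both surviving a null name, which is the case the patch's own condition mishandles.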
--- Begin Message ---
Package: release.debian.org
Version: 12.3
Hi,
Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.
Regards,
Adam
--- End Message ---