Your message dated Sat, 10 Feb 2024 13:02:55 +0000
with message-id <[email protected]>
and subject line Released with 11.9
has caused the Debian Bug report #1054121,
regarding bullseye-pu: package axis/1.4-28
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1054121: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054121
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected]

[ Reason ]

Fixing CVE-2023-40743: Axis allows potentially dangerous lookup
mechanisms which may lead to DoS, SSRF or even RCE.

[ Tests ]

The fix is trivial. If the name of the JNDI service contains a certain
string then do nothing. That filters out unsupported protocols
effectively.

[ Risks ]

Axis in Debian is mainly used to build other software packages and
serves no other purpose. It is very unlikely that it is used in third-party
applications outside of Debian, but better safe than sorry.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Regards,

Markus
diff -Nru axis-1.4/debian/changelog axis-1.4/debian/changelog
--- axis-1.4/debian/changelog   2018-12-03 08:25:51.000000000 +0100
+++ axis-1.4/debian/changelog   2023-10-17 14:05:20.000000000 +0200
@@ -1,3 +1,15 @@
+axis (1.4-28+deb11u1) bullseye; urgency=medium
+
+  * Team upload.
+  * Fix CVE-2023-40743:
+    When integrating Apache Axis 1.x in an application, it may not have been
+    obvious that looking up a service through "ServiceFactory.getService"
+    allows potentially dangerous lookup mechanisms such as LDAP. When passing
+    untrusted input to this API method, this could expose the application to
+    DoS, SSRF and even attacks leading to RCE. (Closes: #1051288)
+
+ -- Markus Koschany <[email protected]>  Tue, 17 Oct 2023 14:05:20 +0200
+
 axis (1.4-28) unstable; urgency=medium
 
   * Fixed the build failure with Java 11 (Closes: #911187)
diff -Nru axis-1.4/debian/patches/CVE-2023-40743.patch 
axis-1.4/debian/patches/CVE-2023-40743.patch
--- axis-1.4/debian/patches/CVE-2023-40743.patch        1970-01-01 
01:00:00.000000000 +0100
+++ axis-1.4/debian/patches/CVE-2023-40743.patch        2023-10-17 
14:05:20.000000000 +0200
@@ -0,0 +1,32 @@
+From: Markus Koschany <[email protected]>
+Date: Tue, 17 Oct 2023 00:46:49 +0200
+Subject: CVE-2023-40743
+
+Origin: 
https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210
+---
+ src/org/apache/axis/client/ServiceFactory.java | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/org/apache/axis/client/ServiceFactory.java 
b/src/org/apache/axis/client/ServiceFactory.java
+index 33054a5..73e89ee 100644
+--- a/src/org/apache/axis/client/ServiceFactory.java
++++ b/src/org/apache/axis/client/ServiceFactory.java
+@@ -106,6 +106,10 @@ public class ServiceFactory extends 
javax.xml.rpc.ServiceFactory
+         
+         if (context != null) {
+             String name = (String)environment.get("jndiName");
++
++          if(name!=null && (name.toUpperCase().indexOf("LDAP")!=-1 || 
name.toUpperCase().indexOf("RMI")!=-1 || name.toUpperCase().indexOf("JMS")!=-1 
|| name.toUpperCase().indexOf("JMX")!=-1) || 
name.toUpperCase().indexOf("JRMP")!=-1 || 
name.toUpperCase().indexOf("JAVA")!=-1 || 
name.toUpperCase().indexOf("DNS")!=-1)  {
++              return null;
++            }
+             if (name == null) {
+                 name = "axisServiceName";
+             }
+@@ -120,6 +124,7 @@ public class ServiceFactory extends 
javax.xml.rpc.ServiceFactory
+                     context.bind(name, service);
+                 } catch (NamingException e1) {
+                     // !!! Couldn't do it, what should we do here?
++                  return null;
+                 }
+             }
+         } else {
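Review bot: the parenthesis in the new `if` closes after the `JMX` term, so the `JRMP`, `JAVA` and `DNS` checks sit outside the `name!=null &&` guard; when `environment.get("jndiName")` returns null the condition still evaluates `name.toUpperCase()` and throws a NullPointerException before the existing `if (name == null) { name = "axisServiceName"; }` fallback is reached. Move the closing parenthesis to after the `DNS` term, or compute `String upper = name.toUpperCase();` once inside a `name != null` block and test against it. Two smaller points: `indexOf` on the whole name rejects any harmless name that merely contains "java", "dns" or "rmi" as a substring, whereas checking the scheme before the first `:` would target the URL-based lookups the CVE is about; and the `return null;` added in the `NamingException` catch leaves the `// !!! Couldn't do it, what should we do here?` comment in place while silently swallowing the bind failure, so at least a log line explaining the null return would help callers.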
diff -Nru axis-1.4/debian/patches/series axis-1.4/debian/patches/series
--- axis-1.4/debian/patches/series      2018-12-03 00:33:50.000000000 +0100
+++ axis-1.4/debian/patches/series      2023-10-17 14:05:20.000000000 +0200
@@ -8,3 +8,4 @@
 java9-compatibility.patch
 java11-compatibility.patch
 CVE-2018-8032.patch
+CVE-2023-40743.patch

--- End Message ---
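As an added illustration of the filter described in the [Tests] section above (this is example code, not the Debian patch or Apache Axis's own source), the following class applies the same blocked-protocol list in a null-safe way and compares the URL scheme of the JNDI name rather than searching the whole name for substrings. The class name, method name and sample inputs are this example's own choices; "ldaps" is listed explicitly because the page's substring test on "LDAP" also covers it.

```java
// Added example (not part of the Debian bug report or of Apache Axis):
// a null-safe JNDI-name filter. Only the scheme (the text before the
// first ':') is compared, so a plain name such as "axisServiceName" is
// accepted while "ldap://host/cn=x" is rejected.
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public final class JndiNameFilter {

    // Same protocol list as the patch on this page, matched as URL schemes.
    private static final Set<String> BLOCKED_SCHEMES = new HashSet<>(Arrays.asList(
            "ldap", "ldaps", "rmi", "jms", "jmx", "jrmp", "java", "dns"));

    /** Returns true when the name carries a blocked URL scheme. */
    public static boolean isBlocked(String name) {
        if (name == null) {
            return false;      // no name given: caller falls back to its default
        }
        int colon = name.indexOf(':');
        if (colon <= 0) {
            return false;      // no scheme: plain name resolved in the initial context
        }
        String scheme = name.substring(0, colon).trim().toLowerCase(Locale.ROOT);
        return BLOCKED_SCHEMES.contains(scheme);
    }

    public static void main(String[] args) {
        // Constructed sample inputs covering null, plain names, mixed case and schemes.
        String[] samples = {
            null,
            "axisServiceName",
            "ldap://remote.example/cn=x",
            "LDAP://remote.example/cn=y",
            "rmi://remote.example/obj",
            "java:comp/env/jdbc/ds",
            "myServiceWithDnsInName"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + (isBlocked(s) ? "rejected" : "allowed"));
        }
    }
}
```

Scheme matching is deliberately narrower than the patch's substring search: "myServiceWithDnsInName" is allowed here but rejected by the patch, while every URL-style name the patch blocks is still blocked. Whether that narrower rule is acceptable depends on how the application's initial context is configured, so treat the allow decision for plain names as a local choice.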
--- Begin Message ---
Version: 11.9

The upload requested in this bug has been released as part of 11.9.

--- End Message ---
