Control: severity -1 serious
Control: tags -1 patch

I am raising the severity to serious because I think we want to fix this
for Jessie.

I have created a debdiff which is attached to this e-mail. I haven't
found a simple way yet to connect to an SSL protected web server and to
test this library. The server mentioned for testing purposes at

https://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577

seems to be down.

The patch for CVE-2014-3577 had to be combined with the existing patch
for CVE-2012-5783 similar to how Fedora, RedHat and CentOS addressed
this vulnerability.

Markus
diff -Nru commons-httpclient-3.1/debian/ant.properties 
commons-httpclient-3.1/debian/ant.properties
--- commons-httpclient-3.1/debian/ant.properties        2011-08-30 
11:42:03.000000000 +0200
+++ commons-httpclient-3.1/debian/ant.properties        2015-03-23 
23:15:53.000000000 +0100
@@ -1,5 +1,5 @@
 # JSSE stub classes required for build
 lib.dir=/usr/share/java
 #jsse.jar=/usr/share/java/jsse.jar
-ant.build.javac.source=1.4
-ant.build.javac.target=1.4
+ant.build.javac.source=1.5
+ant.build.javac.target=1.5
diff -Nru commons-httpclient-3.1/debian/changelog 
commons-httpclient-3.1/debian/changelog
--- commons-httpclient-3.1/debian/changelog     2012-12-06 14:41:48.000000000 
+0100
+++ commons-httpclient-3.1/debian/changelog     2015-03-23 23:15:53.000000000 
+0100
@@ -1,3 +1,20 @@
+commons-httpclient (3.1-11) unstable; urgency=high
+
+  * Team upload.
+  * Add CVE-2014-3577.patch. (Closes: #758086)
+    It was found that the fix for CVE-2012-6153 was incomplete: the code added
+    to check that the server hostname matches the domain name in a subject's
+    Common Name (CN) field in X.509 certificates was flawed. A
+    man-in-the-middle attacker could use this flaw to spoof an SSL server using
+    a specially crafted X.509 certificate. The fix for CVE-2012-6153 was
+    intended to address the incomplete patch for CVE-2012-5783. The issue is
+    now completely resolved by applying this patch and the
+    06_fix_CVE-2012-5783.patch.
+  * Change java.source and java.target ant properties to 1.5, otherwise
+    commons-httpclient will not compile with this patch.
+
+ -- Markus Koschany <a...@gambaru.de>  Mon, 23 Mar 2015 22:57:54 +0100
+
 commons-httpclient (3.1-10.2) unstable; urgency=low
 
   * Non-maintainer upload.
diff -Nru commons-httpclient-3.1/debian/patches/CVE-2014-3577.patch 
commons-httpclient-3.1/debian/patches/CVE-2014-3577.patch
--- commons-httpclient-3.1/debian/patches/CVE-2014-3577.patch   1970-01-01 
01:00:00.000000000 +0100
+++ commons-httpclient-3.1/debian/patches/CVE-2014-3577.patch   2015-03-23 
23:15:53.000000000 +0100
@@ -0,0 +1,110 @@
+From: Markus Koschany <a...@gambaru.de>
+Date: Mon, 23 Mar 2015 22:45:14 +0100
+Subject: CVE-2014-3577
+
+It was found that the fix for CVE-2012-6153 was incomplete: the code added to
+check that the server hostname matches the domain name in a subject's Common
+Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker
+could use this flaw to spoof an SSL server using a specially crafted X.509
+certificate.
+The fix for CVE-2012-6153 was intended to address the incomplete patch for
+CVE-2012-5783. This means the issue is now completely resolved by applying
+this patch and the 06_fix_CVE-2012-5783.patch.
+
+References:
+
+upstream announcement:
+https://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577
+
+Fedora-Fix:
+http://pkgs.fedoraproject.org/cgit/jakarta-commons-httpclient.git/tree/jakarta-commons-httpclient-CVE-2014-3577.patch
+
+CentOS-Fix:
+https://git.centos.org/blob/rpms!jakarta-commons-httpclient/SOURCES!jakarta-commons-httpclient-CVE-2014-3577.patch
+
+Debian-Bug: https://bugs.debian.org/758086
+Forwarded: not-needed, already fixed
+---
+ .../protocol/SSLProtocolSocketFactory.java         | 57 ++++++++++++++--------
+ 1 file changed, 37 insertions(+), 20 deletions(-)
+
+diff --git 
a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java 
b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+index fa0acc7..e6ce513 100644
+--- 
a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
++++ 
b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+@@ -44,9 +44,15 @@ import java.util.Iterator;
+ import java.util.LinkedList;
+ import java.util.List;
+ import java.util.Locale;
+-import java.util.StringTokenizer;
++import java.util.NoSuchElementException;
+ import java.util.regex.Pattern;
+ 
++import javax.naming.InvalidNameException;
++import javax.naming.NamingException;
++import javax.naming.directory.Attribute;
++import javax.naming.directory.Attributes;
++import javax.naming.ldap.LdapName;
++import javax.naming.ldap.Rdn;
+ import javax.net.ssl.SSLException;
+ import javax.net.ssl.SSLSession;
+ import javax.net.ssl.SSLSocket;
+@@ -424,28 +430,39 @@ public class SSLProtocolSocketFactory implements 
SecureProtocolSocketFactory {
+               return dots;
+       }
+ 
+-      private static String getCN(X509Certificate cert) {
+-        // Note:  toString() seems to do a better job than getName()
+-        //
+-        // For example, getName() gives me this:
+-        // 
1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
+-        //
+-        // whereas toString() gives me this:
+-        // EMAILADDRESS=juliusdav...@cucbc.com        
+-              String subjectPrincipal = 
cert.getSubjectX500Principal().toString();
+-              
+-              return getCN(subjectPrincipal);
+-
++      private static String getCN(final X509Certificate cert) {
++              final String subjectPrincipal = 
cert.getSubjectX500Principal().toString();
++              try {
++                      return extractCN(subjectPrincipal);
++              } catch (SSLException ex) {
++                      return null;
++              }
+       }
+-      private static String getCN(String subjectPrincipal) {
+-              StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
+-              while(st.hasMoreTokens()) {
+-                      String tok = st.nextToken().trim();
+-                      if (tok.length() > 3) {
+-                              if (tok.substring(0, 
3).equalsIgnoreCase("CN=")) {
+-                                      return tok.substring(3);
++
++      private static String extractCN(final String subjectPrincipal) throws 
SSLException {
++              if (subjectPrincipal == null) {
++                      return null;
++              }
++              try {
++                      final LdapName subjectDN = new 
LdapName(subjectPrincipal);
++                      final List<Rdn> rdns = subjectDN.getRdns();
++                      for (int i = rdns.size() - 1; i >= 0; i--) {
++                              final Rdn rds = rdns.get(i);
++                              final Attributes attributes = 
rds.toAttributes();
++                              final Attribute cn = attributes.get("cn");
++                              if (cn != null) {
++                                      try {
++                                              final Object value = cn.get();
++                                              if (value != null) {
++                                                      return value.toString();
++                                              }
++                                      } catch (NoSuchElementException ignore) 
{
++                                      } catch (NamingException ignore) {
++                                      }
+                               }
+                       }
++              } catch (InvalidNameException e) {
++                      throw new SSLException(subjectPrincipal + " is not a 
valid X500 distinguished name");
+               }
+               return null;
+       }
diff -Nru commons-httpclient-3.1/debian/patches/series 
commons-httpclient-3.1/debian/patches/series
--- commons-httpclient-3.1/debian/patches/series        2012-12-05 
17:34:20.000000000 +0100
+++ commons-httpclient-3.1/debian/patches/series        2015-03-23 
23:15:53.000000000 +0100
@@ -5,3 +5,4 @@
 04_fix_classpath.patch
 05_osgi_metadata
 06_fix_CVE-2012-5783.patch
+CVE-2014-3577.patch

Attachment: signature.asc
Description: OpenPGP digital signature

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to