[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#695236: marked as done (unblock: axis/1.4-16.1)

Your message dated Sat, 08 Dec 2012 16:33:07 +0000
with message-id <1354984387.19225.28.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#695236: unblock: axis/1.4-16.1
has caused the Debian Bug report #695236,
regarding unblock: axis/1.4-16.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
695236: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695236
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package axis

Thanks to Alberto Fernández Martínez <infjaf@gmail.com>
CVE-2012-5784 (=bug #692650) was fixed and I just sponsered
his NMU.  Debdiff is attached.

unblock axis/1.4-16.1

-- System Information:
Debian Release: 6.0.6
Architecture: i386 (i686)

Kernel: Linux 2.6.36-xenU-4814-i386 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru axis-1.4/debian/changelog axis-1.4/debian/changelog
--- axis-1.4/debian/changelog	2011-11-08 05:58:09.000000000 +0100
+++ axis-1.4/debian/changelog	2012-12-05 17:51:30.000000000 +0100
@@ -1,3 +1,10 @@
+axis (1.4-16.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Fix CVE-2012-5784 (Closes: #692650)
+
+ -- Alberto Fernández Martínez <infjaf@gmail.com>  Wed, 5 Dec 2012 17:28:00 +0100
+
 axis (1.4-16) unstable; urgency=low
 
   * Add missing dependency on libcommons-httpclient-java
diff -Nru axis-1.4/debian/patches/06-fix-CVE-2012-5784.patch axis-1.4/debian/patches/06-fix-CVE-2012-5784.patch
--- axis-1.4/debian/patches/06-fix-CVE-2012-5784.patch	1970-01-01 01:00:00.000000000 +0100
+++ axis-1.4/debian/patches/06-fix-CVE-2012-5784.patch	2012-11-17 18:54:16.000000000 +0100
@@ -0,0 +1,304 @@
+Description: Validates the hostname requested is the same in the certificate in ssl-connections
+ Fixes CVE-2012-5784, validates hostname certificate in SSL connections.
+ Backported from http-client 4, and from Apache Synapse (plus some bugfixes).
+
+Author: Alberto Fernandez <infjaf@gmail.com>
+Bug-Debian: http://bugs.debian.org/692650
+Forwarded: no
+
+
+
+--- axis-1.4.orig/src/org/apache/axis/components/net/JSSESocketFactory.java
++++ axis-1.4/src/org/apache/axis/components/net/JSSESocketFactory.java
+@@ -19,6 +19,8 @@ import org.apache.axis.utils.Messages;
+ import org.apache.axis.utils.XMLUtils;
+ import org.apache.axis.utils.StringUtils;
+ 
++import javax.net.ssl.SSLException;
++import javax.net.ssl.SSLSession;
+ import javax.net.ssl.SSLSocket;
+ import javax.net.ssl.SSLSocketFactory;
+ import java.io.BufferedWriter;
+@@ -28,7 +30,15 @@ import java.io.OutputStream;
+ import java.io.OutputStreamWriter;
+ import java.io.PrintWriter;
+ import java.net.Socket;
++import java.security.cert.Certificate;
++import java.security.cert.CertificateParsingException;
++import java.security.cert.X509Certificate;
++import java.util.Arrays;
++import java.util.Collection;
+ import java.util.Hashtable;
++import java.util.Iterator;
++import java.util.LinkedList;
++import java.util.List;
+ 
+ 
+ /**
+@@ -41,6 +51,10 @@ import java.util.Hashtable;
+  */
+ public class JSSESocketFactory extends DefaultSocketFactory implements SecureSocketFactory {
+ 
++    // This is a a sorted list, if you insert new elements do it orderdered.
++    private final static String[] BAD_COUNTRY_2LDS =
++        {"ac", "co", "com", "ed", "edu", "go", "gouv", "gov", "info",
++            "lg", "ne", "net", "or", "org"};
+     /** Field sslFactory           */
+     protected SSLSocketFactory sslFactory = null;
+ 
+@@ -187,6 +201,255 @@ public class JSSESocketFactory extends D
+         if (log.isDebugEnabled()) {
+             log.debug(Messages.getMessage("createdSSL00"));
+         }
++        verifyHostName(host, (SSLSocket) sslSocket);
+         return sslSocket;
+     }
++    /**
++     * Verifies that the given hostname in certicifate is the hostname we are trying to connect to
++     * http://www.cvedetails.com/cve/CVE-2012-5783/
++     * @param host
++     * @param ssl
++     * @throws IOException
++     */
++    
++	private static void verifyHostName(String host, SSLSocket ssl)
++			throws IOException {
++		if (host == null) {
++			throw new IllegalArgumentException("host to verify was null");
++		}
++
++		SSLSession session = ssl.getSession();
++		if (session == null) {
++            // In our experience this only happens under IBM 1.4.x when
++            // spurious (unrelated) certificates show up in the server's chain.
++            // Hopefully this will unearth the real problem:
++			InputStream in = ssl.getInputStream();
++			in.available();
++            /*
++                 If you're looking at the 2 lines of code above because you're
++                 running into a problem, you probably have two options:
++
++                    #1.  Clean up the certificate chain that your server
++                         is presenting (e.g. edit "/etc/apache2/server.crt" or
++                         wherever it is your server's certificate chain is
++                         defined).
++
++                                             OR
++
++                    #2.   Upgrade to an IBM 1.5.x or greater JVM, or switch to a
++                          non-IBM JVM.
++              */
++
++            // If ssl.getInputStream().available() didn't cause an exception,
++            // maybe at least now the session is available?
++			session = ssl.getSession();
++			if (session == null) {
++                // If it's still null, probably a startHandshake() will
++                // unearth the real problem.
++				ssl.startHandshake();
++
++                // Okay, if we still haven't managed to cause an exception,
++                // might as well go for the NPE.  Or maybe we're okay now?
++				session = ssl.getSession();
++			}
++		}
++
++		Certificate[] certs = session.getPeerCertificates();
++		verifyHostName(host.trim().toLowerCase(),  (X509Certificate) certs[0]);
++	}
++	/**
++	 * Extract the names from the certificate and tests host matches one of them
++	 * @param host
++	 * @param cert
++	 * @throws SSLException
++	 */
++
++	private static void verifyHostName(final String host, X509Certificate cert)
++			throws SSLException {
++        // I'm okay with being case-insensitive when comparing the host we used
++        // to establish the socket to the hostname in the certificate.
++        // Don't trim the CN, though.
++        
++		String cn = getCN(cert);
++		String[] subjectAlts = getDNSSubjectAlts(cert);
++		verifyHostName(host, cn.toLowerCase(), subjectAlts);
++
++	}
++
++	/**
++	 * Extract all alternative names from a certificate.
++	 * @param cert
++	 * @return
++	 */
++	private static String[] getDNSSubjectAlts(X509Certificate cert) {
++		LinkedList subjectAltList = new LinkedList();
++		Collection c = null;
++		try {
++			c = cert.getSubjectAlternativeNames();
++		} catch (CertificateParsingException cpe) {
++			// Should probably log.debug() this?
++			cpe.printStackTrace();
++		}
++		if (c != null) {
++			Iterator it = c.iterator();
++			while (it.hasNext()) {
++				List list = (List) it.next();
++				int type = ((Integer) list.get(0)).intValue();
++				// If type is 2, then we've got a dNSName
++				if (type == 2) {
++					String s = (String) list.get(1);
++					subjectAltList.add(s);
++				}
++			}
++		}
++		if (!subjectAltList.isEmpty()) {
++			String[] subjectAlts = new String[subjectAltList.size()];
++			subjectAltList.toArray(subjectAlts);
++			return subjectAlts;
++		} else {
++			return new String[0];
++		}
++	        
++	}
++	/**
++	 * Verifies
++	 * @param host
++	 * @param cn
++	 * @param subjectAlts
++	 * @throws SSLException
++	 */
++
++	private static void verifyHostName(final String host, String cn, String[] subjectAlts)throws SSLException{
++		StringBuffer cnTested = new StringBuffer();
++
++		for (int i = 0; i < subjectAlts.length; i++){
++			String name = subjectAlts[i];
++			if (name != null) {
++				name = name.toLowerCase();
++				if (verifyHostName(host, name)){
++					return;
++				}
++				cnTested.append("/").append(name);
++			}				
++		}
++		if (cn != null && verifyHostName(host, cn)){
++			return;
++		}
++		cnTested.append("/").append(cn);
++		throw new SSLException("hostname in certificate didn't match: <"
++					+ host + "> != <" + cnTested + ">");
++		
++	}		
++	
++	private static boolean verifyHostName(final String host, final String cn){
++		if (doWildCard(cn)) {
++			return matchesWildCard(cn, host);
++		} 
++		return host.equalsIgnoreCase(cn);		
++	}
++    private static boolean doWildCard(String cn) {
++		// Contains a wildcard
++		// wildcard in the first block
++    	// not an ipaddress (ip addres must explicitily be equal)
++    	// not using 2nd level common tld : ex: not for *.co.uk
++    	return 
++    			cn.indexOf("*.")>=0 &&
++    			cn.indexOf('.') > cn.indexOf("*.") &&
++    			!isIPAddress(cn) &&
++    			acceptableCountryWildcard(cn);
++    }
++
++	private static boolean isIPAddress(final String cn) {
++		// IPv6
++		if (cn.contains(":")) {
++			return true;
++		}
++		// IPb4
++		boolean isIP4 = true;
++		String tld = cn;
++		int x = cn.lastIndexOf('.');
++		// We only bother analyzing the characters after the final dot
++		// in the name.
++		if (x >= 0 && x + 1 < cn.length()) {
++			tld = cn.substring(x + 1);
++		}
++		for (int i = 0; i < tld.length(); i++) {
++			if (!Character.isDigit(tld.charAt(0))) {
++				isIP4 = false;
++				break;
++			}
++		}
++		return isIP4;
++	}
++
++	private static boolean acceptableCountryWildcard(final String cn) {
++		// The CN better have at least two dots if it wants wildcard action,
++		// but can't be [*.co.uk] or [*.co.jp] or [*.org.uk], etc...
++		// The [*.co.uk] problem is an interesting one. Should we just
++		// hope that CA's would never foolishly allow such a
++		// certificate to happen?
++    	
++		String[] parts = cn.split("\\.");
++		// Only checks for 3 levels, with country code of 2 letters.
++		if (parts.length > 3 || parts[parts.length - 1].length() != 2) {
++			return true;
++		}
++		String countryCode = parts[parts.length - 2];
++		return Arrays.binarySearch(BAD_COUNTRY_2LDS, countryCode) < 0;
++	}
++
++	private static boolean matchesWildCard(final String cn,
++			final String hostName) {
++		String parts[] = cn.split("\\.");
++		boolean match = false;
++		if (parts[0].length() > 1) {
++			// server∗
++			String prefix = parts[0].substring(0, parts[0].length() - 2);
++			// e.g. server
++			String suffix = cn.substring(parts[0].length());
++			// skipwildcard part from cn
++			String hostSuffix = hostName.substring(prefix.length());
++			// skip wildcard part from host
++			match = hostName.startsWith(prefix) && hostSuffix.endsWith(suffix);
++		} else {
++			match = hostName.endsWith(cn.substring(1));
++		}
++		if (match) {
++			// I f we ’ r e i n s t r i c t mode ,
++			// [ ∗.foo.com] is not allowed to match [a.b.foo.com]
++			match = countDots(hostName) == countDots(cn);
++		}
++		return match;
++	}
++
++	private static int countDots(final String data) {
++		int dots = 0;
++		for (int i = 0; i < data.length(); i++) {
++			if (data.charAt(i) == '.') {
++				dots += 1;
++			}
++		}
++		return dots;
++	}
++
++	private static String getCN(X509Certificate cert) {
++          // Note:  toString() seems to do a better job than getName()
++          //
++          // For example, getName() gives me this:
++          // 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
++          //
++          // whereas toString() gives me this:
++          // EMAILADDRESS=juliusdavies@cucbc.com        
++		String subjectPrincipal = cert.getSubjectX500Principal().toString();
++		int x = subjectPrincipal.indexOf("CN=");
++		if (x >= 0) {
++			int y = subjectPrincipal.indexOf(',', x);
++			// If there are no more commas, then CN= is the last entry.
++			y = (y >= 0) ? y : subjectPrincipal.length();
++			return subjectPrincipal.substring(x + 3, y);
++		} else {
++			return null;
++		}
++	}
++
+ }
diff -Nru axis-1.4/debian/patches/series axis-1.4/debian/patches/series
--- axis-1.4/debian/patches/series	2011-10-27 21:52:50.000000000 +0200
+++ axis-1.4/debian/patches/series	2012-12-05 17:50:11.000000000 +0100
@@ -3,3 +3,4 @@
 axis-bz152255.patch
 javadoc.diff
 add-osgi-metadata.patch
+06-fix-CVE-2012-5784.patch

--- End Message ---
--- Begin Message --- 
On Fri, 2012-12-07 at 10:53 +0100, Andreas Tille wrote:
> as promised I uploaded another attempt to fix the problem.  A debdiff
> against the current version in testing is attached to this mail.

Unblocked; thanks.

A few comments:

++    // This is a a sorted list, if you insert new elements do it orderdered.

"orderdered"? :)

++    private final static String[] BAD_COUNTRY_2LDS =
++        {"ac", "co", "com", "ed", "edu", "go", "gouv", "gov", "info",

"gouv"?

++     * Verifies that the given hostname in certicifate is the hostname we are trying to connect to
++     * http://www.cvedetails.com/cve/CVE-2012-5783/

The axis CVE appears to be 5784.

++                      // I f we ’ r e i n s t r i c t mode ,

Why all the extra spaces?

Regards,

Adam

--- End Message ---
Reply to: