Your message dated Sun, 23 Nov 2014 13:53:58 +0100
with message-id <5471D8E6.6040400@thykier.net>
and subject line Re: Bug#769787: unblock (pre-approval): poco 1.3.6p1-5
has caused the Debian Bug report #769787,
regarding unblock (pre-approval): poco 1.3.6p1-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
769787: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769787
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Cc: Maxime Chatelle <xakz@rxsoft.eu>
- Subject: unblock (pre-approval): poco 1.3.6p1-5
- From: Cristian Greco <cristian@regolo.cc>
- Date: Sun, 16 Nov 2014 13:52:41 +0100
- Message-id: <20141116135241.2e03f082@regolo>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

I'm seeking approval for the upload of poco 1.3.6p1-5. I received a patch for CVE-2014-0350 (#746637) from Maxime Chatelle, who prepared an upload for unstable. Debdiff is attached, dsc is available on mentors:

http://mentors.debian.net/debian/pool/main/p/poco/poco_1.3.6p1-5.dsc

I don't see problems with the patch but would like approval from the release team before going ahead. If we don't apply the patch now, poco 1.3.6p1-4 should be removed from testing.

Thanks,
--
Cristian Greco
GPG key ID: 0xCF4D32E4

diff -u poco-1.3.6p1/debian/control poco-1.3.6p1/debian/control --- poco-1.3.6p1/debian/control +++ poco-1.3.6p1/debian/control @@ -1,7 +1,7 @@ Source: poco Priority: optional Maintainer: Cristian Greco <cristian@debian.org> -Uploaders: Patrick Gansterer <paroga@paroga.com> +Uploaders: Patrick Gansterer <paroga@paroga.com>, Maxime Chatelle <xakz@rxsoft.eu> Build-Depends: debhelper (>= 5), dpatch, libexpat1-dev, libmysqlclient-dev, libpcre3-dev (>= 7.8), libsqlite3-dev (>= 3.6.13), libssl-dev (>= 0.9.8), unixodbc-dev, zlib1g-dev Standards-Version: 3.8.3 Section: libs diff -u poco-1.3.6p1/debian/changelog poco-1.3.6p1/debian/changelog --- poco-1.3.6p1/debian/changelog +++ poco-1.3.6p1/debian/changelog @@ -1,3 +1,11 @@ +poco (1.3.6p1-5) unstable; urgency=medium + + * Adds debian/patches/70_fix_CVE-2014-0350.dpatch (Closes: #746637). + The patch is backported from poco-1.4.7 where the vulnerability + has been fixed. + + -- Maxime Chatelle <xakz@rxsoft.eu> Sat, 15 Nov 2014 20:10:18 +0100 + poco (1.3.6p1-4) unstable; urgency=low * Wheezy cleanup release (3): should fix FTBFS on GNU/kFreeBSD for real. diff -u poco-1.3.6p1/debian/patches/00list poco-1.3.6p1/debian/patches/00list --- poco-1.3.6p1/debian/patches/00list +++ poco-1.3.6p1/debian/patches/00list 
@@ -6,0 +7 @@ +70_fix_CVE-2014-0350.dpatch only in patch2: unchanged: --- poco-1.3.6p1.orig/debian/patches/70_fix_CVE-2014-0350.dpatch +++ poco-1.3.6p1/debian/patches/70_fix_CVE-2014-0350.dpatch 
@@ -0,0 +1,142 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 70_fix_CVE-2014-0350.dpatch by Maxime Chatelle <xakz@rxsoft.eu> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Backported fix against CVE-2014-0350 + +@DPATCH@ + +diff -urNad poco-1.3.6p1~/NetSSL_OpenSSL/include/Poco/Net/X509Certificate.h poco-1.3.6p1/NetSSL_OpenSSL/include/Poco/Net/X509Certificate.h +--- poco-1.3.6p1~/NetSSL_OpenSSL/include/Poco/Net/X509Certificate.h 2009-12-21 19:15:02.000000000 +0100 ++++ poco-1.3.6p1/NetSSL_OpenSSL/include/Poco/Net/X509Certificate.h 2014-11-07 22:09:56.519596616 +0100 +@@ -102,7 +102,7 @@ + + protected: + static bool containsWildcards(const std::string& commonName); +- static bool matchByAlias(const std::string& alias, const HostEntry& heData); ++ static bool matchWildcard(const std::string& wildcard, const std::string& hostName); + + private: + enum +diff -urNad poco-1.3.6p1~/NetSSL_OpenSSL/src/X509Certificate.cpp poco-1.3.6p1/NetSSL_OpenSSL/src/X509Certificate.cpp +--- poco-1.3.6p1~/NetSSL_OpenSSL/src/X509Certificate.cpp 2009-12-21 19:15:02.000000000 +0100 ++++ poco-1.3.6p1/NetSSL_OpenSSL/src/X509Certificate.cpp 2014-11-07 22:11:30.847592322 +0100 +@@ -107,51 +107,47 @@ + std::string commonName; + std::set<std::string> dnsNames; + certificate.extractNames(commonName, dnsNames); ++ if (!commonName.empty()) dnsNames.insert(commonName); + bool ok = (dnsNames.find(hostName) != dnsNames.end()); +- +- char buffer[NAME_BUFFER_SIZE]; +- X509_NAME* subj = 0; +- if (!ok && (subj = X509_get_subject_name(const_cast<X509*>(certificate.certificate()))) && X509_NAME_get_text_by_NID(subj, NID_commonName, buffer, sizeof(buffer)) > 0) ++ if (!ok) + { +- buffer[NAME_BUFFER_SIZE - 1] = 0; +- std::string commonName(buffer); // commonName can contain wildcards like *.appinf.com +- try ++ for (std::set<std::string>::const_iterator it = dnsNames.begin(); !ok && it != dnsNames.end(); ++it) + { +- // two cases: strData contains wildcards or not +- if 
(containsWildcards(commonName)) +- { +- // a compare by IPAddress is not possible with wildcards +- // only allow compare by name +- const HostEntry& heData = DNS::resolve(hostName); +- ok = matchByAlias(commonName, heData); +- } +- else ++ try + { +- // it depends on hostName if we compare by IP or by alias +- IPAddress ip; +- if (IPAddress::tryParse(hostName, ip)) ++ // two cases: strData contains wildcards or not ++ if (containsWildcards(*it)) + { +- // compare by IP +- const HostEntry& heData = DNS::resolve(commonName); +- const HostEntry::AddressList& addr = heData.addresses(); +- HostEntry::AddressList::const_iterator it = addr.begin(); +- HostEntry::AddressList::const_iterator itEnd = addr.end(); +- for (; it != itEnd && !ok; ++it) +- { +- ok = (*it == ip); +- } ++ // a compare by IPAddress is not possible with wildcards ++ // only allow compare by name ++ ok = matchWildcard(*it, hostName); + } + else + { +- // compare by name +- const HostEntry& heData = DNS::resolve(hostName); +- ok = matchByAlias(commonName, heData); ++ // it depends on hostName if we compare by IP or by alias ++ IPAddress ip; ++ if (IPAddress::tryParse(hostName, ip)) ++ { ++ // compare by IP ++ const HostEntry& heData = DNS::resolve(*it); ++ const HostEntry::AddressList& addr = heData.addresses(); ++ HostEntry::AddressList::const_iterator it = addr.begin(); ++ HostEntry::AddressList::const_iterator itEnd = addr.end(); ++ for (; it != itEnd && !ok; ++it) ++ { ++ ok = (*it == ip); ++ } ++ } ++ else ++ { ++ ok = Poco::icompare(*it, hostName) == 0; ++ } + } + } +- } +- catch (HostNotFoundException&) +- { +- return X509_V_ERR_APPLICATION_VERIFICATION; ++ catch (HostNotFoundException&) ++ { ++ return X509_V_ERR_APPLICATION_VERIFICATION; ++ } + } + } + +@@ -169,24 +165,19 @@ + } + + +-bool X509Certificate::matchByAlias(const std::string& alias, const HostEntry& heData) ++bool X509Certificate::matchWildcard(const std::string& wildcard, const std::string& hostName) + { + // fix wildcards +- 
std::string aliasRep = Poco::replace(alias, "*", ".*"); +- Poco::replaceInPlace(aliasRep, "..*", ".*"); +- Poco::replaceInPlace(aliasRep, "?", ".?"); +- Poco::replaceInPlace(aliasRep, "..?", ".?"); +- // compare by name +- Poco::RegularExpression expr(aliasRep); +- bool found = false; +- const HostEntry::AliasList& aliases = heData.aliases(); +- HostEntry::AliasList::const_iterator it = aliases.begin(); +- HostEntry::AliasList::const_iterator itEnd = aliases.end(); +- for (; it != itEnd && !found; ++it) +- { +- found = expr.match(*it); +- } +- return found; ++ std::string wildcardExpr("^"); ++ wildcardExpr += Poco::replace(wildcard, ".", "\\."); ++ Poco::replaceInPlace(wildcardExpr, "*", ".*"); ++ Poco::replaceInPlace(wildcardExpr, "..*", ".*"); ++ Poco::replaceInPlace(wildcardExpr, "?", ".?"); ++ Poco::replaceInPlace(wildcardExpr, "..?", ".?"); ++ wildcardExpr += "$"; ++ ++ Poco::RegularExpression expr(wildcardExpr, Poco::RegularExpression::RE_CASELESS); ++ return expr.match(hostName); + } + +Attachment: pgp0wk27af5vz.pgp
Description: OpenPGP digital signature
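Review bot: dropping the protected static `matchByAlias(const std::string& alias, const HostEntry& heData)` from X509Certificate.h removes an exported member from the shared library, and nothing in this debdiff (control, changelog, 00list and the new dpatch are the only files touched) adjusts a symbols or shlibs file for it. Before uploading, check whether the binary package ships a symbols file that lists `matchByAlias`, and whether any reverse dependency derives from X509Certificate and calls it; if either is the case the package needs the corresponding bump, otherwise a short remark in the changelog that the removed function was protected and had no in-archive users would save the next reviewer the same check.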
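Review bot: in the X509Certificate.cpp hunk the `catch (HostNotFoundException&)` now lives inside the per-name loop but still does `return X509_V_ERR_APPLICATION_VERIFICATION;`, so when hostName is an IP literal and the first non-wildcard name in `dnsNames` fails to resolve, verification fails without ever looking at the remaining names (the old code had a single commonName, so returning there was harmless). Set `ok = false` and let the loop continue instead. Two smaller points on the same hunk: the inner `HostEntry::AddressList::const_iterator it = addr.begin();` shadows the outer `std::set<std::string>::const_iterator it` that was just dereferenced in `DNS::resolve(*it)`, which compiles but is easy to misread and trips -Wshadow, so rename the inner one; and the IP branch still decides whether a certificate is valid for an address by resolving each certificate name with `DNS::resolve(*it)` and comparing the returned addresses, so whoever controls DNS for a name in the certificate controls which IPs it matches. That behaviour predates this patch and fixing it properly (comparing against iPAddress subjectAltName entries) is out of scope for a CVE backport, but it is worth a comment or a follow-up bug so it is not mistaken for part of the fix. Finally, `if (!commonName.empty()) dnsNames.insert(commonName);` makes the CN a match candidate even when dNSName SAN entries are present, which RFC 6125 advises against; minor, but note it in the patch description.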
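Review bot: in the new `matchWildcard`, the two fix-up lines `Poco::replaceInPlace(wildcardExpr, "..*", ".*");` and `Poco::replaceInPlace(wildcardExpr, "..?", ".?");` are wrong now that dots are escaped first. For a name with a dot directly before the wildcard, say `www.*.com`, escaping gives `www\.*\.com`, the `*` to `.*` step gives `www\..*\.com`, and the `..*` to `.*` pass then rewrites that to `www\.*\.com`, where `\.*` means "zero or more literal dots", so the pattern no longer matches `www.foo.com` at all. The leading-wildcard form `*.example.com` happens to survive because `..*` never appears in `.*\.example\.com`, which is why this is easy to miss; drop both lines, they only made sense before the escaping was added. Two further points on the same hunk: only `.` is escaped, so any other PCRE metacharacter in a certificate name (`(`, `[`, `+`, `|`, `\`) reaches `Poco::RegularExpression` unescaped, and a malformed pattern throws a RegularExpressionException that the caller does not catch (it only handles HostNotFoundException), so either escape every metacharacter or catch the exception and treat it as no match; and `.*` matches across label boundaries, so `*.example.com` also accepts `a.b.example.com`, whereas RFC 6125 section 6.4.3 limits a wildcard to one label, for which `[^.]*` is the closer translation.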
--- End Message ---
--- Begin Message ---
- To: Cristian Greco <cristian@regolo.cc>, 769787-done@bugs.debian.org
- Cc: Maxime Chatelle <xakz@rxsoft.eu>
- Subject: Re: Bug#769787: unblock (pre-approval): poco 1.3.6p1-5
- From: Niels Thykier <niels@thykier.net>
- Date: Sun, 23 Nov 2014 13:53:58 +0100
- Message-id: <5471D8E6.6040400@thykier.net>
- In-reply-to: <54719F27.9020708@thykier.net>
- References: <20141116135241.2e03f082@regolo> <546A75D5.1010008@thykier.net> <20141122162128.79e6d4fd@regolo> <54719F27.9020708@thykier.net>
On 2014-11-23 09:47, Niels Thykier wrote:
> Control: tags -1 confirmed
>
> On 2014-11-22 16:21, Cristian Greco wrote:
>> On Mon, 17 Nov 2014 23:25:25 +0100
>> [...]
>
> Hi Cristian,
>
> Thanks for the alternative patch. Please upload that debdiff to
> unstable. Once the upload has been accepted in unstable, please ping
> this bug and remove the "moreinfo" tag.
>
> ~Niels
>

Noticed this one being uploaded and have unblocked it already.

Thanks,
~Niels
--- End Message ---