
Bug#769787: marked as done (unblock (pre-approval): poco 1.3.6p1-5)



Your message dated Sun, 23 Nov 2014 13:53:58 +0100
with message-id <5471D8E6.6040400@thykier.net>
and subject line Re: Bug#769787: unblock (pre-approval): poco 1.3.6p1-5
has caused the Debian Bug report #769787,
regarding unblock (pre-approval): poco 1.3.6p1-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
769787: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769787
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

I'm seeking approval for the upload of poco 1.3.6p1-5.

I received a patch for CVE-2014-0350 (#746637) from Maxime Chatelle,
who prepared an upload for unstable.

Debdiff is attached, dsc is available on mentors:
http://mentors.debian.net/debian/pool/main/p/poco/poco_1.3.6p1-5.dsc

I don't see problems with the patch but would like approval from the
release team before going ahead. If we don't apply the patch now, poco
1.3.6p1-4 should be removed from testing.

Thanks,
--
Cristian Greco
GPG key ID: 0xCF4D32E4
diff -u poco-1.3.6p1/debian/control poco-1.3.6p1/debian/control
--- poco-1.3.6p1/debian/control
+++ poco-1.3.6p1/debian/control
@@ -1,7 +1,7 @@
 Source: poco
 Priority: optional
 Maintainer: Cristian Greco <cristian@debian.org>
-Uploaders: Patrick Gansterer <paroga@paroga.com>
+Uploaders: Patrick Gansterer <paroga@paroga.com>, Maxime Chatelle <xakz@rxsoft.eu>
 Build-Depends: debhelper (>= 5), dpatch, libexpat1-dev, libmysqlclient-dev, libpcre3-dev (>= 7.8), libsqlite3-dev (>= 3.6.13), libssl-dev (>= 0.9.8), unixodbc-dev, zlib1g-dev
 Standards-Version: 3.8.3
 Section: libs
diff -u poco-1.3.6p1/debian/changelog poco-1.3.6p1/debian/changelog
--- poco-1.3.6p1/debian/changelog
+++ poco-1.3.6p1/debian/changelog
@@ -1,3 +1,11 @@
+poco (1.3.6p1-5) unstable; urgency=medium
+
+  * Adds debian/patches/70_fix_CVE-2014-0350.dpatch (Closes: #746637).
+    The patch is backported from poco-1.4.7 where the vulnerability
+    has been fixed.
+
+ -- Maxime Chatelle <xakz@rxsoft.eu>  Sat, 15 Nov 2014 20:10:18 +0100
+
 poco (1.3.6p1-4) unstable; urgency=low
 
   * Wheezy cleanup release (3): should fix FTBFS on GNU/kFreeBSD for real.
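Review bot: the new changelog entry says the fix is "backported from poco-1.4.7" but records no upstream commit id or file reference, so nobody reading the changelog later can verify what was backported or check it against upstream; add the upstream commit (or at least the touched file, NetSSL_OpenSSL/src/X509Certificate.cpp) either here or in the `## DP:` description of the dpatch header, which currently says only "Backported fix against CVE-2014-0350".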
diff -u poco-1.3.6p1/debian/patches/00list poco-1.3.6p1/debian/patches/00list
--- poco-1.3.6p1/debian/patches/00list
+++ poco-1.3.6p1/debian/patches/00list
@@ -6,0 +7 @@
+70_fix_CVE-2014-0350.dpatch
only in patch2:
unchanged:
--- poco-1.3.6p1.orig/debian/patches/70_fix_CVE-2014-0350.dpatch
+++ poco-1.3.6p1/debian/patches/70_fix_CVE-2014-0350.dpatch
@@ -0,0 +1,142 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 70_fix_CVE-2014-0350.dpatch by Maxime Chatelle <xakz@rxsoft.eu>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Backported fix against CVE-2014-0350
+
+@DPATCH@
+
+diff -urNad poco-1.3.6p1~/NetSSL_OpenSSL/include/Poco/Net/X509Certificate.h poco-1.3.6p1/NetSSL_OpenSSL/include/Poco/Net/X509Certificate.h
+--- poco-1.3.6p1~/NetSSL_OpenSSL/include/Poco/Net/X509Certificate.h	2009-12-21 19:15:02.000000000 +0100
++++ poco-1.3.6p1/NetSSL_OpenSSL/include/Poco/Net/X509Certificate.h	2014-11-07 22:09:56.519596616 +0100
+@@ -102,7 +102,7 @@
+ 		
+ protected:
+ 	static bool containsWildcards(const std::string& commonName);
+-	static bool matchByAlias(const std::string& alias, const HostEntry& heData);
++	static bool matchWildcard(const std::string& wildcard, const std::string& hostName);
+ 	
+ private:
+ 	enum
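Review bot: with `matchByAlias` replaced by `matchWildcard(const std::string& wildcard, const std::string& hostName)`, the `HostEntry` parameter and the `char buffer[NAME_BUFFER_SIZE]` that the .cpp hunk removes are the only consumers of the `NAME_BUFFER_SIZE` constant, which most likely lives in the private `enum` that begins on the last line of this hunk; check whether that enum is now dead and drop it if so. Renaming a protected static member is also source-visible to any subclass that called `matchByAlias`, which is acceptable for a security fix but worth a line in the changelog.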
+diff -urNad poco-1.3.6p1~/NetSSL_OpenSSL/src/X509Certificate.cpp poco-1.3.6p1/NetSSL_OpenSSL/src/X509Certificate.cpp
+--- poco-1.3.6p1~/NetSSL_OpenSSL/src/X509Certificate.cpp	2009-12-21 19:15:02.000000000 +0100
++++ poco-1.3.6p1/NetSSL_OpenSSL/src/X509Certificate.cpp	2014-11-07 22:11:30.847592322 +0100
+@@ -107,51 +107,47 @@
+ 	std::string commonName;
+ 	std::set<std::string> dnsNames;
+ 	certificate.extractNames(commonName, dnsNames);
++	if (!commonName.empty()) dnsNames.insert(commonName);
+ 	bool ok = (dnsNames.find(hostName) != dnsNames.end());
+-
+-	char buffer[NAME_BUFFER_SIZE];
+-	X509_NAME* subj = 0;
+-	if (!ok && (subj = X509_get_subject_name(const_cast<X509*>(certificate.certificate()))) && X509_NAME_get_text_by_NID(subj, NID_commonName, buffer, sizeof(buffer)) > 0)
++	if (!ok)
+ 	{
+-		buffer[NAME_BUFFER_SIZE - 1] = 0;
+-		std::string commonName(buffer); // commonName can contain wildcards like *.appinf.com
+-		try
++		for (std::set<std::string>::const_iterator it = dnsNames.begin(); !ok && it != dnsNames.end(); ++it)
+ 		{
+-			// two cases: strData contains wildcards or not
+-			if (containsWildcards(commonName))
+-			{
+-				// a compare by IPAddress is not possible with wildcards
+-				// only allow compare by name
+-				const HostEntry& heData = DNS::resolve(hostName);
+-				ok = matchByAlias(commonName, heData);
+-			}
+-			else
++			try
+ 			{
+-				// it depends on hostName if we compare by IP or by alias
+-				IPAddress ip;
+-				if (IPAddress::tryParse(hostName, ip))
++				// two cases: strData contains wildcards or not
++				if (containsWildcards(*it))
+ 				{
+-					// compare by IP
+-					const HostEntry& heData = DNS::resolve(commonName);
+-					const HostEntry::AddressList& addr = heData.addresses();
+-					HostEntry::AddressList::const_iterator it = addr.begin();
+-					HostEntry::AddressList::const_iterator itEnd = addr.end();
+-					for (; it != itEnd && !ok; ++it)
+-					{
+-						ok = (*it == ip);
+-					}
++					// a compare by IPAddress is not possible with wildcards
++					// only allow compare by name
++					ok = matchWildcard(*it, hostName);
+ 				}
+ 				else
+ 				{
+-					// compare by name
+-					const HostEntry& heData = DNS::resolve(hostName);
+-					ok = matchByAlias(commonName, heData);
++					// it depends on hostName if we compare by IP or by alias
++					IPAddress ip;
++					if (IPAddress::tryParse(hostName, ip))
++					{
++						// compare by IP
++						const HostEntry& heData = DNS::resolve(*it);
++						const HostEntry::AddressList& addr = heData.addresses();
++						HostEntry::AddressList::const_iterator it = addr.begin();
++						HostEntry::AddressList::const_iterator itEnd = addr.end();
++						for (; it != itEnd && !ok; ++it)
++						{
++							ok = (*it == ip);
++						}
++					}
++					else
++					{
++						ok = Poco::icompare(*it, hostName) == 0;
++					}
+ 				}
+ 			}
+-		}
+-		catch (HostNotFoundException&)
+-		{
+-			return X509_V_ERR_APPLICATION_VERIFICATION;
++			catch (HostNotFoundException&)
++			{
++                		return X509_V_ERR_APPLICATION_VERIFICATION;
++			}
+ 		}
+ 	}
+ 
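Review bot: the `catch (HostNotFoundException&)` inside the new per-name loop returns `X509_V_ERR_APPLICATION_VERIFICATION` as soon as one name fails to resolve, so when `hostName` is an IP address a certificate whose SAN list contains a single stale or unresolvable entry can never verify, even if a later entry resolves to that address; `continue` to the next name and fail only if none matched after the loop. The address comparison after `DNS::resolve(*it)` also still lets the resolver decide whether a certificate name matches an IP, which a spoofed DNS answer satisfies; an iPAddress SAN comparison would be the robust check, and at minimum this branch should be commented as best-effort. Minor: the inner `HostEntry::AddressList::const_iterator it` shadows the outer `std::set<std::string>::const_iterator it` (it compiles only because the outer `*it` is consumed in `DNS::resolve(*it)` before the inner declaration), so rename it, and the `return X509_V_ERR_APPLICATION_VERIFICATION;` line mixes spaces and tabs.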
+@@ -169,24 +165,19 @@
+ }
+ 
+ 
+-bool X509Certificate::matchByAlias(const std::string& alias, const HostEntry& heData)
++bool X509Certificate::matchWildcard(const std::string& wildcard, const std::string& hostName)
+ {
+ 	// fix wildcards
+-	std::string aliasRep = Poco::replace(alias, "*", ".*");
+-	Poco::replaceInPlace(aliasRep, "..*", ".*");
+-	Poco::replaceInPlace(aliasRep, "?", ".?");
+-	Poco::replaceInPlace(aliasRep, "..?", ".?");
+-	// compare by name
+-	Poco::RegularExpression expr(aliasRep);
+-	bool found = false;
+-	const HostEntry::AliasList& aliases = heData.aliases();
+-	HostEntry::AliasList::const_iterator it = aliases.begin();
+-	HostEntry::AliasList::const_iterator itEnd = aliases.end();
+-	for (; it != itEnd && !found; ++it)
+-	{
+-		found = expr.match(*it);
+-	}
+-	return found;
++	std::string wildcardExpr("^");
++	wildcardExpr += Poco::replace(wildcard, ".", "\\.");
++	Poco::replaceInPlace(wildcardExpr, "*", ".*");
++	Poco::replaceInPlace(wildcardExpr, "..*", ".*");
++	Poco::replaceInPlace(wildcardExpr, "?", ".?");
++	Poco::replaceInPlace(wildcardExpr, "..?", ".?");
++	wildcardExpr += "$";
++
++	Poco::RegularExpression expr(wildcardExpr, Poco::RegularExpression::RE_CASELESS);
++	return expr.match(hostName);
+ }
+ 
+ 
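Review bot: the two rewrites carried over from the old code, `Poco::replaceInPlace(wildcardExpr, "..*", ".*");` and `Poco::replaceInPlace(wildcardExpr, "..?", ".?");`, are now wrong rather than harmless: every literal dot has already been escaped to `\.`, so the only way `..*` can occur is as an escaped dot followed by the expanded wildcard (`\..*`), and collapsing that to `\.*` changes "a dot, then anything" into "zero or more literal dots", so a name like `foo.*` matches the bare host `foo` and nothing below it; drop both lines. Separately, expanding `*` to `.*` lets a wildcard span label boundaries, so `*.example.com` accepts `a.b.example.com`; RFC 6125 section 6.4.3 semantics need one label only (`[^.]+`), and `?` has no meaning in certificate names. Finally, only `.` is escaped: any other PCRE metacharacter in a CN or SAN (`(`, `[`, `+`, `|`, `\`) reaches `Poco::RegularExpression` unescaped, and a malformed pattern throws from the constructor, which the caller's `catch (HostNotFoundException&)` does not catch, so the exception escapes `verifyCertificate`. Escape the whole name first (or split on `*` and quote each piece) and substitute the wildcard afterwards.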

Attachment: pgp0wk27af5vz.pgp
Description: OpenPGP digital signature


--- End Message ---
--- Begin Message ---
On 2014-11-23 09:47, Niels Thykier wrote:
> Control: tags -1 confirmed
> 
> On 2014-11-22 16:21, Cristian Greco wrote:
>> On Mon, 17 Nov 2014 23:25:25 +0100
>> [...]
> 
> Hi Cristian,
> 
> Thanks for the alternative patch.  Please upload that debdiff to
> unstable.  Once the upload has been accepted in unstable, please ping
> this bug and remove the "moreinfo" tag.
> 
> ~Niels
> 
> 

Noticed this one being uploaded and have unblocked it already.

Thanks,
~Niels

--- End Message ---
