
Bug#782848: marked as done (wheezy-pu: package httpcomponents-client/4.1.1-2)



Your message dated Sat, 05 Sep 2015 14:33:54 +0100
with message-id <1441460034.2151.33.camel@adam-barratt.org.uk>
and subject line Closing bugs for 7.9
has caused the Debian Bug report #782848,
regarding wheezy-pu: package httpcomponents-client/4.1.1-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
782848: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782848
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

similar to commons-httpclient [1] the Java team would like to fix
CVE-2014-3577 for httpcomponents-client in wheezy. This package is
the successor of commons-httpclient and currently also affected by
this exploitable MITM vulnerability. [2] Please find attached the
proposed debdiff against the version of httpcomponents-client 4.1.1-2
in wheezy.

Regards,

Markus

[1] https://bugs.debian.org/782663
[2] https://security-tracker.debian.org/tracker/CVE-2014-3577
diff -Nru httpcomponents-client-4.1.1/debian/changelog httpcomponents-client-4.1.1/debian/changelog
--- httpcomponents-client-4.1.1/debian/changelog	2012-04-02 01:31:57.000000000 +0200
+++ httpcomponents-client-4.1.1/debian/changelog	2015-04-18 14:46:12.000000000 +0200
@@ -1,3 +1,14 @@
+httpcomponents-client (4.1.1-2+deb7u1) wheezy; urgency=high
+
+  * Add CVE-2012-6153.patch and CVE-2014-3577.patch.
+    It was found that the fix for CVE-2012-5783 and CVE-2012-6153 was
+    incomplete. The code added to check that the server hostname matches the
+    domain name in the subject's CN field was flawed. This can be exploited by
+    a Man-in-the-middle (MITM) attack where the attacker can spoof a valid
+    certificate using a specially crafted subject.
+
+ -- Markus Koschany <apo@gambaru.de>  Sat, 18 Apr 2015 14:15:11 +0200
+
 httpcomponents-client (4.1.1-2) unstable; urgency=low
 
   * Add OSGi metadata to JAR manifest.
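Review bot: the changelog explanation runs two separate follow-ups together. As the patch headers further down state, CVE-2012-6153.patch completes the CVE-2012-5783 fix and CVE-2014-3577.patch completes the CVE-2012-6153 fix, but the entry reads as if a single "fix for CVE-2012-5783 and CVE-2012-6153 was incomplete". Suggest one sub-item per patch, each naming the CVE whose fix it completes, and citing upstream revision 1411705 and the Fedora patch source that the headers already reference, so the provenance is visible from the package changelog itself.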
diff -Nru httpcomponents-client-4.1.1/debian/patches/CVE-2012-6153.patch httpcomponents-client-4.1.1/debian/patches/CVE-2012-6153.patch
--- httpcomponents-client-4.1.1/debian/patches/CVE-2012-6153.patch	1970-01-01 01:00:00.000000000 +0100
+++ httpcomponents-client-4.1.1/debian/patches/CVE-2012-6153.patch	2015-04-18 14:46:12.000000000 +0200
@@ -0,0 +1,57 @@
+From: Markus Koschany <apo@gambaru.de>
+Date: Sat, 18 Apr 2015 00:39:57 +0200
+Subject: CVE-2012-6153
+
+It was found that the fix for CVE-2012-5783 was incomplete.
+The code added to check that the server hostname matches the domain name in the
+subject's CN field was flawed. This can be exploited by a Man-in-the-middle
+(MITM) attack, where the attacker can spoof a valid certificate using a
+specially crafted subject.
+
+Fix for 4.2.x branch, upstream revision 1411705
+https://svn.apache.org/viewvc?view=revision&revision=1411705
+More information:
+https://bugzilla.redhat.com/show_bug.cgi?id=1129916
+---
+ .../java/org/apache/http/conn/ssl/AbstractVerifier.java    | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java b/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
+index 547204a..d31d8c0 100644
+--- a/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
++++ b/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
+@@ -180,12 +180,12 @@ public abstract class AbstractVerifier implements X509HostnameVerifier {
+ 
+         // We're can be case-insensitive when comparing the host we used to
+         // establish the socket to the hostname in the certificate.
+-        String hostName = host.trim().toLowerCase(Locale.ENGLISH);
++        String hostName = host.trim().toLowerCase(Locale.US);
+         boolean match = false;
+         for(Iterator<String> it = names.iterator(); it.hasNext();) {
+             // Don't trim the CN, though!
+             String cn = it.next();
+-            cn = cn.toLowerCase(Locale.ENGLISH);
++            cn = cn.toLowerCase(Locale.US);
+             // Store CN in StringBuilder in case we need to report an error.
+             buf.append(" <");
+             buf.append(cn);
+@@ -260,13 +260,15 @@ public abstract class AbstractVerifier implements X509HostnameVerifier {
+            Looks like toString() even works with non-ascii domain names!
+            I tested it with "&#x82b1;&#x5b50;.co.jp" and it worked fine.
+         */
++
+         String subjectPrincipal = cert.getSubjectX500Principal().toString();
+         StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
+         while(st.hasMoreTokens()) {
+-            String tok = st.nextToken();
+-            int x = tok.indexOf("CN=");
+-            if(x >= 0) {
+-                cnList.add(tok.substring(x + 3));
++            String tok = st.nextToken().trim();
++            if (tok.length() > 3) {
++                if (tok.substring(0, 3).equalsIgnoreCase("CN=")) {
++                    cnList.add(tok.substring(3));
++                }
+             }
+         }
+         if(!cnList.isEmpty()) {
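Review bot: the replacement still relies on `StringTokenizer(subjectPrincipal, ",")`, which splits on every comma with no regard for RFC 2253 escaping or quoting, so an attribute value that itself contains a comma is broken into extra tokens, and the new prefix test `tok.substring(0, 3).equalsIgnoreCase("CN=")` only tightens which of those tokens are accepted as a CN. That is the residual weakness the following CVE-2014-3577.patch addresses by parsing the DN with LdapName, so when both patches ship together this one is effectively superseded; keeping it for history is fine, but its header should say the fix is partial. The `Locale.ENGLISH` to `Locale.US` changes and the added blank line are behaviour-neutral noise in a security patch; a sentence in the header saying so would spare the next reader the check.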
diff -Nru httpcomponents-client-4.1.1/debian/patches/CVE-2014-3577.patch httpcomponents-client-4.1.1/debian/patches/CVE-2014-3577.patch
--- httpcomponents-client-4.1.1/debian/patches/CVE-2014-3577.patch	1970-01-01 01:00:00.000000000 +0100
+++ httpcomponents-client-4.1.1/debian/patches/CVE-2014-3577.patch	2015-04-18 14:46:12.000000000 +0200
@@ -0,0 +1,147 @@
+From: Markus Koschany <apo@gambaru.de>
+Date: Sat, 18 Apr 2015 00:42:07 +0200
+Subject: CVE-2014-3577
+
+It was found that the fix for CVE-2012-6153 was incomplete. The code added to
+check that the server hostname matches  the domain name in the subject's CN
+field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack
+where the attacker can spoof a valid certificate using a specially crafted
+subject.
+
+This patch was taken from
+http://pkgs.fedoraproject.org/cgit/httpcomponents-client.git/diff/0001-Fix-CVE-2014-3577.patch?h=f20
+
+More information:
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3577
+Links to upstream commits:
+https://bugzilla.redhat.com/show_bug.cgi?id=1129074#c4
+---
+ .../org/apache/http/conn/ssl/AbstractVerifier.java | 85 +++++++++++-----------
+ 1 file changed, 43 insertions(+), 42 deletions(-)
+
+diff --git a/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java b/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
+index d31d8c0..ce0cec6 100644
+--- a/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
++++ b/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
+@@ -28,7 +28,6 @@
+ package org.apache.http.conn.ssl;
+ 
+ import org.apache.http.annotation.Immutable;
+-
+ import org.apache.http.conn.util.InetAddressUtils;
+ 
+ import java.io.IOException;
+@@ -36,13 +35,20 @@ import java.io.InputStream;
+ import java.security.cert.Certificate;
+ import java.security.cert.CertificateParsingException;
+ import java.security.cert.X509Certificate;
++import java.util.ArrayList;
+ import java.util.Arrays;
+ import java.util.Collection;
+ import java.util.Iterator;
+ import java.util.LinkedList;
+ import java.util.List;
+ import java.util.Locale;
+-import java.util.StringTokenizer;
++import java.util.NoSuchElementException;
++import javax.naming.InvalidNameException;
++import javax.naming.NamingException;
++import javax.naming.directory.Attribute;
++import javax.naming.directory.Attributes;
++import javax.naming.ldap.LdapName;
++import javax.naming.ldap.Rdn;
+ import java.util.logging.Logger;
+ import java.util.logging.Level;
+ 
+@@ -144,7 +150,8 @@ public abstract class AbstractVerifier implements X509HostnameVerifier {
+ 
+     public final void verify(String host, X509Certificate cert)
+           throws SSLException {
+-        String[] cns = getCNs(cert);
++        final String subjectPrincipal = cert.getSubjectX500Principal().toString();
++        final String[] cns = extractCNs(subjectPrincipal);
+         String[] subjectAlts = getSubjectAlts(cert, host);
+         verify(host, cns, subjectAlts);
+     }
+@@ -236,48 +243,42 @@ public abstract class AbstractVerifier implements X509HostnameVerifier {
+         return true;
+     }
+ 
+-    public static String[] getCNs(X509Certificate cert) {
+-        LinkedList<String> cnList = new LinkedList<String>();
+-        /*
+-          Sebastian Hauer's original StrictSSLProtocolSocketFactory used
+-          getName() and had the following comment:
+-
+-                Parses a X.500 distinguished name for the value of the
+-                "Common Name" field.  This is done a bit sloppy right
+-                 now and should probably be done a bit more according to
+-                <code>RFC 2253</code>.
+-
+-           I've noticed that toString() seems to do a better job than
+-           getName() on these X500Principal objects, so I'm hoping that
+-           addresses Sebastian's concern.
+-
+-           For example, getName() gives me this:
+-           1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
+-
+-           whereas toString() gives me this:
+-           EMAILADDRESS=juliusdavies@cucbc.com
+-
+-           Looks like toString() even works with non-ascii domain names!
+-           I tested it with "&#x82b1;&#x5b50;.co.jp" and it worked fine.
+-        */
+-
+-        String subjectPrincipal = cert.getSubjectX500Principal().toString();
+-        StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
+-        while(st.hasMoreTokens()) {
+-            String tok = st.nextToken().trim();
+-            if (tok.length() > 3) {
+-                if (tok.substring(0, 3).equalsIgnoreCase("CN=")) {
+-                    cnList.add(tok.substring(3));
+-                }
+-            }
++    public static String[] getCNs(final X509Certificate cert) {
++        final String subjectPrincipal = cert.getSubjectX500Principal().toString();
++        try {
++            return extractCNs(subjectPrincipal);
++        } catch (SSLException ex) {
++            return null;
+         }
+-        if(!cnList.isEmpty()) {
+-            String[] cns = new String[cnList.size()];
+-            cnList.toArray(cns);
+-            return cns;
+-        } else {
++    }
++
++    static String[] extractCNs(final String subjectPrincipal) throws SSLException {
++        if (subjectPrincipal == null) {
+             return null;
+         }
++        final List<String> cns = new ArrayList<String>();
++        try {
++            final LdapName subjectDN = new LdapName(subjectPrincipal);
++            final List<Rdn> rdns = subjectDN.getRdns();
++            for (int i = rdns.size() - 1; i >= 0; i--) {
++                final Rdn rds = rdns.get(i);
++                final Attributes attributes = rds.toAttributes();
++                final Attribute cn = attributes.get("cn");
++                if (cn != null) {
++                    try {
++                        final Object value = cn.get();
++                        if (value != null) {
++                            cns.add(value.toString());
++                        }
++                    } catch (NoSuchElementException ignore) {
++                    } catch (NamingException ignore) {
++                    }
++                }
++            }
++        } catch (InvalidNameException e) {
++            throw new SSLException(subjectPrincipal + " is not a valid X500 distinguished name");
++        }
++        return cns.isEmpty() ? null : cns.toArray(new String[cns.size()]);
+     }
+ 
+     /**
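Review bot: `getCNs()` now swallows the `SSLException` from `extractCNs()` and returns null, so a caller of this public method can no longer distinguish a malformed subject DN from a certificate that simply carries no CN. `verify()` avoids that by calling `extractCNs()` directly and letting the exception propagate, which is the fail-closed behaviour a hostname verifier should have; if the null return in `getCNs()` is kept for API compatibility, the Javadoc should state it. Style point: the `javax.naming.*` imports are inserted between `java.util.NoSuchElementException` and `java.util.logging.Logger`, splitting the `java.util` group; move them after it.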
diff -Nru httpcomponents-client-4.1.1/debian/patches/series httpcomponents-client-4.1.1/debian/patches/series
--- httpcomponents-client-4.1.1/debian/patches/series	2012-04-02 01:31:57.000000000 +0200
+++ httpcomponents-client-4.1.1/debian/patches/series	2015-04-18 14:46:12.000000000 +0200
@@ -1,2 +1,4 @@
 00-fix_build.patch
 01-generate_osgi_metadata.patch
+CVE-2012-6153.patch
+CVE-2014-3577.patch
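Review bot: the order here is correct and load-bearing: CVE-2014-3577.patch's `index d31d8c0..ce0cec6` starts from the blob that CVE-2012-6153.patch produces (`index 547204a..d31d8c0`), so the two entries must stay in this sequence or the second patch will not apply. The existing patches carry `00-`/`01-` prefixes while the new ones do not; following the numbering convention (for example `02-CVE-2012-6153.patch`, `03-CVE-2014-3577.patch`) would make that dependency explicit in the filenames.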

--- End Message ---
--- Begin Message ---
Version: 7.9

Hi,

These bugs relate to updates which were included in the 7.9 point
release.

Regards,

Adam

--- End Message ---
