
Bug#909807: stretch-pu: package tomcat-native/1.2.12-2+deb9u1



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

I would like to update tomcat-native in Stretch. It is currently
affected by CVE-2018-8019 and CVE-2018-8020. The security team marked
both issues as no-dsa.

Please find attached the debdiff.

Regards,

Markus
diff -Nru tomcat-native-1.2.12/debian/changelog tomcat-native-1.2.12/debian/changelog
--- tomcat-native-1.2.12/debian/changelog	2018-02-11 21:16:59.000000000 +0100
+++ tomcat-native-1.2.12/debian/changelog	2018-09-28 23:51:20.000000000 +0200
@@ -1,3 +1,15 @@
+tomcat-native (1.2.12-2+deb9u2) stretch; urgency=high
+
+  * Team upload.
+  * Fix CVE-2018-8019 and CVE-2018-8020.
+    When using an OCSP responder Tomcat Native did not correctly handle invalid
+    responses. This allowed for revoked client certificates to be incorrectly
+    identified. It was therefore possible for users to authenticate with
+    revoked certificates when using mutual TLS. Users not using OCSP checks are
+    not affected by this vulnerability.
+
+ -- Markus Koschany <apo@debian.org>  Fri, 28 Sep 2018 23:51:20 +0200
+
 tomcat-native (1.2.12-2+deb9u1) stretch-security; urgency=high
 
   * Non-maintainer upload by the LTS team.
diff -Nru tomcat-native-1.2.12/debian/patches/CVE-2018-8019.patch tomcat-native-1.2.12/debian/patches/CVE-2018-8019.patch
--- tomcat-native-1.2.12/debian/patches/CVE-2018-8019.patch	1970-01-01 01:00:00.000000000 +0100
+++ tomcat-native-1.2.12/debian/patches/CVE-2018-8019.patch	2018-09-28 23:51:20.000000000 +0200
@@ -0,0 +1,88 @@
+From: Markus Koschany <apo@debian.org>
+Date: Fri, 28 Sep 2018 22:59:06 +0200
+Subject: CVE-2018-8019
+
+Origin: https://svn.apache.org/r1832832
+---
+ native/src/sslutils.c | 38 +++++++++++++++++++++++---------------
+ 1 file changed, 23 insertions(+), 15 deletions(-)
+
+diff --git a/native/src/sslutils.c b/native/src/sslutils.c
+index 035c2b0..f7af4af 100644
+--- a/native/src/sslutils.c
++++ b/native/src/sslutils.c
+@@ -35,7 +35,7 @@ extern int WIN32_SSL_password_prompt(tcn_pass_cb_t *data);
+ #define ASN1_OID      0x06
+ #define ASN1_STRING   0x86
+ static int ssl_verify_OCSP(int ok, X509_STORE_CTX *ctx);
+-static int ssl_ocsp_request(X509 *cert, X509 *issuer);
++static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx);
+ #endif
+ 
+ /*  _________________________________________________________________
+@@ -519,21 +519,22 @@ static int ssl_verify_OCSP(int ok, X509_STORE_CTX *ctx)
+     }
+ 
+     /* if we can't get the issuer, we cannot perform OCSP verification */
+-    if (X509_STORE_CTX_get1_issuer(&issuer, ctx, cert) == 1 ) {
+-        r = ssl_ocsp_request(cert, issuer);
+-        if (r == OCSP_STATUS_REVOKED) {
++    issuer = X509_STORE_CTX_get0_current_issuer(ctx);
++    if (issuer != NULL) {
++        r = ssl_ocsp_request(cert, issuer, ctx);
++        switch (r) {
++        case OCSP_STATUS_OK:
++            X509_STORE_CTX_set_error(ctx, X509_V_OK);
++            break;
++        case OCSP_STATUS_REVOKED:
+             /* we set the error if we know that it is revoked */
+             X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);
++            break;
++        case OCSP_STATUS_UNKNOWN:
++            /* correct error code for application errors? */
++            // X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
++            break;
+         }
+-        else {
+-            /* else we return unknown */
+-            r = OCSP_STATUS_UNKNOWN;
+-        }
+-        X509_free(issuer); /* It appears that we  should free issuer since
+-                            * X509_STORE_CTX_get1_issuer() calls X509_OBJECT_up_ref_count()
+-                            * on the issuer object (unline X509_STORE_CTX_get_current_cert()
+-                            * that just returns the pointer
+-                            */
+     }
+     return r;
+ }
+@@ -1038,7 +1039,7 @@ static int process_ocsp_response(OCSP_RESPONSE *ocsp_resp)
+     return o;
+ }
+ 
+-static int ssl_ocsp_request(X509 *cert, X509 *issuer)
++static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx)
+ {
+     char **ocsp_urls = NULL;
+     int nid;
+@@ -1061,13 +1062,20 @@ static int ssl_ocsp_request(X509 *cert, X509 *issuer)
+        the ocsp status. Otherwise, return OCSP_STATUS_UNKNOWN */
+     if (ocsp_urls != NULL) {
+         OCSP_RESPONSE *resp;
++        int rv = OCSP_STATUS_UNKNOWN;
+         /* for the time being just check for the fist response .. a better
+            approach is to iterate for all the possible ocsp urls */
+         resp = get_ocsp_response(cert, issuer, ocsp_urls[0]);
++        if (resp != NULL) {
++            rv = process_ocsp_response(resp);
++        } else {
++            /* correct error code for application errors? */
++            X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
++        }
+ 
+         if (resp != NULL) {
+             apr_pool_destroy(p);
+-            return process_ocsp_response(resp);
++            return rv;
+         }
+     }
+     apr_pool_destroy(p);
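Review bot: The new `switch (r)` in ssl_verify_OCSP has no `default:`, so a return value other than the three named statuses leaves the X509 error untouched and the certificate is accepted; letting `default:` share the OCSP_STATUS_UNKNOWN arm would fail closed. In this patch the OCSP_STATUS_UNKNOWN arm carries only a commented-out `X509_STORE_CTX_set_error`, so an unparseable or absent OCSP answer is rejected only when ssl_ocsp_request itself set the error; the series file applies CVE-2018-8020.patch right after this one, which is where that line is enabled, so the two patches should be treated as one unit rather than reviewed independently. In ssl_ocsp_request the two consecutive `if (resp != NULL)` tests can be merged, e.g. `if (resp != NULL) { rv = process_ocsp_response(resp); apr_pool_destroy(p); return rv; }` with the set_error in the else branch. Both ssl_verify_OCSP and ssl_ocsp_request start and end outside this hunk, and the value ssl_ocsp_request returns on the no-response path is not visible here.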
diff -Nru tomcat-native-1.2.12/debian/patches/CVE-2018-8020.patch tomcat-native-1.2.12/debian/patches/CVE-2018-8020.patch
--- tomcat-native-1.2.12/debian/patches/CVE-2018-8020.patch	1970-01-01 01:00:00.000000000 +0100
+++ tomcat-native-1.2.12/debian/patches/CVE-2018-8020.patch	2018-09-28 23:51:20.000000000 +0200
@@ -0,0 +1,68 @@
+From: Markus Koschany <apo@debian.org>
+Date: Fri, 28 Sep 2018 23:08:27 +0200
+Subject: CVE-2018-8020
+
+Origin: https://svn.apache.org/r1832863
+---
+ native/src/sslutils.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/native/src/sslutils.c b/native/src/sslutils.c
+index f7af4af..636c16d 100644
+--- a/native/src/sslutils.c
++++ b/native/src/sslutils.c
+@@ -532,7 +532,7 @@ static int ssl_verify_OCSP(int ok, X509_STORE_CTX *ctx)
+             break;
+         case OCSP_STATUS_UNKNOWN:
+             /* correct error code for application errors? */
+-            // X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
++            X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
+             break;
+         }
+     }
+@@ -1010,11 +1010,12 @@ end:
+ /* Process the OCSP_RESPONSE and returns the corresponding
+    answert according to the status.
+ */
+-static int process_ocsp_response(OCSP_RESPONSE *ocsp_resp)
++static int process_ocsp_response(OCSP_RESPONSE *ocsp_resp, X509 *cert, X509 *issuer)
+ {
+     int r, o = V_OCSP_CERTSTATUS_UNKNOWN, i;
+     OCSP_BASICRESP *bs;
+     OCSP_SINGLERESP *ss;
++    OCSP_CERTID *certid;
+ 
+     r = OCSP_response_status(ocsp_resp);
+ 
+@@ -1024,7 +1025,13 @@ static int process_ocsp_response(OCSP_RESPONSE *ocsp_resp)
+     }
+     bs = OCSP_response_get1_basic(ocsp_resp);
+ 
+-    ss = OCSP_resp_get0(bs,0); /* we know we have only 1 request */
++    certid = OCSP_cert_to_id(NULL, cert, issuer);
++    if (certid == NULL) {
++        OCSP_RESPONSE_free(ocsp_resp);
++        return OCSP_STATUS_UNKNOWN;
++    }
++    ss = OCSP_resp_get0(bs, OCSP_resp_find(bs, certid, -1)); /* find by serial number and get the matching response */
++
+ 
+     i = OCSP_single_get0_status(ss, NULL, NULL, NULL, NULL);
+     if (i == V_OCSP_CERTSTATUS_GOOD)
+@@ -1035,6 +1042,7 @@ static int process_ocsp_response(OCSP_RESPONSE *ocsp_resp)
+         o = OCSP_STATUS_UNKNOWN;
+ 
+     /* we clean up */
++    OCSP_CERTID_free(certid);
+     OCSP_RESPONSE_free(ocsp_resp);
+     return o;
+ }
+@@ -1067,7 +1075,7 @@ static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx)
+            approach is to iterate for all the possible ocsp urls */
+         resp = get_ocsp_response(cert, issuer, ocsp_urls[0]);
+         if (resp != NULL) {
+-            rv = process_ocsp_response(resp);
++            rv = process_ocsp_response(resp, cert, issuer);
+         } else {
+             /* correct error code for application errors? */
+             X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
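Review bot: In process_ocsp_response the `bs` obtained from `OCSP_response_get1_basic()` is neither NULL-checked before `OCSP_resp_find(bs, certid, -1)` nor released on any path, so a response without a basic payload dereferences NULL and every well-formed one leaks an OCSP_BASICRESP (the `get1` suffix hands ownership to the caller). The new lookup also passes the -1 "not found" index straight into `OCSP_resp_get0()` and then `OCSP_single_get0_status()`, relying on those calls tolerating it; testing the index explicitly and returning OCSP_STATUS_UNKNOWN makes the fail-closed intent of the fix visible. I cannot tell from this page whether the responder's signature is verified against the issuer (get_ocsp_response is outside the hunk), and matching on the serial alone does not authenticate the answer, so that is worth confirming. process_ocsp_response begins and ends outside this hunk; the rewrite below covers only the basic-response handling and cleanup.

```c
static int process_ocsp_response(OCSP_RESPONSE *ocsp_resp, X509 *cert, X509 *issuer)
{
    int r, o = V_OCSP_CERTSTATUS_UNKNOWN, i, idx;
    /* … unchanged: remaining declarations and OCSP_response_status() check … */
    bs = OCSP_response_get1_basic(ocsp_resp);
    if (bs == NULL) {
        OCSP_RESPONSE_free(ocsp_resp);
        return OCSP_STATUS_UNKNOWN;
    }
    certid = OCSP_cert_to_id(NULL, cert, issuer);
    if (certid == NULL) {
        OCSP_BASICRESP_free(bs);
        OCSP_RESPONSE_free(ocsp_resp);
        return OCSP_STATUS_UNKNOWN;
    }
    /* find the single response for this serial; -1 means the responder
       did not answer for this certificate, which must not count as good */
    idx = OCSP_resp_find(bs, certid, -1);
    ss = (idx >= 0) ? OCSP_resp_get0(bs, idx) : NULL;
    if (ss == NULL) {
        OCSP_CERTID_free(certid);
        OCSP_BASICRESP_free(bs);
        OCSP_RESPONSE_free(ocsp_resp);
        return OCSP_STATUS_UNKNOWN;
    }
    /* … unchanged: OCSP_single_get0_status() and status mapping … */
    /* we clean up */
    OCSP_CERTID_free(certid);
    OCSP_BASICRESP_free(bs);
    OCSP_RESPONSE_free(ocsp_resp);
    return o;
}
```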
diff -Nru tomcat-native-1.2.12/debian/patches/series tomcat-native-1.2.12/debian/patches/series
--- tomcat-native-1.2.12/debian/patches/series	2018-02-11 21:16:59.000000000 +0100
+++ tomcat-native-1.2.12/debian/patches/series	2018-09-28 23:51:20.000000000 +0200
@@ -1 +1,3 @@
 CVE-2017-15698.patch
+CVE-2018-8019.patch
+CVE-2018-8020.patch
