Bug#928553: stretch-pu: package libthrift-java/0.9.1-2.1~deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
The fix for CVE-2018-1320 was in sid (0.9.1-2.1) before the package got
removed, and is in jessie-lts (0.9.1-2+deb8u1), leaving stretch at an
older version than jessie-lts. So let's get it in stretch to restore
monotonic version ordering.
Andreas
diff -Nru libthrift-java-0.9.1/debian/changelog libthrift-java-0.9.1/debian/changelog
--- libthrift-java-0.9.1/debian/changelog 2014-10-17 00:28:43.000000000 +0200
+++ libthrift-java-0.9.1/debian/changelog 2019-05-07 03:44:09.000000000 +0200
@@ -1,3 +1,22 @@
+libthrift-java (0.9.1-2.1~deb9u1) stretch; urgency=medium
+
+ * Non-maintainer upload.
+ * Rebuild for stretch.
+
+ -- Andreas Beckmann <anbe@debian.org> Tue, 07 May 2019 03:44:09 +0200
+
+libthrift-java (0.9.1-2.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Fix CVE-2018-1320:
+ It was discovered that it was possible to bypass SASL negotiation
+ isComplete validation in the org.apache.thrift.transport.TSaslTransport
+ class. An assert used to determine if the SASL handshake had successfully
+ completed could be disabled in production settings making the validation
+ incomplete. (Closes: #918736)
+
+ -- Markus Koschany <apo@debian.org> Wed, 06 Feb 2019 19:04:12 +0100
+
libthrift-java (0.9.1-2) unstable; urgency=low
* Use 3.0 (quilt) source format.
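Review bot: the top stanza for 0.9.1-2.1~deb9u1 says only "Rebuild for stretch." and does not name CVE-2018-1320, so a reader who looks at just the newest entry sees no security content in this stable update. Consider adding one line to the ~deb9u1 entry stating that it brings the CVE-2018-1320 fix from 0.9.1-2.1 to stretch. Leave the already-uploaded 0.9.1-2.1 entry as it is.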
diff -Nru libthrift-java-0.9.1/debian/patches/CVE-2018-1320.patch libthrift-java-0.9.1/debian/patches/CVE-2018-1320.patch
--- libthrift-java-0.9.1/debian/patches/CVE-2018-1320.patch 1970-01-01 01:00:00.000000000 +0100
+++ libthrift-java-0.9.1/debian/patches/CVE-2018-1320.patch 2019-02-06 19:04:12.000000000 +0100
@@ -0,0 +1,32 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 6 Feb 2019 18:59:31 +0100
+Subject: CVE-2018-1320
+
+Bug-Debian: https://bugs.debian.org/918736
+Origin: https://github.com/apache/thrift/commit/d973409661f820d80d72c0034d06a12348c8705e
+---
+ src/org/apache/thrift/transport/TSaslTransport.java | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/src/org/apache/thrift/transport/TSaslTransport.java b/src/org/apache/thrift/transport/TSaslTransport.java
+index b54746c..2f62016 100644
+--- a/src/org/apache/thrift/transport/TSaslTransport.java
++++ b/src/org/apache/thrift/transport/TSaslTransport.java
+@@ -268,7 +268,7 @@ abstract class TSaslTransport extends TTransport {
+ if (message.status == NegotiationStatus.COMPLETE &&
+ getRole() == SaslRole.CLIENT) {
+ LOGGER.debug("{}: All done!", getRole());
+- break;
++ continue;
+ }
+
+ sendSaslMessage(sasl.isComplete() ? NegotiationStatus.COMPLETE : NegotiationStatus.OK,
+@@ -276,8 +276,6 @@ abstract class TSaslTransport extends TTransport {
+ }
+ LOGGER.debug("{}: Main negotiation loop complete", getRole());
+
+- assert sasl.isComplete();
+-
+ // If we're the client, and we're complete, but the server isn't
+ // complete yet, we need to wait for its response. This will occur
+ // with ANONYMOUS auth, for example, where we send an initial response
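Review bot: with "assert sasl.isComplete();" removed in the second inner hunk, nothing in the visible lines fails the handshake when the peer reports NegotiationStatus.COMPLETE while the local SASL object is not yet complete. Enforcement now rests entirely on the new "continue" returning control to the loop condition, and that condition lies outside the context shown at line 268. Please confirm that the loop header in 0.9.1 tests sasl.isComplete(), since the Origin commit postdates 0.9.1. The patch header also carries only Subject, Bug-Debian and Origin. Add a Description saying that the completion check moves from an assert, which the JVM skips unless assertions are enabled, to the loop condition, so the reason for the "break" to "continue" change is recorded with the patch.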
diff -Nru libthrift-java-0.9.1/debian/patches/series libthrift-java-0.9.1/debian/patches/series
--- libthrift-java-0.9.1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libthrift-java-0.9.1/debian/patches/series 2019-02-06 19:04:12.000000000 +0100
@@ -0,0 +1 @@
+CVE-2018-1320.patch