Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu
Hello,

similar to commons-httpclient [1], the Java team would like to fix CVE-2014-3577 for httpcomponents-client in wheezy. This package is the successor of commons-httpclient and is currently also affected by this exploitable MITM vulnerability. [2]

Please find attached the proposed debdiff against the version of httpcomponents-client 4.1.1-2 in wheezy.

Regards,

Markus

[1] https://bugs.debian.org/782663
[2] https://security-tracker.debian.org/tracker/CVE-2014-3577
diff -Nru httpcomponents-client-4.1.1/debian/changelog httpcomponents-client-4.1.1/debian/changelog
--- httpcomponents-client-4.1.1/debian/changelog	2012-04-02 01:31:57.000000000 +0200
+++ httpcomponents-client-4.1.1/debian/changelog	2015-04-18 14:46:12.000000000 +0200
@@ -1,3 +1,14 @@
+httpcomponents-client (4.1.1-2+deb7u1) wheezy; urgency=high
+
+  * Add CVE-2012-6153.patch and CVE-2014-3577.patch.
+    It was found that the fix for CVE-2012-5783 and CVE-2012-6153 was
+    incomplete. The code added to check that the server hostname matches the
+    domain name in the subject's CN field was flawed. This can be exploited by
+    a Man-in-the-middle (MITM) attack where the attacker can spoof a valid
+    certificate using a specially crafted subject.
+
+ -- Markus Koschany <a...@gambaru.de>  Sat, 18 Apr 2015 14:15:11 +0200
+
 httpcomponents-client (4.1.1-2) unstable; urgency=low
 
   * Add OSGi metadata to JAR manifest.
diff -Nru httpcomponents-client-4.1.1/debian/patches/CVE-2012-6153.patch httpcomponents-client-4.1.1/debian/patches/CVE-2012-6153.patch
--- httpcomponents-client-4.1.1/debian/patches/CVE-2012-6153.patch	1970-01-01 01:00:00.000000000 +0100
+++ httpcomponents-client-4.1.1/debian/patches/CVE-2012-6153.patch	2015-04-18 14:46:12.000000000 +0200
@@ -0,0 +1,57 @@
+From: Markus Koschany <a...@gambaru.de>
+Date: Sat, 18 Apr 2015 00:39:57 +0200
+Subject: CVE-2012-6153
+
+It was found that the fix for CVE-2012-5783 was incomplete.
+The code added to check that the server hostname matches the domain name in the
+subject's CN field was flawed. This can be exploited by a Man-in-the-middle
+(MITM) attack, where the attacker can spoof a valid certificate using a
+specially crafted subject.
+
+Fix for 4.2.x branch, upstream revision 1411705
+https://svn.apache.org/viewvc?view=revision&revision=1411705
+More information:
+https://bugzilla.redhat.com/show_bug.cgi?id=1129916
+---
+ .../java/org/apache/http/conn/ssl/AbstractVerifier.java | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java b/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
+index 547204a..d31d8c0 100644
+--- a/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
++++ b/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
+@@ -180,12 +180,12 @@ public abstract class AbstractVerifier implements X509HostnameVerifier {
+ 
+         // We're can be case-insensitive when comparing the host we used to
+         // establish the socket to the hostname in the certificate.
+-        String hostName = host.trim().toLowerCase(Locale.ENGLISH);
++        String hostName = host.trim().toLowerCase(Locale.US);
+         boolean match = false;
+         for(Iterator<String> it = names.iterator(); it.hasNext();) {
+             // Don't trim the CN, though!
+             String cn = it.next();
+-            cn = cn.toLowerCase(Locale.ENGLISH);
++            cn = cn.toLowerCase(Locale.US);
+             // Store CN in StringBuilder in case we need to report an error.
+             buf.append(" <");
+             buf.append(cn);
+@@ -260,13 +260,15 @@ public abstract class AbstractVerifier implements X509HostnameVerifier {
+             Looks like toString() even works with non-ascii domain names!
+             I tested it with "花子.co.jp" and it worked fine.
+         */
++
+         String subjectPrincipal = cert.getSubjectX500Principal().toString();
+         StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
+         while(st.hasMoreTokens()) {
+-            String tok = st.nextToken();
+-            int x = tok.indexOf("CN=");
+-            if(x >= 0) {
+-                cnList.add(tok.substring(x + 3));
++            String tok = st.nextToken().trim();
++            if (tok.length() > 3) {
++                if (tok.substring(0, 3).equalsIgnoreCase("CN=")) {
++                    cnList.add(tok.substring(3));
++                }
+             }
+         }
+         if(!cnList.isEmpty()) {
diff -Nru httpcomponents-client-4.1.1/debian/patches/CVE-2014-3577.patch httpcomponents-client-4.1.1/debian/patches/CVE-2014-3577.patch
--- httpcomponents-client-4.1.1/debian/patches/CVE-2014-3577.patch	1970-01-01 01:00:00.000000000 +0100
+++ httpcomponents-client-4.1.1/debian/patches/CVE-2014-3577.patch	2015-04-18 14:46:12.000000000 +0200
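Review bot: The rewritten loop in getCNs still hands the subject DN to `StringTokenizer(subjectPrincipal, ",")`, so the string is split on every comma with no regard to RFC 2253 escaping (the very caveat the surrounding comment raises) before the `CN=` prefix test runs; that is the incompleteness the next patch in the series, CVE-2014-3577.patch, removes by replacing this parser wholesale, so the series order must stay as it is. The DEP-3 description here does not say so; I would add a line such as `Note: the tokenizer-based CN parser kept here is replaced by CVE-2014-3577.patch.` The header also cites "Fix for 4.2.x branch, upstream revision 1411705" while the target is 4.1.1; if the hunks were adjusted for 4.1.x, the description should state that it is a backport.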
@@ -0,0 +1,147 @@
+From: Markus Koschany <a...@gambaru.de>
+Date: Sat, 18 Apr 2015 00:42:07 +0200
+Subject: CVE-2014-3577
+
+It was found that the fix for CVE-2012-6153 was incomplete. The code added to
+check that the server hostname matches the domain name in the subject's CN
+field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack
+where the attacker can spoof a valid certificate using a specially crafted
+subject.
+
+This patch was taken from
+http://pkgs.fedoraproject.org/cgit/httpcomponents-client.git/diff/0001-Fix-CVE-2014-3577.patch?h=f20
+
+More information:
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3577
+Links to upstream commits:
+https://bugzilla.redhat.com/show_bug.cgi?id=1129074#c4
+---
+ .../org/apache/http/conn/ssl/AbstractVerifier.java | 85 +++++++++++-----------
+ 1 file changed, 43 insertions(+), 42 deletions(-)
+
+diff --git a/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java b/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
+index d31d8c0..ce0cec6 100644
+--- a/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
++++ b/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
+@@ -28,7 +28,6 @@
+ package org.apache.http.conn.ssl;
+ 
+ import org.apache.http.annotation.Immutable;
+-
+ import org.apache.http.conn.util.InetAddressUtils;
+ 
+ import java.io.IOException;
+@@ -36,13 +35,20 @@ import java.io.InputStream;
+ import java.security.cert.Certificate;
+ import java.security.cert.CertificateParsingException;
+ import java.security.cert.X509Certificate;
++import java.util.ArrayList;
+ import java.util.Arrays;
+ import java.util.Collection;
+ import java.util.Iterator;
+ import java.util.LinkedList;
+ import java.util.List;
+ import java.util.Locale;
+-import java.util.StringTokenizer;
++import java.util.NoSuchElementException;
++import javax.naming.InvalidNameException;
++import javax.naming.NamingException;
++import javax.naming.directory.Attribute;
++import javax.naming.directory.Attributes;
++import javax.naming.ldap.LdapName;
++import javax.naming.ldap.Rdn;
+ import java.util.logging.Logger;
+ import java.util.logging.Level;
+ 
+@@ -144,7 +150,8 @@ public abstract class AbstractVerifier implements X509HostnameVerifier {
+ 
+     public final void verify(String host, X509Certificate cert)
+           throws SSLException {
+-        String[] cns = getCNs(cert);
++        final String subjectPrincipal = cert.getSubjectX500Principal().toString();
++        final String[] cns = extractCNs(subjectPrincipal);
+         String[] subjectAlts = getSubjectAlts(cert, host);
+         verify(host, cns, subjectAlts);
+     }
+@@ -236,48 +243,42 @@ public abstract class AbstractVerifier implements X509HostnameVerifier {
+         return true;
+     }
+ 
+-    public static String[] getCNs(X509Certificate cert) {
+-        LinkedList<String> cnList = new LinkedList<String>();
+-        /*
+-          Sebastian Hauer's original StrictSSLProtocolSocketFactory used
+-          getName() and had the following comment:
+-
+-            Parses a X.500 distinguished name for the value of the
+-            "Common Name" field. This is done a bit sloppy right
+-            now and should probably be done a bit more according to
+-            <code>RFC 2253</code>.
+-
+-          I've noticed that toString() seems to do a better job than
+-          getName() on these X500Principal objects, so I'm hoping that
+-          addresses Sebastian's concern.
+-
+-          For example, getName() gives me this:
+-          1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
+-
+-          whereas toString() gives me this:
+-          EMAILADDRESS=juliusdav...@cucbc.com
+-
+-          Looks like toString() even works with non-ascii domain names!
+-          I tested it with "花子.co.jp" and it worked fine.
+-        */
+-
+-        String subjectPrincipal = cert.getSubjectX500Principal().toString();
+-        StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
+-        while(st.hasMoreTokens()) {
+-            String tok = st.nextToken().trim();
+-            if (tok.length() > 3) {
+-                if (tok.substring(0, 3).equalsIgnoreCase("CN=")) {
+-                    cnList.add(tok.substring(3));
+-                }
+-            }
++    public static String[] getCNs(final X509Certificate cert) {
++        final String subjectPrincipal = cert.getSubjectX500Principal().toString();
++        try {
++            return extractCNs(subjectPrincipal);
++        } catch (SSLException ex) {
++            return null;
+         }
+-        if(!cnList.isEmpty()) {
+-            String[] cns = new String[cnList.size()];
+-            cnList.toArray(cns);
+-            return cns;
+-        } else {
++    }
++
++    static String[] extractCNs(final String subjectPrincipal) throws SSLException {
++        if (subjectPrincipal == null) {
+             return null;
+         }
++        final List<String> cns = new ArrayList<String>();
++        try {
++            final LdapName subjectDN = new LdapName(subjectPrincipal);
++            final List<Rdn> rdns = subjectDN.getRdns();
++            for (int i = rdns.size() - 1; i >= 0; i--) {
++                final Rdn rds = rdns.get(i);
++                final Attributes attributes = rds.toAttributes();
++                final Attribute cn = attributes.get("cn");
++                if (cn != null) {
++                    try {
++                        final Object value = cn.get();
++                        if (value != null) {
++                            cns.add(value.toString());
++                        }
++                    } catch (NoSuchElementException ignore) {
++                    } catch (NamingException ignore) {
++                    }
++                }
++            }
++        } catch (InvalidNameException e) {
++            throw new SSLException(subjectPrincipal + " is not a valid X500 distinguished name");
++        }
++        return cns.isEmpty() ? null : cns.toArray(new String[cns.size()]);
+     }
+ 
+     /**
diff -Nru httpcomponents-client-4.1.1/debian/patches/series httpcomponents-client-4.1.1/debian/patches/series
--- httpcomponents-client-4.1.1/debian/patches/series	2012-04-02 01:31:57.000000000 +0200
+++ httpcomponents-client-4.1.1/debian/patches/series	2015-04-18 14:46:12.000000000 +0200
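Review bot: In extractCNs the `catch (InvalidNameException e)` branch rethrows as `new SSLException(subjectPrincipal + " is not a valid X500 distinguished name")` and drops `e`, so the parser's reason never reaches the stack trace of the failed handshake; `throw new SSLException(subjectPrincipal + " is not a valid X500 distinguished name", e);` keeps the cause. The two empty `catch (NoSuchElementException ignore)` / `catch (NamingException ignore)` blocks deliberately skip a cn attribute whose value cannot be read, which deserves a comment such as `// cn attribute present but its value is unreadable: skip this RDN and continue with the rest`. extractCNs is new package-private API without Javadoc; a short one should say that CN values are collected from the last RDN to the first, that `null` is returned for a null DN or when no cn is present, and `@throws SSLException` when the string does not parse as an X.500 DN, since `verify(String, X509Certificate)` now propagates that exception while `getCNs` keeps returning `null`. Style: the `javax.naming.*` imports are inserted between `java.util.NoSuchElementException` and `java.util.logging.Logger`, splitting the `java.util` group.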
@@ -1,2 +1,4 @@
 00-fix_build.patch
 01-generate_osgi_metadata.patch
+CVE-2012-6153.patch
+CVE-2014-3577.patch