axis: CVE-2012-5784

Related Vulnerabilities: CVE-2012-5784   CVE-2012-5783  

Debian Bug report logs - #692650

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 8 Nov 2012 07:15:02 UTC

Severity: grave

Tags: patch, security

Fixed in versions axis/1.4-16.2, axis/1.4-17

Done: tony mancill <tmancill@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://issues.apache.org/jira/browse/AXIS-2883



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692650; Package axis. (Thu, 08 Nov 2012 07:15:04 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 08 Nov 2012 07:15:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: axis: CVE-2012-5784
Date: Thu, 08 Nov 2012 08:10:14 +0100
Package: axis
Severity: grave
Tags: security
Justification: user security hole

CVE-2012-5784 has been assigned to Axis being affected by the issues
described in this paper: http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
(See Section 8.1)

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692650; Package axis. (Sat, 17 Nov 2012 18:00:05 GMT) (full text, mbox, link).


Acknowledgement sent to infjaf@gmail.com:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 17 Nov 2012 18:00:05 GMT) (full text, mbox, link).


Message #10 received at 692650@bugs.debian.org (full text, mbox, reply):

From: Alberto Fernández <infjaf@gmail.com>
To: 692650@bugs.debian.org
Subject: patch
Date: Sat, 17 Nov 2012 18:57:22 +0100
[Message part 1 (text/plain, inline)]
Hi

I've made a patch (attached)

It's basically the same patch I've submitted to commons-httpclient
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692442).

This patch is tested in commons-httpclient but untested in axis (sorry).
[CVE-2012-5784.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692650; Package axis. (Thu, 22 Nov 2012 09:03:05 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 22 Nov 2012 09:03:05 GMT) (full text, mbox, link).


Message #15 received at 692650@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>
To: 692650@bugs.debian.org, 692442@bugs.debian.org, infjaf@gmail.com
Subject: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Thu, 22 Nov 2012 04:00:12 -0500
> I've backported the routine to validate the certificate name, and I've made
> a patch (attached).
>
> I'm not sure it's a good idea to apply the patch, it can break programs
> that connect with "bad" hostnames (IPs, host in /etc/hostname, etc.)

Would you mind getting your patches for these issues reviewed and
applied by the appropriate upstreams?

Thanks,
Mike



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692650; Package axis. (Thu, 22 Nov 2012 17:39:08 GMT) (full text, mbox, link).


Acknowledgement sent to infjaf@gmail.com:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 22 Nov 2012 17:39:08 GMT) (full text, mbox, link).


Message #20 received at 692650@bugs.debian.org (full text, mbox, reply):

From: Alberto Fernández <infjaf@gmail.com>
To: Michael Gilbert <mgilbert@debian.org>
Cc: 692650@bugs.debian.org, 692442@bugs.debian.org
Subject: Re: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Thu, 22 Nov 2012 18:37:26 +0100
Hi Mike,

I don't understand what you expect from me.
I've uploaded the patches to the BTS; I don't know what the next step is.
I suppose a maintainer would pick it from there.

If there's something I can do let me know.

Thanks,
Alberto

El jue, 22-11-2012 a las 04:00 -0500, Michael Gilbert escribió:
> > I've backported the routine to validate the certificate name, and I've made
> > a patch (attached).
> >
> > I'm not sure it's a good idea to apply the patch, it can break programs
> > that connect with "bad" hostnames (IPs, host in /etc/hostname, etc.)
> 
> Would you mind getting your patches for these issues reviewed and
> applied by the appropriate upstreams?
> 
> Thanks,
> Mike





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692650; Package axis. (Thu, 22 Nov 2012 23:09:10 GMT) (full text, mbox, link).


Acknowledgement sent to infjaf@gmail.com:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 22 Nov 2012 23:09:10 GMT) (full text, mbox, link).


Message #25 received at 692650@bugs.debian.org (full text, mbox, reply):

From: Alberto Fernández <infjaf@gmail.com>
To: Michael Gilbert <mgilbert@debian.org>
Cc: 692650@bugs.debian.org, 692442@bugs.debian.org
Subject: Re: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Fri, 23 Nov 2012 00:03:59 +0100
El jue, 22-11-2012 a las 04:00 -0500, Michael Gilbert escribió:
> > I've backported the routine to validate the certificate name, and I've made
> > a patch (attached).
> >
> > I'm not sure it's a good idea to apply the patch, it can break programs
> > that connect with "bad" hostnames (IPs, host in /etc/hostname, etc.)
> 
> Would you mind getting your patches for these issues reviewed and
> applied by the appropriate upstreams?
> 
> Thanks,
> Mike

Hi Mike

I've read your tip again.  Sorry for not understanding the first
time.

I'll prepare the patch again upstream, and post it on their BTS.








Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692650; Package axis. (Thu, 22 Nov 2012 23:30:03 GMT) (full text, mbox, link).


Acknowledgement sent to infjaf@gmail.com:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 22 Nov 2012 23:30:03 GMT) (full text, mbox, link).


Message #30 received at 692650@bugs.debian.org (full text, mbox, reply):

From: Alberto Fernández <infjaf@gmail.com>
To: 692650@bugs.debian.org
Subject: patch
Date: Fri, 23 Nov 2012 00:27:08 +0100
patch posted upstream:

https://issues.apache.org/jira/browse/AXIS-2883




Added tag(s) patch. Request was from Michael Banck <mbanck@debian.org> to control@bugs.debian.org. (Fri, 23 Nov 2012 18:27:03 GMT) (full text, mbox, link).


Set Bug forwarded-to-address to 'https://issues.apache.org/jira/browse/AXIS-2883'. Request was from Julian Taylor <jtaylor.debian@googlemail.com> to control@bugs.debian.org. (Sat, 24 Nov 2012 15:57:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692650; Package axis. (Wed, 05 Dec 2012 15:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Andreas Tille <tille@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 05 Dec 2012 15:45:03 GMT) (full text, mbox, link).


Message #39 received at 692650@bugs.debian.org (full text, mbox, reply):

From: Andreas Tille <tille@debian.org>
To: 692650@bugs.debian.org, Michael Gilbert <mgilbert@debian.org>, Alberto Fernández <infjaf@gmail.com>
Subject: Re: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Wed, 5 Dec 2012 16:43:12 +0100
Hi,

seems the package is ready for an upload.  Any reason why this is not
done?  I could sponsor an upload or NMU if this would help.

Kind regards

      Andreas.

-- 
http://fam-tille.de



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692650; Package axis. (Wed, 05 Dec 2012 17:06:03 GMT) (full text, mbox, link).


Acknowledgement sent to infjaf@gmail.com:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 05 Dec 2012 17:06:03 GMT) (full text, mbox, link).


Message #44 received at 692650@bugs.debian.org (full text, mbox, reply):

From: Alberto Fernández <infjaf@gmail.com>
To: Andreas Tille <tille@debian.org>
Cc: 692650@bugs.debian.org, Michael Gilbert <mgilbert@debian.org>
Subject: Re: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Wed, 05 Dec 2012 18:01:51 +0100
Hi,

I've uploaded the two packages to mentors.debian.net.

We must solve the two bugs at the same time because axis uses
commons-httpclient.

Upstream seems End-of-life and rejected the patches.

El mié, 05-12-2012 a las 16:43 +0100, Andreas Tille escribió:
> Hi,
> 
> seems the package is ready for an upload.  Any reason why this is not
> done?  I could sponsor an upload or NMU if this would help.
> 
> Kind regards
> 
>       Andreas.
> 





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692650; Package axis. (Wed, 05 Dec 2012 20:54:05 GMT) (full text, mbox, link).


Acknowledgement sent to Andreas Tille <tille@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 05 Dec 2012 20:54:05 GMT) (full text, mbox, link).


Message #49 received at 692650@bugs.debian.org (full text, mbox, reply):

From: Andreas Tille <tille@debian.org>
To: Alberto Fernández <infjaf@gmail.com>
Cc: 692650@bugs.debian.org, Michael Gilbert <mgilbert@debian.org>, 692442@bugs.debian.org
Subject: Re: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Wed, 5 Dec 2012 21:51:34 +0100
Hi Alberto,

On Wed, Dec 05, 2012 at 06:01:51PM +0100, Alberto Fernández wrote:
> I've uploaded the two packages to mentors.debian.net.
> 
> We must solve the two bugs at the same time because axis uses
> commons-httpclient.

I guess you mean bug #692442, right?
 
> Upstream seems End-of-life and rejected the patches.

Did upstream actively *reject* the patch because of technical flaws, or
did they just ignore it because of the end-of-life status?  There is no
real need to have a patch accepted upstream if we as Debian maintainers
agree that the patch is technically solving the reported problem.  We
actually do *not* want new upstream versions.

So as far as I see we currently have the following situation:  A package
for axis that solves #692650 is waiting on mentors for sponsoring.  I'd
volunteer to do this.  Did you upload commons-httpclient fixing
#692442 to mentors as well?  If not, I could also apply the patch in the BTS
and upload both to unstable.

Just tell me if there is any reason not to upload both packages.

Kind regards and thanks for providing the patches

    Andreas.

-- 
http://fam-tille.de



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692650; Package axis. (Wed, 05 Dec 2012 21:33:08 GMT) (full text, mbox, link).


Acknowledgement sent to infjaf@gmail.com:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 05 Dec 2012 21:33:08 GMT) (full text, mbox, link).


Message #54 received at 692650@bugs.debian.org (full text, mbox, reply):

From: Alberto Fernández <infjaf@gmail.com>
To: Andreas Tille <tille@debian.org>
Cc: 692650@bugs.debian.org, Michael Gilbert <mgilbert@debian.org>, 692442@bugs.debian.org
Subject: Re: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Wed, 05 Dec 2012 22:28:52 +0100
Hi Andreas

I've uploaded both packages to mentors.

commons-httpclient -> bug #692442 CVE-2012-5783
axis -> bug #692650 CVE-2012-5784

Since axis uses commons-httpclient, we need to fix and upload both
packages.

Upstream has ignored the axis patch and rejected the commons-httpclient patch.
Basically, they say commons-httpclient is EOL and they don't want to
spend time on it. They might apply the patch to the SVN, but
without a revision and without releasing.

I've tested the patches and they work ok. So I think it's fine to
upload.

Kind regards

Alberto

El mié, 05-12-2012 a las 21:51 +0100, Andreas Tille escribió:
> Hi Alberto,
> 
> On Wed, Dec 05, 2012 at 06:01:51PM +0100, Alberto Fernández wrote:
> > I've uploaded the two packages to mentors.debian.net.
> > 
> > We must solve the two bugs at the same time because axis uses
> > commons-httpclient.
> 
> I guess you mean bug #692442, right?
>  
> > Upstream seems End-of-life and rejected the patches.
> 
> Did upstream actively *reject* the patch because of technical flaws, or
> did they just ignore it because of the end-of-life status?  There is no
> real need to have a patch accepted upstream if we as Debian maintainers
> agree that the patch is technically solving the reported problem.  We
> actually do *not* want new upstream versions.
> 
> So as far as I see we currently have the following situation:  A package
> for axis that solves #692650 is waiting on mentors for sponsoring.  I'd
> volunteer to do this.  Did you upload commons-httpclient fixing
> #692442 to mentors as well?  If not, I could also apply the patch in the BTS
> and upload both to unstable.
> 
> Just tell me if there is any reason not to upload both packages.
> 
> Kind regards and thanks for providing the patches
> 
>     Andreas.
> 





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692650; Package axis. (Thu, 06 Dec 2012 01:48:05 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 06 Dec 2012 01:48:05 GMT) (full text, mbox, link).


Message #59 received at 692650@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>
To: infjaf@gmail.com
Cc: Andreas Tille <tille@debian.org>, 692650@bugs.debian.org, 692442@bugs.debian.org
Subject: Re: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Wed, 5 Dec 2012 20:45:26 -0500
> Hi Andreas
>
> I've uploaded both packages to mentors.
>
> commons-httpclient -> bug #692442 CVE-2012-5783
> axis -> bug #692650 CVE-2012-5784
>
> Since axis uses commons-httpclient, we need to fix and upload both
> packages.
>
> Upstream has ignored the axis patch and rejected the commons-httpclient patch.
> Basically, they say commons-httpclient is EOL and they don't want to
> spend time on it. They might apply the patch to the SVN, but
> without a revision and without releasing.

According to redhat, there is already an upstream patch for
httpclient, and it differs from yours in some ways:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5783

Please coordinate with them on that fix.

> I've tested the patches and they work ok. So I think it's fine to
> upload.

Please coordinate the axis patch with redhat since they don't have a
solution in their bug tracker yet either.  They will review your work:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5784

Best wishes,
Mike



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692650; Package axis. (Thu, 06 Dec 2012 04:03:05 GMT) (full text, mbox, link).


Acknowledgement sent to David Jorm <djorm@redhat.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 06 Dec 2012 04:03:05 GMT) (full text, mbox, link).


Message #64 received at 692650@bugs.debian.org (full text, mbox, reply):

From: David Jorm <djorm@redhat.com>
To: mgilbert@debian.org
Cc: infjaf@gmail.com, tille@debian.org, 692650@bugs.debian.org, 692442@bugs.debian.org
Subject: Re: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Thu, 06 Dec 2012 13:58:11 +1000
Hi All

The upstream patch for CVE-2012-5783 referred to in Red Hat bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=873317#c3

is the 4.x patch. As you've noted, there is no 3.x patch available and 
upstream won't provide one because it is EOL. I think Alberto's patch 
looks sane (from a brief check) with just one small issue. In this section:

+    private static String getCN(X509Certificate cert) {
+          // Note:  toString() seems to do a better job than getName()
+          //
+          // For example, getName() gives me this:
+          // 
1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
+          //
+          // whereas toString() gives me this:
+          // EMAILADDRESS=juliusdavies@cucbc.com
+        String subjectPrincipal = 
cert.getSubjectX500Principal().toString();
+        int x = subjectPrincipal.indexOf("CN=");
+        if (x >= 0) {
+            int y = subjectPrincipal.indexOf(',', x);
+            // If there are no more commas, then CN= is the last entry.
+            y = (y >= 0) ? y : subjectPrincipal.length();
+            return subjectPrincipal.substring(x + 3, y);
+        } else {
+            return null;
+        }
+    }
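Review bot: the search at `int x = subjectPrincipal.indexOf("CN=");` is not anchored to an RDN boundary, so a "CN=" that merely begins another attribute's value (the `OU=CN=www.example.com` case) is returned as the common name, and the `int y = subjectPrincipal.indexOf(',', x);` split cuts the CN value at any comma, including an escaped or quoted one inside the value, rather than at the end of the RDN. Suggest parsing the subject with an RDN-aware parser such as javax.naming.ldap.LdapName over `cert.getSubjectX500Principal().getName(X500Principal.RFC2253)`, whose format is specified (the `toString()` form relied on in the comment is not), reading the value of the CN attribute from the parsed RDN list, and consulting subjectAltName dNSName entries before falling back to the CN at all.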

If the subject DN includes something like "OU=CN=www.example.com", this 
function will treat it as a CN field. An attacker could use this to 
spoof a valid certificate and perform a man-in-the-middle attack. An 
attacker could get a trusted CA to issue them a certificate for 
CN=www.ownedbyattacker.com but then include in the CSR 
OU=CN=www.victim.com or include a subject DN element 
emailAddress="CN=www.victim.com,@ownedbyattacker.com". The attacker 
could then use this certificate to perform a MITM attack against victim.com.

This would of course rely on the CA allowing such a certificate to be 
issued, but I think it is highly likely an attacker could find a widely 
trusted CA that allowed this, while they couldn't get a trusted CA to 
issue them a certificate for CN=www.victim.com. I have already brought 
this flaw in the initial 4.x patch to the attention of upstream, and 
they have addressed it via the following commit:

http://svn.apache.org/viewvc?view=revision&revision=1411705

In my view the ideal solution would be to resolve the issue I noted 
above, and then have upstream commit the patch even if there is no 
further 3.x release, so at least all distributions can consume the patch 
from the upstream tree.

Regarding CVE-2012-5784, I need some more time to review the patch 
attached to AXIS-2883. Please stay tuned for more details.

Thanks again to Alberto for providing these patches!
--
David Jorm / Red Hat Security Response Team
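The subject DN parsing issue David describes, as an added example that is not part of the thread, the Debian patch, commons-httpclient or Axis: the substring search from the quoted hunk beside an RDN-aware lookup built on javax.naming.ldap.LdapName, run over constructed subject strings. The class name `CnExtraction` and the sample DNs are assumptions; in real code the string would come from `cert.getSubjectX500Principal().getName(X500Principal.RFC2253)`.

```java
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;

/*
 * Added example, not code from the Debian patch, commons-httpclient or Axis.
 * Contrasts the substring-based CN lookup quoted in the thread with an
 * RDN-aware lookup. Inputs are constructed RFC 2253 subject strings; in real
 * code they would come from
 * cert.getSubjectX500Principal().getName(X500Principal.RFC2253).
 */
public class CnExtraction {

    /** The logic of the patch's getCN(): first "CN=" up to the next comma. */
    static String naiveCn(String subjectDn) {
        int x = subjectDn.indexOf("CN=");
        if (x < 0) {
            return null;
        }
        int y = subjectDn.indexOf(',', x);
        y = (y >= 0) ? y : subjectDn.length();
        return subjectDn.substring(x + 3, y);
    }

    /**
     * Parse the DN into RDNs (escapes and quoted values are handled by
     * LdapName) and return the value of the CN attribute, or null if there
     * is none or the string does not parse. "OU=CN=www.victim.com" is one
     * RDN of type OU here and can never be mistaken for a common name.
     */
    static String rdnAwareCn(String subjectDn) {
        try {
            LdapName dn = new LdapName(subjectDn);
            // RFC 2253 strings list the most specific RDN first; LdapName
            // indexes them in reverse, so walk from the end of the list.
            for (int i = dn.size() - 1; i >= 0; i--) {
                Attribute cn = dn.getRdn(i).toAttributes().get("CN");
                if (cn != null) {
                    return String.valueOf(cn.get());
                }
            }
            return null;
        } catch (NamingException e) {
            return null; // unparseable subject: no usable CN, fail closed
        }
    }

    public static void main(String[] args) {
        // Constructed subjects, most specific RDN first as in RFC 2253.
        String[] subjects = {
            "CN=www.example.com,O=Example Corp,C=US",
            // An OU whose value merely starts with "CN=": only the substring
            // search is fooled and reports www.victim.com.
            "OU=CN=www.victim.com,CN=www.ownedbyattacker.com,O=Attacker",
            // Escaped comma inside the CN value: the substring search
            // truncates at the comma, the parser keeps the whole value.
            "CN=Example\\, Inc. Gateway,O=Example Corp",
        };
        for (String s : subjects) {
            System.out.println(s);
            System.out.println("  substring search: " + naiveCn(s));
            System.out.println("  RDN parser      : " + rdnAwareCn(s));
        }
    }
}
```

Even with the parser, the CN should only be consulted when the certificate carries no subjectAltName dNSName entries, which is the order the later httpclient code uses.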



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692650; Package axis. (Thu, 06 Dec 2012 07:09:11 GMT) (full text, mbox, link).


Acknowledgement sent to Andreas Tille <tille@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 06 Dec 2012 07:09:11 GMT) (full text, mbox, link).


Message #69 received at 692650@bugs.debian.org (full text, mbox, reply):

From: Andreas Tille <tille@debian.org>
To: David Jorm <djorm@redhat.com>
Cc: mgilbert@debian.org, infjaf@gmail.com, 692650@bugs.debian.org, 692442@bugs.debian.org
Subject: Re: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Thu, 6 Dec 2012 08:05:56 +0100
Hi,

thanks for the additional information.  Please note that I uploaded the
NMUed packages yesterday.  In case the "just one small issue" mentioned
by David below is serious, please reopen the bug report to prevent
migration to testing (I also filed unblock request bugs).

Kind regards

       Andreas.

On Thu, Dec 06, 2012 at 01:58:11PM +1000, David Jorm wrote:
> Hi All
> 
> The upstream patch for CVE-2012-5783 referred to in Red Hat bugzilla:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=873317#c3
> 
> is the 4.x patch. As you've noted, there is no 3.x patch available
> and upstream won't provide one because it is EOL. I think Alberto's
> patch looks sane (from a brief check) with just one small issue. In
> this section:
> 
> +    private static String getCN(X509Certificate cert) {
> +          // Note:  toString() seems to do a better job than getName()
> +          //
> +          // For example, getName() gives me this:
> +          // 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
> +          //
> +          // whereas toString() gives me this:
> +          // EMAILADDRESS=juliusdavies@cucbc.com
> +        String subjectPrincipal =
> cert.getSubjectX500Principal().toString();
> +        int x = subjectPrincipal.indexOf("CN=");
> +        if (x >= 0) {
> +            int y = subjectPrincipal.indexOf(',', x);
> +            // If there are no more commas, then CN= is the last entry.
> +            y = (y >= 0) ? y : subjectPrincipal.length();
> +            return subjectPrincipal.substring(x + 3, y);
> +        } else {
> +            return null;
> +        }
> +    }
> 
> If the subject DN includes something like "OU=CN=www.example.com",
> this function will treat it as a CN field. An attacker could use
> this to spoof a valid certificate and perform a man-in-the-middle
> attack. An attacker could get a trusted CA to issue them a
> certificate for CN=www.ownedbyattacker.com but then include in the
> CSR OU=CN=www.victim.com or include a subject DN element
> emailAddress="CN=www.victim.com,@ownedbyattacker.com". The attacker
> could then use this certificate to perform a MITM attack against
> victim.com.
> 
> This would of course rely on the CA allowing such a certificate to
> be issued, but I think it is highly likely an attacker could find a
> widely trusted CA that allowed this, while they couldn't get a
> trusted CA to issue them a certificate for CN=www.victim.com. I have
> already brought this flaw in the initial 4.x patch to the attention
> of upstream, and they have addressed it via the following commit:
> 
> http://svn.apache.org/viewvc?view=revision&revision=1411705
> 
> In my view the ideal solution would be to resolve the issue I noted
> above, and then have upstream commit the patch even if there is no
> further 3.x release, so at least all distributions can consume the
> patch from the upstream tree.
> 
> Regarding CVE-2012-5784, I need some more time to review the patch
> attached to AXIS-2883. Please stay tuned for more details.
> 
> Thanks again to Alberto for providing these patches!
> --
> David Jorm / Red Hat Security Response Team
> 

-- 
http://fam-tille.de



Reply sent to Alberto Fernández Martínez <infjaf@gmail.com>:
You have taken responsibility. (Thu, 06 Dec 2012 11:51:08 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Thu, 06 Dec 2012 11:51:08 GMT) (full text, mbox, link).


Message #74 received at 692650-close@bugs.debian.org (full text, mbox, reply):

From: Alberto Fernández Martínez <infjaf@gmail.com>
To: 692650-close@bugs.debian.org
Subject: Bug#692650: fixed in axis 1.4-16.1
Date: Thu, 06 Dec 2012 11:47:56 +0000
Source: axis
Source-Version: 1.4-16.1

We believe that the bug you reported is fixed in the latest version of
axis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 692650@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alberto Fernández Martínez <infjaf@gmail.com> (supplier of updated axis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 5 Dec 2012 17:28:00 +0100
Source: axis
Binary: libaxis-java libaxis-java-doc
Architecture: source all
Version: 1.4-16.1
Distribution: unstable
Urgency: low
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Alberto Fernández Martínez <infjaf@gmail.com>
Description: 
 libaxis-java - SOAP implementation in Java
 libaxis-java-doc - SOAP implementation in Java (documentation)
Closes: 692650
Changes: 
 axis (1.4-16.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Fix CVE-2012-5784 (Closes: #692650)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692650; Package axis. (Thu, 06 Dec 2012 12:51:06 GMT) (full text, mbox, link).


Acknowledgement sent to infjaf@gmail.com:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 06 Dec 2012 12:51:07 GMT) (full text, mbox, link).


Message #79 received at 692650@bugs.debian.org (full text, mbox, reply):

From: Alberto Fernández <infjaf@gmail.com>
To: Andreas Tille <tille@debian.org>
Cc: David Jorm <djorm@redhat.com>, mgilbert@debian.org, 692650@bugs.debian.org, 692442@bugs.debian.org
Subject: Re: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Thu, 06 Dec 2012 13:49:07 +0100
Hi All,

I've prepared the patch with the problem pointed out by David fixed (thanks
David). It also fixes a bug related to wildcard certificates.

The first patch is backported from httpclient 4.0 and Apache Synapse.

This second patch backports some fixes from httpclient 4.2.

The patch differs a lot from the 4.x line for two reasons: first, the code
architecture changed; second, I want to maintain the 3.1 API unchanged,
so all methods are private and only apply to one class.

The patch for axis and commons-httpclient is the same. In the function
where they create an SSLSocket, I've put the same routine to validate the
hostname against the certificate's valid names.

I'll upload the new patches in their place.
Please review them, and when ready I can upload a new package to mentors.

Thanks







Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692650; Package axis. (Thu, 06 Dec 2012 12:54:03 GMT) (full text, mbox, link).


Acknowledgement sent to Alberto Fernández <albfernandez@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 06 Dec 2012 12:54:03 GMT) (full text, mbox, link).


Message #84 received at 692650@bugs.debian.org (full text, mbox, reply):

From: Alberto Fernández <albfernandez@gmail.com>
To: 692650@bugs.debian.org
Subject: patch for axis CVE-2012-5784 (full patch)
Date: Thu, 06 Dec 2012 13:50:52 +0100
[Message part 1 (text/plain, inline)]

[CVE-2012-5784-2.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692650; Package axis. (Thu, 06 Dec 2012 13:03:07 GMT) (full text, mbox, link).


Acknowledgement sent to Andreas Tille <tille@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 06 Dec 2012 13:03:07 GMT) (full text, mbox, link).


Message #89 received at 692650@bugs.debian.org (full text, mbox, reply):

From: Andreas Tille <tille@debian.org>
To: Alberto Fernández <infjaf@gmail.com>
Cc: mgilbert@debian.org, 692650@bugs.debian.org, 692442@bugs.debian.org
Subject: Re: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Thu, 6 Dec 2012 13:58:08 +0100
Hi Alberto,

thanks for your continuous work on this.  As I said in my previous mail,
please remember to reopen the corresponding bugs to make sure the previous
solution will not migrate to testing.  I'll volunteer to sponsor your
new version if you confirm that this is needed to finally fix the issue.

Kind regards

       Andreas.

On Thu, Dec 06, 2012 at 01:49:07PM +0100, Alberto Fernández wrote:
> Hi All,
> 
> I've prepared the patch with the problem pointed out by David fixed (thanks
> David). It also fixes a bug related to wildcard certificates.
> 
> The first patch is backported from httpclient 4.0 and Apache Synapse.
> 
> This second patch backports some fixes from httpclient 4.2.
> 
> The patch differs a lot from the 4.x line for two reasons: first, the code
> architecture changed; second, I want to maintain the 3.1 API unchanged,
> so all methods are private and only apply to one class.
> 
> The patch for axis and commons-httpclient is the same. In the function
> where they create an SSLSocket, I've put the same routine to validate the
> hostname against the certificate's valid names.
> 
> I'll upload the new patches in their place.
> Please review them, and when ready I can upload a new package to mentors.
> 
> Thanks
> 
> 
> 
> 
> 

-- 
http://fam-tille.de



Bug reopened Request was from Alberto Fernández <infjaf@gmail.com> to control@bugs.debian.org. (Thu, 06 Dec 2012 14:09:07 GMT) (full text, mbox, link).


No longer marked as fixed in versions axis/1.4-16.1. Request was from Alberto Fernández <infjaf@gmail.com> to control@bugs.debian.org. (Thu, 06 Dec 2012 14:09:08 GMT) (full text, mbox, link).


Added blocking bug(s) of 692650: 692442 Request was from Alberto Fernández <infjaf@gmail.com> to control@bugs.debian.org. (Thu, 06 Dec 2012 14:09:09 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692650; Package axis. (Thu, 06 Dec 2012 18:06:05 GMT) (full text, mbox, link).


Acknowledgement sent to infjaf@gmail.com:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 06 Dec 2012 18:06:05 GMT) (full text, mbox, link).


Message #100 received at 692650@bugs.debian.org (full text, mbox, reply):

From: Alberto Fernández <infjaf@gmail.com>
To: Andreas Tille <tille@debian.org>
Cc: mgilbert@debian.org, 692650@bugs.debian.org, 692442@bugs.debian.org
Subject: Re: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Thu, 06 Dec 2012 19:02:54 +0100
Hi

I've uploaded new packages to mentors. I'll be out until Monday, so feel
free to review the patches and sponsor the new version if you are all
confident it's all ok.

I think now it's fine, but if you find some other bug or improvement,
I'll be happy to correct it.

I'll insist next week upstream to include the last fix.

On Thu, 06-12-2012 at 13:58 +0100, Andreas Tille wrote:
> Hi Alberto,
> 
> thanks for your continuous work on this.  As I said in my previous mail
> please remember to reopen the according bugs to make sure the previous
> solution will not migrate to testing.  I'll volunteer to sponsor your
> new version if you confirm that this is needed to finally fix the issue.
> 
> Kind regards
> 
>        Andreas.
> 
> On Thu, Dec 06, 2012 at 01:49:07PM +0100, Alberto Fernández wrote:
> > Hi All,
> > 
> > I've prepared the patch with the problem pointed out by David fixed (thanks
> > David). It also fixes a bug related to wildcard certificates.
> > 
> > The first patch is backported from httpclient 4.0 and apache synapse. 
> > 
> > This second patch backports some fixes from httpclient 4.2.
> > 
> > The patch differs a lot from the 4.x line for two reasons: first, the code
> > architecture changes; second, I want to maintain the 3.1 API unchanged,
> > so all methods are private and only apply to one class.
> > 
> > The patch for axis and commons-httpclient is the same. In the function
> > where they create an SSLSocket, I've put the same routine to validate the
> > hostname against the certificate's valid names.
> > 
> > I'll upload the new patches in their place.
> > Please review them and when ready I can upload a new package to mentors.
> > 
> > Thanks
> > 
> > 
> > 
> > 
> > 
> 





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692650; Package axis. (Thu, 06 Dec 2012 19:42:05 GMT) (full text, mbox, link).


Acknowledgement sent to Andreas Tille <tille@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 06 Dec 2012 19:42:05 GMT) (full text, mbox, link).


Message #105 received at 692650@bugs.debian.org (full text, mbox, reply):

From: Andreas Tille <tille@debian.org>
To: Alberto Fernández <infjaf@gmail.com>
Cc: mgilbert@debian.org, 692650@bugs.debian.org, 692442@bugs.debian.org
Subject: Re: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Thu, 6 Dec 2012 20:40:12 +0100
Hi,

On Thu, Dec 06, 2012 at 07:02:54PM +0100, Alberto Fernández wrote:
> Hi
> 
> I've uploaded new packages to mentors. I'll be out until Monday, so feel
> free to review the patches and sponsor the new version if you are all
> confident it's all ok.

I admit I'm no Java programmer and I do not feel competent to serve as a
reviewer for security relevant problems.  So again:  If the recently
uploaded packages

    axis 1.4-16.1
    commons-httpclient 3.1-10.1

remain a security risk we *definitely* need to reopen the bugs that were
closed with the upload.  This is needed for two reasons:

  1. Keep a record in BTS about the remaining problem
  2. Make sure release managers will accept only those packages that
     are closing RC bugs.

Can you please confirm whether the security risk remains or whether
there is just a bug that is not nice but no real security risk.

> I think now it's fine, but if you find some other bug or improvement,
> I'll be happy to correct it.
> 
> I'll insist next week upstream to include the last fix.

It's a good thing to convince upstream, but for the moment, for the Debian
release, we need to decide which fix will make it into our release (the
one just uploaded or your newly prepared patch).

Thanks for your work on this

     Andreas.
 
> On Thu, 06-12-2012 at 13:58 +0100, Andreas Tille wrote:
> > Hi Alberto,
> > 
> > thanks for your continuous work on this.  As I said in my previous mail
> > please remember to reopen the according bugs to make sure the previous
> > solution will not migrate to testing.  I'll volunteer to sponsor your
> > new version if you confirm that this is needed to finally fix the issue.
> > 
> > Kind regards
> > 
> >        Andreas.
> > 
> > On Thu, Dec 06, 2012 at 01:49:07PM +0100, Alberto Fernández wrote:
> > > Hi All,
> > > 
> > > I've prepared the patch with the problem pointed out by David fixed (thanks
> > > David). It also fixes a bug related to wildcard certificates.
> > > 
> > > The first patch is backported from httpclient 4.0 and apache synapse. 
> > > 
> > > This second patch backports some fixes from httpclient 4.2.
> > > 
> > > The patch differs a lot from the 4.x line for two reasons: first, the code
> > > architecture changes; second, I want to maintain the 3.1 API unchanged,
> > > so all methods are private and only apply to one class.
> > > 
> > > The patch for axis and commons-httpclient is the same. In the function
> > > where they create an SSLSocket, I've put the same routine to validate the
> > > hostname against the certificate's valid names.
> > > 
> > > I'll upload the new patches in their place.
> > > Please review them and when ready I can upload a new package to mentors.
> > > 
> > > Thanks
> > > 
> > > 
> > > 
> > > 
> > > 
> > 
> 
> 
> 

-- 
http://fam-tille.de



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692650; Package axis. (Thu, 06 Dec 2012 20:06:09 GMT) (full text, mbox, link).


Acknowledgement sent to infjaf@gmail.com:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 06 Dec 2012 20:06:09 GMT) (full text, mbox, link).


Message #110 received at 692650@bugs.debian.org (full text, mbox, reply):

From: Alberto Fernández <infjaf@gmail.com>
To: Andreas Tille <tille@debian.org>
Cc: mgilbert@debian.org, 692650@bugs.debian.org, 692442@bugs.debian.org
Subject: Re: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Thu, 06 Dec 2012 21:03:25 +0100
Hi

I've reopened the two bugs.

The first patch was incomplete, as pointed out by David and by another bug
I've found reviewing the code.

The bug pointed out by David can occur in some rare cases where the CA
issues malformed certificates. It's rare, but there are many CAs...
The other bug is about wildcard certificate validation. The first
patch incorrectly validates some cases. They're also rare cases of
certificates of type aaaa*.xxx.com.

Both are very rare cases, but I think they must be fixed before release.

In outline, hostnames correctly validated:
original -> 0% (no validation at all)
first patch -> ¿99%? 
           Never fails with valid certificates, 
           blocks the majority of invalid requests,
           allows a few rare cases which should be blocked.
second patch -> 100%. I hope.


Thanks for your patience
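The three stages Alberto outlines (no check at all, a CN/wildcard check with gaps, a stricter check) are the behaviour of a TLS hostname verifier. The Python below is an added example written for this page; it is not code from the axis or commons-httpclient patches in this thread, and the language is chosen only because the matching rules are independent of the Java code they were backported into. It mirrors the two points the thread names, CN extraction from a subject DN that may be malformed (missing or empty CN, escaped commas) and wildcard matching including a partial-label pattern such as aaaa*.xxx.com, on constructed certificate names. The precedence rule, SAN dNSName entries first and the CN only as a fallback, follows RFC 6125 and is an assumption of this example, not a statement about what the backported patch does.

```python
import re
from typing import List, Optional

# Matches one attribute of an RFC 2253-style DN string such as
# "CN=www.example.com, O=Example". A value may contain escaped commas ("\,").
_DN_ATTR_RE = re.compile(r"(?P<key>[A-Za-z]+)=(?P<val>(?:\\.|[^,])*)")


def extract_cn(subject_dn: str) -> Optional[str]:
    """Return the CN attribute of a subject DN, or None if there is no usable CN.

    Returning None for a missing or empty CN (rather than the whole DN or an
    empty string) is what keeps a malformed certificate from matching anything.
    """
    for m in _DN_ATTR_RE.finditer(subject_dn):
        if m.group("key").upper() != "CN":
            continue
        value = re.sub(r"\\(.)", r"\1", m.group("val")).strip()  # unescape "\,"
        return value or None
    return None


def match_name(host: str, pattern: str) -> bool:
    """Compare a hostname against one certificate name (CN or SAN dNSName).

    Rules: case-insensitive; a trailing dot is ignored; a single '*' is allowed
    only in the leftmost label, matches within that one label only (never across
    a dot), may carry a literal prefix/suffix ("aaaa*"), and the wildcard label
    must be followed by at least two labels so that "*.com" never matches.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return host == pattern

    labels = pattern.split(".")
    first, parent = labels[0], labels[1:]
    if first.count("*") != 1 or any("*" in lab for lab in parent) or len(parent) < 2:
        return False

    host_labels = host.split(".")
    if len(host_labels) != len(labels) or host_labels[1:] != parent:
        return False

    prefix, suffix = first.split("*")
    hl = host_labels[0]
    return (
        bool(hl)
        and len(hl) >= len(prefix) + len(suffix)
        and hl.startswith(prefix)
        and hl.endswith(suffix)
    )


def verify_hostname(host: str, subject_dn: str, san_dns_names: List[str]) -> bool:
    """Decide whether a certificate is valid for `host`.

    Assumption (RFC 6125): when the certificate carries any SAN dNSName entries
    they are authoritative and the subject CN is not consulted at all.
    """
    candidates = list(san_dns_names) if san_dns_names else []
    if not candidates:
        cn = extract_cn(subject_dn)
        if cn is None:
            return False
        candidates = [cn]
    return any(match_name(host, name) for name in candidates)


if __name__ == "__main__":
    # Constructed certificate data for illustration, not from any real certificate.
    checks = [
        ("www.example.com", "CN=www.example.com, O=Example", []),
        ("www.example.com", "CN=*.example.com, O=Example", []),
        ("a.b.example.com", "CN=*.example.com, O=Example", []),
        ("aaaabbbb.xxx.com", "CN=aaaa*.xxx.com", []),
        ("bbbb.xxx.com", "CN=aaaa*.xxx.com", []),
        ("www.example.com", "O=Example", []),
        ("www.example.com", "CN=www.example.com", ["other.example.com"]),
    ]
    for host, dn, sans in checks:
        print(f"{host:18} {dn:32} sans={sans!r:22} -> {verify_hostname(host, dn, sans)}")
```

The cases worth keeping in a regression test are the ones the thread calls rare: a DN with no CN must fail closed rather than match, and a partial-label wildcard must only match hosts that actually carry the literal prefix.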





Reply sent to Alberto Fernández Martínez <infjaf@gmail.com>:
You have taken responsibility. (Fri, 07 Dec 2012 09:36:03 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Fri, 07 Dec 2012 09:36:03 GMT) (full text, mbox, link).


Message #115 received at 692650-close@bugs.debian.org (full text, mbox, reply):

From: Alberto Fernández Martínez <infjaf@gmail.com>
To: 692650-close@bugs.debian.org
Subject: Bug#692650: fixed in axis 1.4-16.2
Date: Fri, 07 Dec 2012 09:32:45 +0000
Source: axis
Source-Version: 1.4-16.2

We believe that the bug you reported is fixed in the latest version of
axis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 692650@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alberto Fernández Martínez <infjaf@gmail.com> (supplier of updated axis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 6 Dec 2012 14:28:00 +0100
Source: axis
Binary: libaxis-java libaxis-java-doc
Architecture: source all
Version: 1.4-16.2
Distribution: unstable
Urgency: low
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Alberto Fernández Martínez <infjaf@gmail.com>
Description: 
 libaxis-java - SOAP implementation in Java
 libaxis-java-doc - SOAP implementation in Java (documentation)
Closes: 692650
Changes: 
 axis (1.4-16.2) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Fix CVE-2012-5784 (Closes: #692650)
   * Fix CN extraction from DN of X500 principal.
   * Fix wildcard validation on ssl connections
Checksums-Sha1: 
 48f38fa463e1c0897a9e52c04ac691ffb195d7ae 1602 axis_1.4-16.2.dsc
 8f578501c50e7d1a342ba40da7ada21f0508d896 11868 axis_1.4-16.2.debian.tar.gz
 5bd1b2d03f2c53f044edc451ac6d171f05b6fd43 1494606 libaxis-java_1.4-16.2_all.deb
 c9d5ceacfb918dd6f7feab2b8b287426dabbb04f 2036068 libaxis-java-doc_1.4-16.2_all.deb
Checksums-Sha256: 
 88dce098ba6314366bc365cd04897ae057e8b9d863b3a991d37a6c044fc6967a 1602 axis_1.4-16.2.dsc
 a844225b1c10b50e59ff9ed295e9d01db4546451400eb611780e77e94878b227 11868 axis_1.4-16.2.debian.tar.gz
 032d34c27629460224bed4ab314c4e1475af22633bb2e00bdfdbe56100f7d194 1494606 libaxis-java_1.4-16.2_all.deb
 d7def35539b836ab97e408eb1a20058789a519cc02ac4cfb73d4d2bc82188781 2036068 libaxis-java-doc_1.4-16.2_all.deb
Files: 
 e4970d88f7ffbeca4944d92d15ab15f4 1602 java optional axis_1.4-16.2.dsc
 16b495a03148b42d2ceec1e2a351b2e5 11868 java optional axis_1.4-16.2.debian.tar.gz
 9602c21a20bea96e5d901f1a4e0afccc 1494606 java optional libaxis-java_1.4-16.2_all.deb
 cabf67754524fa146cb1803efbc59987 2036068 doc optional libaxis-java-doc_1.4-16.2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlDBtzAACgkQYDBbMcCf01rmegCeO+D1kGu17NdOSNWaD8CeJH1u
uRsAoJ9c8DzzWXirqDaVFvrJ43fENEUq
=oY9m
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692650; Package axis. (Mon, 10 Dec 2012 03:09:05 GMT) (full text, mbox, link).


Acknowledgement sent to David Jorm <djorm@redhat.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 10 Dec 2012 03:09:05 GMT) (full text, mbox, link).


Message #120 received at 692650@bugs.debian.org (full text, mbox, reply):

From: David Jorm <djorm@redhat.com>
To: infjaf@gmail.com, 692442@bugs.debian.org
Cc: Andreas Tille <tille@debian.org>, mgilbert@debian.org, 692650@bugs.debian.org
Subject: Re: Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Mon, 10 Dec 2012 13:08:15 +1000
Thanks Alberto! Could I ask that to finalize this, you attach both 
revised patches to the upstream bugs (HTTPCLIENT-1265 and AXIS-2883) and 
ask upstream to commit them?

Thanks again
David

On 12/07/2012 04:02 AM, Alberto Fernández wrote:
> Hi
>
> I've uploaded new packages to mentors. I'll be out until Monday, so feel
> free to review the patches and sponsor the new version if you are all
> confident it's all ok.
>
> I think now it's fine, but if you find some other bug or improvement,
> I'll be happy to correct it.
>
> I'll insist next week upstream to include the last fix.
>
> On Thu, 06-12-2012 at 13:58 +0100, Andreas Tille wrote:
>> Hi Alberto,
>>
>> thanks for your continuous work on this.  As I said in my previous mail
>> please remember to reopen the according bugs to make sure the previous
>> solution will not migrate to testing.  I'll volunteer to sponsor your
>> new version if you confirm that this is needed to finally fix the issue.
>>
>> Kind regards
>>
>>         Andreas.
>>
>> On Thu, Dec 06, 2012 at 01:49:07PM +0100, Alberto Fernández wrote:
>>> Hi All,
>>>
>>> I've prepared the patch with the problem pointed out by David fixed (thanks
>>> David). It also fixes a bug related to wildcard certificates.
>>>
>>> The first patch is backported from httpclient 4.0 and apache synapse.
>>>
>>> This second patch backports some fixes from httpclient 4.2.
>>>
>>> The patch differs a lot from the 4.x line for two reasons: first, the code
>>> architecture changes; second, I want to maintain the 3.1 API unchanged,
>>> so all methods are private and only apply to one class.
>>>
>>> The patch for axis and commons-httpclient is the same. In the function
>>> where they create an SSLSocket, I've put the same routine to validate the
>>> hostname against the certificate's valid names.
>>>
>>> I'll upload the new patches in their place.
>>> Please review them and when ready I can upload a new package to mentors.
>>>
>>> Thanks
>>>
>>>
>>>
>>>
>>>




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692650; Package axis. (Tue, 11 Dec 2012 23:27:05 GMT) (full text, mbox, link).


Acknowledgement sent to infjaf@gmail.com:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 11 Dec 2012 23:27:05 GMT) (full text, mbox, link).


Message #125 received at 692650@bugs.debian.org (full text, mbox, reply):

From: Alberto Fernández <infjaf@gmail.com>
To: David Jorm <djorm@redhat.com>
Cc: 692442@bugs.debian.org, Andreas Tille <tille@debian.org>, mgilbert@debian.org, 692650@bugs.debian.org
Subject: Re: Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Wed, 12 Dec 2012 00:25:36 +0100
Hi.

Both patches are attached to the upstream JIRA, and I reopened HTTPCLIENT-1265.
Waiting for a response.

Kind regards
 Alberto




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692650; Package axis. (Sun, 16 Dec 2012 14:30:05 GMT) (full text, mbox, link).


Acknowledgement sent to Alberto Fernández <albfernandez@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 16 Dec 2012 14:30:05 GMT) (full text, mbox, link).


Message #130 received at 692650@bugs.debian.org (full text, mbox, reply):

From: Alberto Fernández <albfernandez@gmail.com>
To: David Jorm <djorm@redhat.com>
Cc: 692442@bugs.debian.org, 692650@bugs.debian.org
Subject: patch applied to commons-httpclient upstream
Date: Sun, 16 Dec 2012 15:27:32 +0100
Hi

The patch is applied upstream:

http://svn.apache.org/viewvc?view=revision&revision=1422573


http://svn.apache.org/repos/asf/httpcomponents/oac.hc3x/trunk


Kind Regards

  Alberto




Reply sent to tony mancill <tmancill@debian.org>:
You have taken responsibility. (Tue, 05 Feb 2013 06:51:06 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Tue, 05 Feb 2013 06:51:07 GMT) (full text, mbox, link).


Message #135 received at 692650-close@bugs.debian.org (full text, mbox, reply):

From: tony mancill <tmancill@debian.org>
To: 692650-close@bugs.debian.org
Subject: Bug#692650: fixed in axis 1.4-17
Date: Tue, 05 Feb 2013 06:47:35 +0000
Source: axis
Source-Version: 1.4-17

We believe that the bug you reported is fixed in the latest version of
axis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 692650@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmancill@debian.org> (supplier of updated axis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 04 Feb 2013 22:14:27 -0800
Source: axis
Binary: libaxis-java libaxis-java-doc
Architecture: source all
Version: 1.4-17
Distribution: experimental
Urgency: low
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmancill@debian.org>
Description: 
 libaxis-java - SOAP implementation in Java
 libaxis-java-doc - SOAP implementation in Java (documentation)
Closes: 653992 692650
Changes: 
 axis (1.4-17) experimental; urgency=low
 .
   * Team upload.
 .
   [ Jakub Adam ]
   * Use bnd to generate OSGi metadata.
   * Remove Michael Koch from Uploaders (Closes: #653992).
     - Thanks for your contribution to this package.
   * Bump Standards-Version to 3.9.4.
 .
   [ tony mancill ]
   * Acknowledge NMU:  Thank you to Alberto Fernández Martínez.
     - Fix CVE-2012-5784 (Closes: #692650)
   * Update d/copyright to add lintian warnings.
Checksums-Sha1: 
 ed0ae7c356250cfad55bb2c2506ade8724719fd6 2204 axis_1.4-17.dsc
 cccbc630ed05487fb0c0a589d1f42b7e99aa20b4 11634 axis_1.4-17.debian.tar.gz
 ec8e43299f4d85649cf112189fc034f323050a84 1496628 libaxis-java_1.4-17_all.deb
 fbdf6c3f956b904a6101c84ec2a90f71768da890 2037044 libaxis-java-doc_1.4-17_all.deb
Checksums-Sha256: 
 c1bf9af70c7fdcd2002c3f12c9cef1ec96ade17ea1e9bb330f5d9cef55d99430 2204 axis_1.4-17.dsc
 9ef8159e3b25499629e0bee100b33ea1b69579dc61fe9a43dda78c1c906ce805 11634 axis_1.4-17.debian.tar.gz
 a0135db55fdf75f3d81f6dd879622bc9e9cbd0256bdc70a7eb2f542a357c82b5 1496628 libaxis-java_1.4-17_all.deb
 a7edc77983df8314c5f70367eef51af72f820b892f41ac335fe66ba6bf4e2238 2037044 libaxis-java-doc_1.4-17_all.deb
Files: 
 4059016df119efb53d335963b963c726 2204 java optional axis_1.4-17.dsc
 e2aa34f05e9dde72dd4685d1eed595f3 11634 java optional axis_1.4-17.debian.tar.gz
 b9bc5d65fe85bedf992ea91ce7f4b18e 1496628 java optional libaxis-java_1.4-17_all.deb
 59566de4241473a8db3f4eff0d524330 2037044 doc optional libaxis-java-doc_1.4-17_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
=CH1e
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 08:00:06 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:18:34 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.