CVE-2012-5783: Insecure certificate validation

Related Vulnerabilities: CVE-2012-5783, CVE-2012-5784

Debian Bug report logs - #692442

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Tue, 6 Nov 2012 11:00:01 UTC

Severity: important

Tags: fixed-upstream, patch, security

Fixed in version commons-httpclient/3.1-10.2

Done: Alberto Fernández Martínez <infjaf@gmail.com>

Bug is archived. No further changes may be made.

Forwarded to https://issues.apache.org/jira/browse/HTTPCLIENT-1265



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692442; Package commons-httpclient. (Tue, 06 Nov 2012 11:00:03 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 06 Nov 2012 11:00:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-5783: Insecure certificate validation
Date: Tue, 06 Nov 2012 11:54:59 +0100
Package: commons-httpclient
Severity: important
Tags: security

Please see Section 7.5 of this paper:
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

This has been assigned CVE-2012-5783. I'm not sure if we can backport more
correct certificate validation to 3.x, but independent of that it might
make sense to introduce the 4.x codebase to the archive?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692442; Package commons-httpclient. (Sat, 17 Nov 2012 17:12:03 GMT) (full text, mbox, link).


Acknowledgement sent to infjaf@gmail.com:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 17 Nov 2012 17:12:03 GMT) (full text, mbox, link).


Message #10 received at 692442@bugs.debian.org (full text, mbox, reply):

From: Alberto Fernández <infjaf@gmail.com>
To: 692442@bugs.debian.org
Subject: patch
Date: Sat, 17 Nov 2012 18:08:02 +0100
[Message part 1 (text/plain, inline)]
Hi

I've backported the routine to validate certificate name, and I've made
a patch (attached).

I'm not sure it's a good idea to apply the patch; it can break programs
that connect with "bad" hostnames (IPs, host in /etc/hostname, etc.)
[CVE-2012-5783.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692442; Package commons-httpclient. (Thu, 22 Nov 2012 09:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 22 Nov 2012 09:03:03 GMT) (full text, mbox, link).


Message #15 received at 692442@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>
To: 692650@bugs.debian.org, 692442@bugs.debian.org, infjaf@gmail.com
Subject: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Thu, 22 Nov 2012 04:00:12 -0500
> I've backported the routine to validate certificate name, and I've made
> a patch (attached).
>
> I'm not sure it's a good idea to apply the patch; it can break programs
> that connect with "bad" hostnames (IPs, host in /etc/hostname, etc.)

Would you mind getting your patches for these issues reviewed and
applied by the appropriate upstreams?

Thanks,
Mike



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692442; Package commons-httpclient. (Thu, 22 Nov 2012 17:39:06 GMT) (full text, mbox, link).


Acknowledgement sent to infjaf@gmail.com:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 22 Nov 2012 17:39:06 GMT) (full text, mbox, link).


Message #20 received at 692442@bugs.debian.org (full text, mbox, reply):

From: Alberto Fernández <infjaf@gmail.com>
To: Michael Gilbert <mgilbert@debian.org>
Cc: 692650@bugs.debian.org, 692442@bugs.debian.org
Subject: Re: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Thu, 22 Nov 2012 18:37:26 +0100
Hi Mike,

I don't understand what you expect from me.
I've uploaded the patches to the BTS, I don't know what the next step is.
I suppose a maintainer would pick it from there.

If there's something I can do let me know.

Thanks,
Alberto

El jue, 22-11-2012 a las 04:00 -0500, Michael Gilbert escribió:
> > I've backported the routine to validate certificate name, and I've made
> > a patch (attached).
> >
> > I'm not sure it's a good idea to apply the patch; it can break programs
> > that connect with "bad" hostnames (IPs, host in /etc/hostname, etc.)
> 
> Would you mind getting your patches for these issues reviewed and
> applied by the appropriate upstreams?
> 
> Thanks,
> Mike





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692442; Package commons-httpclient. (Thu, 22 Nov 2012 23:09:08 GMT) (full text, mbox, link).


Acknowledgement sent to infjaf@gmail.com:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 22 Nov 2012 23:09:08 GMT) (full text, mbox, link).


Message #25 received at 692442@bugs.debian.org (full text, mbox, reply):

From: Alberto Fernández <infjaf@gmail.com>
To: Michael Gilbert <mgilbert@debian.org>
Cc: 692650@bugs.debian.org, 692442@bugs.debian.org
Subject: Re: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Fri, 23 Nov 2012 00:03:59 +0100
El jue, 22-11-2012 a las 04:00 -0500, Michael Gilbert escribió:
> > I've backported the routine to validate certificate name, and I've made
> > a patch (attached).
> >
> > I'm not sure it's a good idea to apply the patch; it can break programs
> > that connect with "bad" hostnames (IPs, host in /etc/hostname, etc.)
> 
> Would you mind getting your patches for these issues reviewed and
> applied by the appropriate upstreams?
> 
> Thanks,
> Mike

Hi Mike

I've read your tip again.  Sorry for not understanding the first
time.

I'll prepare the patch again upstream, and post it on their BTS.








Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692442; Package commons-httpclient. (Thu, 22 Nov 2012 23:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Alberto Fernández <albfernandez@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 22 Nov 2012 23:21:03 GMT) (full text, mbox, link).


Message #30 received at 692442@bugs.debian.org (full text, mbox, reply):

From: Alberto Fernández <albfernandez@gmail.com>
To: 692442@bugs.debian.org
Subject: patch upstream
Date: Fri, 23 Nov 2012 00:18:33 +0100
Here is the patch posted to upstream:

https://issues.apache.org/jira/browse/HTTPCLIENT-1265




Set Bug forwarded-to-address to 'https://issues.apache.org/jira/browse/HTTPCLIENT-1265'. Request was from Alberto Fernandez <infjaf@gmail.com> to control@bugs.debian.org. (Sat, 24 Nov 2012 18:03:07 GMT) (full text, mbox, link).


Added tag(s) patch. Request was from Alberto Fernandez <infjaf@gmail.com> to control@bugs.debian.org. (Sat, 24 Nov 2012 18:09:07 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 29 Nov 2012 16:45:33 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692442; Package commons-httpclient. (Wed, 05 Dec 2012 20:54:03 GMT) (full text, mbox, link).


Acknowledgement sent to Andreas Tille <tille@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 05 Dec 2012 20:54:03 GMT) (full text, mbox, link).


Message #41 received at 692442@bugs.debian.org (full text, mbox, reply):

From: Andreas Tille <tille@debian.org>
To: Alberto Fernández <infjaf@gmail.com>
Cc: 692650@bugs.debian.org, Michael Gilbert <mgilbert@debian.org>, 692442@bugs.debian.org
Subject: Re: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Wed, 5 Dec 2012 21:51:34 +0100
Hi Alberto,

On Wed, Dec 05, 2012 at 06:01:51PM +0100, Alberto Fernández wrote:
> I've uploaded the two packages to mentors.debian.net.
> 
> We must solve the two bugs at the same time because axis uses
> commons-httpclient.

I guess you mean bug #692442, right?
 
> Upstream seems End-of-life and rejected the patches.

Did upstream actively *reject* the patch because of technical flaws or
did they just ignore it because of the end-of-life status?  There is no
real need to have a patch accepted upstream if we as Debian maintainers
agree that the patch is technically solving the reported problem.  We
actually do *not* want new upstream versions.

So as far as I see we currently have the following situation:  A package
for axis that solves #692650 is waiting on mentors for sponsoring.  I'd
volunteer to do this.  Did you upload commons-httpclient fixing
#692442 to mentors as well?  If not I could also apply the patch in BTS
and upload both to unstable.

Just tell me if there is any reason not to upload both of these packages.

Kind regards and thanks for providing the patches

    Andreas.

-- 
http://fam-tille.de



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692442; Package commons-httpclient. (Wed, 05 Dec 2012 21:33:06 GMT) (full text, mbox, link).


Acknowledgement sent to infjaf@gmail.com:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 05 Dec 2012 21:33:06 GMT) (full text, mbox, link).


Message #46 received at 692442@bugs.debian.org (full text, mbox, reply):

From: Alberto Fernández <infjaf@gmail.com>
To: Andreas Tille <tille@debian.org>
Cc: 692650@bugs.debian.org, Michael Gilbert <mgilbert@debian.org>, 692442@bugs.debian.org
Subject: Re: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Wed, 05 Dec 2012 22:28:52 +0100
Hi Andreas

I've uploaded both packages to mentors.

commons-httpclient -> bug #692442 CVE-2012-5783
axis -> bug #692650 CVE-2012-5784

Since axis uses commons-httpclient, we need to fix and upload both
packages.

Upstream has ignored the axis patch, and rejected the commons-httpclient patch.
Basically, they say commons-httpclient is EOL and they don't want to
spend time on it. They maybe would apply the patch to the SVN, but
without revision and without releasing.

I've tested the patches and they work ok. So I think it's fine to
upload.

Kind regards

Alberto

El mié, 05-12-2012 a las 21:51 +0100, Andreas Tille escribió:
> Hi Alberto,
> 
> On Wed, Dec 05, 2012 at 06:01:51PM +0100, Alberto Fernández wrote:
> > I've uploaded the two packages to mentors.debian.net.
> > 
> > We must solve the two bugs at the same time because axis uses
> > commons-httpclient.
> 
> I guess you mean bug #692442, right?
>  
> > Upstream seems End-of-life and rejected the patches.
> 
> Did upstream actively *reject* the patch because of technical flaws or
> did they just ignore it because of the end-of-life status?  There is no
> real need to have a patch accepted upstream if we as Debian maintainers
> agree that the patch is technically solving the reported problem.  We
> actually do *not* want new upstream versions.
> 
> So as far as I see we currently have the following situation:  A package
> for axis that solves #692650 is waiting on mentors for sponsoring.  I'd
> volunteer to do this.  Did you upload commons-httpclient fixing
> #692442 to mentors as well?  If not I could also apply the patch in BTS
> and upload both to unstable.
> 
> Just tell me if there is any reason not to upload both of these packages.
> 
> Kind regards and thanks for providing the patches
> 
>     Andreas.
> 





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692442; Package commons-httpclient. (Thu, 06 Dec 2012 01:48:03 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 06 Dec 2012 01:48:03 GMT) (full text, mbox, link).


Message #51 received at 692442@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>
To: infjaf@gmail.com
Cc: Andreas Tille <tille@debian.org>, 692650@bugs.debian.org, 692442@bugs.debian.org
Subject: Re: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Wed, 5 Dec 2012 20:45:26 -0500
> Hi Andreas
>
> I've uploaded both packages to mentors.
>
> commons-httpclient -> bug #692442 CVE-2012-5783
> axis -> bug #692650 CVE-2012-5784
>
> Since axis uses commons-httpclient, we need to fix and upload both
> packages.
>
> Upstream has ignored the axis patch, and rejected the commons-httpclient patch.
> Basically, they say commons-httpclient is EOL and they don't want to
> spend time on it. They maybe would apply the patch to the SVN, but
> without revision and without releasing.

According to redhat, there is already an upstream patch for
httpclient, and it differs from yours in some ways:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5783

Please coordinate with them on that fix.

> I've tested the patches and they work ok. So I think it's fine to
> upload.

Please coordinate the axis patch with redhat since they don't have a
solution in their bug tracker yet either.  They will review your work:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5784

Best wishes,
Mike



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692442; Package commons-httpclient. (Thu, 06 Dec 2012 04:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to David Jorm <djorm@redhat.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 06 Dec 2012 04:03:03 GMT) (full text, mbox, link).


Message #56 received at 692442@bugs.debian.org (full text, mbox, reply):

From: David Jorm <djorm@redhat.com>
To: mgilbert@debian.org
Cc: infjaf@gmail.com, tille@debian.org, 692650@bugs.debian.org, 692442@bugs.debian.org
Subject: Re: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Thu, 06 Dec 2012 13:58:11 +1000
Hi All

The upstream patch for CVE-2012-5783 referred to in Red Hat bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=873317#c3

Is the 4.x patch. As you've noted, there is no 3.x patch available and 
upstream won't provide one because it is EOL. I think Alberto's patch 
looks sane (from a brief check) with just one small issue. In this section:

+    private static String getCN(X509Certificate cert) {
+          // Note:  toString() seems to do a better job than getName()
+          //
+          // For example, getName() gives me this:
+          // 
1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
+          //
+          // whereas toString() gives me this:
+          // EMAILADDRESS=juliusdavies@cucbc.com
+        String subjectPrincipal = 
cert.getSubjectX500Principal().toString();
+        int x = subjectPrincipal.indexOf("CN=");
+        if (x >= 0) {
+            int y = subjectPrincipal.indexOf(',', x);
+            // If there are no more commas, then CN= is the last entry.
+            y = (y >= 0) ? y : subjectPrincipal.length();
+            return subjectPrincipal.substring(x + 3, y);
+        } else {
+            return null;
+        }
+    }
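Review bot: indexOf("CN=") finds the first occurrence of those three characters anywhere in the DN string rather than at the start of an RDN, so the value of any other attribute that happens to contain "CN=" (the OU=CN=... and emailAddress="CN=...,..." shapes discussed in this message) is returned as the common name, and the indexOf(',') cut has the mirror problem, truncating a CN whose value contains an escaped or quoted comma. Suggest parsing the DN into RDNs (for example javax.naming.ldap.LdapName over getName(X500Principal.RFC2253)) and returning the value of the RDN whose attribute type is CN instead of searching the string. The quoted copy is also line-wrapped at the "1.2.840.113549..." comment and at "cert.getSubjectX500Principal().toString();", so this hunk will not apply as pasted.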

If the subject DN includes something like "OU=CN=www.example.com", this 
function will treat it as a CN field. An attacker could use this to 
spoof a valid certificate and perform a man-in-the-middle attack. An 
attacker could get a trusted CA to issue them a certificate for 
CN=www.ownedbyattacker.com but then include in the CSR 
OU=CN=www.victim.com or include a subject DN element 
emailAddress="CN=www.victim.com,@ownedbyattacker.com". The attacker 
could then use this certificate to perform a MITM attack against victim.com.

This would of course rely on the CA allowing such a certificate to be 
issued, but I think it is highly likely an attacker could find a widely 
trusted CA that allowed this, while they couldn't get a trusted CA to 
issue them a certificate for CN=www.victim.com. I have already brought 
this flaw in the initial 4.x patch to the attention of upstream, and 
they have addressed it via the following commit:

http://svn.apache.org/viewvc?view=revision&revision=1411705

In my view the ideal solution would be to resolve the issue I noted 
above, and then have upstream commit the patch even if there is no 
further 3.x release, so at least all distributions can consume the patch 
from the upstream tree.

Regarding CVE-2012-5784, I need some more time to review the patch 
attached to AXIS-2883. Please stay tuned for more details.

Thanks again to Alberto for providing these patches!
--
David Jorm / Red Hat Security Response Team
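The substring lookup from the quoted hunk beside an RDN-based lookup, as an added example that is not code from the bug report or from the Debian or upstream patches. The DN strings are constructed for the demo and both routines take a DN string rather than a certificate; a real caller would pass cert.getSubjectX500Principal().getName(X500Principal.RFC2253), the form LdapName is built to parse:

```java
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added example: the substring-based CN lookup from the quoted patch next to
// an RDN-based lookup. Not part of the Debian or upstream patches.
public class CnExtraction {

    // Reproduces the approach of getCN() in the quoted hunk, on a DN string:
    // find "CN=" anywhere in the string and cut at the next comma.
    static String cnBySubstring(String dn) {
        int x = dn.indexOf("CN=");
        if (x < 0) {
            return null;
        }
        int y = dn.indexOf(',', x);
        y = (y >= 0) ? y : dn.length();
        return dn.substring(x + 3, y);
    }

    // Parses the DN with the RFC 2253 parser in javax.naming.ldap and returns
    // the value of the most specific RDN whose attribute type is CN, or null.
    // "CN=" inside the value of an OU or emailAddress attribute is never taken
    // for a CN, and escaped or quoted commas inside a value are preserved.
    static String cnByRdn(String dn) {
        LdapName name;
        try {
            name = new LdapName(dn);
        } catch (InvalidNameException e) {
            return null; // unparsable DN: treat as "no CN present"
        }
        List<Rdn> rdns = name.getRdns();
        // LdapName stores RDNs right to left: index 0 is the rightmost (least
        // specific) component, so walk backwards to reach the leftmost CN.
        for (int i = rdns.size() - 1; i >= 0; i--) {
            Rdn rdn = rdns.get(i);
            if ("CN".equalsIgnoreCase(rdn.getType()) && rdn.getValue() instanceof String) {
                return (String) rdn.getValue();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed subject DNs in RFC 2253 string form. The second and
        // third have the shapes described in David Jorm's message; the fourth
        // shows the comma cut truncating a legitimate CN.
        String[] dns = {
            "CN=www.example.com,O=Example Corp,C=US",
            "OU=CN=www.victim.com,CN=www.ownedbyattacker.com,O=Example Corp",
            "EMAILADDRESS=\"CN=www.victim.com,@ownedbyattacker.com\",CN=www.ownedbyattacker.com",
            "CN=www.example.com\\, Inc,O=Example Corp",
            "O=No Common Name Here,C=US",
        };
        for (String dn : dns) {
            System.out.println(dn);
            System.out.println("  substring -> " + cnBySubstring(dn));
            System.out.println("  rdn       -> " + cnByRdn(dn));
        }
    }
}
```

For the second and third DNs the substring lookup returns www.victim.com while the RDN lookup returns www.ownedbyattacker.com, the only CN actually present; whichever name is extracted must then still be compared against the requested host.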



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692442; Package commons-httpclient. (Thu, 06 Dec 2012 07:09:09 GMT) (full text, mbox, link).


Acknowledgement sent to Andreas Tille <tille@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 06 Dec 2012 07:09:09 GMT) (full text, mbox, link).


Message #61 received at 692442@bugs.debian.org (full text, mbox, reply):

From: Andreas Tille <tille@debian.org>
To: David Jorm <djorm@redhat.com>
Cc: mgilbert@debian.org, infjaf@gmail.com, 692650@bugs.debian.org, 692442@bugs.debian.org
Subject: Re: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Thu, 6 Dec 2012 08:05:56 +0100
Hi,

thanks for the additional information.  Please note that I uploaded the
NMUed packages yesterday.  In case the "just one small issue" mentioned
by David below is serious, please reopen the bug report to prevent
migration to testing (I also filed unblock request bugs).

Kind regards

       Andreas.

On Thu, Dec 06, 2012 at 01:58:11PM +1000, David Jorm wrote:
> Hi All
> 
> The upstream patch for CVE-2012-5783 referred to in Red Hat bugzilla:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=873317#c3
> 
> Is the 4.x patch. As you've noted, there is no 3.x patch available
> and upstream won't provide one because it is EOL. I think Alberto's
> patch looks sane (from a brief check) with just one small issue. In
> this section:
> 
> +    private static String getCN(X509Certificate cert) {
> +          // Note:  toString() seems to do a better job than getName()
> +          //
> +          // For example, getName() gives me this:
> +          // 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
> +          //
> +          // whereas toString() gives me this:
> +          // EMAILADDRESS=juliusdavies@cucbc.com
> +        String subjectPrincipal =
> cert.getSubjectX500Principal().toString();
> +        int x = subjectPrincipal.indexOf("CN=");
> +        if (x >= 0) {
> +            int y = subjectPrincipal.indexOf(',', x);
> +            // If there are no more commas, then CN= is the last entry.
> +            y = (y >= 0) ? y : subjectPrincipal.length();
> +            return subjectPrincipal.substring(x + 3, y);
> +        } else {
> +            return null;
> +        }
> +    }
> 
> If the subject DN includes something like "OU=CN=www.example.com",
> this function will treat it as a CN field. An attacker could use
> this to spoof a valid certificate and perform a man-in-the-middle
> attack. An attacker could get a trusted CA to issue them a
> certificate for CN=www.ownedbyattacker.com but then include in the
> CSR OU=CN=www.victim.com or include a subject DN element
> emailAddress="CN=www.victim.com,@ownedbyattacker.com". The attacker
> could then use this certificate to perform a MITM attack against
> victim.com.
> 
> This would of course rely on the CA allowing such a certificate to
> be issued, but I think it is highly likely an attacker could find a
> widely trusted CA that allowed this, while they couldn't get a
> trusted CA to issue them a certificate for CN=www.victim.com. I have
> already brought this flaw in the initial 4.x patch to the attention
> of upstream, and they have addressed it via the following commit:
> 
> http://svn.apache.org/viewvc?view=revision&revision=1411705
> 
> In my view the ideal solution would be to resolve the issue I noted
> above, and then have upstream commit the patch even if there is no
> further 3.x release, so at least all distributions can consume the
> patch from the upstream tree.
> 
> Regarding CVE-2012-5784, I need some more time to review the patch
> attached to AXIS-2883. Please stay tuned for more details.
> 
> Thanks again to Alberto for providing these patches!
> --
> David Jorm / Red Hat Security Response Team
> 

-- 
http://fam-tille.de



Reply sent to Alberto Fernández Martínez <infjaf@gmail.com>:
You have taken responsibility. (Thu, 06 Dec 2012 11:51:06 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Thu, 06 Dec 2012 11:51:06 GMT) (full text, mbox, link).


Message #66 received at 692442-close@bugs.debian.org (full text, mbox, reply):

From: Alberto Fernández Martínez <infjaf@gmail.com>
To: 692442-close@bugs.debian.org
Subject: Bug#692442: fixed in commons-httpclient 3.1-10.1
Date: Thu, 06 Dec 2012 11:50:21 +0000
Source: commons-httpclient
Source-Version: 3.1-10.1

We believe that the bug you reported is fixed in the latest version of
commons-httpclient, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 692442@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alberto Fernández Martínez <infjaf@gmail.com> (supplier of updated commons-httpclient package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Wed, 5 Dec 2012 17:28:00 +0100
Source: commons-httpclient
Binary: libcommons-httpclient-java libcommons-httpclient-java-doc
Architecture: source all
Version: 3.1-10.1
Distribution: unstable
Urgency: low
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Alberto Fernández Martínez <infjaf@gmail.com>
Description: 
 libcommons-httpclient-java - A Java(TM) library for creating HTTP clients
 libcommons-httpclient-java-doc - Documentation for libcommons-httpclient-java
Closes: 692442
Changes: 
 commons-httpclient (3.1-10.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Fix CVE-2012-5783 (Closes: #692442)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692442; Package commons-httpclient. (Thu, 06 Dec 2012 12:51:03 GMT) (full text, mbox, link).


Acknowledgement sent to infjaf@gmail.com:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 06 Dec 2012 12:51:03 GMT) (full text, mbox, link).


Message #71 received at 692442@bugs.debian.org (full text, mbox, reply):

From: Alberto Fernández <infjaf@gmail.com>
To: Andreas Tille <tille@debian.org>
Cc: David Jorm <djorm@redhat.com>, mgilbert@debian.org, 692650@bugs.debian.org, 692442@bugs.debian.org
Subject: Re: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Thu, 06 Dec 2012 13:49:07 +0100
Hi All,

I've prepared the patch with the problem pointed by David fixed (thanks
David). It also fixes a bug related to wildcard certificates.

The first patch is backported from httpclient 4.0 and Apache Synapse.

This second patch backports some fixes from httpclient 4.2.

The patch differs a lot from the 4.x line for two reasons: first, the code
architecture changed; second, I want to maintain the 3.1 API unchanged,
so all methods are private and only apply to one class.

The patch for axis and commons-httpclient is the same. In the function
where they create an SSLSocket, I've put the same routine to validate the
hostname against the certificate's valid names.

I'll upload the new patches in their place.
Please review them and when ready I can upload a new package to mentors.

Thanks
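The hostname check the message refers to, as an added example that is not the Debian or upstream patch code: the requested host is matched against the certificate's dNSName SANs (or, only when there are none, the subject CN) using the single left-most-label wildcard rule of RFC 2818 and RFC 6125. Certificate names and hosts are constructed for the demo.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

// Added example, not code from the Debian or upstream patches: the hostname
// check a TLS client must do after the handshake, comparing the requested
// host against the certificate's names with the single-label wildcard rule.
public class HostnameCheck {

    // Normalise a name for comparison: trim, lower-case, drop one trailing dot.
    static String norm(String s) {
        String n = s.trim().toLowerCase(Locale.ROOT);
        return n.endsWith(".") ? n.substring(0, n.length() - 1) : n;
    }

    // Rough test for an IPv4/IPv6 literal; a wildcard never matches those.
    static boolean looksLikeIpLiteral(String host) {
        return host.indexOf(':') >= 0 || host.matches("\\d{1,3}(\\.\\d{1,3}){3}");
    }

    // Does one certificate name (subject CN or dNSName SAN) match the host?
    //  - without '*': exact, case-insensitive comparison
    //  - with '*': only as the entire left-most label ("*.example.com"), it
    //    matches exactly one label, and the rest must have at least two
    //    labels, so "*.com" and "*" can never match anything.
    static boolean nameMatches(String host, String certName) {
        String h = norm(host);
        String p = norm(certName);
        if (p.indexOf('*') < 0) {
            return h.equals(p);
        }
        if (looksLikeIpLiteral(h) || !p.startsWith("*.")) {
            return false;
        }
        String suffix = p.substring(1);                   // ".example.com"
        String[] labels = suffix.substring(1).split("\\.", -1);
        if (suffix.indexOf('*') >= 0 || labels.length < 2) {
            return false;
        }
        for (String l : labels) {
            if (l.isEmpty()) {
                return false;                             // "*..com" and similar
            }
        }
        if (!h.endsWith(suffix)) {
            return false;
        }
        String head = h.substring(0, h.length() - suffix.length());
        return !head.isEmpty() && head.indexOf('.') < 0;  // exactly one label
    }

    // Verify the host against the certificate's names. When dNSName SANs are
    // present only they count; the subject CN is a fallback for certificates
    // without any (RFC 2818 section 3.1, RFC 6125 section 6.4.4).
    static boolean verifyHostname(String host, String subjectCn, List<String> dnsSans) {
        List<String> names;
        if (dnsSans != null && !dnsSans.isEmpty()) {
            names = dnsSans;
        } else if (subjectCn != null) {
            names = Collections.singletonList(subjectCn);
        } else {
            names = Collections.emptyList();
        }
        for (String n : names) {
            if (nameMatches(host, n)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed certificate names and requested hosts.
        List<String> sans = Arrays.asList("www.example.com", "*.example.net");
        String[] hosts = {"www.example.com", "WWW.EXAMPLE.COM.", "api.example.net",
                          "a.b.example.net", "example.net", "www.example.org", "192.0.2.10"};
        for (String host : hosts) {
            System.out.println(host + " -> " + verifyHostname(host, "www.example.com", sans));
        }
        // With SANs present the CN is ignored, even when it would match.
        System.out.println("CN-only match with SANs present -> "
            + verifyHostname("mail.example.com", "mail.example.com", Arrays.asList("www.example.com")));
        // Without SANs the CN is used, but an over-broad wildcard still fails.
        System.out.println("CN fallback -> " + verifyHostname("www.example.com", "www.example.com", null));
        System.out.println("*.com -> " + verifyHostname("example.com", "*.com", null));
    }
}
```

Only the first three hosts and the CN-fallback case verify; every other line prints false, including the CN-only match once SANs are present.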







Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692442; Package commons-httpclient. (Thu, 06 Dec 2012 12:51:04 GMT) (full text, mbox, link).


Acknowledgement sent to Alberto Fernández <albfernandez@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 06 Dec 2012 12:51:05 GMT) (full text, mbox, link).


Message #76 received at 692442@bugs.debian.org (full text, mbox, reply):

From: Alberto Fernández <albfernandez@gmail.com>
To: 692442@bugs.debian.org
Subject: new patch for commons-httpclient CVE-2012-5783 (full patch)
Date: Thu, 06 Dec 2012 13:50:03 +0100
[Message part 1 (text/plain, inline)]

[CVE-2012-5783-2.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692442; Package commons-httpclient. (Thu, 06 Dec 2012 13:03:05 GMT) (full text, mbox, link).


Acknowledgement sent to Andreas Tille <tille@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 06 Dec 2012 13:03:05 GMT) (full text, mbox, link).


Message #81 received at 692442@bugs.debian.org (full text, mbox, reply):

From: Andreas Tille <tille@debian.org>
To: Alberto Fernández <infjaf@gmail.com>
Cc: mgilbert@debian.org, 692650@bugs.debian.org, 692442@bugs.debian.org
Subject: Re: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Thu, 6 Dec 2012 13:58:08 +0100
Hi Alberto,

thanks for your continuous work on this.  As I said in my previous mail,
please remember to reopen the corresponding bugs to make sure the previous
solution will not migrate to testing.  I'll volunteer to sponsor your
new version if you confirm that this is needed to finally fix the issue.

Kind regards

       Andreas.

On Thu, Dec 06, 2012 at 01:49:07PM +0100, Alberto Fernández wrote:
> Hi All,
> 
> I've prepared the patch with the problem pointed by David fixed (thanks
> David). It also fixes a bug related to wildcard certificates.
> 
> The first patch is backported from httpclient 4.0 and Apache Synapse.
> 
> This second patch backports some fixes from httpclient 4.2.
> 
> The patch differs a lot from the 4.x line for two reasons: first, the code
> architecture changed; second, I want to maintain the 3.1 API unchanged,
> so all methods are private and only apply to one class.
> 
> The patch for axis and commons-httpclient is the same. In the function
> where they create an SSLSocket, I've put the same routine to validate the
> hostname against the certificate's valid names.
> 
> I'll upload the new patches in their place.
> Please review them and when ready I can upload a new package to mentors.
> 
> Thanks
> 
> 
> 
> 
> 

-- 
http://fam-tille.de



Bug reopened Request was from Alberto Fernández <infjaf@gmail.com> to control@bugs.debian.org. (Thu, 06 Dec 2012 14:09:08 GMT) (full text, mbox, link).


No longer marked as fixed in versions commons-httpclient/3.1-10.1. Request was from Alberto Fernández <infjaf@gmail.com> to control@bugs.debian.org. (Thu, 06 Dec 2012 14:09:09 GMT) (full text, mbox, link).


Added indication that bug 692442 blocks 692650 Request was from Alberto Fernández <infjaf@gmail.com> to control@bugs.debian.org. (Thu, 06 Dec 2012 14:09:10 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692442; Package commons-httpclient. (Thu, 06 Dec 2012 18:06:03 GMT) (full text, mbox, link).


Acknowledgement sent to infjaf@gmail.com:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 06 Dec 2012 18:06:03 GMT) (full text, mbox, link).


Message #92 received at 692442@bugs.debian.org (full text, mbox, reply):

From: Alberto Fernández <infjaf@gmail.com>
To: Andreas Tille <tille@debian.org>
Cc: mgilbert@debian.org, 692650@bugs.debian.org, 692442@bugs.debian.org
Subject: Re: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Thu, 06 Dec 2012 19:02:54 +0100
Hi

I've uploaded new packages to mentors. I'll be out until Monday, so feel
free to review the patches and sponsor the new version if you are all
confident it's all ok.

I think now it's fine, but if you find some other bug or improvement,
I'll be happy to correct it.

I'll insist next week upstream to include the last fix.

El jue, 06-12-2012 a las 13:58 +0100, Andreas Tille escribió:
> Hi Alberto,
> 
> thanks for your continuous work on this.  As I said in my previous mail,
> please remember to reopen the corresponding bugs to make sure the previous
> solution will not migrate to testing.  I'll volunteer to sponsor your
> new version if you confirm that this is needed to finally fix the issue.
> 
> Kind regards
> 
>        Andreas.
> 
> On Thu, Dec 06, 2012 at 01:49:07PM +0100, Alberto Fernández wrote:
> > Hi All,
> > 
> > I've prepared the patch with the problem pointed out by David fixed (thanks
> > David). It also fixes a bug related to wildcard certificates.
> > 
> > The first patch is backported from httpclient 4.0 and Apache Synapse.
> > 
> > This second patch backports some fixes from httpclient 4.2.
> > 
> > The patch differs a lot from the 4.x line for two reasons: first, the code
> > architecture changes; second, I want to maintain the 3.1 API unchanged,
> > so all methods are private and only apply to one class.
> > 
> > The patch for axis and commons-httpclient is the same. In the function
> > where they create an SSLSocket, I've put the same routine to validate the
> > hostname against the certificate's valid names.
> > 
> > I'll upload the new patches in their place.
> > Please review them and when ready I can upload a new package to mentors.
> > 
> > Thanks
> > 
> 





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692442; Package commons-httpclient. (Thu, 06 Dec 2012 19:42:03 GMT)


Acknowledgement sent to Andreas Tille <tille@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 06 Dec 2012 19:42:03 GMT)


Message #97 received at 692442@bugs.debian.org:

From: Andreas Tille <tille@debian.org>
To: Alberto Fernández <infjaf@gmail.com>
Cc: mgilbert@debian.org, 692650@bugs.debian.org, 692442@bugs.debian.org
Subject: Re: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Thu, 6 Dec 2012 20:40:12 +0100
Hi,

On Thu, Dec 06, 2012 at 07:02:54PM +0100, Alberto Fernández wrote:
> Hi
> 
> I've uploaded new packages to mentors. I'll be out until Monday, so feel
> free to review the patches and sponsor the new version if you are all
> confident it's all ok.

I admit I'm no Java programmer and I do not feel competent to serve as a
reviewer for security relevant problems.  So again:  If the recently
uploaded packages

    axis 1.4-16.1
    commons-httpclient 3.1-10.1

remain a security risk we *definitely* need to reopen the bugs that were
closed with the upload.  This is needed for two reasons:

  1. Keep a record in BTS about the remaining problem
  2. Make sure release managers will accept only those packages that
     are closing RC bugs.

Can you please confirm whether the security risk remains, or whether
there is just a bug that is not nice but no real security risk?

> I think now it's fine, but if you find some other bug or improvement,
> I'll be happy to correct it.
> 
> Next week I'll insist that upstream include the last fix.

It's a good thing to convince upstream, but for the moment, for the Debian
release, we need to decide which fix will make it into our release (the
one just uploaded or your newly prepared patch).

Thanks for your work on this

     Andreas.
 
> On Thu, 06-12-2012 at 13:58 +0100, Andreas Tille wrote:
> > Hi Alberto,
> > 
> > thanks for your continuous work on this.  As I said in my previous mail
> > please remember to reopen the according bugs to make sure the previous
> > solution will not migrate to testing.  I'll volunteer to sponsor your
> > new version if you confirm that this is needed to finally fix the issue.
> > 
> > Kind regards
> > 
> >        Andreas.
> > 
> > On Thu, Dec 06, 2012 at 01:49:07PM +0100, Alberto Fernández wrote:
> > > Hi All,
> > > 
> > > I've prepared the patch with the problem pointed out by David fixed (thanks
> > > David). It also fixes a bug related to wildcard certificates.
> > > 
> > > The first patch is backported from httpclient 4.0 and Apache Synapse.
> > > 
> > > This second patch backports some fixes from httpclient 4.2.
> > > 
> > > The patch differs a lot from the 4.x line for two reasons: first, the code
> > > architecture changes; second, I want to maintain the 3.1 API unchanged,
> > > so all methods are private and only apply to one class.
> > > 
> > > The patch for axis and commons-httpclient is the same. In the function
> > > where they create an SSLSocket, I've put the same routine to validate the
> > > hostname against the certificate's valid names.
> > > 
> > > I'll upload the new patches in their place.
> > > Please review them and when ready I can upload a new package to mentors.
> > > 
> > > Thanks
> > > 
> > 
> 

-- 
http://fam-tille.de



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692442; Package commons-httpclient. (Thu, 06 Dec 2012 20:06:07 GMT)


Acknowledgement sent to infjaf@gmail.com:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 06 Dec 2012 20:06:07 GMT)


Message #102 received at 692442@bugs.debian.org:

From: Alberto Fernández <infjaf@gmail.com>
To: Andreas Tille <tille@debian.org>
Cc: mgilbert@debian.org, 692650@bugs.debian.org, 692442@bugs.debian.org
Subject: Re: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Thu, 06 Dec 2012 21:03:25 +0100
Hi

I've reopened the two bugs.

The first patch was incomplete, as pointed out by David and by another bug
I've found reviewing the code.

The bug pointed out by David can occur in some rare cases where the CA
issues malformed certificates. It's rare, but there are many CAs...
The other bug is about wildcard certificate validation. The first
patch incorrectly validates some cases. They're also rare cases of
certificates of type aaaa*.xxx.com.

Both are very rare cases, but I think they must be fixed before release.

In outline, host names correctly validated:
original -> 0% (no validation at all)
first patch -> 99%?
           Never fails with valid certificates,
           blocks the majority of invalid requests,
           allows a few rare cases which should be blocked.
second patch -> 100%. I hope.


Thanks for your patience
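An added example, not the Debian or Apache patch and not code from anyone in this thread, written in Python rather than the library's Java so the two checks discussed above can be exercised on their own: pulling the CN out of an X.500 DN without being tripped up by escaped or quoted separators in a malformed DN, and matching a hostname against a partial-wildcard name such as aaaa*.xxx.com. The rule that dNSName SANs take precedence over the CN follows RFC 6125 and is an assumption beyond what the thread states.

```python
# Added example, not the commons-httpclient patch. The SAN-before-CN rule
# in hostname_matches() follows RFC 6125 and is an assumption beyond the thread.

def extract_cn(dn):
    """First CN value of an RFC 2253 DN string, or None. Scanned char by
    char so escaped ('\\,') or quoted separators inside a value do not
    split the DN the way a naive split(",") would."""
    avas, buf, quoted, i = [], [], False, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # escaped character: keep it
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c in ",;+" and not quoted:     # RDN / AVA separator
            avas.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    avas.append("".join(buf))
    for ava in avas:
        key, _, value = ava.partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None

def match_identity(host, identity):
    """RFC 6125 style match: a single '*' only in the leftmost label, partial
    labels such as 'aaaa*' allowed, no match across a dot, no '*.com'."""
    host, identity = host.lower().rstrip("."), identity.lower().rstrip(".")
    if "*" not in identity:
        return host == identity
    labels, hlabels = identity.split("."), host.split(".")
    if len(labels) < 3 or labels[0].count("*") != 1:
        return False                        # too broad, or several wildcards
    if any("*" in l for l in labels[1:]) or hlabels[1:] != labels[1:]:
        return False                        # wildcard must stay in one label
    prefix, _, suffix = labels[0].partition("*")
    first = hlabels[0]
    return (bool(first) and len(first) >= len(prefix) + len(suffix)
            and first.startswith(prefix) and first.endswith(suffix))

def hostname_matches(host, dns_sans, subject_dn):
    """dNSName SANs take precedence; the CN is consulted only without them."""
    cn = extract_cn(subject_dn)
    identities = list(dns_sans) if dns_sans else ([cn] if cn else [])
    return any(match_identity(host, ident) for ident in identities)
```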





Reply sent to Alberto Fernández Martínez <infjaf@gmail.com>:
You have taken responsibility. (Fri, 07 Dec 2012 10:03:12 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Fri, 07 Dec 2012 10:03:12 GMT)


Message #107 received at 692442-close@bugs.debian.org:

From: Alberto Fernández Martínez <infjaf@gmail.com>
To: 692442-close@bugs.debian.org
Subject: Bug#692442: fixed in commons-httpclient 3.1-10.2
Date: Fri, 07 Dec 2012 10:02:38 +0000
Source: commons-httpclient
Source-Version: 3.1-10.2

We believe that the bug you reported is fixed in the latest version of
commons-httpclient, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 692442@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alberto Fernández Martínez <infjaf@gmail.com> (supplier of updated commons-httpclient package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Thu, 6 Dec 2012 14:28:00 +0100
Source: commons-httpclient
Binary: libcommons-httpclient-java libcommons-httpclient-java-doc
Architecture: source all
Version: 3.1-10.2
Distribution: unstable
Urgency: low
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Alberto Fernández Martínez <infjaf@gmail.com>
Description: 
 libcommons-httpclient-java - A Java(TM) library for creating HTTP clients
 libcommons-httpclient-java-doc - Documentation for libcommons-httpclient-java
Closes: 692442
Changes: 
 commons-httpclient (3.1-10.2) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Fix CVE-2012-5783 (Closes: #692442)
   * Fix CN extraction from DN of X500 principal.
   * Fix wildcard validation on ssl connections





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692442; Package commons-httpclient. (Mon, 10 Dec 2012 03:09:03 GMT)


Acknowledgement sent to David Jorm <djorm@redhat.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 10 Dec 2012 03:09:03 GMT)


Message #112 received at 692442@bugs.debian.org:

From: David Jorm <djorm@redhat.com>
To: infjaf@gmail.com, 692442@bugs.debian.org
Cc: Andreas Tille <tille@debian.org>, mgilbert@debian.org, 692650@bugs.debian.org
Subject: Re: Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Mon, 10 Dec 2012 13:08:15 +1000
Thanks Alberto! Could I ask that to finalize this, you attach both 
revised patches to the upstream bugs (HTTPCLIENT-1265 and AXIS-2883) and 
ask upstream to commit them?

Thanks again
David

On 12/07/2012 04:02 AM, Alberto Fernández wrote:
> Hi
>
> I've uploaded new packages to mentors. I'll be out until Monday, so feel
> free to review the patches and sponsor the new version if you are all
> confident it's all ok.
>
> I think now it's fine, but if you find some other bug or improvement,
> I'll be happy to correct it.
>
> Next week I'll insist that upstream include the last fix.
>
> On Thu, 06-12-2012 at 13:58 +0100, Andreas Tille wrote:
>> Hi Alberto,
>>
>> thanks for your continuous work on this.  As I said in my previous mail
>> please remember to reopen the according bugs to make sure the previous
>> solution will not migrate to testing.  I'll volunteer to sponsor your
>> new version if you confirm that this is needed to finally fix the issue.
>>
>> Kind regards
>>
>>         Andreas.
>>
>> On Thu, Dec 06, 2012 at 01:49:07PM +0100, Alberto Fernández wrote:
>>> Hi All,
>>>
>>> I've prepared the patch with the problem pointed out by David fixed (thanks
>>> David). It also fixes a bug related to wildcard certificates.
>>>
>>> The first patch is backported from httpclient 4.0 and Apache Synapse.
>>>
>>> This second patch backports some fixes from httpclient 4.2.
>>>
>>> The patch differs a lot from the 4.x line for two reasons: first, the code
>>> architecture changes; second, I want to maintain the 3.1 API unchanged,
>>> so all methods are private and only apply to one class.
>>>
>>> The patch for axis and commons-httpclient is the same. In the function
>>> where they create an SSLSocket, I've put the same routine to validate the
>>> hostname against the certificate's valid names.
>>>
>>> I'll upload the new patches in their place.
>>> Please review them and when ready I can upload a new package to mentors.
>>>
>>> Thanks
>>>




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692442; Package commons-httpclient. (Tue, 11 Dec 2012 23:27:03 GMT)


Acknowledgement sent to infjaf@gmail.com:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 11 Dec 2012 23:27:03 GMT)


Message #117 received at 692442@bugs.debian.org:

From: Alberto Fernández <infjaf@gmail.com>
To: David Jorm <djorm@redhat.com>
Cc: 692442@bugs.debian.org, Andreas Tille <tille@debian.org>, mgilbert@debian.org, 692650@bugs.debian.org
Subject: Re: Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
Date: Wed, 12 Dec 2012 00:25:36 +0100
Hi.

Both patches are attached to the upstream JIRA and HTTPCLIENT-1265 is reopened.
Waiting for a response.

Kind regards
 Alberto




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#692442; Package commons-httpclient. (Sun, 16 Dec 2012 14:30:03 GMT)


Acknowledgement sent to Alberto Fernández <albfernandez@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 16 Dec 2012 14:30:03 GMT)


Message #122 received at 692442@bugs.debian.org:

From: Alberto Fernández <albfernandez@gmail.com>
To: David Jorm <djorm@redhat.com>
Cc: 692442@bugs.debian.org, 692650@bugs.debian.org
Subject: patch applied to commons-httpclient upstream
Date: Sun, 16 Dec 2012 15:27:32 +0100
Hi

The patch is applied upstream:

http://svn.apache.org/viewvc?view=revision&revision=1422573


http://svn.apache.org/repos/asf/httpcomponents/oac.hc3x/trunk


Kind regards

  Alberto




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 15 Jan 2013 07:27:01 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:53:46 2019; Machine Name: beach