libstruts1.2-java: CVE-2014-0114

Related Vulnerabilities: CVE-2014-0114   CVE-2014-0094  

Debian Bug report logs - #745897
libstruts1.2-java: CVE-2014-0114


Package: libstruts1.2-java; Maintainer for libstruts1.2-java is (unknown);

Reported by: Nobuhiro Ban <ban.nobuhiro@gmail.com>

Date: Sat, 26 Apr 2014 12:21:01 UTC

Severity: grave

Tags: security

Found in version libstruts1.2-java/1.2.9-8

Fixed in version libstruts1.2-java/1.2.9-9

Done: Hideki Yamane <henrich@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#745897; Package libstruts1.2-java. (Sat, 26 Apr 2014 12:21:06 GMT) (full text, mbox, link).


Acknowledgement sent to Nobuhiro Ban <ban.nobuhiro@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 26 Apr 2014 12:21:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Nobuhiro Ban <ban.nobuhiro@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libstruts1.2-java: CVE-2014-0094 affects Struts 1.x
Date: Sat, 26 Apr 2014 21:16:44 +0900
Package: libstruts1.2-java
Version: 1.2.9-8
Severity: grave
Tags: security

Dear Maintainer,

In https://security-tracker.debian.org/tracker/CVE-2014-0094 :

>Notes
>- libstruts1.2-java <not-affected> (Affects Struts 2.0.0 - Struts 2.3.16)

But CVE-2014-0094 is known to affect Struts 1.x.


Regards,
Nobuhiro



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#745897; Package libstruts1.2-java. (Tue, 29 Apr 2014 09:51:10 GMT) (full text, mbox, link).


Acknowledgement sent to Arun Babu Neelicattu <abn@redhat.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 29 Apr 2014 09:51:10 GMT) (full text, mbox, link).


Message #10 received at 745897@bugs.debian.org (full text, mbox, reply):

From: Arun Babu Neelicattu <abn@redhat.com>
To: 745897@bugs.debian.org
Subject: Apache Struts 1.x ClassLoader Manipulation: Use CVE-2014-0114
Date: Tue, 29 Apr 2014 19:49:00 +1000
Although the attack vector is the same as that for CVE-2014-0094, this
needs to be considered as a separate flaw [1].

Please use CVE-2014-0114 to refer to this flaw affecting Apache Struts
1.x.

[1]
http://mail-archives.apache.org/mod_mbox/struts-announcements/201404.mbox/%3C535F5F52.4040108%40apache.org%3E

-- 
Arun Neelicattu / Red Hat Security Response Team 
PGP: 0xC244393B 5229 F596 474F 00A1 E416  CF8B 36F5 5054 C244 393B






Changed Bug title to 'libstruts1.2-java: CVE-2014-0114' from 'libstruts1.2-java: CVE-2014-0094 affects Struts 1.x' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 30 Apr 2014 13:39:16 GMT) (full text, mbox, link).


Reply sent to Hideki Yamane <henrich@debian.org>:
You have taken responsibility. (Sat, 31 May 2014 04:21:05 GMT) (full text, mbox, link).


Notification sent to Nobuhiro Ban <ban.nobuhiro@gmail.com>:
Bug acknowledged by developer. (Sat, 31 May 2014 04:21:05 GMT) (full text, mbox, link).


Message #17 received at 745897-close@bugs.debian.org (full text, mbox, reply):

From: Hideki Yamane <henrich@debian.org>
To: 745897-close@bugs.debian.org
Subject: Bug#745897: fixed in libstruts1.2-java 1.2.9-9
Date: Sat, 31 May 2014 04:18:57 +0000
Source: libstruts1.2-java
Source-Version: 1.2.9-9

We believe that the bug you reported is fixed in the latest version of
libstruts1.2-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 745897@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hideki Yamane <henrich@debian.org> (supplier of updated libstruts1.2-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 31 May 2014 12:28:56 +0900
Source: libstruts1.2-java
Binary: libstruts1.2-java
Architecture: source all
Version: 1.2.9-9
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Hideki Yamane <henrich@debian.org>
Description: 
 libstruts1.2-java - Java Framework for MVC web applications
Closes: 745897
Changes: 
 libstruts1.2-java (1.2.9-9) unstable; urgency=high
 .
   * Team upload.
   * debian/patches
     - add struts-1.2.9-CVE-2014-0114.patch from Red Hat to fix CVE-2014-0114
       (Closes: #745897)
Checksums-Sha1: 
 290fd8596b4efd53158530670a8ce934580895ec 2325 libstruts1.2-java_1.2.9-9.dsc
 56f193f9e3af27ee3334033da349a2e713fd3702 8236 libstruts1.2-java_1.2.9-9.debian.tar.xz
 2a0adc7f7a2ea2f8082a077d004c41dfd5ff5eb1 621192 libstruts1.2-java_1.2.9-9_all.deb
Checksums-Sha256: 
 2640dd0d667e7879174bbe95f088ad69997bde0a2d91de78f1e2b5a1a31e0cff 2325 libstruts1.2-java_1.2.9-9.dsc
 8267115ffe92b225fd48000fefaab4b440fcd356085b3d5447f3fe4860335911 8236 libstruts1.2-java_1.2.9-9.debian.tar.xz
 31520ac13076c91befbfe32da03f1655f426dc0e337a5cbd93b3de58384bdea2 621192 libstruts1.2-java_1.2.9-9_all.deb
Files: 
 6323eccadeae834b464a27e7d44f156d 621192 java optional libstruts1.2-java_1.2.9-9_all.deb
 cbccb4d85125c9996980de6c3f0f0047 2325 java optional libstruts1.2-java_1.2.9-9.dsc
 5433eaa3d10113262fef9e3b4f1d821e 8236 java optional libstruts1.2-java_1.2.9-9.debian.tar.xz





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#745897; Package libstruts1.2-java. (Sun, 01 Jun 2014 06:06:04 GMT) (full text, mbox, link).


Acknowledgement sent to Nobuhiro Ban <ban.nobuhiro@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 01 Jun 2014 06:06:04 GMT) (full text, mbox, link).


Message #22 received at 745897@bugs.debian.org (full text, mbox, reply):

From: Nobuhiro Ban <ban.nobuhiro@gmail.com>
To: 745897@bugs.debian.org
Cc: Arun Babu Neelicattu <abn@redhat.com>, Hideki Yamane <henrich@debian.org>
Subject: Re: Bug#745897 closed by Hideki Yamane <henrich@debian.org> (Bug#745897: fixed in libstruts1.2-java 1.2.9-9)
Date: Sun, 1 Jun 2014 15:03:20 +0900
Hi,

>    - add struts-1.2.9-CVE-2014-0114.patch from Red Hat to fix CVE-2014-0114

http://sources.debian.net/src/libstruts1.2-java/1.2.9-9/debian/patches/struts-1.2.9-CVE-2014-0114.patch
>+    protected static final Pattern CLASS_ACCESS_PATTERN = Pattern
>+            .compile("(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*",
>+                    Pattern.CASE_INSENSITIVE);
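Review bot: the prefix group `(.*\.|^|.*|\[('|"))` contains a bare `.*` alternative that subsumes the other three, so the whole pattern reduces to `.*class(\.|('|")]|\[).*` and, with `Pattern.CASE_INSENSITIVE`, rejects any parameter name that contains `class` followed by `.`, `']`, `"]` or `[` at any position, for example `fooClass.bar` or `subclass[0]`. If only the `class` property itself (and `['class']` / `["class"]` indexed access) is meant to be blocked, drop the bare `.*` alternative and anchor the remaining ones at a property boundary; if the broad match is intentional, a comment saying so would spare the next reader the same analysis.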

It's a very strange regexp, because we know (P1|.*|P2) == .* .
This pattern will match words other than "class", e.g. "fooClass".

I think this patch will cause a regression.


Regards,
Nobuhiro



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#745897; Package libstruts1.2-java. (Sun, 01 Jun 2014 06:45:05 GMT) (full text, mbox, link).


Acknowledgement sent to Hideki Yamane <henrich@debian.or.jp>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 01 Jun 2014 06:45:05 GMT) (full text, mbox, link).


Message #27 received at 745897@bugs.debian.org (full text, mbox, reply):

From: Hideki Yamane <henrich@debian.or.jp>
To: Nobuhiro Ban <ban.nobuhiro@gmail.com>
Cc: 745897@bugs.debian.org, Arun Babu Neelicattu <abn@redhat.com>, Hideki Yamane <henrich@debian.org>
Subject: Re: Bug#745897 closed by Hideki Yamane <henrich@debian.org> (Bug#745897: fixed in libstruts1.2-java 1.2.9-9)
Date: Sun, 1 Jun 2014 15:40:29 +0900
Hi,

On Sun, 1 Jun 2014 15:03:20 +0900
Nobuhiro Ban <ban.nobuhiro@gmail.com> wrote:
> It's a very strange regexp, because we know (P1|.*|P2) == .* .
> This pattern will match words other than "class", e.g. "fooClass".
> 
> I think this patch will cause a regression.

 Thanks for your comment, do you have any fix for it?


-- 
Regards,

 Hideki Yamane     henrich @ debian.or.jp/org
 http://wiki.debian.org/HidekiYamane



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#745897; Package libstruts1.2-java. (Sun, 01 Jun 2014 08:27:15 GMT) (full text, mbox, link).


Acknowledgement sent to Nobuhiro Ban <ban.nobuhiro@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 01 Jun 2014 08:27:15 GMT) (full text, mbox, link).


Message #32 received at 745897@bugs.debian.org (full text, mbox, reply):

From: Nobuhiro Ban <ban.nobuhiro@gmail.com>
To: Hideki Yamane <henrich@debian.or.jp>
Cc: 745897@bugs.debian.org, Arun Babu Neelicattu <abn@redhat.com>
Subject: Re: Bug#745897 closed by Hideki Yamane <henrich@debian.org> (Bug#745897: fixed in libstruts1.2-java 1.2.9-9)
Date: Sun, 1 Jun 2014 17:23:59 +0900
Hi,

> Thanks for your comment, do you have any fix for it?

Security vendors (LAC Co.Ltd and Mitsui Bussan Secure Directions, Inc.)
suggest /(^|\W)[cC]lass\W/, so I'm personally using naive implementation
of this pattern: Pattern.compile(".*(^|\\W)[cC]lass\\W.*") .

But I'm not an IT security professional, so I can't say that this works
perfectly, sorry.


Regards,
Nobuhiro


2014-06-01 15:40 GMT+09:00 Hideki Yamane <henrich@debian.or.jp>:
> Hi,
>
> On Sun, 1 Jun 2014 15:03:20 +0900
> Nobuhiro Ban <ban.nobuhiro@gmail.com> wrote:
>> It's a very strange regexp, because we know (P1|.*|P2) == .* .
>> This pattern will match words other than "class", e.g. "fooClass".
>>
>> I think this patch will cause a regression.
>
>  Thanks for your comment, do you have any fix for it?
>
>
> --
> Regards,
>
>  Hideki Yamane     henrich @ debian.or.jp/org
>  http://wiki.debian.org/HidekiYamane
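To make the disagreement in this thread concrete, here is an added example (not code from the Debian package, Red Hat or the Struts project) that applies both patterns to a set of constructed parameter names: the CLASS_ACCESS_PATTERN quoted from struts-1.2.9-CVE-2014-0114.patch and the `.*(^|\W)[cC]lass\W.*` pattern Nobuhiro uses instead. It assumes, as the thread implies, that the filter is applied with `Matcher.matches()` to each request parameter name before `BeanUtils.populate()` and that a matching name is dropped; the exact call site in the patch is not shown on this page.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example: compares the parameter-name filter from the Red Hat patch
 * quoted in this bug log with the word-boundary pattern suggested in the
 * thread. Both are assumed to be applied with Matcher.matches() to every
 * request parameter name before populate(); a name that matches is dropped.
 */
public class ClassAccessFilterCheck {

    // Pattern from the quoted patch. The prefix group contains a bare ".*"
    // alternative, so the whole prefix collapses to ".*".
    static final Pattern PATCH_PATTERN = Pattern.compile(
            "(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*",
            Pattern.CASE_INSENSITIVE);

    // Pattern suggested in the thread: "class" must sit between the start of
    // the name (or a non-word character) and a non-word character.
    static final Pattern WORD_BOUNDARY_PATTERN =
            Pattern.compile(".*(^|\\W)[cC]lass\\W.*");

    static boolean rejectedByPatch(String paramName) {
        return PATCH_PATTERN.matcher(paramName).matches();
    }

    static boolean rejectedByWordBoundary(String paramName) {
        return WORD_BOUNDARY_PATTERN.matcher(paramName).matches();
    }

    public static void main(String[] args) {
        // Constructed parameter names; none are taken from a real application.
        List<String> names = Arrays.asList(
                "class.classLoader.foo",  // the property path the fix is meant to block
                "bean['class'].foo",      // same property, reached through index syntax
                "fooClass.bar",           // the regression case raised in the thread
                "subclass[0]",            // another name that merely contains "class"
                "CLASS.foo",              // upper case: only the patch pattern is case-insensitive
                "classic.name",           // "class" not followed by a separator
                "user.name");             // ordinary form field
        System.out.printf("%-24s %-10s %-10s%n", "parameter name", "patch", "boundary");
        for (String name : names) {
            System.out.printf("%-24s %-10b %-10b%n",
                    name, rejectedByPatch(name), rejectedByWordBoundary(name));
        }
    }
}
```

Running it shows the trade-off behind the two messages above: the bare `.*` alternative lets the patch pattern reject `fooClass.bar` and `subclass[0]`, which the word-boundary pattern accepts because a word character precedes `class`, while `CLASS.foo` is caught only by the patch pattern, since `[cC]` does not cover all-caps spellings. Neither pattern is a substitute for removing the `class` property from introspection in commons-beanutils itself, which is the fix the thread converges on.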



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#745897; Package libstruts1.2-java. (Sun, 01 Jun 2014 10:24:04 GMT) (full text, mbox, link).


Acknowledgement sent to Emmanuel Bourg <ebourg@apache.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 01 Jun 2014 10:24:04 GMT) (full text, mbox, link).


Message #37 received at 745897@bugs.debian.org (full text, mbox, reply):

From: Emmanuel Bourg <ebourg@apache.org>
To: Nobuhiro Ban <ban.nobuhiro@gmail.com>, 745897@bugs.debian.org, Hideki Yamane <henrich@debian.or.jp>
Cc: Arun Babu Neelicattu <abn@redhat.com>
Subject: Re: Bug#745897: closed by Hideki Yamane <henrich@debian.org> (Bug#745897: fixed in libstruts1.2-java 1.2.9-9)
Date: Sun, 01 Jun 2014 11:44:27 +0200
Hi,

FYI I just uploaded Commons BeanUtils 1.9.2 which includes a new
BeanIntrospector designed to fix this issue. I believe a new version of
Struts using it is expected.

Emmanuel Bourg




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#745897; Package libstruts1.2-java. (Sun, 15 Jun 2014 04:48:04 GMT) (full text, mbox, link).


Acknowledgement sent to Hideki Yamane <henrich@debian.or.jp>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 15 Jun 2014 04:48:04 GMT) (full text, mbox, link).


Message #42 received at 745897@bugs.debian.org (full text, mbox, reply):

From: Hideki Yamane <henrich@debian.or.jp>
To: Emmanuel Bourg <ebourg@apache.org>
Cc: Nobuhiro Ban <ban.nobuhiro@gmail.com>, 745897@bugs.debian.org, Arun Babu Neelicattu <abn@redhat.com>
Subject: Re: Bug#745897: closed by Hideki Yamane <henrich@debian.org> (Bug#745897: fixed in libstruts1.2-java 1.2.9-9)
Date: Sun, 15 Jun 2014 13:43:02 +0900
Hi Emmanuel,

>>commons-beanutils (1.9.2-1) unstable; urgency=medium
>>
>>  * New upstream release
>>  * Disabled the BeanMap test which relies on a class not packaged in Debian
>>  * Moved the package to Git
>>
>> -- Emmanuel Bourg <ebourg@apache.org>  Fri, 30 May 2014 13:58:47 +0200

 You mean, struts1 calls BeanUtils.populate and we should add check logic
 in commons-beanutils and 1.9.2 is fixed version, right?

 https://github.com/apache/struts1/blob/STRUTS_1_2_BRANCH/src/share/org/apache/struts/util/RequestUtils.java#L493


 Then, question: commons-beanutils version in Debian is
>>   oldstable : 1.8.3-1
>>   stable    : 1.8.3-3

 both seem to be still vulnerable versions. Can you provide a security
 backport patch for them? If not, the patch to struts1 is still useful to
 prevent attack, so push the fix to libstruts1.2-java stable/oldstable, right?

-- 
Hideki Yamane <henrich@debian.or.jp>
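The fix Emmanuel refers to (Commons BeanUtils 1.9.2's new BeanIntrospector) and the check Hideki asks about (on the commons-beanutils side of the `BeanUtils.populate` call) are the same thing. The following added example, which is not code from the Struts, BeanUtils or Debian projects, shows how an application that populates a form bean from request parameters registers that introspector so that the `class` property disappears from introspection. It assumes commons-beanutils 1.9.2 or later on the classpath and uses the `BeanUtilsBean`, `PropertyUtilsBean.addBeanIntrospector` and `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS` API that release introduced; the form bean and the parameter map are constructed for the example.

```java
import java.beans.PropertyDescriptor;
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/**
 * Added example (not from the Struts or BeanUtils projects): registering
 * SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS removes the "class"
 * property from bean introspection, so populate() driven by request
 * parameters can no longer walk from getClass() to the ClassLoader.
 * Requires commons-beanutils 1.9.2 or later.
 */
public class SuppressClassPropertyExample {

    /** A plain form bean, standing in for a Struts ActionForm. */
    public static class UserForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** True if introspection of the bean exposes a property called "class". */
    static boolean exposesClassProperty(PropertyUtilsBean propertyUtils, Object bean) {
        for (PropertyDescriptor pd : propertyUtils.getPropertyDescriptors(bean)) {
            if ("class".equals(pd.getName())) {
                return true;
            }
        }
        return false;
    }

    /** Builds a BeanUtilsBean whose introspection hides the "class" property. */
    static BeanUtilsBean hardenedBeanUtils() {
        BeanUtilsBean beanUtils = new BeanUtilsBean();
        beanUtils.getPropertyUtils()
                 .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return beanUtils;
    }

    public static void main(String[] args) throws Exception {
        // Constructed request parameters, as a servlet would hand them to populate().
        Map<String, Object> params = new HashMap<>();
        params.put("name", "alice");
        params.put("class.classLoader.foo", "x");  // the kind of name CVE-2014-0114 abuses

        BeanUtilsBean plain = new BeanUtilsBean();
        BeanUtilsBean hardened = hardenedBeanUtils();
        UserForm form = new UserForm();

        System.out.println("default introspection exposes 'class': "
                + exposesClassProperty(plain.getPropertyUtils(), form));
        System.out.println("hardened introspection exposes 'class': "
                + exposesClassProperty(hardened.getPropertyUtils(), form));

        // With the introspector registered, resolving "class" fails with
        // NoSuchMethodException inside setProperty(), which skips the key;
        // only the real form field is set.
        hardened.populate(form, params);
        System.out.println("name after populate: " + form.getName());
    }
}
```

The important design point is that the suppression lives in the introspection layer rather than in a regular expression over parameter names: whatever spelling or index syntax a request uses, there is simply no `class` property descriptor for `populate()` to resolve, so the regression Nobuhiro raised for names such as `fooClass` does not arise. Each `BeanUtilsBean` instance keeps its own descriptor cache, which is why the plain and hardened instances in the example report different results for the same bean.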



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#745897; Package libstruts1.2-java. (Sun, 15 Jun 2014 06:39:05 GMT) (full text, mbox, link).


Acknowledgement sent to Hideki Yamane <henrich@debian.or.jp>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 15 Jun 2014 06:39:05 GMT) (full text, mbox, link).


Message #47 received at 745897@bugs.debian.org (full text, mbox, reply):

From: Hideki Yamane <henrich@debian.or.jp>
To: Nobuhiro Ban <ban.nobuhiro@gmail.com>
Cc: 745897@bugs.debian.org
Subject: Re: Bug#745897: fixed in libstruts1.2-java 1.2.9-9
Date: Sun, 15 Jun 2014 15:35:34 +0900
Hi,

On Sun, 1 Jun 2014 15:03:20 +0900
Nobuhiro Ban <ban.nobuhiro@gmail.com> wrote:
> >+    protected static final Pattern CLASS_ACCESS_PATTERN = Pattern
> >+            .compile("(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*",
> >+                    Pattern.CASE_INSENSITIVE);
> 
> It's a very strange regexp, because we know (P1|.*|P2) == .* .
> This pattern will match words other than "class", e.g. "fooClass".

 Any class should be accepted; maybe it'd cause some
 trouble, but a non-class should not be named *class, IMHO.


-- 
Hideki Yamane <henrich@debian.or.jp>



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#745897; Package libstruts1.2-java. (Mon, 16 Jun 2014 11:36:04 GMT) (full text, mbox, link).


Acknowledgement sent to Emmanuel Bourg <ebourg@apache.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 16 Jun 2014 11:36:04 GMT) (full text, mbox, link).


Message #52 received at 745897@bugs.debian.org (full text, mbox, reply):

From: Emmanuel Bourg <ebourg@apache.org>
To: Hideki Yamane <henrich@debian.or.jp>
Cc: Nobuhiro Ban <ban.nobuhiro@gmail.com>, 745897@bugs.debian.org, Arun Babu Neelicattu <abn@redhat.com>
Subject: Re: Bug#745897: closed by Hideki Yamane <henrich@debian.org> (Bug#745897: fixed in libstruts1.2-java 1.2.9-9)
Date: Mon, 16 Jun 2014 13:27:32 +0200
Le 15/06/2014 06:43, Hideki Yamane a écrit :

>  Then, question: commons-beanutils version in Debian is
>  both seem to be still vulnerable versions. Can you provide a security
>  backport patch for them? If not, the patch to struts1 is still useful to
>  prevent attack, so push the fix to libstruts1.2-java stable/oldstable, right?

I got confirmation from the Struts developers that a new release using
commons-beanutils 1.9.2 is planned soon. So I'm going to prepare the
backport of commons-beanutils 1.9.2 in stable and wait for the new
release of Struts 1.x.

Emmanuel Bourg




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#745897; Package libstruts1.2-java. (Sat, 21 Jun 2014 07:51:09 GMT) (full text, mbox, link).


Acknowledgement sent to Nobuhiro Ban <ban.nobuhiro@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 21 Jun 2014 07:51:09 GMT) (full text, mbox, link).


Message #57 received at 745897@bugs.debian.org (full text, mbox, reply):

From: Nobuhiro Ban <ban.nobuhiro@gmail.com>
To: Hideki Yamane <henrich@debian.or.jp>
Cc: 745897@bugs.debian.org, Arun Babu Neelicattu <abn@redhat.com>
Subject: Re: Bug#745897: fixed in libstruts1.2-java 1.2.9-9
Date: Sat, 21 Jun 2014 16:49:22 +0900
2014-06-15 15:35 GMT+09:00 Hideki Yamane <henrich@debian.or.jp>:
>> This pattern will match words other than "class", e.g. "fooClass".
>  Any class should be accepted; maybe it'd cause some
>  trouble, but a non-class should not be named *class, IMHO.

That might be the case. This issue might be a very small problem.
Actually, Red Hat users do not seem to be troubled.

But I think users should be informed of it (in DSA, README.Debian
or somewhere).


Regards,
Nobuhiro



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 20 Jul 2014 07:34:23 GMT) (full text, mbox, link).


Bug unarchived. Request was from Nobuhiro Ban <ban.nobuhiro@gmail.com> to control@bugs.debian.org. (Mon, 21 Jul 2014 15:54:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#745897; Package libstruts1.2-java. (Mon, 21 Jul 2014 16:03:04 GMT) (full text, mbox, link).


Acknowledgement sent to Nobuhiro Ban <ban.nobuhiro@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 21 Jul 2014 16:03:04 GMT) (full text, mbox, link).


Message #66 received at 745897@bugs.debian.org (full text, mbox, reply):

From: Nobuhiro Ban <ban.nobuhiro@gmail.com>
To: Emmanuel Bourg <ebourg@apache.org>
Cc: Hideki Yamane <henrich@debian.or.jp>, 745897@bugs.debian.org, Arun Babu Neelicattu <abn@redhat.com>
Subject: Re: Bug#745897: closed by Hideki Yamane <henrich@debian.org> (Bug#745897: fixed in libstruts1.2-java 1.2.9-9)
Date: Tue, 22 Jul 2014 00:59:01 +0900
Hi all,

2014-06-16 20:27 GMT+09:00 Emmanuel Bourg <ebourg@apache.org>:
>I got confirmation from the Struts developers that a new release using
>commons-beanutils 1.9.2 is planned soon. So I'm going to prepare the
>backport of commons-beanutils 1.9.2 in stable and wait for the new
>release of Struts 1.x.

The security fix was committed over 1 month ago [1],
but has not been released (from upstream) yet.

So, I made a Debian fix using [1].


[1] http://svn.apache.org/r1603883


Regards,
Nobuhiro
[745897.tar.gz (application/x-gzip, attachment)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 19 Aug 2014 07:45:21 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:46:45 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.