[axis] 35/60: Really fix CVE-2012-5784 (Closes: #692650)

Thu Jan 12 17:30:44 UTC 2017

This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch master
in repository axis.

commit 934ca808e526a755c44834bb3d735891fe4ef1f7
Author: Andreas Tille <tille at debian.org>
Date:   Fri Dec 7 08:30:03 2012 +0000

    Really fix CVE-2012-5784 (Closes: #692650)
---
 debian/changelog                          |   9 ++
 debian/patches/06-fix-CVE-2012-5784.patch | 143 ++++++++++++++++++------------
 2 files changed, 93 insertions(+), 59 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index a269df0..e431078 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+axis (1.4-16.2) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Fix CVE-2012-5784 (Closes: #692650)
+  * Fix CN extraction from DN of X500 principal.
+  * Fix wildcard validation on ssl connections
+
+ -- Alberto Fernández Martínez <infjaf at gmail.com>  Thu, 6 Dec 2012 14:28:00 +0100
+
 axis (1.4-16.1) unstable; urgency=low
 
   * Non-maintainer upload.
diff --git a/debian/patches/06-fix-CVE-2012-5784.patch b/debian/patches/06-fix-CVE-2012-5784.patch
index fb93ce7..7c47487 100644
--- a/debian/patches/06-fix-CVE-2012-5784.patch
+++ b/debian/patches/06-fix-CVE-2012-5784.patch
@@ -1,25 +1,33 @@
-Description: Validates the hostname requested is the same in the certificate in ssl-connections
- Fixes CVE-2012-5784, validates hostname certificate in SSL connections.
- Backported from http-client 4, and from Apache Synapse (plus some bugfixes).
+Description: Fixed CN extraction from DN of X500 principal and wildcard validation
 
-Author: Alberto Fernandez <infjaf at gmail.com>
-Bug-Debian: http://bugs.debian.org/692650
-Forwarded: no
+ axis (1.4-16.2) unstable; urgency=low
+
+   * Fixed CN extraction from DN of X500 principal and wildcard validation
 
+Author: Alberto Fernández Martínez <infjaf at gmail.com>
 
 
+Origin: other
+Bug-Debian: http://bugs.debian.org/692650
+Forwarded: https://issues.apache.org/jira/browse/AXIS-2883
+Last-Update: <2012-12-06>
+
 --- axis-1.4.orig/src/org/apache/axis/components/net/JSSESocketFactory.java
 +++ axis-1.4/src/org/apache/axis/components/net/JSSESocketFactory.java
-@@ -19,6 +19,8 @@ import org.apache.axis.utils.Messages;
- import org.apache.axis.utils.XMLUtils;
- import org.apache.axis.utils.StringUtils;
+@@ -15,12 +15,6 @@
+  */
+ package org.apache.axis.components.net;
  
-+import javax.net.ssl.SSLException;
-+import javax.net.ssl.SSLSession;
- import javax.net.ssl.SSLSocket;
- import javax.net.ssl.SSLSocketFactory;
+-import org.apache.axis.utils.Messages;
+-import org.apache.axis.utils.XMLUtils;
+-import org.apache.axis.utils.StringUtils;
+-
+-import javax.net.ssl.SSLSocket;
+-import javax.net.ssl.SSLSocketFactory;
  import java.io.BufferedWriter;
-@@ -28,7 +30,15 @@ import java.io.OutputStream;
+ import java.io.IOException;
+ import java.io.InputStream;
+@@ -28,7 +22,27 @@ import java.io.OutputStream;
  import java.io.OutputStreamWriter;
  import java.io.PrintWriter;
  import java.net.Socket;
@@ -32,10 +40,22 @@ Forwarded: no
 +import java.util.Iterator;
 +import java.util.LinkedList;
 +import java.util.List;
++import java.util.Locale;
++import java.util.StringTokenizer;
++import java.util.regex.Pattern;
++
++import javax.net.ssl.SSLException;
++import javax.net.ssl.SSLSession;
++import javax.net.ssl.SSLSocket;
++import javax.net.ssl.SSLSocketFactory;
++
++import org.apache.axis.utils.Messages;
++import org.apache.axis.utils.StringUtils;
++import org.apache.axis.utils.XMLUtils;
  
  
  /**
-@@ -41,6 +51,10 @@ import java.util.Hashtable;
+@@ -41,6 +55,10 @@ import java.util.Hashtable;
   */
  public class JSSESocketFactory extends DefaultSocketFactory implements SecureSocketFactory {
  
@@ -46,7 +66,7 @@ Forwarded: no
      /** Field sslFactory           */
      protected SSLSocketFactory sslFactory = null;
  
-@@ -187,6 +201,255 @@ public class JSSESocketFactory extends D
+@@ -187,6 +205,260 @@ public class JSSESocketFactory extends D
          if (log.isDebugEnabled()) {
              log.debug(Messages.getMessage("createdSSL00"));
          }
@@ -104,7 +124,7 @@ Forwarded: no
 +		}
 +
 +		Certificate[] certs = session.getPeerCertificates();
-+		verifyHostName(host.trim().toLowerCase(),  (X509Certificate) certs[0]);
++		verifyHostName(host.trim().toLowerCase(Locale.US),  (X509Certificate) certs[0]);
 +	}
 +	/**
 +	 * Extract the names from the certificate and tests host matches one of them
@@ -121,7 +141,7 @@ Forwarded: no
 +        
 +		String cn = getCN(cert);
 +		String[] subjectAlts = getDNSSubjectAlts(cert);
-+		verifyHostName(host, cn.toLowerCase(), subjectAlts);
++		verifyHostName(host, cn.toLowerCase(Locale.US), subjectAlts);
 +
 +	}
 +
@@ -174,7 +194,7 @@ Forwarded: no
 +		for (int i = 0; i < subjectAlts.length; i++){
 +			String name = subjectAlts[i];
 +			if (name != null) {
-+				name = name.toLowerCase();
++				name = name.toLowerCase(Locale.US);
 +				if (verifyHostName(host, name)){
 +					return;
 +				}
@@ -191,44 +211,41 @@ Forwarded: no
 +	}		
 +	
 +	private static boolean verifyHostName(final String host, final String cn){
-+		if (doWildCard(cn)) {
++		if (doWildCard(cn) && !isIPAddress(host)) {
 +			return matchesWildCard(cn, host);
 +		} 
-+		return host.equalsIgnoreCase(cn);		
++		return host.equalsIgnoreCase(cn);
 +	}
 +    private static boolean doWildCard(String cn) {
 +		// Contains a wildcard
 +		// wildcard in the first block
 +    	// not an ipaddress (ip addres must explicitily be equal)
 +    	// not using 2nd level common tld : ex: not for *.co.uk
-+    	return 
-+    			cn.indexOf("*.")>=0 &&
-+    			cn.indexOf('.') > cn.indexOf("*.") &&
-+    			!isIPAddress(cn) &&
-+    			acceptableCountryWildcard(cn);
++    	String parts[] = cn.split("\\.");
++    	return parts.length >= 3 &&
++    			parts[0].endsWith("*") &&
++    			acceptableCountryWildcard(cn) &&
++    			!isIPAddress(cn);
 +    }
 +
-+	private static boolean isIPAddress(final String cn) {
-+		// IPv6
-+		if (cn.contains(":")) {
-+			return true;
-+		}
-+		// IPb4
-+		boolean isIP4 = true;
-+		String tld = cn;
-+		int x = cn.lastIndexOf('.');
-+		// We only bother analyzing the characters after the final dot
-+		// in the name.
-+		if (x >= 0 && x + 1 < cn.length()) {
-+			tld = cn.substring(x + 1);
-+		}
-+		for (int i = 0; i < tld.length(); i++) {
-+			if (!Character.isDigit(tld.charAt(0))) {
-+				isIP4 = false;
-+				break;
-+			}
-+		}
-+		return isIP4;
++	private static final Pattern IPV4_PATTERN =
++			Pattern.compile("^(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)(\\.(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)){3}$");
++
++	private static final Pattern IPV6_STD_PATTERN = 
++			Pattern.compile("^(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$");
++
++	private static final Pattern IPV6_HEX_COMPRESSED_PATTERN = 
++			Pattern.compile("^((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?)::((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?)$");
++
++
++	private static boolean isIPAddress(final String hostname) {
++		return hostname != null
++				&& (
++						IPV4_PATTERN.matcher(hostname).matches()
++						|| IPV6_STD_PATTERN.matcher(hostname).matches() 
++						|| IPV6_HEX_COMPRESSED_PATTERN.matcher(hostname).matches()
++		);
++
 +	}
 +
 +	private static boolean acceptableCountryWildcard(final String cn) {
@@ -251,14 +268,15 @@ Forwarded: no
 +			final String hostName) {
 +		String parts[] = cn.split("\\.");
 +		boolean match = false;
-+		if (parts[0].length() > 1) {
++		String firstpart = parts[0];
++		if (firstpart.length() > 1) {
 +			// server∗
-+			String prefix = parts[0].substring(0, parts[0].length() - 2);
 +			// e.g. server
-+			String suffix = cn.substring(parts[0].length());
++			String prefix =  firstpart.substring(0, firstpart.length() - 1);
 +			// skipwildcard part from cn
-+			String hostSuffix = hostName.substring(prefix.length());
++			String suffix = cn.substring(firstpart.length()); 
 +			// skip wildcard part from host
++			String hostSuffix = hostName.substring(prefix.length());			
 +			match = hostName.startsWith(prefix) && hostSuffix.endsWith(suffix);
 +		} else {
 +			match = hostName.endsWith(cn.substring(1));
@@ -281,6 +299,7 @@ Forwarded: no
 +		return dots;
 +	}
 +
++
 +	private static String getCN(X509Certificate cert) {
 +          // Note:  toString() seems to do a better job than getName()
 +          //
@@ -290,15 +309,21 @@ Forwarded: no
 +          // whereas toString() gives me this:
 +          // EMAILADDRESS=juliusdavies at cucbc.com        
 +		String subjectPrincipal = cert.getSubjectX500Principal().toString();
-+		int x = subjectPrincipal.indexOf("CN=");
-+		if (x >= 0) {
-+			int y = subjectPrincipal.indexOf(',', x);
-+			// If there are no more commas, then CN= is the last entry.
-+			y = (y >= 0) ? y : subjectPrincipal.length();
-+			return subjectPrincipal.substring(x + 3, y);
-+		} else {
-+			return null;
++		
++		return getCN(subjectPrincipal);
++
++	}
++	private static String getCN(String subjectPrincipal) {
++		StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
++		while(st.hasMoreTokens()) {
++			String tok = st.nextToken().trim();
++			if (tok.length() > 3) {
++				if (tok.substring(0, 3).equalsIgnoreCase("CN=")) {
++					return tok.substring(3);
++				}
++			}
 +		}
++		return null;
 +	}
 +
  }

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/axis.git

