[commons-httpclient] 57/66: Add CVE-2014-3577.patch
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Tue Jul 4 08:04:06 UTC 2017
This is an automated email from the git hooks/post-receive script.
ebourg-guest pushed a commit to branch master
in repository commons-httpclient.
commit 8c2492d17d7b7df6cc00dd21939ff2e80b0e7b17
Author: Markus Koschany <apo at debian.org>
Date: Thu Apr 16 10:00:06 2015 +0000
Add CVE-2014-3577.patch
---
debian/patches/CVE-2014-3577.patch | 110 +++++++++++++++++++++++++++++++++++++
1 file changed, 110 insertions(+)
diff --git a/debian/patches/CVE-2014-3577.patch b/debian/patches/CVE-2014-3577.patch
new file mode 100644
index 0000000..0e44c07
--- /dev/null
+++ b/debian/patches/CVE-2014-3577.patch
@@ -0,0 +1,110 @@
+From: Markus Koschany <apo at gambaru.de>
+Date: Mon, 23 Mar 2015 22:45:14 +0100
+Subject: CVE-2014-3577
+
+It was found that the fix for CVE-2012-6153 was incomplete: the code added to
+check that the server hostname matches the domain name in a subject's Common
+Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker
+could use this flaw to spoof an SSL server using a specially crafted X.509
+certificate.
+The fix for CVE-2012-6153 was intended to address the incomplete patch for
+CVE-2012-5783. This means the issue is now completely resolved by applying
+this patch and the 06_fix_CVE-2012-5783.patch.
+
+References:
+
+upstream announcement:
+https://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577
+
+Fedora-Fix:
+http://pkgs.fedoraproject.org/cgit/jakarta-commons-httpclient.git/tree/jakarta-commons-httpclient-CVE-2014-3577.patch
+
+CentOS-Fix:
+https://git.centos.org/blob/rpms!jakarta-commons-httpclient/SOURCES!jakarta-commons-httpclient-CVE-2014-3577.patch
+
+Debian-Bug: https://bugs.debian.org/758086
+Forwarded: not-needed, already fixed
+---
+ .../protocol/SSLProtocolSocketFactory.java | 57 ++++++++++++++--------
+ 1 file changed, 37 insertions(+), 20 deletions(-)
+
+diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+index fa0acc7..e6ce513 100644
+--- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
++++ b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+@@ -44,9 +44,15 @@ import java.util.Iterator;
+ import java.util.LinkedList;
+ import java.util.List;
+ import java.util.Locale;
+-import java.util.StringTokenizer;
++import java.util.NoSuchElementException;
+ import java.util.regex.Pattern;
+
++import javax.naming.InvalidNameException;
++import javax.naming.NamingException;
++import javax.naming.directory.Attribute;
++import javax.naming.directory.Attributes;
++import javax.naming.ldap.LdapName;
++import javax.naming.ldap.Rdn;
+ import javax.net.ssl.SSLException;
+ import javax.net.ssl.SSLSession;
+ import javax.net.ssl.SSLSocket;
+@@ -424,28 +430,39 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
+ return dots;
+ }
+
+- private static String getCN(X509Certificate cert) {
+- // Note: toString() seems to do a better job than getName()
+- //
+- // For example, getName() gives me this:
+- // 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
+- //
+- // whereas toString() gives me this:
+- // EMAILADDRESS=juliusdavies at cucbc.com
+- String subjectPrincipal = cert.getSubjectX500Principal().toString();
+-
+- return getCN(subjectPrincipal);
+-
++ private static String getCN(final X509Certificate cert) {
++ final String subjectPrincipal = cert.getSubjectX500Principal().toString();
++ try {
++ return extractCN(subjectPrincipal);
++ } catch (SSLException ex) {
++ return null;
++ }
+ }
+- private static String getCN(String subjectPrincipal) {
+- StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
+- while(st.hasMoreTokens()) {
+- String tok = st.nextToken().trim();
+- if (tok.length() > 3) {
+- if (tok.substring(0, 3).equalsIgnoreCase("CN=")) {
+- return tok.substring(3);
++
++ private static String extractCN(final String subjectPrincipal) throws SSLException {
++ if (subjectPrincipal == null) {
++ return null;
++ }
++ try {
++ final LdapName subjectDN = new LdapName(subjectPrincipal);
++ final List<Rdn> rdns = subjectDN.getRdns();
++ for (int i = rdns.size() - 1; i >= 0; i--) {
++ final Rdn rds = rdns.get(i);
++ final Attributes attributes = rds.toAttributes();
++ final Attribute cn = attributes.get("cn");
++ if (cn != null) {
++ try {
++ final Object value = cn.get();
++ if (value != null) {
++ return value.toString();
++ }
++ } catch (NoSuchElementException ignore) {
++ } catch (NamingException ignore) {
++ }
+ }
+ }
++ } catch (InvalidNameException e) {
++ throw new SSLException(subjectPrincipal + " is not a valid X500 distinguished name");
+ }
+ return null;
+ }
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/commons-httpclient.git
More information about the pkg-java-commits
mailing list