Bug#700268: libhttpclient-java: overly broad certificate wildcard match

Helmut Grohne helmut at subdivi.de
Sun Feb 10 18:12:08 UTC 2013


Package: libhttpclient-java
Version: 4.2.1-1
Severity: grave
Tags: security

In the version above, the common name match of the certificate check was
rewritten. So the versions in squeeze and wheezy are not affected. The
rewritten version contains a bug (uses length of wrong object) and
thereby accepts SSL certificates where it should not.

Let me quote the relevant bits from the upstream bug
https://issues.apache.org/jira/browse/HTTPCLIENT-1255
> According to the findings of [1], the hostname verification in AbstractVerifier.java is not correct. The wildcard prefix extraction uses the dimension of the dotted parts array instead of the length of the first part itself.
> 
> String prefix = parts[0].substring(0, parts.length-2); // e.g. server
> should be
> String prefix = parts[0].substring(0, parts[0].length()-1); // e.g. server
> 
> (This is line 208 of http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java as of Revision 1402320)
> 
> [1] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

Helmut
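
The effect of the two quoted lines, as an added example that is not part of the original report and is not the HttpClient source. The class name, the simplified `matches` logic and the sample host names are assumptions made for illustration; only the two `substring` expressions come from the quoted upstream bug.

```java
import java.util.Locale;

public class WildcardPrefixCheck {

    // Prefix extraction as quoted in the report: the end index is derived from
    // the number of dotted labels in the CN, not from the first label's length.
    static String buggyPrefix(String[] parts) {
        return parts[0].substring(0, parts.length - 2);
    }

    // Corrected extraction from the report: drop only the trailing '*'.
    static String fixedPrefix(String[] parts) {
        return parts[0].substring(0, parts[0].length() - 1);
    }

    // Simplified matcher (assumption, not the library's code): the host must
    // start with the literal prefix, end with everything after the first
    // label, and have the same number of labels as the pattern.
    static boolean matches(String host, String cn, boolean useFix) {
        String h = host.toLowerCase(Locale.ROOT);
        String c = cn.toLowerCase(Locale.ROOT);
        String[] parts = c.split("\\.");
        if (parts.length < 3 || !parts[0].endsWith("*")) {
            return h.equals(c); // no usable wildcard: exact match only
        }
        String prefix = "";     // a bare "*" label has no literal prefix
        if (parts[0].length() > 1) {
            prefix = useFix ? fixedPrefix(parts) : buggyPrefix(parts);
        }
        String suffix = c.substring(parts[0].length());
        return h.split("\\.").length == parts.length
                && h.length() >= prefix.length() + suffix.length()
                && h.startsWith(prefix)
                && h.endsWith(suffix);
    }

    public static void main(String[] args) {
        String cn = "server*.example.com"; // constructed sample CN
        String[] hosts = {"server1.example.com", "smtp.example.com", "www.example.com"};
        System.out.println("buggy prefix: \"" + buggyPrefix(cn.split("\\.")) + "\"");
        System.out.println("fixed prefix: \"" + fixedPrefix(cn.split("\\.")) + "\"");
        for (String host : hosts) {
            System.out.printf("%-22s buggy=%-5b fixed=%b%n",
                    host, matches(host, cn, false), matches(host, cn, true));
        }
    }
}
```

For the constructed CN `server*.example.com` the quoted line yields the prefix `s` where the corrected line yields `server`, so the buggy variant accepts `smtp.example.com` and the corrected one does not. A pair of assertions on those two host names makes a compact regression test for the fix.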


