From 89614287921dd9d15f085f6b48a11ef6502c3811 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Sep 03 2014 17:27:32 +0000
Subject: import httpcomponents-client-4.2.5-5.el7_0

---
diff --git a/SOURCES/0001-Fix-CVE-2014-3577.patch b/SOURCES/0001-Fix-CVE-2014-3577.patch
new file mode 100644
index 0000000..6ed428a
--- /dev/null
+++ b/SOURCES/0001-Fix-CVE-2014-3577.patch
@@ -0,0 +1,140 @@
+From 3e3515b42a5c782219ba898f9cb79812c8895349 Mon Sep 17 00:00:00 2001
+From: Michal Srb
+Date: Tue, 12 Aug 2014 14:07:29 +0200
+Subject: [PATCH] Fix CVE-2014-3577
+
+---
+ .../org/apache/http/conn/ssl/AbstractVerifier.java | 87 +++++++++++-----------
+ 1 file changed, 44 insertions(+), 43 deletions(-)
+
+diff --git a/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java b/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
+index a7cad68..7245781 100644
+--- a/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
++++ b/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
+@@ -28,7 +28,6 @@
+ package org.apache.http.conn.ssl;
+ 
+ import org.apache.http.annotation.Immutable;
+-
+ import org.apache.http.conn.util.InetAddressUtils;
+ 
+ import java.io.IOException;
+@@ -36,14 +35,21 @@ import java.io.InputStream;
+ import java.security.cert.Certificate;
+ import java.security.cert.CertificateParsingException;
+ import java.security.cert.X509Certificate;
++import java.util.ArrayList;
+ import java.util.Arrays;
+ import java.util.Collection;
+ import java.util.Iterator;
+ import java.util.LinkedList;
+ import java.util.List;
+ import java.util.Locale;
+-import java.util.StringTokenizer;
+-
++import java.util.NoSuchElementException;
++
++import javax.naming.InvalidNameException;
++import javax.naming.NamingException;
++import javax.naming.directory.Attribute;
++import javax.naming.directory.Attributes;
++import javax.naming.ldap.LdapName;
++import javax.naming.ldap.Rdn;
+ import javax.net.ssl.SSLException;
+ import javax.net.ssl.SSLSession;
+ import javax.net.ssl.SSLSocket;
+@@ -142,7 +148,8 @@ public abstract class AbstractVerifier implements X509HostnameVerifier {
+ 
+ public final void verify(String host, X509Certificate cert)
+ throws SSLException {
+- String[] cns = getCNs(cert);
++ final String subjectPrincipal = cert.getSubjectX500Principal().toString();
++ final String[] cns = extractCNs(subjectPrincipal);
+ String[] subjectAlts = getSubjectAlts(cert, host);
+ verify(host, cns, subjectAlts);
+ }
+@@ -236,48 +243,42 @@ public abstract class AbstractVerifier implements X509HostnameVerifier {
+ return Arrays.binarySearch(BAD_COUNTRY_2LDS, parts[1]) < 0;
+ }
+ 
+- public static String[] getCNs(X509Certificate cert) {
+- LinkedList cnList = new LinkedList();
+- /*
+- Sebastian Hauer's original StrictSSLProtocolSocketFactory used
+- getName() and had the following comment:
+-
+- Parses a X.500 distinguished name for the value of the
+- "Common Name" field. This is done a bit sloppy right
+- now and should probably be done a bit more according to
+- RFC 2253.
+-
+- I've noticed that toString() seems to do a better job than
+- getName() on these X500Principal objects, so I'm hoping that
+- addresses Sebastian's concern.
+-
+- For example, getName() gives me this:
+- 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
+-
+- whereas toString() gives me this:
+- EMAILADDRESS=juliusdavies@cucbc.com
+-
+- Looks like toString() even works with non-ascii domain names!
+- I tested it with "花子.co.jp" and it worked fine.
+- */
+-
+- String subjectPrincipal = cert.getSubjectX500Principal().toString();
+- StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
+- while(st.hasMoreTokens()) {
+- String tok = st.nextToken().trim();
+- if (tok.length() > 3) {
+- if (tok.substring(0, 3).equalsIgnoreCase("CN=")) {
+- cnList.add(tok.substring(3));
+- }
+- }
++ public static String[] getCNs(final X509Certificate cert) {
++ final String subjectPrincipal = cert.getSubjectX500Principal().toString();
++ try {
++ return extractCNs(subjectPrincipal);
++ } catch (SSLException ex) {
++ return null;
+ }
+- if(!cnList.isEmpty()) {
+- String[] cns = new String[cnList.size()];
+- cnList.toArray(cns);
+- return cns;
+- } else {
++ }
++
++ static String[] extractCNs(final String subjectPrincipal) throws SSLException {
++ if (subjectPrincipal == null) {
+ return null;
+ }
++ final List cns = new ArrayList();
++ try {
++ final LdapName subjectDN = new LdapName(subjectPrincipal);
++ final List rdns = subjectDN.getRdns();
++ for (int i = rdns.size() - 1; i >= 0; i--) {
++ final Rdn rds = rdns.get(i);
++ final Attributes attributes = rds.toAttributes();
++ final Attribute cn = attributes.get("cn");
++ if (cn != null) {
++ try {
++ final Object value = cn.get();
++ if (value != null) {
++ cns.add(value.toString());
++ }
++ } catch (NoSuchElementException ignore) {
++ } catch (NamingException ignore) {
++ }
++ }
++ }
++ } catch (InvalidNameException e) {
++ throw new SSLException(subjectPrincipal + " is not a valid X500 distinguished name");
++ }
++ return cns.isEmpty() ? null : cns.toArray(new String[cns.size()]);
+ }
+ 
+ /**
+-- 
+1.9.3
+
diff --git a/SPECS/httpcomponents-client.spec b/SPECS/httpcomponents-client.spec
index a454368..13d73cd 100644
--- a/SPECS/httpcomponents-client.spec
+++ b/SPECS/httpcomponents-client.spec
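Review bot: In extractCNs the `catch (InvalidNameException e)` rethrows as an SSLException built from the message alone, so the LdapName parse failure that actually rejected the DN is dropped from the stack trace; pass it as the cause: `throw new SSLException(subjectPrincipal + " is not a valid X500 distinguished name", e);`. The two empty catch blocks around `cn.get()` are unexplained, and a one-line comment such as `// a CN whose value cannot be read is skipped rather than failing the whole DN` would make clear that skipping is deliberate. getCNs now returns null both for a DN with no CN and for an unparsable DN, while verify(String, X509Certificate) goes through extractCNs directly and fails closed on the latter; a Javadoc sentence on getCNs stating that null also covers an invalid DN would keep the two entry points from being confused by callers. The generic parameters on the `List` declarations look stripped by extraction rather than absent, so I have not raised raw types.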
@@ -3,11 +3,12 @@ Name: httpcomponents-client Summary: HTTP agent implementation based on httpcomponents HttpCore Version: 4.2.5 -Release: 4%{?dist} +Release: 5%{?dist} Group: Development/Libraries License: ASL 2.0 URL: http://hc.apache.org/ Source0: http://archive.apache.org/dist/httpcomponents/httpclient/source/%{name}-%{version}-src.tar.gz +Patch0: 0001-Fix-CVE-2014-3577.patch BuildArch: noarch @@ -41,6 +42,8 @@ Group: Documentation %prep %setup -q +%patch0 -p1 + # Remove optional build deps not available in Fedora %pom_disable_module httpclient-cache %pom_disable_module httpclient-osgi @@ -122,6 +125,10 @@ done %doc LICENSE.txt NOTICE.txt %changelog +* Tue Aug 12 2014 Michal Srb - 4.2.5-5 +- Fix MITM security vulnerability +- Resolves: CVE-2014-3577 + * Fri Dec 27 2013 Daniel Mach - 4.2.5-4 - Mass rebuild 2013-12-27