Bug 758302 (CVE-2020-13956)

Summary: <dev-java/httpclient-4.5.13: Possible host impersonation vulnerability (CVE-2020-13956)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: minor
CC: fordfrog, java
Priority: Normal
Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://lists.apache.org/thread.html/r6dab7da30f8bf075f79ee189e33b45a197502e2676481bb8787fc0d7%40%3Cdev.hc.apache.org%3E
See Also: https://github.com/gentoo/gentoo/pull/21197
https://github.com/gentoo/gentoo/pull/22910
https://github.com/gentoo/gentoo/pull/23703
Whiteboard: B4 [glsa? cleanup]
Package list:
dev-java/commons-httpclient-4.5.13-r1 dev-java/httpcore-4.4.14
Runtime testing required: ---
Bug Depends on: 804528    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-03 16:52:29 UTC
Description:
"Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can
misinterpret malformed authority component in request URIs passed to
the library as java.net.URI object and pick the wrong target host for
request execution."
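The CVE text above describes a client that falls back to its own parsing when java.net.URI cannot split the authority component into host and port. A defensive check a caller can apply before handing a URI to any HTTP client is to require that java.net.URI itself resolved a host, and to refuse the request otherwise. The following is an added example, not code from Gentoo, Apache HttpClient or this bug; the class name StrictRequestUri and the sample inputs are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Added example (hypothetical helper, not part of any project on this page):
 * accept a request URI only if java.net.URI parsed a server-based authority
 * (host[:port]) from it. When getHost() returns null the JDK treated the
 * authority as registry-based, i.e. it could not tell which part is the host,
 * and a client library that re-parses the raw authority on its own may pick a
 * different target than the caller expects.
 */
public final class StrictRequestUri {

    private StrictRequestUri() {}

    /** Returns the parsed URI, or throws if no host could be determined. */
    public static URI requireServerAuthority(String raw) throws URISyntaxException {
        URI uri = new URI(raw);

        // Only http and https are handled in this example.
        String scheme = uri.getScheme();
        if (scheme == null
                || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            throw new URISyntaxException(raw, "unsupported scheme: " + scheme);
        }

        // getHost() is null when the authority is not server-based; refuse it
        // rather than letting a downstream component guess the host.
        String host = uri.getHost();
        if (host == null || host.isEmpty()) {
            throw new URISyntaxException(raw,
                    "authority is not a parseable host[:port]: " + uri.getRawAuthority());
        }
        return uri;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the hostnames are placeholders.
        String[] samples = {
            "https://example.org/index.html",            // accepted, host=example.org
            "https://user@example.org:8443/",            // accepted, userinfo stripped, host=example.org
            "https://example.org@attacker.example/",     // accepted by the JDK, but host=attacker.example
            "https://example.org@@attacker.example/"     // registry-based authority, host=null: rejected
        };
        for (String s : samples) {
            try {
                URI ok = requireServerAuthority(s);
                System.out.println("OK   " + s + " -> host=" + ok.getHost() + " port=" + ok.getPort());
            } catch (URISyntaxException e) {
                System.out.println("DENY " + s + " : " + e.getReason());
            }
        }
    }
}
```

The third sample is accepted because it is a well-formed URI whose userinfo happens to look like a hostname; logging the host that java.net.URI actually resolved, as the example does, is what makes that kind of input visible in review. The fourth sample is the shape the check is for: the JDK gives up on host/port extraction, so the caller rejects it instead of passing the raw authority on.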
Comment 1 Larry the Git Cow gentoo-dev 2021-07-10 11:01:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=74381de068c890ea97defeeae91ee47f0233f415

commit 74381de068c890ea97defeeae91ee47f0233f415
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2021-06-08 18:25:02 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-07-10 11:01:10 +0000

    dev-java/commons-httpclient: bump to 4.5.13
    
    Bug: https://bugs.gentoo.org/758302
    
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/21197/commits/282b2f490a05b41948ba1b53c856a60c7db58e03
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/commons-httpclient/Manifest               |  1 +
 .../commons-httpclient-4.5.13.ebuild               | 73 ++++++++++++++++++++++
 2 files changed, 74 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-10 12:40:42 UTC
Thank you! Please stable when ready
Comment 3 NATTkA bot gentoo-dev 2021-07-10 12:44:34 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-16 06:36:29 UTC Comment hidden (obsolete)
Comment 5 Miroslav Šulc gentoo-dev 2021-07-16 06:39:34 UTC
it can go stable, but we still have deps on the old version (3.1-r2 atm).
Comment 6 NATTkA bot gentoo-dev 2021-07-16 06:44:35 UTC Comment hidden (obsolete)
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-16 21:41:31 UTC
x86 done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-19 18:35:17 UTC
amd64 done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-26 06:24:36 UTC
ppc64 done

all arches done
Comment 10 Volkmar W. Pogatzki 2022-01-08 16:52:41 UTC
This bug report is assigned to the wrong package. 

In https://archive.apache.org/dist/httpcomponents/ there are
* commons-httpclient
* httpclient

The CVE mentioned in #c0 is about 'httpclient', not about the other.
dev-java/commons-httpclient-3.1:3 is not affected.
Comment 11 Volkmar W. Pogatzki 2022-01-08 17:18:45 UTC
Adjusting summary.
Comment 12 NATTkA bot gentoo-dev 2022-02-09 01:29:21 UTC
Keywords are not fully specified and arches are not CC-ed for the following packages:

- =dev-java/commons-httpclient-4.5.13-r1
Comment 13 Larry the Git Cow gentoo-dev 2022-02-20 18:05:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d18d1aae66cb6aebbe9c278c43330ba6f16ee984

commit d18d1aae66cb6aebbe9c278c43330ba6f16ee984
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-01-08 17:44:20 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2022-02-20 18:03:26 +0000

    dev-java/httpcomponents-client: New package
    
    Split from dev-java/commons-httpclient
    Bug: https://bugs.gentoo.org/758302
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 dev-java/httpcomponents-client/Manifest            |  1 +
 .../httpcomponents-client-4.5.13-r1.ebuild         | 74 ++++++++++++++++++++++
 dev-java/httpcomponents-client/metadata.xml        | 10 +++
 3 files changed, 85 insertions(+)
Comment 14 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-20 20:16:12 UTC
(In reply to Volkmar W. Pogatzki from comment #10)
> This bug report is assigned to the wrong package. 
> 
> In https://archive.apache.org/dist/httpcomponents/ there are
> * commons-httpclient
> * httpclient
> 
> The CVE mentioned in #c0 is about 'httpclient', not about the other.
> dev-java/commons-httpclient-3.1:3 is not affected.

Closing as invalid, thanks!