[smack/f20] fix for CVE-2014-5075 (rhbz#1127277)
gil
gil at fedoraproject.org
Thu Aug 21 11:40:15 UTC 2014
commit 7a15ed3f2b9e563a511d2184a6779de4454bdb50
Author: gil <puntogil at libero.it>
Date: Thu Aug 21 13:40:06 2014 +0200
fix for CVE-2014-5075 (rhbz#1127277)
smack-3.2.2-CVE-2014-5075.patch | 118 +++++++++++++++++++++++++++++++++++++++
smack.spec | 48 +++++-----------
2 files changed, 133 insertions(+), 33 deletions(-)
---
diff --git a/smack-3.2.2-CVE-2014-5075.patch b/smack-3.2.2-CVE-2014-5075.patch
new file mode 100644
index 0000000..894ba4a
--- /dev/null
+++ b/smack-3.2.2-CVE-2014-5075.patch
@@ -0,0 +1,118 @@
+diff -Nru smack_src_3_2_2/source/org/jivesoftware/smack/ConnectionConfiguration.java smack_src_3_2_2-gil/source/org/jivesoftware/smack/ConnectionConfiguration.java
+--- smack_src_3_2_2/source/org/jivesoftware/smack/ConnectionConfiguration.java 2012-02-05 03:02:30.000000000 +0100
++++ smack_src_3_2_2-gil/source/org/jivesoftware/smack/ConnectionConfiguration.java 2014-08-21 11:51:58.857471586 +0200
+@@ -24,6 +24,7 @@
+ import org.jivesoftware.smack.util.DNSUtil;
+
+ import javax.net.SocketFactory;
++import javax.net.ssl.HostnameVerifier;
+ import javax.security.auth.callback.CallbackHandler;
+ import java.io.File;
+
+@@ -83,6 +84,8 @@
+ private boolean sendPresence = true;
+ private boolean rosterLoadedAtLogin = true;
+ private SecurityMode securityMode = SecurityMode.enabled;
++
++ private HostnameVerifier hostnameVerifier;
+
+ // Holds the proxy information (such as proxyhost, proxyport, username, password etc)
+ protected ProxyInfo proxy;
+@@ -486,6 +489,29 @@
+ this.notMatchingDomainCheckEnabled = notMatchingDomainCheckEnabled;
+ }
+
++ /**
++ * Set the HostnameVerifier used to verify the hostname of SSLSockets used by XMPP connections
++ * created with this ConnectionConfiguration.
++ *
++ * @param verifier
++ */
++ public void setHostnameVerifier(HostnameVerifier verifier) {
++ hostnameVerifier = verifier;
++ }
++
++ /**
++ * Returns the configured HostnameVerifier of this ConnectionConfiguration or the Smack default
++ * HostnameVerifier configured with
++ * {@link SmackConfiguration#setDefaultHostnameVerifier(HostnameVerifier)}.
++ *
++ * @return a configured HostnameVerifier or <code>null</code>
++ */
++ public HostnameVerifier getHostnameVerifier() {
++ if (hostnameVerifier != null)
++ return hostnameVerifier;
++ return SmackConfiguration.getDefaultHostnameVerifier();
++ }
++
+ /**
+ * Returns true if the connection is going to use stream compression. Stream compression
+ * will be requested after TLS was established (if TLS was enabled) and only if the server
+diff -Nru smack_src_3_2_2/source/org/jivesoftware/smack/SmackConfiguration.java smack_src_3_2_2-gil/source/org/jivesoftware/smack/SmackConfiguration.java
+--- smack_src_3_2_2/source/org/jivesoftware/smack/SmackConfiguration.java 2012-02-05 03:02:30.000000000 +0100
++++ smack_src_3_2_2-gil/source/org/jivesoftware/smack/SmackConfiguration.java 2014-08-21 12:11:59.517268422 +0200
+@@ -27,6 +27,8 @@
+ import java.net.URL;
+ import java.util.*;
+
++import javax.net.ssl.HostnameVerifier;
++
+ /**
+ * Represents the configuration of Smack. The configuration is used for:
+ * <ul>
+@@ -53,6 +55,8 @@
+ private static boolean localSocks5ProxyEnabled = true;
+ private static int localSocks5ProxyPort = 7777;
+ private static int packetCollectorSize = 5000;
++
++ private static HostnameVerifier defaultHostnameVerififer;
+
+ private SmackConfiguration() {
+ }
+@@ -341,4 +345,24 @@
+ }
+ return loaders.toArray(new ClassLoader[loaders.size()]);
+ }
++
++ /**
++ * Set the default HostnameVerifier that will be used by XMPP connections to verify the hostname
++ * of a TLS certificate. XMPP connections are able to overwrite this settings by supplying a
++ * HostnameVerifier in their ConnecitonConfiguration with
++ * {@link ConnectionConfiguration#setHostnameVerifier(HostnameVerifier)}.
++ */
++ public static void setDefaultHostnameVerifier(HostnameVerifier verifier) {
++ defaultHostnameVerififer = verifier;
++ }
++
++ /**
++ * Get the default HostnameVerifier
++ *
++ * @return the default HostnameVerifier or <code>null</code> if none was set
++ */
++ static HostnameVerifier getDefaultHostnameVerifier() {
++ return defaultHostnameVerififer;
++ }
++
+ }
+diff -Nru smack_src_3_2_2/source/org/jivesoftware/smack/XMPPConnection.java smack_src_3_2_2-gil/source/org/jivesoftware/smack/XMPPConnection.java
+--- smack_src_3_2_2/source/org/jivesoftware/smack/XMPPConnection.java 2012-02-05 03:02:30.000000000 +0100
++++ smack_src_3_2_2-gil/source/org/jivesoftware/smack/XMPPConnection.java 2014-08-21 11:54:16.348600438 +0200
+@@ -26,6 +26,7 @@
+ import org.jivesoftware.smack.packet.XMPPError;
+ import org.jivesoftware.smack.util.StringUtils;
+
++import javax.net.ssl.HostnameVerifier;
+ import javax.net.ssl.KeyManager;
+ import javax.net.ssl.KeyManagerFactory;
+ import javax.net.ssl.SSLContext;
+@@ -804,6 +805,10 @@
+ initReaderAndWriter();
+ // Proceed to do the handshake
+ ((SSLSocket) socket).startHandshake();
++ // Verify the server hostname
++ HostnameVerifier verifier = this.config.getHostnameVerifier();
++ if (verifier != null && !verifier.verify(getServiceName(), ((SSLSocket) socket).getSession()))
++ throw new XMPPException("Server could not authenticate as '" + getServiceName() + "'.");
+ //if (((SSLSocket) socket).getWantClientAuth()) {
+ // System.err.println("Connection wants client auth");
+ //}
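Review bot: The verification added in the XMPPConnection part of the patch is fail-open: `getHostnameVerifier()` returns `null` whenever neither `ConnectionConfiguration.setHostnameVerifier` nor `SmackConfiguration.setDefaultHostnameVerifier` has been called, and the `verifier != null &&` guard then skips hostname verification altogether, so an application that does not opt in keeps the unverified-hostname behaviour this commit is meant to fix. If compatibility allows, fail closed instead, `if (verifier == null || !verifier.verify(getServiceName(), ((SSLSocket) socket).getSession()))`; otherwise at least state in the `getHostnameVerifier` Javadoc that a `null` result means no hostname check is performed, so integrators know they must configure one. The new static field is misspelled `defaultHostnameVerififer` in its declaration and both accessors, and the Javadoc leaves `@param verifier` empty on `setHostnameVerifier`, omits `@param` on `setDefaultHostnameVerifier`, and spells `ConnecitonConfiguration`. The added `if` with an unbraced `throw` body would read more safely with braces; the enclosing method in XMPPConnection starts and ends outside the hunk.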
diff --git a/smack.spec b/smack.spec
index 8bd51e4..269b26e 100644
--- a/smack.spec
+++ b/smack.spec
@@ -1,9 +1,8 @@
%global pkg_version %(echo %version | tr . _)
Name: smack
Version: 3.2.2
-Release: 4%{?dist}
+Release: 5%{?dist}
Summary: Open Source XMPP (Jabber) client library
-Group: Development/Libraries
License: ASL 2.0
URL: http://www.igniterealtime.org/projects/smack/index.jsp
# http://svn.igniterealtime.org/svn/repos/smack/tags/
@@ -37,10 +36,10 @@ Source4: %{name}-%{version}-test-config-test-case.xml
# fix javadoc link
# fix build/javadoc/tests classpath
Patch0: %{name}-%{version}-build.patch
+Patch1: %{name}-3.2.2-CVE-2014-5075.patch
-BuildRequires: java-devel
BuildRequires: java-javadoc
-BuildRequires: jpackage-utils
+BuildRequires: javapackages-local
BuildRequires: ant
BuildRequires: ant-contrib
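Review bot: `Patch1: %{name}-3.2.2-CVE-2014-5075.patch` hard-codes the version where the neighbouring `Patch0: %{name}-%{version}-build.patch` uses the macro; the name matches the file added in this commit, but writing `Patch1: %{name}-%{version}-CVE-2014-5075.patch` keeps the two lines consistent. A one-line comment above it in the style of the existing `# fix ...` lines, e.g. `# add opt-in TLS hostname verification (CVE-2014-5075, rhbz#1127277)`, would document why the patch exists. Dropping `BuildRequires: java-devel` in the same hunk presumably relies on `javapackages-local` pulling in a JDK; worth confirming with a scratch build.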
@@ -50,12 +49,8 @@ BuildRequires: junit
BuildRequires: jzlib
BuildRequires: xmlunit
BuildRequires: xpp3
+BuildRequires: mvn(org.sonatype.oss:oss-parent)
-Requires: jzlib
-Requires: xpp3
-
-Requires: java
-Requires: jpackage-utils
BuildArch: noarch
%description
@@ -66,9 +61,7 @@ to simple XMPP integrations such as sending notification messages and
presence-enabling devices.
%package javadoc
-Group: Documentation
Summary: Javadoc for %{name}
-Requires: jpackage-utils
%description javadoc
This package contains javadoc for %{name}.
@@ -84,6 +77,7 @@ find . -name "*.jar" -print -delete
rm -rf javadoc/* documentation/*
%patch0 -p0
+%patch1 -p1
mkdir -p test/config
cp -p %{SOURCE4} test/config/test-case.xml
@@ -113,35 +107,23 @@ rm -r test/org/jivesoftware/smack/ChatTest.java \
%ant -f build/build.xml jar javadoc test
%install
+%mvn_artifact %{SOURCE1} target/%{name}.jar
+%mvn_artifact %{SOURCE2} target/%{name}x.jar
+%mvn_artifact %{SOURCE3} target/%{name}x-debug.jar
+%mvn_alias : jivesoftware:
+%mvn_install -J target/javadoc
-mkdir -p %{buildroot}%{_javadir}/%{name}
-install -pm 644 target/%{name}.jar %{buildroot}%{_javadir}/%{name}/
-install -pm 644 target/%{name}x.jar %{buildroot}%{_javadir}/%{name}/
-install -pm 644 target/%{name}x-debug.jar %{buildroot}%{_javadir}/%{name}/
-
-mkdir -p %{buildroot}%{_mavenpomdir}
-install -pm 644 %{SOURCE1} %{buildroot}%{_mavenpomdir}/JPP.%{name}-%{name}.pom
-%add_maven_depmap JPP.%{name}-%{name}.pom %{name}/%{name}.jar -a "jivesoftware:%{name}"
-install -pm 644 %{SOURCE2} %{buildroot}%{_mavenpomdir}/JPP.%{name}-%{name}x.pom
-%add_maven_depmap JPP.%{name}-%{name}x.pom %{name}/%{name}x.jar -a "jivesoftware:%{name}x"
-install -pm 644 %{SOURCE3} %{buildroot}%{_mavenpomdir}/JPP.%{name}-%{name}x-debug.pom
-%add_maven_depmap JPP.%{name}-%{name}x-debug.pom %{name}/%{name}x-debug.jar -a "jivesoftware:%{name}x-debug"
-
-mkdir -p %{buildroot}%{_javadocdir}/%{name}
-cp -rp target/javadoc/* %{buildroot}%{_javadocdir}/%{name}
-
-%files
+%files -f .mfiles
%dir %{_javadir}/%{name}
-%{_javadir}/%{name}/%{name}*.jar
-%{_mavenpomdir}/JPP.%{name}-%{name}*.pom
-%{_mavendepmapfragdir}/%{name}
%doc README.html changelog.html
-%files javadoc
-%{_javadocdir}/%{name}
+%files javadoc -f .mfiles-javadoc
%doc README.html
%changelog
+* Thu Aug 21 2014 gil cattaneo <puntogil at libero.it> 3.2.2-5
+- fix for CVE-2014-5075 (rhbz#1127277)
+
* Sun Aug 04 2013 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 3.2.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
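Review bot: `%dir %{_javadir}/%{name}` is kept under `%files -f .mfiles` although, as far as I recall, `%mvn_install` already lists the jar directory in the generated `.mfiles`; if rpmbuild warns that the directory is listed twice, drop the `%dir` line. The changelog entry names the CVE but not what the update changes; `- add HostnameVerifier support, fix for CVE-2014-5075 (rhbz#1127277)` would tell users what the patch enables and that it has to be configured.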