rpms/gnutls/F-11 gnutls-2.6.6-cve-2009-2730.patch, NONE, 1.1 gnutls.spec, 1.43, 1.44
Tomáš Mráz
tmraz at fedoraproject.org
Fri Aug 14 11:59:04 UTC 2009
Author: tmraz
Update of /cvs/pkgs/rpms/gnutls/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19358
Modified Files:
gnutls.spec
Added Files:
gnutls-2.6.6-cve-2009-2730.patch
Log Message:
* Fri Aug 14 2009 Tomas Mraz <tmraz at redhat.com> 2.6.6-2
- fix CVE-2009-2730 - handling of NUL chars in certificate
CNs and SANs
gnutls-2.6.6-cve-2009-2730.patch:
gnutls_str.c | 24 +++++++++++++++---------
gnutls_str.h | 2 +-
openpgp/pgp.c | 2 +-
x509/common.c | 38 ++++++++++++++++++++++----------------
x509/output.c | 31 +++++++++++++++++++++++++++++++
x509/rfc2818_hostname.c | 6 +++---
6 files changed, 73 insertions(+), 30 deletions(-)
--- NEW FILE gnutls-2.6.6-cve-2009-2730.patch ---
diff -up gnutls-2.6.6/lib/gnutls_str.c.decoding gnutls-2.6.6/lib/gnutls_str.c
--- gnutls-2.6.6/lib/gnutls_str.c.decoding 2009-04-24 00:01:23.000000000 +0200
+++ gnutls-2.6.6/lib/gnutls_str.c 2009-08-14 13:55:31.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2002, 2004, 2005, 2007, 2008 Free Software Foundation
+ * Copyright (C) 2002, 2004, 2005, 2007, 2008, 2009 Free Software Foundation
*
* Author: Nikos Mavrogiannopoulos
*
@@ -330,17 +330,22 @@ _gnutls_hex2bin (const opaque * hex_data
/* compare hostname against certificate, taking account of wildcards
* return 1 on success or 0 on error
+ *
+ * note: certnamesize is required as X509 certs can contain embedded NULs in
+ * the strings such as CN or subjectAltName
*/
int
-_gnutls_hostname_compare (const char *certname, const char *hostname)
+_gnutls_hostname_compare (const char *certname,
+ size_t certnamesize,
+ const char *hostname)
{
/* find the first different character */
for (; *certname && *hostname && toupper (*certname) == toupper (*hostname);
- certname++, hostname++)
+ certname++, hostname++, certnamesize--)
;
/* the strings are the same */
- if (strlen (certname) == 0 && strlen (hostname) == 0)
+ if (certnamesize == 0 && *hostname == '\0')
return 1;
if (*certname == '*')
@@ -348,15 +353,16 @@ _gnutls_hostname_compare (const char *ce
/* a wildcard certificate */
certname++;
+ certnamesize--;
while (1)
{
/* Use a recursive call to allow multiple wildcards */
- if (_gnutls_hostname_compare (certname, hostname))
- {
- return 1;
- }
- /* wildcards are only allowed to match a single domain component or component fragment */
+ if (_gnutls_hostname_compare (certname, certnamesize, hostname))
+ return 1;
+
+ /* wildcards are only allowed to match a single domain
+ component or component fragment */
if (*hostname == '\0' || *hostname == '.')
break;
hostname++;
diff -up gnutls-2.6.6/lib/gnutls_str.h.decoding gnutls-2.6.6/lib/gnutls_str.h
--- gnutls-2.6.6/lib/gnutls_str.h.decoding 2009-04-24 00:01:23.000000000 +0200
+++ gnutls-2.6.6/lib/gnutls_str.h 2009-08-14 13:54:25.000000000 +0200
@@ -68,7 +68,7 @@ char *_gnutls_bin2hex (const void *old,
int _gnutls_hex2bin (const opaque * hex_data, int hex_size, opaque * bin_data,
size_t * bin_size);
-int _gnutls_hostname_compare (const char *certname, const char *hostname);
+int _gnutls_hostname_compare (const char *certname, size_t certnamesize, const char *hostname);
#define MAX_CN 256
#endif
diff -up gnutls-2.6.6/lib/openpgp/pgp.c.decoding gnutls-2.6.6/lib/openpgp/pgp.c
--- gnutls-2.6.6/lib/openpgp/pgp.c.decoding 2009-04-18 13:09:50.000000000 +0200
+++ gnutls-2.6.6/lib/openpgp/pgp.c 2009-08-14 13:54:25.000000000 +0200
@@ -570,7 +570,7 @@ gnutls_openpgp_crt_check_hostname (gnutl
if (ret == 0)
{
- if (_gnutls_hostname_compare (dnsname, hostname))
+ if (_gnutls_hostname_compare (dnsname, dnsnamesize, hostname))
return 1;
}
}
diff -up gnutls-2.6.6/lib/x509/common.c.decoding gnutls-2.6.6/lib/x509/common.c
--- gnutls-2.6.6/lib/x509/common.c.decoding 2009-04-24 00:01:23.000000000 +0200
+++ gnutls-2.6.6/lib/x509/common.c 2009-08-14 13:48:53.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation
+ * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation
*
* Author: Nikos Mavrogiannopoulos
*
@@ -242,6 +242,10 @@ _gnutls_x509_oid_data2string (const char
{
str[len] = 0;
+ /* Refuse to deal with strings containing NULs. */
+ if (strlen (str) != len)
+ return GNUTLS_E_ASN1_DER_ERROR;
+
if (res)
_gnutls_str_cpy (res, *res_size, str);
*res_size = len;
@@ -291,25 +295,27 @@ _gnutls_x509_oid_data2string (const char
non_printable = 0;
}
- if (res)
+ if (non_printable == 0)
{
- if (non_printable == 0)
- {
- str[len] = 0;
- _gnutls_str_cpy (res, *res_size, str);
- *res_size = len;
- }
- else
+ str[len] = 0;
+
+ /* Refuse to deal with strings containing NULs. */
+ if (strlen (str) != len)
+ return GNUTLS_E_ASN1_DER_ERROR;
+
+ if (res)
+ _gnutls_str_cpy (res, *res_size, str);
+ *res_size = len;
+ }
+ else
+ {
+ result = _gnutls_x509_data2hex (str, len, res, res_size);
+ if (result < 0)
{
- result = _gnutls_x509_data2hex (str, len, res, res_size);
- if (result < 0)
- {
- gnutls_assert ();
- return result;
- }
+ gnutls_assert ();
+ return result;
}
}
-
}
return 0;
diff -up gnutls-2.6.6/lib/x509/output.c.decoding gnutls-2.6.6/lib/x509/output.c
--- gnutls-2.6.6/lib/x509/output.c.decoding 2009-04-24 00:01:23.000000000 +0200
+++ gnutls-2.6.6/lib/x509/output.c 2009-08-14 13:53:19.000000000 +0200
@@ -319,6 +319,17 @@ print_crldist (gnutls_string * str, gnut
return;
}
+ if ((err == GNUTLS_SAN_DNSNAME
+ || err == GNUTLS_SAN_RFC822NAME
+ || err == GNUTLS_SAN_URI) &&
+ strlen (buffer) != size)
+ {
+ adds (str, _("warning: distributionPoint contains an embedded NUL, "
+ "replacing with '!'\n"));
+ while (strlen (buffer) < size)
+ buffer[strlen (buffer)] = '!';
+ }
+
switch (err)
{
case GNUTLS_SAN_DNSNAME:
@@ -476,6 +487,17 @@ print_san (gnutls_string * str, gnutls_x
return;
}
+ if ((err == GNUTLS_SAN_DNSNAME
+ || err == GNUTLS_SAN_RFC822NAME
+ || err == GNUTLS_SAN_URI) &&
+ strlen (buffer) != size)
+ {
+ adds (str, _("warning: SAN contains an embedded NUL, "
+ "replacing with '!'\n"));
+ while (strlen (buffer) < size)
+ buffer[strlen (buffer)] = '!';
+ }
+
switch (err)
{
case GNUTLS_SAN_DNSNAME:
@@ -534,7 +556,16 @@ print_san (gnutls_string * str, gnutls_x
}
if (err == GNUTLS_SAN_OTHERNAME_XMPP)
+ {
+ if (strlen (buffer) != size)
+ {
+ adds (str, _("warning: SAN contains an embedded NUL, "
+ "replacing with '!'\n"));
+ while (strlen (buffer) < size)
+ buffer[strlen (buffer)] = '!';
+ }
addf (str, _("\t\t\tXMPP Address: %.*s\n"), size, buffer);
+ }
else
{
addf (str, _("\t\t\totherName OID: %.*s\n"), oidsize, oid);
diff -up gnutls-2.6.6/lib/x509/rfc2818_hostname.c.decoding gnutls-2.6.6/lib/x509/rfc2818_hostname.c
--- gnutls-2.6.6/lib/x509/rfc2818_hostname.c.decoding 2009-04-18 13:09:50.000000000 +0200
+++ gnutls-2.6.6/lib/x509/rfc2818_hostname.c 2009-08-14 13:54:25.000000000 +0200
@@ -74,7 +74,7 @@ gnutls_x509_crt_check_hostname (gnutls_x
if (ret == GNUTLS_SAN_DNSNAME)
{
found_dnsname = 1;
- if (_gnutls_hostname_compare (dnsname, hostname))
+ if (_gnutls_hostname_compare (dnsname, dnsnamesize, hostname))
{
return 1;
}
@@ -84,7 +84,7 @@ gnutls_x509_crt_check_hostname (gnutls_x
found_dnsname = 1; /* RFC 2818 is unclear whether the CN
should be compared for IP addresses
too, but we won't do it. */
- if (_gnutls_hostname_compare (dnsname, hostname))
+ if (_gnutls_hostname_compare (dnsname, dnsnamesize, hostname))
{
return 1;
}
@@ -104,7 +104,7 @@ gnutls_x509_crt_check_hostname (gnutls_x
return 0;
}
- if (_gnutls_hostname_compare (dnsname, hostname))
+ if (_gnutls_hostname_compare (dnsname, dnsnamesize, hostname))
{
return 1;
}
Index: gnutls.spec
===================================================================
RCS file: /cvs/pkgs/rpms/gnutls/F-11/gnutls.spec,v
retrieving revision 1.43
retrieving revision 1.44
diff -u -p -r1.43 -r1.44
--- gnutls.spec 4 May 2009 14:17:24 -0000 1.43
+++ gnutls.spec 14 Aug 2009 11:59:03 -0000 1.44
@@ -1,7 +1,7 @@
Summary: A TLS protocol implementation
Name: gnutls
Version: 2.6.6
-Release: 1%{?dist}
+Release: 2%{?dist}
# The libgnutls library is LGPLv2+, utilities and remaining libraries are GPLv3+
License: GPLv3+ and LGPLv2+
Group: System Environment/Libraries
@@ -16,6 +16,7 @@ URL: http://www.gnutls.org/
Source0: %{name}-%{version}-nosrp.tar.bz2
Source1: libgnutls-config
Patch1: gnutls-2.6.2-nosrp.patch
+Patch2: gnutls-2.6.6-cve-2009-2730.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: libgcrypt >= 1.2.2
@@ -68,6 +69,7 @@ This package contains Guile bindings for
%prep
%setup -q
%patch1 -p1 -b .nosrp
+%patch2 -p1 -b .decoding
for i in auth_srp_rsa.c auth_srp_sb64.c auth_srp_passwd.c auth_srp.c gnutls_srp.c ext_srp.c; do
touch lib/$i
@@ -149,6 +151,10 @@ fi
%{_datadir}/guile/site/gnutls.scm
%changelog
+* Fri Aug 14 2009 Tomas Mraz <tmraz at redhat.com> 2.6.6-2
+- fix CVE-2009-2730 - handling of NUL chars in certificate
+ CNs and SANs
+
* Mon May 4 2009 Tomas Mraz <tmraz at redhat.com> 2.6.6-1
- upgrade to a new upstream version - security fixes
More information about the fedora-extras-commits
mailing list