
Bug#698604: unblock: haskell-tls-extra/0.4.6.1-1

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Please unblock package haskell-tls-extra

It fixes a security problem where certificates would not be checked
correctly.

I applied a somewhat dirty trick to avoid having to recompile all
depending libraries, so it will be sufficient to just migrate this
package.

Attached is the output of
$ debdiff haskell-tls-extra_0.4.6-1.dsc haskell-tls-extra_0.4.6.1-1.dsc 

unblock haskell-tls-extra/0.4.6.1-1

- -- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.5-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlD8clMACgkQ9ijrk0dDIGzfswCfSV5GVWqfICGw5u/QNFJUq6uN
Nk8An0YaatI6C+4CE6dmiKvjome1PC6P
=vJzl
-----END PGP SIGNATURE-----
diff -Nru haskell-tls-extra-0.4.6/debian/changelog haskell-tls-extra-0.4.6.1/debian/changelog
--- haskell-tls-extra-0.4.6/debian/changelog	2012-05-15 03:03:03.000000000 +0200
+++ haskell-tls-extra-0.4.6.1/debian/changelog	2013-01-20 23:26:26.000000000 +0100
@@ -1,3 +1,15 @@
+haskell-tls-extra (0.4.6.1-1) unstable; urgency=low
+
+  * New upstream release, aimed for wheezy.
+    Closes: #698545, a certificate validation security flaw.
+  * Added patch: patches/pretend-lower-version
+    This upstream release contains a bugfix that does not modify the ABI of
+    the resulting library. To avoid having to recompile its reverse
+    dependencies, we patch the .cabal file to pretend to be still version
+    0.4.6.
+
+ -- Joachim Breitner <nomeata@debian.org>  Sun, 20 Jan 2013 23:26:26 +0100
+
 haskell-tls-extra (0.4.6-1) unstable; urgency=low
 
   * New upstream version.
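Review bot: The claim in the new changelog entry that the upstream bugfix "does not modify the ABI of the resulting library" is the premise the pretend-lower-version trick rests on, and it should be verified rather than asserted: the Certificate.hs hunk in this debdiff rewrites a function body and adds new where-bound helpers, and with GHC the package ABI hash is computed from the interface file, which can change even when no exported type signature changes. Record in the changelog that the ABI hash of the 0.4.6.1 build was compared against the 0.4.6 build, so that the reverse dependencies that are not being rebuilt are known to keep satisfiable dependencies.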
diff -Nru haskell-tls-extra-0.4.6/debian/patches/pretend-lower-version haskell-tls-extra-0.4.6.1/debian/patches/pretend-lower-version
--- haskell-tls-extra-0.4.6/debian/patches/pretend-lower-version	1970-01-01 01:00:00.000000000 +0100
+++ haskell-tls-extra-0.4.6.1/debian/patches/pretend-lower-version	2013-01-20 23:25:56.000000000 +0100
@@ -0,0 +1,16 @@
+This upstream release contains a bugfix that does not modify the ABI of
+the resulting library. To avoid having to recompile its reverse
+dependencies, we patch the .cabal file to pretend to be still version
+0.4.6.
+
+Index: haskell-tls-extra-0.4.6.1/tls-extra.cabal
+===================================================================
+--- haskell-tls-extra-0.4.6.1.orig/tls-extra.cabal	2013-01-20 23:13:58.937092809 +0100
++++ haskell-tls-extra-0.4.6.1/tls-extra.cabal	2013-01-20 23:13:58.933092809 +0100
+@@ -1,5 +1,5 @@
+ Name:                tls-extra
+-Version:             0.4.6.1
++Version:             0.4.6
+ Description:
+    a set of extra definitions, default values and helpers for tls.
+ License:             BSD3
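Review bot: Patching `Version: 0.4.6.1` back to `0.4.6` means the installed library reports a Cabal version that no longer distinguishes the fixed build from the vulnerable one, so nothing downstream can express `tls-extra >= 0.4.6.1` to require the corrected certificate check, and anyone auditing an installed system by Cabal version will see the old number. That is an acceptable trade-off for a freeze upload, but the patch header should state that it is intended for wheezy only and must be dropped in the next upload, and that the Debian package version 0.4.6.1-1 is the reliable indicator that the fix is present.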
diff -Nru haskell-tls-extra-0.4.6/debian/patches/series haskell-tls-extra-0.4.6.1/debian/patches/series
--- haskell-tls-extra-0.4.6/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ haskell-tls-extra-0.4.6.1/debian/patches/series	2013-01-20 23:13:34.000000000 +0100
@@ -0,0 +1 @@
+pretend-lower-version
diff -Nru haskell-tls-extra-0.4.6/Network/TLS/Extra/Certificate.hs haskell-tls-extra-0.4.6.1/Network/TLS/Extra/Certificate.hs
--- haskell-tls-extra-0.4.6/Network/TLS/Extra/Certificate.hs	2012-04-19 22:41:22.000000000 +0200
+++ haskell-tls-extra-0.4.6.1/Network/TLS/Extra/Certificate.hs	2013-01-20 15:49:28.000000000 +0100
@@ -73,14 +73,31 @@
 			validChain <- certificateVerifyAgainst x sysx509
 			if validChain
 				then return CertificateUsageAccept
-				else return $ CertificateUsageReject (CertificateRejectOther "chain doesn't match each other")
+				else return certificateChainDoesntMatch
 		Nothing      -> case xs of
 			[] -> return $ CertificateUsageReject CertificateRejectUnknownCA
-			_  -> do
-				validChain <- certificateVerifyAgainst x (head xs)
-				if validChain
-					then certificateVerifyChain_ xs
-					else return $ CertificateUsageReject (CertificateRejectOther "chain doesn't match each other")
+			cert:_ -> do
+				let exts = certExtensions (x509Cert cert)
+				case checkCA exts of
+					Just r  -> return r
+					Nothing -> do
+						validChain <- certificateVerifyAgainst x cert
+						if validChain
+							then certificateVerifyChain_ xs
+							else return certificateChainDoesntMatch
+	where
+		checkCA Nothing   = return $ certificateNotAllowedToSign
+		checkCA (Just es) = do
+			let kuCanCertSign = case extensionGet es of
+				Just (ExtKeyUsage l) -> elem KeyUsage_keyCertSign l
+				Nothing              -> False
+			case extensionGet es of
+				Just (ExtBasicConstraints True)
+					| kuCanCertSign -> Nothing
+					| otherwise     -> Just certificateNotAllowedToSign
+				_                                      -> Just certificateNotAllowedToSign
+		certificateNotAllowedToSign = CertificateUsageReject $ CertificateRejectOther "certificate is not allowed to sign another certificate"
+		certificateChainDoesntMatch = CertificateUsageReject $ CertificateRejectOther "chain doesn't match each other"
 #endif
 
 -- | verify a certificates chain using the system certificates available.
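Review bot: In the new `checkCA` for the `cert:_` branch, an absent KeyUsage extension is treated as a refusal to sign (`Nothing -> False`), so an intermediate carrying `ExtBasicConstraints True` but no KeyUsage extension is rejected; that is stricter than RFC 5280 section 6.1.4, where the keyCertSign bit is checked only if a key usage extension is present, so the choice should be stated in a comment so it is not later mistaken for a bug. Two smaller points: `checkCA Nothing = return $ certificateNotAllowedToSign` relies on `return` in the Maybe monad meaning `Just`, while the `Just es` branch spells out `Just`/`Nothing` explicitly, so `Just certificateNotAllowedToSign` would be clearer; and the check runs only for issuers taken from the presented chain (`xs`), not in the `Just sysx509` branch where the issuer comes from the system store, which is reasonable for trust anchors but worth a comment. The hunk also enforces no path length constraint, so a CA-flagged intermediate is accepted at any depth.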
diff -Nru haskell-tls-extra-0.4.6/tls-extra.cabal haskell-tls-extra-0.4.6.1/tls-extra.cabal
--- haskell-tls-extra-0.4.6/tls-extra.cabal	2012-04-19 22:41:22.000000000 +0200
+++ haskell-tls-extra-0.4.6.1/tls-extra.cabal	2013-01-20 15:49:28.000000000 +0100
@@ -1,5 +1,5 @@
 Name:                tls-extra
-Version:             0.4.6
+Version:             0.4.6.1
 Description:
    a set of extra definitions, default values and helpers for tls.
 License:             BSD3
