[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#587445: CVE-2010-2074



On June 28, 2010 at 7:31PM +0200,
jmm (at debian.org) wrote:

> Package: w3m
> Severity: grave
> Tags: security
>
> Hi,
> several applications fail to correct SSL certificates properly
> and w3m is among them:
> http://www.openwall.com/lists/oss-security/2010/06/14/4
>
> This has been assigned CVE-2010-2074.
>
> The impact of this bug doesn't warrant a DSA, but you can still
> fix in in Lenny through a stable point update:
> http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

OK, I'll upload w3m 0.5.2-2+lenny1 to stable with the attached patch.

 w3m (0.5.2-2+lenny1) stable; urgency=high
 .
   * debian/patches/60_check-null-cn.patch: Patch to check for null bytes
     in CN/subjAltName, provided by Ludwig Nussel. [CVE-2010-2074]

Thanks,
--
Tatsuya Kinoshita
diff -urN w3m-0.5.2-2/debian/changelog w3m-0.5.2/debian/changelog
--- w3m-0.5.2-2/debian/changelog	2010-07-03 20:52:47.000000000 +0900
+++ w3m-0.5.2/debian/changelog	2010-07-03 20:54:45.000000000 +0900
@@ -1,3 +1,10 @@
+w3m (0.5.2-2+lenny1) stable; urgency=high
+
+  * debian/patches/60_check-null-cn.patch: Patch to check for null bytes
+    in CN/subjAltName, provided by Ludwig Nussel. [CVE-2010-2074]
+
+ -- Tatsuya Kinoshita <tats@debian.org>  Sat, 03 Jul 2010 20:53:06 +0900
+
 w3m (0.5.2-2) unstable; urgency=low

   * debian/control:
diff -urN w3m-0.5.2-2/debian/patches/60_check-null-cn.patch w3m-0.5.2/debian/patches/60_check-null-cn.patch
--- w3m-0.5.2-2/debian/patches/60_check-null-cn.patch	1970-01-01 09:00:00.000000000 +0900
+++ w3m-0.5.2/debian/patches/60_check-null-cn.patch	2010-07-03 18:40:03.000000000 +0900
@@ -0,0 +1,57 @@
+Description: Check for null bytes in CN/subjAltName
+Origin: http://www.openwall.com/lists/oss-security/2010/06/14/4
+Author: Ludwig Nussel <ludwig.nussel@suse.de>
+Bug-Debian: http://bugs.debian.org/587445
+
+--- w3m-0.5.2.orig/istream.c
++++ w3m-0.5.2/istream.c
+@@ -447,8 +447,17 @@ ssl_check_cert_ident(X509 * x, char *hos
+
+ 		    if (!seen_dnsname)
+ 			seen_dnsname = Strnew();
++		    /* replace \0 to make full string visible to user */
++		    if (sl != strlen(sn)) {
++			int i;
++			for (i = 0; i < sl; ++i) {
++			    if (!sn[i])
++				sn[i] = '!';
++			}
++		    }
+ 		    Strcat_m_charp(seen_dnsname, sn, " ", NULL);
+-		    if (ssl_match_cert_ident(sn, sl, hostname))
++		    if (sl == strlen(sn) /* catch \0 in SAN */
++			&& ssl_match_cert_ident(sn, sl, hostname))
+ 			break;
+ 		}
+ 	    }
+@@ -466,16 +475,27 @@ ssl_check_cert_ident(X509 * x, char *hos
+     if (match_ident == FALSE && ret == NULL) {
+ 	X509_NAME *xn;
+ 	char buf[2048];
++	int slen;
+
+ 	xn = X509_get_subject_name(x);
+
+-	if (X509_NAME_get_text_by_NID(xn, NID_commonName,
+-				      buf, sizeof(buf)) == -1)
++	slen = X509_NAME_get_text_by_NID(xn, NID_commonName, buf, sizeof(buf));
++	if ( slen == -1)
+ 	    /* FIXME: gettextize? */
+ 	    ret = Strnew_charp("Unable to get common name from peer cert");
+-	else if (!ssl_match_cert_ident(buf, strlen(buf), hostname))
++	else if (slen != strlen(buf)
++		|| !ssl_match_cert_ident(buf, strlen(buf), hostname)) {
++	    /* replace \0 to make full string visible to user */
++	    if (slen != strlen(buf)) {
++		int i;
++		for (i = 0; i < slen; ++i) {
++		    if (!buf[i])
++			buf[i] = '!';
++		}
++	    }
+ 	    /* FIXME: gettextize? */
+ 	    ret = Sprintf("Bad cert ident %s from %s", buf, hostname);
++	}
+ 	else
+ 	    match_ident = TRUE;
+     }
diff -urN w3m-0.5.2-2/debian/patches/series w3m-0.5.2/debian/patches/series
--- w3m-0.5.2-2/debian/patches/series	2010-07-03 20:52:47.000000000 +0900
+++ w3m-0.5.2/debian/patches/series	2010-07-03 20:52:16.000000000 +0900
@@ -1,3 +1,4 @@
 03-w3m.1-debian-fix
 04-ja-w3m.1-debian-fix
 05-config-debian-fix
+60_check-null-cn.patch

Attachment: pgpeqlYLUZYZQ.pgp
Description: PGP signature


Reply to: