On June 28, 2010 at 7:31PM +0200, jmm (at debian.org) wrote:
> Package: w3m
> Severity: grave
> Tags: security
>
> Hi,
> several applications fail to correct SSL certificates properly
> and w3m is among them:
> http://www.openwall.com/lists/oss-security/2010/06/14/4
>
> This has been assigned CVE-2010-2074.
>
> The impact of this bug doesn't warrant a DSA, but you can still
> fix it in Lenny through a stable point update:
> http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

OK, I'll upload w3m 0.5.2-2+lenny1 to stable with the attached patch.

w3m (0.5.2-2+lenny1) stable; urgency=high
.
* debian/patches/60_check-null-cn.patch: Patch to check for null bytes
  in CN/subjAltName, provided by Ludwig Nussel. [CVE-2010-2074]

Thanks,
--
Tatsuya Kinoshita

diff -urN w3m-0.5.2-2/debian/changelog w3m-0.5.2/debian/changelog --- w3m-0.5.2-2/debian/changelog 2010-07-03 20:52:47.000000000 +0900 +++ w3m-0.5.2/debian/changelog 2010-07-03 20:54:45.000000000 +0900 @@ -1,3 +1,10 @@ +w3m (0.5.2-2+lenny1) stable; urgency=high + + * debian/patches/60_check-null-cn.patch: Patch to check for null bytes + in CN/subjAltName, provided by Ludwig Nussel. [CVE-2010-2074] + + -- Tatsuya Kinoshita <tats@debian.org> Sat, 03 Jul 2010 20:53:06 +0900 + w3m (0.5.2-2) unstable; urgency=low * debian/control: diff -urN w3m-0.5.2-2/debian/patches/60_check-null-cn.patch w3m-0.5.2/debian/patches/60_check-null-cn.patch --- w3m-0.5.2-2/debian/patches/60_check-null-cn.patch 1970-01-01 09:00:00.000000000 +0900 +++ w3m-0.5.2/debian/patches/60_check-null-cn.patch 2010-07-03 18:40:03.000000000 +0900 
@@ -0,0 +1,57 @@ +Description: Check for null bytes in CN/subjAltName +Origin: http://www.openwall.com/lists/oss-security/2010/06/14/4 +Author: Ludwig Nussel <ludwig.nussel@suse.de> +Bug-Debian: http://bugs.debian.org/587445 + +--- w3m-0.5.2.orig/istream.c ++++ w3m-0.5.2/istream.c +@@ -447,8 +447,17 @@ ssl_check_cert_ident(X509 * x, char *hos + + if (!seen_dnsname) + seen_dnsname = Strnew(); ++ /* replace \0 to make full string visible to user */ ++ if (sl != strlen(sn)) { ++ int i; ++ for (i = 0; i < sl; ++i) { ++ if (!sn[i]) ++ sn[i] = '!'; ++ } ++ } + Strcat_m_charp(seen_dnsname, sn, " ", NULL); +- if (ssl_match_cert_ident(sn, sl, hostname)) ++ if (sl == strlen(sn) /* catch \0 in SAN */ ++ && ssl_match_cert_ident(sn, sl, hostname)) + break; + } + } +@@ -466,16 +475,27 @@ ssl_check_cert_ident(X509 * x, char *hos + if (match_ident == FALSE && ret == NULL) { + X509_NAME *xn; + char buf[2048]; ++ int slen; + + xn = X509_get_subject_name(x); + +- if (X509_NAME_get_text_by_NID(xn, NID_commonName, +- buf, sizeof(buf)) == -1) ++ slen = X509_NAME_get_text_by_NID(xn, NID_commonName, buf, sizeof(buf)); ++ if ( slen == -1) + /* FIXME: gettextize? */ + ret = Strnew_charp("Unable to get common name from peer cert"); +- else if (!ssl_match_cert_ident(buf, strlen(buf), hostname)) ++ else if (slen != strlen(buf) ++ || !ssl_match_cert_ident(buf, strlen(buf), hostname)) { ++ /* replace \0 to make full string visible to user */ ++ if (slen != strlen(buf)) { ++ int i; ++ for (i = 0; i < slen; ++i) { ++ if (!buf[i]) ++ buf[i] = '!'; ++ } ++ } + /* FIXME: gettextize? */ + ret = Sprintf("Bad cert ident %s from %s", buf, hostname); ++ } + else + match_ident = TRUE; + } diff -urN w3m-0.5.2-2/debian/patches/series w3m-0.5.2/debian/patches/series --- w3m-0.5.2-2/debian/patches/series 2010-07-03 20:52:47.000000000 +0900 +++ w3m-0.5.2/debian/patches/series 2010-07-03 20:52:16.000000000 +0900 
@@ -1,3 +1,4 @@ 03-w3m.1-debian-fix 04-ja-w3m.1-debian-fix 05-config-debian-fix +60_check-null-cn.patch
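
Review bot: in the debian/changelog hunk, the new entry cites CVE-2010-2074 but not the bug number, although the header of 60_check-null-cn.patch carries `Bug-Debian: http://bugs.debian.org/587445`. Suggest adding a `Closes: #587445` reference to the changelog entry so the stable upload is tied to the report.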
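
Review bot: in the subjAltName hunk of istream.c (`@@ -447,8 +447,17 @@`), the guard `sl == strlen(sn)` runs after the loop that overwrites every embedded NUL in `sn` with '!', so by the time it is evaluated strlen(sn) no longer stops at the NUL and the comparison cannot detect it. Rejection of such a name then rests only on ssl_match_cert_ident() failing to match the rewritten string. Suggest recording the result before the rewrite, for example `int has_nul = (sl != strlen(sn));`, and testing `!has_nul && ssl_match_cert_ident(sn, sl, hostname)`, which is the check-then-rewrite order the commonName hunk already uses.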
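
Review bot: in the commonName hunk of istream.c (`@@ -466,16 +475,27 @@`), a name with an embedded NUL and an ordinary hostname mismatch both end in the same `Bad cert ident %s from %s` message, and the '!' substitution cannot be told apart from a literal '!' in the name. Suggest a separate message for the `slen != strlen(buf)` case so the user can see that the certificate name contained a NUL byte. Also, `slen` is an int compared against the size_t returned by strlen(buf), and strlen(buf) is evaluated three times; computing it once into a local after the `slen == -1` branch would remove the signed/unsigned comparison.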