
Bug#698604: marked as done (unblock: haskell-tls-extra/0.4.6.1-1)



Your message dated Sun, 20 Jan 2013 23:08:13 +0000
with message-id <1358723293.24414.13.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#698604: unblock: haskell-tls-extra/0.4.6.1-1
has caused the Debian Bug report #698604,
regarding unblock: haskell-tls-extra/0.4.6.1-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
698604: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698604
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package haskell-tls-extra

It fixes a security problem where certificates would not be checked
correctly.

I applied a somewhat dirty trick to avoid having to recompile all
depending libraries, so it will be sufficient to just migrate this
package.

Attached is the output of
$ debdiff haskell-tls-extra_0.4.6-1.dsc haskell-tls-extra_0.4.6.1-1.dsc 

unblock haskell-tls-extra/0.4.6.1-1

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.5-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru haskell-tls-extra-0.4.6/debian/changelog haskell-tls-extra-0.4.6.1/debian/changelog
--- haskell-tls-extra-0.4.6/debian/changelog	2012-05-15 03:03:03.000000000 +0200
+++ haskell-tls-extra-0.4.6.1/debian/changelog	2013-01-20 23:26:26.000000000 +0100
@@ -1,3 +1,15 @@
+haskell-tls-extra (0.4.6.1-1) unstable; urgency=low
+
+  * New upstream release, aimed for wheezy.
+    Closes: #698545, a certificate validation security flaw.
+  * Added patch: patches/pretend-lower-version
+    This upstream release contains a bugfix that does not modify the ABI of
+    the resulting library. To avoid having to recompile its reverse
+    dependencies, we patch the .cabal file to pretend to be still version
+    0.4.6.
+
+ -- Joachim Breitner <nomeata@debian.org>  Sun, 20 Jan 2013 23:26:26 +0100
+
 haskell-tls-extra (0.4.6-1) unstable; urgency=low
 
   * New upstream version.
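Review bot: the entry says the release closes a certificate validation security flaw but does not say where the fix lands; for a security change that will ship in a stable release, naming the affected code ("chain validation in Network/TLS/Extra/Certificate.hs, certificateVerifyChain_") in the changelog makes the issue easy to locate during later triage without reading the full debdiff. The trade-off being made is otherwise well documented: the Debian version becomes 0.4.6.1-1 while the registered cabal version stays 0.4.6, and the entry states why.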
diff -Nru haskell-tls-extra-0.4.6/debian/patches/pretend-lower-version haskell-tls-extra-0.4.6.1/debian/patches/pretend-lower-version
--- haskell-tls-extra-0.4.6/debian/patches/pretend-lower-version	1970-01-01 01:00:00.000000000 +0100
+++ haskell-tls-extra-0.4.6.1/debian/patches/pretend-lower-version	2013-01-20 23:25:56.000000000 +0100
@@ -0,0 +1,16 @@
+This upstream release contains a bugfix that does not modify the ABI of
+the resulting library. To avoid having to recompile its reverse
+dependencies, we patch the .cabal file to pretend to be still version
+0.4.6.
+
+Index: haskell-tls-extra-0.4.6.1/tls-extra.cabal
+===================================================================
+--- haskell-tls-extra-0.4.6.1.orig/tls-extra.cabal	2013-01-20 23:13:58.937092809 +0100
++++ haskell-tls-extra-0.4.6.1/tls-extra.cabal	2013-01-20 23:13:58.933092809 +0100
+@@ -1,5 +1,5 @@
+ Name:                tls-extra
+-Version:             0.4.6.1
++Version:             0.4.6
+ Description:
+    a set of extra definitions, default values and helpers for tls.
+ License:             BSD3
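Review bot: the header asserts that the bugfix "does not modify the ABI" but records nothing about how that was confirmed, and that assertion is the only thing that makes rewriting Version: to 0.4.6 safe for the reverse dependencies that will keep linking against the old build; please state the check performed (for instance that the package registered by the rebuilt library matches what the reverse dependencies were compiled against) so the shortcut can be audited later. A style point: the free-form description should use DEP-3 fields (Description:, Author:, Forwarded: not-needed), which is the convention for files under debian/patches/.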
diff -Nru haskell-tls-extra-0.4.6/debian/patches/series haskell-tls-extra-0.4.6.1/debian/patches/series
--- haskell-tls-extra-0.4.6/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ haskell-tls-extra-0.4.6.1/debian/patches/series	2013-01-20 23:13:34.000000000 +0100
@@ -0,0 +1 @@
+pretend-lower-version
diff -Nru haskell-tls-extra-0.4.6/Network/TLS/Extra/Certificate.hs haskell-tls-extra-0.4.6.1/Network/TLS/Extra/Certificate.hs
--- haskell-tls-extra-0.4.6/Network/TLS/Extra/Certificate.hs	2012-04-19 22:41:22.000000000 +0200
+++ haskell-tls-extra-0.4.6.1/Network/TLS/Extra/Certificate.hs	2013-01-20 15:49:28.000000000 +0100
@@ -73,14 +73,31 @@
 			validChain <- certificateVerifyAgainst x sysx509
 			if validChain
 				then return CertificateUsageAccept
-				else return $ CertificateUsageReject (CertificateRejectOther "chain doesn't match each other")
+				else return certificateChainDoesntMatch
 		Nothing      -> case xs of
 			[] -> return $ CertificateUsageReject CertificateRejectUnknownCA
-			_  -> do
-				validChain <- certificateVerifyAgainst x (head xs)
-				if validChain
-					then certificateVerifyChain_ xs
-					else return $ CertificateUsageReject (CertificateRejectOther "chain doesn't match each other")
+			cert:_ -> do
+				let exts = certExtensions (x509Cert cert)
+				case checkCA exts of
+					Just r  -> return r
+					Nothing -> do
+						validChain <- certificateVerifyAgainst x cert
+						if validChain
+							then certificateVerifyChain_ xs
+							else return certificateChainDoesntMatch
+	where
+		checkCA Nothing   = return $ certificateNotAllowedToSign
+		checkCA (Just es) = do
+			let kuCanCertSign = case extensionGet es of
+				Just (ExtKeyUsage l) -> elem KeyUsage_keyCertSign l
+				Nothing              -> False
+			case extensionGet es of
+				Just (ExtBasicConstraints True)
+					| kuCanCertSign -> Nothing
+					| otherwise     -> Just certificateNotAllowedToSign
+				_                                      -> Just certificateNotAllowedToSign
+		certificateNotAllowedToSign = CertificateUsageReject $ CertificateRejectOther "certificate is not allowed to sign another certificate"
+		certificateChainDoesntMatch = CertificateUsageReject $ CertificateRejectOther "chain doesn't match each other"
 #endif
 
 -- | verify a certificates chain using the system certificates available.
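Review bot: in checkCA a missing KeyUsage extension yields kuCanCertSign = False (`Nothing -> False`), so an issuing certificate that carries BasicConstraints CA:TRUE but no KeyUsage is rejected with "certificate is not allowed to sign another certificate"; RFC 5280 section 6.1.4 step (n) requires the keyCertSign bit only if the KeyUsage extension is present, so this is stricter than the standard and should either be documented as intentional or relaxed to `Nothing -> True`. Two smaller points: the hunk enforces only the cA flag and never consults a path length constraint, so an intermediate issuing deeper than it is permitted to is still accepted; and `checkCA Nothing = return $ certificateNotAllowedToSign` relies on return in the Maybe monad, where `Just certificateNotAllowedToSign` would match the other branches and drop the redundant `$`.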
diff -Nru haskell-tls-extra-0.4.6/tls-extra.cabal haskell-tls-extra-0.4.6.1/tls-extra.cabal
--- haskell-tls-extra-0.4.6/tls-extra.cabal	2012-04-19 22:41:22.000000000 +0200
+++ haskell-tls-extra-0.4.6.1/tls-extra.cabal	2013-01-20 15:49:28.000000000 +0100
@@ -1,5 +1,5 @@
 Name:                tls-extra
-Version:             0.4.6
+Version:             0.4.6.1
 Description:
    a set of extra definitions, default values and helpers for tls.
 License:             BSD3

--- End Message ---
--- Begin Message ---
On Sun, 2013-01-20 at 23:40 +0100, Joachim Breitner wrote:
> Please unblock package haskell-tls-extra
> 
> It fixes a security problem where certificates would not be checked
> correctly.
> 
> I applied a somewhat dirty trick to avoid having to recompile all
> depending libraries, so it will be sufficient to just migrate this
> package.

Unblocked; thanks.

Regards,

Adam

--- End Message ---
