Julien Cristau, 2013-09-19 23:48+0200:
The debdiff should be in this bug, please.
Sorry, I thought I did it. Here it is. -- ,--. : /` ) Tanguy Ortolo <xmpp:tanguy@ortolo.eu> | `-' Debian Developer <irc://irc.oftc.net/Tanguy> \_
diff -u gajim-0.15.1/debian/changelog gajim-0.15.1/debian/changelog
--- gajim-0.15.1/debian/changelog
+++ gajim-0.15.1/debian/changelog
@@ -1,3 +1,14 @@
+gajim (0.15.1-4.1) stable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * debian/patches:
+ - 02_fix-cert-validation.diff added, fix certificate validation
+ (CVE-2012-5524) closes: #693282
+ - 03_correctly-get-SSL-certificate and 04_store-all-ssl-errors added,
+ improve SSL/TLS handling.
+
+ -- Yves-Alexis Perez <corsac@debian.org> Wed, 17 Apr 2013 22:22:30 +0200
+
gajim (0.15.1-4) unstable; urgency=low
* apply patches using dpatch in debian/rules
diff -u gajim-0.15.1/debian/patches/00list gajim-0.15.1/debian/patches/00list
--- gajim-0.15.1/debian/patches/00list
+++ gajim-0.15.1/debian/patches/00list
@@ -2,0 +3,3 @@
+02_fix-cert-validation.diff
+03_correctly-get-SSL-certificate.diff
+04_store-all-ssl-errors.diff
only in patch2:
unchanged:
--- gajim-0.15.1.orig/debian/patches/04_store-all-ssl-errors.diff
+++ gajim-0.15.1/debian/patches/04_store-all-ssl-errors.diff
@@ -0,0 +1,64 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 04_store-all-ssl-errors.diff by <asterix@lagaule.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: store all SSL errors
+#
+# Description: store all SSL errors
+# Author: Yann Leboulanger <asterix@lagaule.org>
+# Origin: upstream,https://trac.gajim.org/changeset/1d8caae49a31#file0
+# Last-Update: 2013-04-17
+# HG changeset patch
+# User Yann Leboulanger <asterix@lagaule.org>
+# Date 1360768361 -3600
+# Node ID d34a996f87b81afe6dc60d04d0141c39fa3d3595
+# Parent 385f8a1fad668fbcd1d9bee10f61531a8ca7d890
+
+@DPATCH@
+
+diff -r 385f8a1fad66 -r d34a996f87b8 src/common/xmpp/tls_nb.py
+--- a/src/common/xmpp/tls_nb.py Wed Feb 13 16:10:44 2013 +0100
++++ b/src/common/xmpp/tls_nb.py Wed Feb 13 16:12:41 2013 +0100
+@@ -393,7 +393,7 @@
+ flags |= 16384
+ tcpsock._sslContext.set_options(flags)
+
+- tcpsock.ssl_errnum = 0
++ tcpsock.ssl_errnum = [0]
+ tcpsock._sslContext.set_verify(OpenSSL.SSL.VERIFY_PEER,
+ self._ssl_verify_callback)
+ try:
+@@ -449,11 +449,11 @@
+ def _ssl_verify_callback(self, sslconn, cert, errnum, depth, ok):
+ # Exceptions can't propagate up through this callback, so print them here.
+ try:
+- self._owner.ssl_fingerprint_sha1 = cert.digest('sha1')
+- self._owner.ssl_certificate = cert
+- self._owner.ssl_errnum = errnum
+- self._owner.ssl_cert_pem = OpenSSL.crypto.dump_certificate(
+- OpenSSL.crypto.FILETYPE_PEM, cert)
++ self._owner.ssl_fingerprint_sha1.append(cert.digest('sha1'))
++ self._owner.ssl_certificate.append(cert)
++ self._owner.ssl_errnum.append(errnum)
++ self._owner.ssl_cert_pem.append(OpenSSL.crypto.dump_certificate(
++ OpenSSL.crypto.FILETYPE_PEM, cert))
+ return True
+ except:
+ log.error("Exception caught in _ssl_info_callback:", exc_info=True)
+diff -r 385f8a1fad66 -r d34a996f87b8 src/common/xmpp/transports_nb.py
+--- a/src/common/xmpp/transports_nb.py Wed Feb 13 16:10:44 2013 +0100
++++ b/src/common/xmpp/transports_nb.py Wed Feb 13 16:12:41 2013 +0100
+@@ -311,6 +311,12 @@
+ self.proxy_dict = proxy_dict
+ self.on_remote_disconnect = self.disconnect
+
++ # ssl variables
++ self.ssl_fingerprint_sha1 = []
++ self.ssl_certificate = []
++ self.ssl_errnum = []
++ self.ssl_cert_pem = []
++
+ # FIXME: transport should not be aware xmpp
+ def start_disconnect(self):
+ NonBlockingTransport.start_disconnect(self)
+
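Review bot: `tcpsock.ssl_errnum = [0]` at the top of the first hunk seeds the error list with a placeholder entry, while the three parallel lists `ssl_fingerprint_sha1`, `ssl_certificate` and `ssl_cert_pem` start empty in the transport constructor patched by the second hunk and are only ever appended to inside `_ssl_verify_callback`, so `ssl_errnum` ends up one element longer than the others. Assuming `tcpsock` is the same transport object as `self._owner` (that binding is outside the hunk), any consumer that pairs the lists positionally — as 02_fix-cert-validation.diff does with `ssl_cert_pem[i]`, `ssl_fingerprint_sha1[i]` and `ssl_certificate[i]` — attaches the certificate and fingerprint of the *next* callback invocation to each error, and raises IndexError when the erroring entry is the last one. Seeding with an empty list, `tcpsock.ssl_errnum = []`, keeps the four lists aligned; since the other three are not cleared at this point either, resetting all four here rather than only in the constructor would also avoid carrying entries across a second handshake on the same transport, if one can occur. The callback's unconditional `return True` is pre-existing, but it is what makes the recorded error list the only place a failed verification is visible, so the alignment is what the CVE fix depends on.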
only in patch2:
unchanged:
--- gajim-0.15.1.orig/debian/patches/02_fix-cert-validation.diff
+++ gajim-0.15.1/debian/patches/02_fix-cert-validation.diff
@@ -0,0 +1,84 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 02_fix-cert-validation.diff by <asterix@lagaule.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: fix certificate validation
+#
+# Description: fix certificate validation
+# Author: Yann Leboulanger <asterix@lagaule.org>
+# Origin: upstream,https://trac.gajim.org/changeset/1d8caae49a31#file0
+# Last-Update: 2013-04-17
+
+@DPATCH@
+
+Index: gajim/src/common/connection.py
+===================================================================
+--- gajim/src/common/connection.py (revision 14377)
++++ gajim/src/common/connection.py (revision 14379)
+@@ -1312,19 +1312,22 @@
+ errnum = con.Connection.ssl_errnum
+ except AttributeError:
+- errnum = -1 # we don't have an errnum
+- if errnum > 0 and str(errnum) not in gajim.config.get_per('accounts',
+- self.name, 'ignore_ssl_errors').split():
+- text = _('The authenticity of the %s certificate could be invalid.'
+- ) % hostname
+- if errnum in ssl_error:
+- text += _('\nSSL Error: <b>%s</b>') % ssl_error[errnum]
+- else:
+- text += _('\nUnknown SSL error: %d') % errnum
+- gajim.nec.push_incoming_event(SSLErrorEvent(None, conn=self,
+- error_text=text, error_num=errnum,
+- cert=con.Connection.ssl_cert_pem,
+- fingerprint=con.Connection.ssl_fingerprint_sha1,
+- certificate=con.Connection.ssl_certificate))
+- return True
++ errnum = [] # we don't have an errnum
++ i = 0
++ for er in errnum:
++ if er > 0 and str(er) not in gajim.config.get_per('accounts',
++ self.name, 'ignore_ssl_errors').split():
++ text = _('The authenticity of the %s certificate could be '
++ 'invalid.') % hostname
++ if er in ssl_error:
++ text += _('\nSSL Error: <b>%s</b>') % ssl_error[er]
++ else:
++ text += _('\nUnknown SSL error: %d') % er
++ gajim.nec.push_incoming_event(SSLErrorEvent(None, conn=self,
++ error_text=text, error_num=er,
++ cert=con.Connection.ssl_cert_pem[i],
++ fingerprint=con.Connection.ssl_fingerprint_sha1[i],
++ certificate=con.Connection.ssl_certificate[i]))
++ return True
++ i += 1
+ if hasattr(con.Connection, 'ssl_fingerprint_sha1'):
+ saved_fingerprint = gajim.config.get_per('accounts', self.name,
+@@ -1332,12 +1335,15 @@
+ if saved_fingerprint:
+ # Check sha1 fingerprint
+- if con.Connection.ssl_fingerprint_sha1 != saved_fingerprint:
++ if con.Connection.ssl_fingerprint_sha1[-1] != saved_fingerprint:
+ gajim.nec.push_incoming_event(FingerprintErrorEvent(None,
+- conn=self, certificate=con.Connection.ssl_certificate,
+- new_fingerprint=con.Connection.ssl_fingerprint_sha1))
++ conn=self,
++ certificate=con.Connection.ssl_certificate,
++ new_fingerprint=con.Connection.ssl_fingerprint_sha1[
++ -1]))
+ return True
+ else:
+ gajim.config.set_per('accounts', self.name,
+- 'ssl_fingerprint_sha1', con.Connection.ssl_fingerprint_sha1)
++ 'ssl_fingerprint_sha1',
++ con.Connection.ssl_fingerprint_sha1[-1])
+ if not check_X509.check_certificate(con.Connection.ssl_certificate,
+ hostname) and '100' not in gajim.config.get_per('accounts',
+@@ -1348,6 +1354,6 @@
+ gajim.nec.push_incoming_event(SSLErrorEvent(None, conn=self,
+ error_text=txt, error_num=100,
+- cert=con.Connection.ssl_cert_pem,
+- fingerprint=con.Connection.ssl_fingerprint_sha1,
++ cert=con.Connection.ssl_cert_pem[-1],
++ fingerprint=con.Connection.ssl_fingerprint_sha1[-1],
+ certificate=con.Connection.ssl_certificate))
+ return True
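Review bot: The new `[-1]` reads of `ssl_fingerprint_sha1` and `ssl_cert_pem` appear to sit under the `hasattr(con.Connection, 'ssl_fingerprint_sha1')` guard, and with 04_store-all-ssl-errors.diff those attributes now exist as empty lists from the transport constructor onwards, so a TLS connection on which the verify callback never appended anything turns the previously silent `hasattr` path into an IndexError. A truthiness check covers both the missing and the empty case: `if getattr(con.Connection, 'ssl_fingerprint_sha1', None):`. The same `[-1]` indexing is introduced in 03_correctly-get-SSL-certificate.diff. On style, the manual `i` counter around `for er in errnum:` is `for i, er in enumerate(errnum):`, and the `gajim.config.get_per(...).split()` lookup inside the loop is loop-invariant and could be computed once above it. The enclosing function starts before the hunk and continues after it.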
only in patch2:
unchanged:
--- gajim-0.15.1.orig/debian/patches/03_correctly-get-SSL-certificate.diff
+++ gajim-0.15.1/debian/patches/03_correctly-get-SSL-certificate.diff
@@ -0,0 +1,50 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 03_correctly-get-SSL-certificate.diff by <asterix@lagaule.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: correctly get SSL certificate from nbxmpp. Fixes #7283
+#
+# Description: correctly get SSL certificate from nbxmpp. Fixes #7283
+# Author: Yann Leboulanger <asterix@lagaule.org>
+# Origin: upstream,https://trac.gajim.org/changeset/1d8caae49a31#file0
+# HG changeset patch
+# User Yann Leboulanger <asterix@lagaule.org>
+# Date 1356455919 -3600
+# Node ID 6ab8ea2313aa4a17f62d1811d334c8f44d1ef393
+# Parent 1d8caae49a31201a79529d2b81d231b06ce8c91c
+
+@DPATCH@
+
+diff -r 1d8caae49a31 -r 6ab8ea2313aa src/common/connection.py
+--- a/src/common/connection.py Sun Dec 23 17:48:11 2012 +0100
++++ b/src/common/connection.py Tue Dec 25 18:18:39 2012 +0100
+@@ -1337,7 +1337,7 @@
+ if con.Connection.ssl_fingerprint_sha1[-1] != saved_fingerprint:
+ gajim.nec.push_incoming_event(FingerprintErrorEvent(None,
+ conn=self,
+- certificate=con.Connection.ssl_certificate,
++ certificate=con.Connection.ssl_certificate[-1],
+ new_fingerprint=con.Connection.ssl_fingerprint_sha1[
+ -1]))
+ return True
+@@ -1345,8 +1345,8 @@
+ gajim.config.set_per('accounts', self.name,
+ 'ssl_fingerprint_sha1',
+ con.Connection.ssl_fingerprint_sha1[-1])
+- if not check_X509.check_certificate(con.Connection.ssl_certificate,
+- hostname) and '100' not in gajim.config.get_per('accounts',
++ if not check_X509.check_certificate(con.Connection.ssl_certificate[
++ -1], hostname) and '100' not in gajim.config.get_per('accounts',
+ self.name, 'ignore_ssl_errors').split():
+ txt = _('The authenticity of the %s certificate could be '
+ 'invalid.\nThe certificate does not cover this domain.') % \
+@@ -1355,7 +1355,7 @@
+ error_text=txt, error_num=100,
+ cert=con.Connection.ssl_cert_pem[-1],
+ fingerprint=con.Connection.ssl_fingerprint_sha1[-1],
+- certificate=con.Connection.ssl_certificate))
++ certificate=con.Connection.ssl_certificate[-1]))
+ return True
+
+ self._register_handlers(con, con_type)
+
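Review bot: The hostname check now passes `ssl_certificate[-1]` to `check_X509.check_certificate` and the pin compares against `ssl_fingerprint_sha1[-1]`, but nothing in the hunk records why the last list entry is the right certificate; the lists grow by one element per verify-callback invocation, so `[-1]` is the server's own certificate only if the final invocation is the depth-0 one. A comment at the first `[-1]` use would make that contract explicit: `# [-1]: lists are appended per verify-callback call; the last entry is assumed to be the depth-0 (server) certificate — confirm against tls_nb._ssl_verify_callback`. Separately, the patch header's `Origin:` line names changeset 1d8caae49a31 while the embedded HG header gives Node ID 6ab8ea2313aa with 1d8caae49a31 as its parent; 04_store-all-ssl-errors.diff carries the same mismatch between its `Origin:` and `Node ID` lines. The enclosing function starts before the hunk and continues after it.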