
Bug#834854: jessie-pu: package charybdis/3.4.2-5~deb8u1

Control: tags -1 -moreinfo

On 2016-08-19 18:05:34, Antoine Beaupré wrote:
> On 2016-08-19 17:56:29, Adam D. Barratt wrote:
>> On Fri, 2016-08-19 at 17:35 -0400, Antoine Beaupré wrote:
>>> TL;DR: Charybdis 3.4 (Jessie) introduces a regression (CertFP broken)
>>> from Charybdis 3.3 (Wheezy). 7-line patch (attached) fixes the issue.
>>> 
>>> Charybdis 3.4 suffers from a regression which breaks authentication in
>>> certain scenarios. The bug is now documented upstream here:
>>> 
>>> https://github.com/charybdis-ircd/charybdis/pull/211
>> [...]
>>> I have produced a simple patch which fixes the issue for Charybdis 3.5
>>> here:
>>> 
>>> https://github.com/charybdis-ircd/charybdis/pull/211/commits/0ff0a0592de84dec2a2f46d9f8d6e22f6c1ee467
>>
>> That patch doesn't appear to have been applied to the package in
>> unstable. That's a pre-requisite for considering it for an update in
>> stable.
>
> Understood. I am waiting for upstream to release 3.5.3 which will
> include that patch, tonight, before doing a new upload.

Turns out this took about three weeks instead of 24h. But 3.5.3 is
released, and I will push the update to unstable now.

The situation is a tad more complicated now because there was a security
issue disclosed in the meantime:

https://security-tracker.debian.org/tracker/CVE-2016-7143

... which 3.5.3 fixes. I have prepared a deb8u2 update for the security
team in #836714, which the attached debdiff builds upon.

diff -Nru charybdis-3.4.2/debian/changelog charybdis-3.4.2/debian/changelog
--- charybdis-3.4.2/debian/changelog	2016-09-05 19:45:08.000000000 -0400
+++ charybdis-3.4.2/debian/changelog	2016-09-05 20:11:24.000000000 -0400
@@ -1,3 +1,10 @@
+charybdis (3.4.2-5+deb8u3) stable; urgency=medium
+
+  * backport patch from testing: fix error handling in gnutls certfp
+    support
+
+ -- Antoine Beaupré <anarcat@debian.org>  Mon, 05 Sep 2016 20:11:19 -0400
+
 charybdis (3.4.2-5+deb8u2) jessie-security; urgency=high
 
   * add fix for CVE-2016-7143, backported from upstream (Closes: #836714)
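Review bot: the new deb8u3 changelog entry closes nothing, whereas the deb8u2 entry below it carries "(Closes: #836714)"; add "(Closes: #834854)" so the jessie-pu bug is closed by the upload. The wording "backport patch from testing" is also ahead of the facts: the covering mail says the unstable upload is only happening now, and the patch header itself says the fix "will be factored into 3.5.3", so the provenance is upstream 3.5.3 (commit 0ff0a0592de84dec2a2f46d9f8d6e22f6c1ee467), not testing. Something like "fix error handling in gnutls certfp support, backported from upstream 3.5.3 (Closes: #834854)" records both. Note too that this entry targets "stable" while the sibling entry targets "jessie-security"; whichever the release team wants, the two styles in one changelog look unintentional.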
diff -Nru charybdis-3.4.2/debian/patches/0001-fix-error-handling-in-gnutls-certfp-support.patch charybdis-3.4.2/debian/patches/0001-fix-error-handling-in-gnutls-certfp-support.patch
--- charybdis-3.4.2/debian/patches/0001-fix-error-handling-in-gnutls-certfp-support.patch	1969-12-31 19:00:00.000000000 -0500
+++ charybdis-3.4.2/debian/patches/0001-fix-error-handling-in-gnutls-certfp-support.patch	2016-09-05 20:11:24.000000000 -0400
@@ -0,0 +1,41 @@
+Bug: https://github.com/charybdis-ircd/charybdis/pull/211
+
+will be factored into 3.5.3, so hold on before merging...
+
+From 0ff0a0592de84dec2a2f46d9f8d6e22f6c1ee467 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
+Date: Fri, 19 Aug 2016 11:53:59 -0400
+Subject: [PATCH] fix error handling in gnutls certfp support
+
+---
+ libratbox/src/gnutls.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/libratbox/src/gnutls.c b/libratbox/src/gnutls.c
+index f51211f..9bb69bb 100644
+--- a/libratbox/src/gnutls.c
++++ b/libratbox/src/gnutls.c
+@@ -608,18 +608,17 @@ rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
+ 	if (gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509)
+ 		return 0;
+ 
+-	if (gnutls_x509_crt_init(&cert) < 0)
+-		return 0;
+-
+ 	cert_list_size = 0;
+ 	cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size);
+-	if (cert_list == NULL)
++	if (cert_list_size <= 0)
+ 	{
+-		gnutls_x509_crt_deinit(cert);
+ 		return 0;
+ 	}
+ 
+-	if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
++	if (gnutls_x509_crt_init(&cert) != GNUTLS_E_SUCCESS)
++		return 0;
++
++	if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) != GNUTLS_E_SUCCESS)
+ 	{
+ 		gnutls_x509_crt_deinit(cert);
+ 		return 0;
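Review bot: the patch header still carries the working note "will be factored into 3.5.3, so hold on before merging...", which is stale now that 3.5.3 is out and the patch is being uploaded; replace it with DEP-3 fields such as "Origin: upstream, https://github.com/charybdis-ircd/charybdis/commit/0ff0a0592de84dec2a2f46d9f8d6e22f6c1ee467" and "Applied-Upstream: 3.5.3" next to the existing "Bug:" line, so the file records where the change came from. In the code, "if (cert_list_size <= 0)" is a comparison on the unsigned count that gnutls_certificate_get_peers() fills in, so it reduces to "== 0" and may attract a -Wtype-limits warning; writing "== 0" says what is meant. The behavioural change is sound: the empty-peer-list return no longer needs a preceding gnutls_x509_crt_init() and its matching deinit, and gnutls_x509_crt_init() is now only called once a certificate is actually present to import. Dropping the explicit "cert_list == NULL" test is fine as long as the size is zero whenever the pointer is NULL, which is the GnuTLS contract, but a one-line comment saying so would save the next reader the same question.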
diff -Nru charybdis-3.4.2/debian/patches/series charybdis-3.4.2/debian/patches/series
--- charybdis-3.4.2/debian/patches/series	2016-09-05 19:45:08.000000000 -0400
+++ charybdis-3.4.2/debian/patches/series	2016-09-05 20:11:24.000000000 -0400
@@ -7,3 +7,4 @@
 gnutls30
 libratbox-gnutls-add-gnutls-v3-api-compatibility-wit.patch
 CVE-2015-5290
+0001-fix-error-handling-in-gnutls-certfp-support.patch
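Review bot: the new series entry keeps the "0001-" prefix that git format-patch added, while the existing entries (gnutls30, libratbox-gnutls-add-gnutls-v3-api-compatibility-wit.patch, CVE-2015-5290) carry no numeric prefix; renaming the file to fix-error-handling-in-gnutls-certfp-support.patch keeps the series consistent. Since it is appended after the two gnutls patches already in series, it must apply on top of them; the hunk offsets here match the upstream commit, so that is worth confirming with a "quilt push -a" before upload.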

I am running with those patches in production now.

Thanks and sorry for the delay.

A.

-- 
Property is a trap: what we believe we possess possesses us.
                        - Alphonse Karr
