rpms/fetchmail/F-10 fetchmail-6.3.9-CVE-2009-2666.patch, NONE, 1.1 fetchmail.spec, 1.61, 1.62
vcrhonek
vcrhonek at fedoraproject.org
Wed Aug 19 10:11:31 UTC 2009
Author: vcrhonek
Update of /cvs/extras/rpms/fetchmail/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv4517
Modified Files:
fetchmail.spec
Added Files:
fetchmail-6.3.9-CVE-2009-2666.patch
Log Message:
Fix SSL null terminator bypass (CVE-2009-2666)
fetchmail-6.3.9-CVE-2009-2666.patch:
socket.c | 26 ++++++++++++++++++++------
1 file changed, 20 insertions(+), 6 deletions(-)
--- NEW FILE fetchmail-6.3.9-CVE-2009-2666.patch ---
diff -up fetchmail-6.3.9/socket.c_orig fetchmail-6.3.9/socket.c
--- fetchmail-6.3.9/socket.c_orig 2009-08-06 11:34:12.000000000 +0200
+++ fetchmail-6.3.9/socket.c 2009-08-06 11:47:25.000000000 +0200
@@ -632,6 +632,13 @@ static int SSL_verify_callback( int ok_r
report(stderr, GT_("Bad certificate: Subject CommonName too long!\n"));
return (0);
}
+ if ((size_t)i > strlen(buf)) {
+ /* Name contains embedded NUL characters, so we complain. This is likely
+ * a certificate spoofing attack. */
+ report(stderr, GT_("Bad certificate: Subject CommonName contains NUL, aborting!\n"));
+ return 0;
+ }
+
if (_ssl_server_cname != NULL) {
char *p1 = buf;
char *p2 = _ssl_server_cname;
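Review bot: The CommonName test `if ((size_t)i > strlen(buf))` depends on two facts established outside this hunk: that `i` is the non-negative byte count reported when the CN was copied into `buf`, and that `buf` is NUL-terminated. If `i` could be negative at this point, the cast makes the comparison true and the connection is refused with a misleading "contains NUL" message; that fails closed, but it should be confirmed against the enclosing guard, which is not visible here. I would write the comparison with `!=`, as the Subject Alternative Name hunk does, and add a comment such as `/* i is the CN length reported by OpenSSL; a shorter strlen() means an embedded NUL */`. The new `return 0;` also differs from the `return (0);` style used directly above it.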
@@ -643,12 +650,19 @@ static int SSL_verify_callback( int ok_r
* first find a match among alternative names */
gens = X509_get_ext_d2i(x509_cert, NID_subject_alt_name, NULL, NULL);
if (gens) {
- int i, r;
- for (i = 0, r = sk_GENERAL_NAME_num(gens); i < r; ++i) {
- const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
- if (gn->type == GEN_DNS) {
- char *p1 = (char *)gn->d.ia5->data;
- char *p2 = _ssl_server_cname;
+ int j, r;
+ for (j = 0, r = sk_GENERAL_NAME_num(gens); j < r; ++j) {
+ const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, j);
+ if (gn->type == GEN_DNS) {
+ char *p1 = (char *)gn->d.ia5->data;
+ char *p2 = _ssl_server_cname;
+ /* Name contains embedded NUL characters, so we complain. This
+ * is likely a certificate spoofing attack. */
+ if ((size_t)gn->d.ia5->length != strlen(p1)) {
+ report(stderr, GT_("Bad certificate: Subject Alternative Name contains NUL, aborting!\n"));
+ sk_GENERAL_NAME_free(gens);
+ return 0;
+ }
if (outlevel >= O_VERBOSE)
report(stderr, "Subject Alternative Name: %s\n", p1);
if (*p1 == '*') {
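Review bot: The embedded-NUL test `(size_t)gn->d.ia5->length != strlen(p1)` runs `strlen()` over the ASN.1 string's data, which is only bounded if that buffer has a trailing NUL beyond `length`. OpenSSL normally appends one to decoded strings, but the check is safer if it never reads past the declared length: `if (memchr(p1, '\0', (size_t)gn->d.ia5->length) != NULL) {`. On the reject path `sk_GENERAL_NAME_free(gens)` releases only the stack container, not the GENERAL_NAME entries; `sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free)` would free both. Whether the function's normal exit path does the same is not visible, because the loop body and the rest of SSL_verify_callback continue outside this hunk.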
Index: fetchmail.spec
===================================================================
RCS file: /cvs/extras/rpms/fetchmail/F-10/fetchmail.spec,v
retrieving revision 1.61
retrieving revision 1.62
diff -u -p -r1.61 -r1.62
--- fetchmail.spec 18 Sep 2008 09:56:41 -0000 1.61
+++ fetchmail.spec 19 Aug 2009 10:11:31 -0000 1.62
@@ -4,13 +4,14 @@
Summary: A remote mail retrieval and forwarding utility
Name: fetchmail
Version: 6.3.8
-Release: 8%{?dist}
+Release: 9%{?dist}
Requires: procmail
Source0: http://download.berlios.de/fetchmail/fetchmail-%{version}.tar.bz2
Source1: http://download.berlios.de/fetchmail/fetchmail-%{version}.tar.bz2.asc
Patch0: fetchmail-6.2.5-addrconf.patch
Patch1: fetchmail-6.3.8-CVE-2007-4565.patch
Patch2: fetchmail-6.3.8-CVE-2008-2711.patch
+Patch3: fetchmail-6.3.9-CVE-2009-2666.patch
URL: http://fetchmail.berlios.de/
# For a breakdown of the licensing, see COPYING
License: GPL+ and Public Domain
@@ -51,6 +52,7 @@ need to have Python and Tk installed in
%patch0 -p1 -b .addrconf
%patch1 -p1 -b .cve_2007_4565
%patch2 -p1 -b .cve_2008_2711
+%patch3 -p1 -b .cve_2009_2666
%build
%configure --enable-POP3 --enable-IMAP --with-ssl --with-hesiod \
@@ -89,6 +91,9 @@ rm -rf $RPM_BUILD_ROOT
%endif
%changelog
+* Wed Aug 19 2009 Vitezslav Crhonek <vcrhonek at redhat.com> - 6.3.8-9
+- Fix SSL null terminator bypass (CVE-2009-2666)
+
* Tue Sep 18 2008 Vitezslav Crhonek <vcrhonek at redhat.com> - 6.3.8-8
- Rediff all patches to work with patch --fuzz=0
- Replace server(smtp) requires by procmail