[Pkg-gnutls-commits] r604 - in /packages/gnutls26/trunk/debian: changelog patches/20_GNUTLS-SA-2008-3.patch
ametzler at users.alioth.debian.org
Mon Nov 10 19:09:09 UTC 2008
Author: ametzler
Date: Mon Nov 10 19:09:09 2008
New Revision: 604
URL: http://svn.debian.org/wsvn/pkg-gnutls/?sc=1&rev=604
Log:
Add fix for CVE-2008-4989 GNUTLS-SA-2008-3, upload package
Added:
packages/gnutls26/trunk/debian/patches/20_GNUTLS-SA-2008-3.patch
Modified:
packages/gnutls26/trunk/debian/changelog
Modified: packages/gnutls26/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/changelog?rev=604&op=diff
==============================================================================
--- packages/gnutls26/trunk/debian/changelog (original)
+++ packages/gnutls26/trunk/debian/changelog Mon Nov 10 19:09:09 2008
@@ -1,8 +1,9 @@
-gnutls26 (2.4.2-2) UNRELEASED; urgency=low
-
- * NOT RELEASED YET
-
- -- Andreas Metzler <ametzler at debian.org> Sun, 21 Sep 2008 10:36:06 +0200
+gnutls26 (2.4.2-2) unstable; urgency=medium
+
+ * [CVE-2008-4989.diff] Fix man in the middle attack for certificate
+ verification. CVE-2008-4989 GNUTLS-SA-2008-3
+
+ -- Andreas Metzler <ametzler at debian.org> Mon, 10 Nov 2008 19:42:54 +0100
gnutls26 (2.4.2-1) unstable; urgency=low
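Review bot: the changelog entry `+ * [CVE-2008-4989.diff] Fix man in the middle attack for certificate` names a patch file `CVE-2008-4989.diff`, but the file this revision adds is `debian/patches/20_GNUTLS-SA-2008-3.patch`; the bracketed filename should be changed to `20_GNUTLS-SA-2008-3.patch` so the entry points at the patch that is actually shipped.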
Added: packages/gnutls26/trunk/debian/patches/20_GNUTLS-SA-2008-3.patch
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/patches/20_GNUTLS-SA-2008-3.patch?rev=604&op=file
==============================================================================
--- packages/gnutls26/trunk/debian/patches/20_GNUTLS-SA-2008-3.patch (added)
+++ packages/gnutls26/trunk/debian/patches/20_GNUTLS-SA-2008-3.patch Mon Nov 10 19:09:09 2008
@@ -1,0 +1,54 @@
+From 5c27c1a50cabe9db19afd114a56416bb78923fd3 Mon Sep 17 00:00:00 2001
+From: Martin von Gagern <Martin.vGagern at gmx.net>
+Date: Mon, 3 Nov 2008 13:35:13 +0100
+Subject: [PATCH] Drop self signed certificate from certificate chain before validating
+ certificates. This avoids the penultimate certificate to get incorrectly
+ trusted.
+
+---
+ lib/x509/verify.c | 22 +++++++++++-----------
+ 1 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/lib/x509/verify.c b/lib/x509/verify.c
+index 041a450..8fa90dc 100644
+--- a/lib/x509/verify.c
++++ b/lib/x509/verify.c
+@@ -374,6 +374,17 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
+ int i = 0, ret;
+ unsigned int status = 0, output;
+
++ /* Check if the last certificate in the path is self signed.
++ * In that case ignore it (a certificate is trusted only if it
++ * leads to a trusted party by us, not the server's).
++ */
++ if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
++ certificate_list[clist_size - 1]) > 0
++ && clist_size > 0)
++ {
++ clist_size--;
++ }
++
+ /* Verify the last certificate in the certificate path
+ * against the trusted CA certificate list.
+ *
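Review bot: in the added block, `certificate_list[clist_size - 1]` is dereferenced in the first operand of the `&&` before the `clist_size > 0` guard in the second operand is evaluated, so an empty list reads `certificate_list[-1]` before the guard can reject it; reorder to `clist_size > 0 && gnutls_x509_crt_check_issuer (...) > 0`. The ordering is carried over unchanged from the block removed further down, and moving the code is the right moment to fix it.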
+@@ -412,17 +423,6 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
+ }
+ #endif
+
+- /* Check if the last certificate in the path is self signed.
+- * In that case ignore it (a certificate is trusted only if it
+- * leads to a trusted party by us, not the server's).
+- */
+- if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
+- certificate_list[clist_size - 1]) > 0
+- && clist_size > 0)
+- {
+- clist_size--;
+- }
+-
+ /* Verify the certificate path (chain)
+ */
+ for (i = clist_size - 1; i > 0; i--)
+--
+1.6.0.3
+
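Review bot: the patch file's header (From, Date, Subject) carries no reference to CVE-2008-4989 or GNUTLS-SA-2008-3; only the debian/changelog entry and the filename do. Add a line to the header naming the advisory and the upstream commit id `5c27c1a50cabe9db19afd114a56416bb78923fd3` as its origin so the file records why it is applied and where it came from.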