[SCM] KDE Development Platform Libraries module packaging branch, squeeze, updated. debian/4.4.5-2+squeeze1-4-g2bfb1e4

José Manuel Santamaría Lema santa-guest at alioth.debian.org
Thu Apr 14 01:01:18 UTC 2011


The following commit has been merged in the squeeze branch:
commit 2bfb1e4752f0fe947d8509e8ab94f5fb7e4b0e07
Author: José Manuel Santamaría Lema <panfaust at gmail.com>
Date:   Thu Apr 14 02:07:12 2011 +0200

    Fix CVE-2011-1094.
---
 debian/changelog                                   |    3 +
 .../patches/cve_2011_1094_ssl_verify_hostname.diff |   51 ++++++++++++++++++++
 debian/patches/series                              |    1 +
 3 files changed, 55 insertions(+), 0 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index b15352c..dc8817f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,9 @@ kde4libs (4:4.4.5-2+squeeze2) UNRELEASED; urgency=low
     cve_2011_1168_konqueror_xss.diff.
   * Fix CVE-2010-3170 (browser wildcard cerficate validation weakness) for
     Konqueror by cve_2010_3170_cn_wildcards.diff.
+  * Fix CVE-2011-1094 (kdelibs does not properly verify that the server hostname
+    matches the Common Name of the Subject of an X.509 certificate if that CN is
+    an IP address) by cve_2011_1094_ssl_verify_hostname.diff.
 
  -- José Manuel Santamaría Lema <panfaust at gmail.com>  Tue, 12 Apr 2011 21:16:20 +0200
 
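Review bot: the unchanged context line just above the new entry reads "browser wildcard cerficate validation weakness" (typo for "certificate"); since this stanza is still UNRELEASED, the spelling can be corrected in the same upload without a separate changelog entry.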
diff --git a/debian/patches/cve_2011_1094_ssl_verify_hostname.diff b/debian/patches/cve_2011_1094_ssl_verify_hostname.diff
new file mode 100644
index 0000000..4971a3f
--- /dev/null
+++ b/debian/patches/cve_2011_1094_ssl_verify_hostname.diff
@@ -0,0 +1,51 @@
+Origin: https://projects.kde.org/projects/kde/kdelibs/repository/revisions/3735e2ee
+Description: Harden SSL verification against poisoned DNS attacks
+ ... in the case of certificates that are issued against an IP address rather
+ than a hostname.
+ Patch by Tomas Hoger / Red Hat Security Response Team, reviewed by Jeff
+ Mitchell and Richard Moore.
+--- a/kio/kio/tcpslavebase.cpp
++++ b/kio/kio/tcpslavebase.cpp
+@@ -534,23 +534,34 @@ TCPSlaveBase::SslResult TCPSlaveBase::startTLSInternal(uint v_)
+     // domain<->certificate matching here.
+     d->sslErrors = d->socket.sslErrors();
+     QSslCertificate peerCert = d->socket.peerCertificateChain().first();
+-    QStringList domainPatterns(peerCert.subjectInfo(QSslCertificate::CommonName));
+-    domainPatterns += peerCert.alternateSubjectNames().values(QSsl::DnsEntry);
+     QMutableListIterator<KSslError> it(d->sslErrors);
+     while (it.hasNext()) {
+         // As of 4.4.0 Qt does not assign a certificate to the QSslError it emits
+         // *in the case of HostNameMismatch*. A HostNameMismatch, however, will always
+         // be an error of the peer certificate so we just don't check the error's
+         // certificate().
+-        if (it.next().error() != KSslError::HostNameMismatch) {
+-            continue;
++
++        // Remove all HostNameMismatch, we have to redo name checking later.
++        if (it.next().error() == KSslError::HostNameMismatch) {
++			it.remove();
+         }
+-        foreach (const QString &dp, domainPatterns) {
+-            if (isMatchingHostname(dp,d->host)) {
+-                it.remove();
+-            }
++    }
++    // Redo name checking here and (re-)insert HostNameMismatch to sslErrors if
++    // host name does not match any of the names in server certificate.
++    // QSslSocket may not report HostNameMismatch error, when server
++    // certificate was issued for the IP we are connecting to.
++    QStringList domainPatterns(peerCert.subjectInfo(QSslCertificate::CommonName));
++    domainPatterns += peerCert.alternateSubjectNames().values(QSsl::DnsEntry);
++    bool names_match = false;
++    foreach (const QString &dp, domainPatterns) {
++        if (isMatchingHostname(dp,d->host)) {
++            names_match = true;
++            break;
+         }
+     }
++    if (!names_match) {
++        d->sslErrors.insert(0, KSslError(KSslError::HostNameMismatch, peerCert));
++    }
+ 
+     // The app side needs the metadata now for the SSL error dialog (if any) but
+     // the same metadata will be needed later, too. When "later" arrives the slave
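Review bot: the re-done name check builds `domainPatterns` only from the CN and `alternateSubjectNames().values(QSsl::DnsEntry)`, so a certificate that carries the connected-to IP only in a subjectAltName IP-address entry (with a non-matching CN) will now be reported as HostNameMismatch even though it is valid for that address; since the Description explicitly targets certificates issued against an IP address, it is worth stating in the patch header that such certificates will now prompt the user, or extending the match to cover the IP entry. Two smaller points: `it.remove();` inside the loop is indented with a tab while the surrounding code uses spaces, and `d->sslErrors.insert(0, ...)` is correct only because `it` is no longer used after the loop, which a short comment would make clear to the next reader.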
diff --git a/debian/patches/series b/debian/patches/series
index ce6af15..d9a33e2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -20,3 +20,4 @@
 31_relax_plugin_kde_version_check.diff
 cve_2011_1168_konqueror_xss.diff
 cve_2010_3170_cn_wildcards.diff
+cve_2011_1094_ssl_verify_hostname.diff

-- 
KDE Development Platform Libraries module packaging
