[SCM] KDE Development Platform Libraries module packaging branch, squeeze, updated. debian/4.4.5-2+squeeze1-4-g2bfb1e4
José Manuel Santamaría Lema
santa-guest at alioth.debian.org
Thu Apr 14 01:01:18 UTC 2011
The following commit has been merged in the squeeze branch:
commit 2bfb1e4752f0fe947d8509e8ab94f5fb7e4b0e07
Author: José Manuel Santamaría Lema <panfaust at gmail.com>
Date: Thu Apr 14 02:07:12 2011 +0200
Fix CVE-2011-1094.
---
debian/changelog | 3 +
.../patches/cve_2011_1094_ssl_verify_hostname.diff | 51 ++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 55 insertions(+), 0 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index b15352c..dc8817f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,9 @@ kde4libs (4:4.4.5-2+squeeze2) UNRELEASED; urgency=low
cve_2011_1168_konqueror_xss.diff.
* Fix CVE-2010-3170 (browser wildcard cerficate validation weakness) for
Konqueror by cve_2010_3170_cn_wildcards.diff.
+ * Fix CVE-2011-1094 (kdelibs does not properly verify that the server hostname
+ matches the Common Name of the Subject of an X.509 certificate if that CN is
+ an IP address) by cve_2011_1094_ssl_verify_hostname.diff.
-- José Manuel Santamaría Lema <panfaust at gmail.com> Tue, 12 Apr 2011 21:16:20 +0200
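Review bot: the entry reads well and matches the CVE wording, but since the patch header (Origin/Description in the new file) records the actual root cause, consider adding one clause here saying that kdelibs now redoes the hostname check itself because QSslSocket does not report HostNameMismatch when the certificate was issued for the IP being connected to; that is the behavioural change a squeeze user would want to find in the changelog. While editing this block, the unchanged context line above has a typo: "cerficate" should be "certificate".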
diff --git a/debian/patches/cve_2011_1094_ssl_verify_hostname.diff b/debian/patches/cve_2011_1094_ssl_verify_hostname.diff
new file mode 100644
index 0000000..4971a3f
--- /dev/null
+++ b/debian/patches/cve_2011_1094_ssl_verify_hostname.diff
@@ -0,0 +1,51 @@
+Origin: https://projects.kde.org/projects/kde/kdelibs/repository/revisions/3735e2ee
+Description: Harden SSL verification against poisoned DNS attacks
+ ... in the case of certificates that are issued against an IP address rather
+ than a hostname.
+ Patch by Tomas Hoger / Red Hat Security Response Team, reviewed by Jeff
+ Mitchell and Richard Moore.
+--- a/kio/kio/tcpslavebase.cpp
++++ b/kio/kio/tcpslavebase.cpp
+@@ -534,23 +534,34 @@ TCPSlaveBase::SslResult TCPSlaveBase::startTLSInternal(uint v_)
+ // domain<->certificate matching here.
+ d->sslErrors = d->socket.sslErrors();
+ QSslCertificate peerCert = d->socket.peerCertificateChain().first();
+- QStringList domainPatterns(peerCert.subjectInfo(QSslCertificate::CommonName));
+- domainPatterns += peerCert.alternateSubjectNames().values(QSsl::DnsEntry);
+ QMutableListIterator<KSslError> it(d->sslErrors);
+ while (it.hasNext()) {
+ // As of 4.4.0 Qt does not assign a certificate to the QSslError it emits
+ // *in the case of HostNameMismatch*. A HostNameMismatch, however, will always
+ // be an error of the peer certificate so we just don't check the error's
+ // certificate().
+- if (it.next().error() != KSslError::HostNameMismatch) {
+- continue;
++
++ // Remove all HostNameMismatch, we have to redo name checking later.
++ if (it.next().error() == KSslError::HostNameMismatch) {
++ it.remove();
+ }
+- foreach (const QString &dp, domainPatterns) {
+- if (isMatchingHostname(dp,d->host)) {
+- it.remove();
+- }
++ }
++ // Redo name checking here and (re-)insert HostNameMismatch to sslErrors if
++ // host name does not match any of the names in server certificate.
++ // QSslSocket may not report HostNameMismatch error, when server
++ // certificate was issued for the IP we are connecting to.
++ QStringList domainPatterns(peerCert.subjectInfo(QSslCertificate::CommonName));
++ domainPatterns += peerCert.alternateSubjectNames().values(QSsl::DnsEntry);
++ bool names_match = false;
++ foreach (const QString &dp, domainPatterns) {
++ if (isMatchingHostname(dp,d->host)) {
++ names_match = true;
++ break;
+ }
+ }
++ if (!names_match) {
++ d->sslErrors.insert(0, KSslError(KSslError::HostNameMismatch, peerCert));
++ }
+
+ // The app side needs the metadata now for the SSL error dialog (if any) but
+ // the same metadata will be needed later, too. When "later" arrives the slave
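Review bot: the rebuilt name check only collects `subjectInfo(QSslCertificate::CommonName)` and `alternateSubjectNames().values(QSsl::DnsEntry)` into `domainPatterns`, so a certificate whose IP is carried only in an IP-address subjectAltName (not in the CN) will now always get a HostNameMismatch inserted, even when `d->host` is that exact IP literal. If that is intended as the conservative choice it deserves a comment next to the `QStringList domainPatterns(...)` line; otherwise consider also matching `QSsl::IpAddressEntry` values when `d->host` is an IP literal. The rest of the logic is sound: removing every HostNameMismatch first and re-inserting one at index 0 carrying `peerCert` closes the gap where Qt reports no mismatch at all, and the inserted error now has a certificate attached, unlike the Qt-emitted one described in the comment above it. Unrelated to this change but visible in the context lines, `peerCertificateChain().first()` is called without checking that the chain is non-empty.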
diff --git a/debian/patches/series b/debian/patches/series
index ce6af15..d9a33e2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -20,3 +20,4 @@
31_relax_plugin_kde_version_check.diff
cve_2011_1168_konqueror_xss.diff
cve_2010_3170_cn_wildcards.diff
+cve_2011_1094_ssl_verify_hostname.diff
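Review bot: appending the new patch after cve_2010_3170_cn_wildcards.diff is consistent with how the other CVE patches are ordered; nothing to change here.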