[SCM] Qt 4 packaging branch, squeeze, updated. debian/4.6.3-4-3-gca7ca43

José Manuel Santamaría Lema santa-guest at alioth.debian.org
Sun Apr 17 16:29:35 UTC 2011


The following commit has been merged in the squeeze branch:
commit ca7ca43a374cd5813d2484f06dd77ce99fb960a3
Author: José Manuel Santamaría Lema <panfaust at gmail.com>
Date:   Sun Apr 17 18:31:04 2011 +0200

    Fix CVE-2010-3170.
---
 debian/changelog                                   |    3 +
 .../cve_2010_3170_ssl_certificates_wildcard.diff   |   81 ++++++++++++++++++++
 debian/patches/series                              |    1 +
 3 files changed, 85 insertions(+), 0 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index ee589b2..363ab2e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,9 @@ qt4-x11 (4:4.6.3-4+squeeze1) UNRELEASED; urgency=low
     blacklisting we need these patches:
     - blacklist_fraudulent_comodo_certificates.diff
     - ssl_certificate_large_sn.diff
+  * Fix CVE-2010-3170 (browser wildcard cerficate validation weakness) with
+    cve_2010_3170_ssl_certificates_wildcard.diff. This problem affects the Arora
+    web browser.
 
  -- José Manuel Santamaría Lema <panfaust at gmail.com>  Fri, 15 Apr 2011 19:13:13 +0200
 
diff --git a/debian/patches/cve_2010_3170_ssl_certificates_wildcard.diff b/debian/patches/cve_2010_3170_ssl_certificates_wildcard.diff
new file mode 100644
index 0000000..e738d4b
--- /dev/null
+++ b/debian/patches/cve_2010_3170_ssl_certificates_wildcard.diff
@@ -0,0 +1,81 @@
+Origin: http://qt.gitorious.org/qt/qt/commit/5f601856
+ http://qt.gitorious.org/qt/qt/commit/87c62128
+Description: Fix handling of SSL certificates with wildcards
+--- a/src/network/ssl/qsslsocket_openssl.cpp
++++ b/src/network/ssl/qsslsocket_openssl.cpp
+@@ -834,17 +834,16 @@
+             QString peerName = (verificationPeerName.isEmpty () ? q->peerName() : verificationPeerName);
+             QString commonName = configuration.peerCertificate.subjectInfo(QSslCertificate::CommonName);
+ 
+-            QRegExp regexp(commonName, Qt::CaseInsensitive, QRegExp::Wildcard);
+-            if (!regexp.exactMatch(peerName)) {
++            if (!isMatchingHostname(commonName.lower(), peerName.lower())) {
+                 bool matched = false;
+                 foreach (const QString &altName, configuration.peerCertificate
+                          .alternateSubjectNames().values(QSsl::DnsEntry)) {
+-                    regexp.setPattern(altName);
+-                    if (regexp.exactMatch(peerName)) {
++                    if (isMatchingHostname(altName.lower(), peerName.lower())) {
+                         matched = true;
+                         break;
+                     }
+                 }
++
+                 if (!matched) {
+                     // No matches in common names or alternate names.
+                     QSslError error(QSslError::HostNameMismatch, configuration.peerCertificate);
+@@ -969,4 +968,44 @@
+     return certificates;
+ }
+ 
++bool QSslSocketBackendPrivate::isMatchingHostname(const QString &cn, const QString &hostname)
++{
++    int wildcard = cn.indexOf(QLatin1Char('*'));
++
++    // Check this is a wildcard cert, if not then just compare the strings
++    if (wildcard < 0)
++        return cn == hostname;
++
++    int firstCnDot = cn.indexOf(QLatin1Char('.'));
++    int secondCnDot = cn.indexOf(QLatin1Char('.'), firstCnDot+1);
++
++    // Check at least 3 components
++    if ((-1 == secondCnDot) || (secondCnDot+1 >= cn.length()))
++        return false;
++
++    // Check * is last character of 1st component (ie. there's a following .)
++    if (wildcard+1 != firstCnDot)
++        return false;
++
++    // Check only one star
++    if (cn.lastIndexOf(QLatin1Char('*')) != wildcard)
++        return false;
++
++    // Check characters preceding * (if any) match
++    if (wildcard && (hostname.leftRef(wildcard) != cn.leftRef(wildcard)))
++        return false;
++
++    // Check characters following first . match
++    if (hostname.midRef(hostname.indexOf(QLatin1Char('.'))) != cn.midRef(firstCnDot))
++        return false;
++
++    // Check if the hostname is an IP address, if so then wildcards are not allowed
++    QHostAddress addr(hostname);
++    if (!addr.isNull())
++        return false;
++
++    // Ok, I guess this was a wildcard CN and the hostname matches.
++    return true;
++}
++
+ QT_END_NAMESPACE
+--- a/src/network/ssl/qsslsocket_openssl_p.h
++++ b/src/network/ssl/qsslsocket_openssl_p.h
+@@ -115,6 +115,7 @@
+ 
+     static QSslCipher QSslCipher_from_SSL_CIPHER(SSL_CIPHER *cipher);
+     static QList<QSslCertificate> STACKOFX509_to_QSslCertificates(STACK_OF(X509) *x509);
++    Q_AUTOTEST_EXPORT static bool isMatchingHostname(const QString &cn, const QString &hostname);
+ };
+ 
+ QT_END_NAMESPACE
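Review bot: The "at least 3 components" test in isMatchingHostname is the only guard against over-broad wildcards, and it counts dots rather than registrable domains, so a name such as `*.co.uk` passes it just as `*.example.com` does. Closing that properly needs a public-suffix list, which is more than a backported fix can carry, but the limit should be stated at the check, e.g. `// NOTE: counts labels only; a wildcard directly under a multi-label public suffix (*.co.uk) is still accepted`. The function also lacks a header comment listing the rules it enforces (a single `*`, as the last character of the left-most label, never for an IP-literal hostname); a short comment above the definition would make the matching policy reviewable in one place. In the caller, whose enclosing block starts and ends outside the embedded hunk, the common name is still tried before the DNS subjectAltName entries, and `peerName.lower()` is recomputed on every loop iteration; hoisting it into a local would be tidier.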
diff --git a/debian/patches/series b/debian/patches/series
index 3f3c0fe..b355cb1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,6 +5,7 @@
 0007_qsslsocket_improve_error_handling_CVE-2010-2621.patch
 ssl_certificate_large_sn.diff
 blacklist_fraudulent_comodo_certificates.diff
+cve_2010_3170_ssl_certificates_wildcard.diff
 
 # qt-copy patches
 0180-window-role.diff

-- 
Qt 4 packaging


