File git-CVE-2013-0308-imap-sslchecks.patch of Package git

Junio C Hamano <gitster@pobox.com> writes:

> Kurt Seifried <kseifried@redhat.com> writes:
> ...
>> You can post it to this list which will get it to vendors in advance
>> and rolled into updates.
>
> It is a three-patch series attached.
> ...

The second patch should add the additional check inside an "if (verify)"
conditional, as we allow imap.sslverify=false to disable the certificate
check.

Here is a replacement patch for that one.

-- >8 --
From: Oswald Buddenhagen <ossi@kde.org>
Date: Fri, 15 Feb 2013 12:50:35 -0800
Subject: [PATCH 2/3] imap-send: the subject of SSL certificate must match the host

We did not check a valid certificate's subject at all, and would
have happily talked with a wrong host after connecting to an
incorrect address and getting a valid certificate that does not
belong to the host we intended to talk to.

Signed-off-by: Oswald Buddenhagen <ossi@kde.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
 imap-send.c |   39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

--- git-1.6.4.2/imap-send.c.orig	2013-02-26 12:27:23.493852908 +0100
+++ git-1.6.4.2/imap-send.c	2013-02-26 12:31:01.106054427 +0100
@@ -274,11 +274,41 @@
 	return -1;
 }
 #else
+static int host_matches(const char *host, const char *pattern)
+{
+	if (pattern[0] == '*' && pattern[1] == '.') {
+		pattern += 2;
+		if (!(host = strchr(host, '.')))
+			return 0;
+		host++;
+	}
+
+	return *host && *pattern && !strcasecmp(host, pattern);
+}
+
+static int verify_hostname(X509 *cert, const char *hostname)
+{
+	int len;
+	X509_NAME *subj;
+	char cname[1000];
+
+	/* try the common name */
+	if (!(subj = X509_get_subject_name(cert)))
+		return error("cannot get certificate subject");
+	if ((len = X509_NAME_get_text_by_NID(subj, NID_commonName, cname, sizeof(cname))) < 0)
+		return error("cannot get certificate common name");
+	if (strlen(cname) == (size_t)len && host_matches(hostname, cname))
+		return 0;
+	return error("certificate owner '%s' does not match hostname '%s'",
+		     cname, hostname);
+}
+
 static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int verify)
 {
 	SSL_METHOD *meth;
 	SSL_CTX *ctx;
 	int ret;
+	X509 *cert;
 
 	SSL_library_init();
 	SSL_load_error_strings();
@@ -318,6 +348,15 @@
 		return -1;
 	}
 
+	if (verify) {
+		/* make sure the hostname matches that of the certificate */
+		cert = SSL_get_peer_certificate(sock->ssl);
+		if (!cert)
+			return error("unable to get peer certificate.");
+		if (verify_hostname(cert, server.host) < 0)
+			return -1;
+	}
+
 	return 0;
 }
 #endif
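Review bot: The certificate returned by SSL_get_peer_certificate() is a new reference that the caller owns and must release with X509_free(); the added block never frees it, so every successful or failed verification leaks an X509 object. The fix is to keep the result and free before returning, `int rc = verify_hostname(cert, server.host);` / `X509_free(cert);` / `if (rc < 0) return -1;`, replacing the two lines after the NULL check. The caller-owned-reference contract also deserves a short comment on the SSL_get_peer_certificate line so the free is not dropped in a later refactor. ssl_socket_connect's body starts outside this hunk, and server.host is a file-level variable not shown here.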