File git-CVE-2013-0308-imap-sslchecks.patch of Package git
Junio C Hamano <gitster@pobox.com> writes:

> Kurt Seifried <kseifried@redhat.com> writes:
> ...
>> You can post it to this list which will get it to vendors in advance
>> and rolled into updates.
>
> It is a three-patch series attached.
> ...

The second patch should add the additional check inside an "if (verify)" conditional, as we allow imap.sslverify=false to disable the certificate check. Here is a replacement patch for that one.

-- >8 --
From: Oswald Buddenhagen <ossi@kde.org>
Date: Fri, 15 Feb 2013 12:50:35 -0800
Subject: [PATCH 2/3] imap-send: the subject of SSL certificate must match the host

We did not check a valid certificate's subject at all, and would have happily talked with a wrong host after connecting to an incorrect address and getting a valid certificate that does not belong to the host we intended to talk to.

Signed-off-by: Oswald Buddenhagen <ossi@kde.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
 imap-send.c | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

--- git-1.6.4.2/imap-send.c.orig	2013-02-26 12:27:23.493852908 +0100
+++ git-1.6.4.2/imap-send.c	2013-02-26 12:31:01.106054427 +0100
@@ -274,11 +274,41 @@ return -1; } #else +static int host_matches(const char *host, const char *pattern) +{ + if (pattern[0] == '*' && pattern[1] == '.') { + pattern += 2; + if (!(host = strchr(host, '.'))) + return 0; + host++; + } + + return *host && *pattern && !strcasecmp(host, pattern); +} + +static int verify_hostname(X509 *cert, const char *hostname) +{ + int len; + X509_NAME *subj; + char cname[1000]; + + /* try the common name */ + if (!(subj = X509_get_subject_name(cert))) + return error("cannot get certificate subject"); + if ((len = X509_NAME_get_text_by_NID(subj, NID_commonName, cname, sizeof(cname))) < 0) + return error("cannot get certificate common name"); + if (strlen(cname) == (size_t)len && host_matches(hostname, cname)) + return 0; + return error("certificate owner '%s' does not match hostname '%s'", + cname, hostname); +} + static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int verify) { SSL_METHOD *meth; SSL_CTX *ctx; int ret; + X509 *cert; SSL_library_init(); SSL_load_error_strings(); @@ -318,6 +348,15 @@ return -1; } + if (verify) { + /* make sure the hostname matches that of the certificate */ + cert = SSL_get_peer_certificate(sock->ssl); + if (!cert) + return error("unable to get peer certificate."); + if (verify_hostname(cert, server.host) < 0) + return -1; + } + return 0; } #endif
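Review bot: in the first hunk (`@@ -274,11 +274,41 @@`), verify_hostname() looks only at the subject commonName, so a certificate that carries its identity in subjectAltName dNSName entries (the form RFC 6125 prefers, with CN only as a fallback) is rejected even when it is valid for the host; consider walking the subjectAltName extension first and falling back to CN only when no dNSName is present. In host_matches(), the wildcard branch strips exactly one label from the host and compares the rest, so nothing stops a pattern like `*.com` from matching `example.com`; requiring at least two labels after the `*.` (or matching only the leftmost label) would avoid accepting wildcards on public suffixes. The `strlen(cname) == (size_t)len` comparison is a good defence against an embedded NUL in the CN and should stay.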
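Review bot: in the second hunk (`@@ -318,6 +348,15 @@`), the X509 returned by SSL_get_peer_certificate() is reference-counted and must be released with X509_free(cert), but the hunk never frees it on either the success path or the `verify_hostname(cert, server.host) < 0` path, so every verified connection leaks a certificate. Since `ret` is already declared in ssl_socket_connect(), the fix is small: `ret = verify_hostname(cert, server.host); X509_free(cert); if (ret < 0) return -1;`. Putting the block under `if (verify)` matches the cover note that imap.sslverify=false disables the certificate check.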