~ubuntu-branches/ubuntu/lucid/wget/lucid-security


Viewing changes to debian/patches/security-CVE-2009-3490.dpatch

  • Committer: Bazaar Package Importer
  • Author(s): Marc Deslauriers
  • Date: 2009-12-12 08:15:59 UTC
  • mfrom: (2.1.5 squeeze)
  • Revision ID: james.westby@ubuntu.com-20091212081559-mvccl4kzdqb138y3
Tags: 1.12-1.1ubuntu1
* Merge from debian testing, remaining changes:
  - Add wget-udeb to ship wget.gnu as alternative to busybox wget
    implementation.
* Keep build dependencies in main:
  - debian/control: remove info2man build-dep
  - debian/patches/00list: disable wget-infopod_generated_manpage.dpatch

1
 
#!/bin/sh -e
2
 
## security-CVE-2009-34390.dpatch by Marc Deslauriers <marc.deslauriers@ubuntu.com>
3
 
##
4
 
## DP: Description: fix SSL certificate bypass with NULL CN byte.
5
 
## DP: Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=549293
6
 
## DP: Upstream: http://savannah.gnu.org/bugs/?27183
7
 
## DP: Patch: http://hg.addictivecode.org/wget/mainline/rev/2d8c76a23e7d
8
 
## DP: Patch: http://hg.addictivecode.org/wget/mainline/rev/f2d2ca32fd1b
9
 
 
10
 
if [ $# -lt 1 ]; then
11
 
    echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
12
 
    exit 1
13
 
fi
14
 
 
15
 
[ -f debian/patches/00patch-opts ] && . debian/patches/00patch-opts
16
 
patch_opts="${patch_opts:--f --no-backup-if-mismatch} ${2:+-d $2}"
17
 
 
18
 
case "$1" in
19
 
       -patch) patch $patch_opts -p1 < $0;;
20
 
       -unpatch) patch $patch_opts -p1 -R < $0;;
21
 
        *)
22
 
                echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
23
 
                exit 1;;
24
 
esac
25
 
 
26
 
exit 0
27
 
 
28
 
@DPATCH@
29
 
 
30
 
diff -urNad wget-1.11.4~/src/openssl.c wget-1.11.4/src/openssl.c
31
 
--- wget-1.11.4~/src/openssl.c  2008-04-27 00:48:23.000000000 -0400
32
 
+++ wget-1.11.4/src/openssl.c   2009-10-05 14:32:30.000000000 -0400
33
 
@@ -561,9 +561,11 @@
34
 
      - Ensure that ASN1 strings from the certificate are encoded as
35
 
        UTF-8 which can be meaningfully compared to HOST.  */
36
 
 
37
 
+  X509_NAME *xname = X509_get_subject_name(cert);
38
 
   common_name[0] = '\0';
39
 
-  X509_NAME_get_text_by_NID (X509_get_subject_name (cert),
40
 
-                             NID_commonName, common_name, sizeof (common_name));
41
 
+  X509_NAME_get_text_by_NID (xname, NID_commonName, common_name,
42
 
+                             sizeof (common_name));
43
 
+
44
 
   if (!pattern_match (common_name, host))
45
 
     {
46
 
       logprintf (LOG_NOTQUIET, _("\
47
 
@@ -571,6 +573,41 @@
48
 
                  severity, escnonprint (common_name), escnonprint (host));
49
 
       success = false;
50
 
     }
51
 
+  else
52
 
+    {
53
 
+      /* We now determine the length of the ASN1 string. If it differs from
54
 
+       * common_name's length, then there is a \0 before the string terminates.
55
 
+       * This can be an instance of a null-prefix attack.
56
 
+       *
57
 
+       * https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike
58
 
+       * */
59
 
+
60
 
+      int i = -1, j;
61
 
+      X509_NAME_ENTRY *xentry;
62
 
+      ASN1_STRING *sdata;
63
 
+
64
 
+      if (xname) {
65
 
+        for (;;)
66
 
+          {
67
 
+            j = X509_NAME_get_index_by_NID (xname, NID_commonName, i);
68
 
+            if (j == -1) break;
69
 
+            i = j;
70
 
+          }
71
 
+      }
72
 
+
73
 
+      xentry = X509_NAME_get_entry(xname,i);
74
 
+      sdata = X509_NAME_ENTRY_get_data(xentry);
75
 
+      if (strlen (common_name) != ASN1_STRING_length (sdata)) 
76
 
+        {
77
 
+          logprintf (LOG_NOTQUIET, _("\
78
 
+%s: certificate common name is invalid (contains a NUL character).\n\
79
 
+This may be an indication that the host is not who it claims to be\n\
80
 
+(that is, it is not the real %s).\n"),
81
 
+                     severity, escnonprint (host));
82
 
+          success = false;
83
 
+        }
84
 
+    }
85
 
+  
86
 
 
87
 
   if (success)
88
 
     DEBUGP (("X509 certificate successfully verified and matches host %s\n",