## security-CVE-2009-34390.dpatch by Marc Deslauriers <marc.deslauriers@ubuntu.com>
## DP: Description: fix SSL certificate hostname-check bypass via an embedded NUL byte in the CN.
## DP: Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=549293
## DP: Upstream: http://savannah.gnu.org/bugs/?27183
## DP: Patch: http://hg.addictivecode.org/wget/mainline/rev/2d8c76a23e7d
## DP: Patch: http://hg.addictivecode.org/wget/mainline/rev/f2d2ca32fd1b
echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
[ -f debian/patches/00patch-opts ] && . debian/patches/00patch-opts
patch_opts="${patch_opts:--f --no-backup-if-mismatch} ${2:+-d $2}"
-patch) patch $patch_opts -p1 < $0;;
-unpatch) patch $patch_opts -p1 -R < $0;;
echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
diff -urNad wget-1.11.4~/src/openssl.c wget-1.11.4/src/openssl.c
31
--- wget-1.11.4~/src/openssl.c 2008-04-27 00:48:23.000000000 -0400
32
+++ wget-1.11.4/src/openssl.c 2009-10-05 14:32:30.000000000 -0400
34
- Ensure that ASN1 strings from the certificate are encoded as
35
UTF-8 which can be meaningfully compared to HOST. */
37
+ X509_NAME *xname = X509_get_subject_name(cert);
38
common_name[0] = '\0';
39
- X509_NAME_get_text_by_NID (X509_get_subject_name (cert),
40
- NID_commonName, common_name, sizeof (common_name));
41
+ X509_NAME_get_text_by_NID (xname, NID_commonName, common_name,
42
+ sizeof (common_name));
44
if (!pattern_match (common_name, host))
46
logprintf (LOG_NOTQUIET, _("\
48
severity, escnonprint (common_name), escnonprint (host));
53
+ /* We now determine the length of the ASN1 string. If it differs from
54
+ * common_name's length, then there is a \0 before the string terminates.
55
+ * This can be an instance of a null-prefix attack.
57
+ * https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike
61
+ X509_NAME_ENTRY *xentry;
67
+ j = X509_NAME_get_index_by_NID (xname, NID_commonName, i);
73
+ xentry = X509_NAME_get_entry(xname,i);
74
+ sdata = X509_NAME_ENTRY_get_data(xentry);
75
+ if (strlen (common_name) != ASN1_STRING_length (sdata))
77
+ logprintf (LOG_NOTQUIET, _("\
78
+%s: certificate common name is invalid (contains a NUL character).\n\
79
+This may be an indication that the host is not who it claims to be\n\
80
+(that is, it is not the real %s).\n"),
81
+ severity, escnonprint (host));
88
DEBUGP (("X509 certificate successfully verified and matches host %s\n",
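Review bot: The comparison `strlen (common_name) != ASN1_STRING_length (sdata)` checks a different subject entry from the one that was matched against the host: X509_NAME_get_text_by_NID fills common_name from the first commonName attribute, whereas the index `i` passed to X509_NAME_get_entry comes from the X509_NAME_get_index_by_NID walk, which (its loop lines are elided from this view) appears to stop on the last one. With two CN attributes the check can misfire in both directions — a benign second CN of a different length is rejected as "contains a NUL character", while a NUL-bearing first CN paired with a clean last CN of equal byte length passes — and a CN longer than common_name is likewise reported as containing a NUL because get_text_by_NID truncates the copy. Testing every CN entry for an embedded NUL with memchr over the raw ASN1 bytes, instead of comparing lengths taken from two different entries, removes both problems and makes the diagnostic accurate. The enclosing function starts and ends outside the hunk, and what happens after the diagnostic (whether verification is actually failed) is not visible here.

```c
      /* Reject the certificate if ANY commonName entry embeds a NUL byte,
       * regardless of which entry X509_NAME_get_text_by_NID copied above. */
      for (i = X509_NAME_get_index_by_NID (xname, NID_commonName, -1);
           i != -1;
           i = X509_NAME_get_index_by_NID (xname, NID_commonName, i))
        {
          xentry = X509_NAME_get_entry (xname, i);
          sdata = X509_NAME_ENTRY_get_data (xentry);
          if (memchr (ASN1_STRING_data (sdata), '\0',
                      ASN1_STRING_length (sdata)) != NULL)
            {
              /* … unchanged: logprintf of the NUL diagnostic and failure handling … */
            }
        }
```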