Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 699611 Details for
Bug 909977
CVE-2013-0308 git: Incorrect IMAP server's SSL x509.v3 certificate validation in git-imap-send command
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
Second part (2/3) of proposed upstream patch to correct this
v3-0002-imap-send-the-subject-of-SSL-certificate-must-match.txt (text/plain), 2.48 KB, created by
Jan Lieskovsky
on 2013-02-19 19:23:25 UTC
(
hide
)
Description:
Second part (2/3) of proposed upstream patch to correct this
Filename:
MIME Type:
Creator:
Jan Lieskovsky
Created:
2013-02-19 19:23:25 UTC
Size:
2.48 KB
patch
obsolete
>From 35a3c3ac75615f5435e708e1f378c96fbe1887f6 Mon Sep 17 00:00:00 2001 >From: Oswald Buddenhagen <ossi@kde.org> >Date: Fri, 15 Feb 2013 12:50:35 -0800 >Subject: [PATCH v3 2/3] imap-send: the subject of SSL certificate must match > the host > >We did not check a valid certificate's subject at all, and would >have happily talked with a wrong host after connecting to an >incorrect address and getting a valid certificate that does not >belong to the host we intended to talk to. > >Signed-off-by: Oswald Buddenhagen <ossi@kde.org> >Signed-off-by: Junio C Hamano <gitster@pobox.com> >--- > imap-send.c | 37 +++++++++++++++++++++++++++++++++++++ > 1 file changed, 37 insertions(+) > >diff --git a/imap-send.c b/imap-send.c >index 75c14a0..33fed3d 100644 >--- a/imap-send.c >+++ b/imap-send.c >@@ -275,6 +275,35 @@ static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int ve > > #else > >+static int host_matches(const char *host, const char *pattern) >+{ >+ if (pattern[0] == '*' && pattern[1] == '.') { >+ pattern += 2; >+ if (!(host = strchr(host, '.'))) >+ return 0; >+ host++; >+ } >+ >+ return *host && *pattern && !strcasecmp(host, pattern); >+} >+ >+static int verify_hostname(X509 *cert, const char *hostname) >+{ >+ int len; >+ X509_NAME *subj; >+ char cname[1000]; >+ >+ /* try the common name */ >+ if (!(subj = X509_get_subject_name(cert))) >+ return error("cannot get certificate subject"); >+ if ((len = X509_NAME_get_text_by_NID(subj, NID_commonName, cname, sizeof(cname))) < 0) >+ return error("cannot get certificate common name"); >+ if (strlen(cname) == (size_t)len && host_matches(hostname, cname)) >+ return 0; >+ return error("certificate owner '%s' does not match hostname '%s'", >+ cname, hostname); >+} >+ > static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int verify) > { > #if (OPENSSL_VERSION_NUMBER >= 0x10000000L) >@@ -284,6 +313,7 @@ static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int ve > #endif > SSL_CTX *ctx; > int ret; >+ X509 *cert; > > SSL_library_init(); > SSL_load_error_strings(); >@@ -327,6 +357,13 @@ static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int ve > return -1; > } > >+ /* make sure the hostname matches that of the certificate */ >+ cert = SSL_get_peer_certificate(sock->ssl); >+ if (!cert) >+ return error("unable to get peer certificate."); >+ if (verify_hostname(cert, server.host) < 0) >+ return -1; >+ > return 0; > } > #endif >-- >1.8.1.3.701.g82b0977 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=699611">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 909977
:
699610
|
699611
|
699612
|
700017