Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 700017 Details for
Bug 909977
CVE-2013-0308 git: Incorrect IMAP server's SSL x509.v3 certificate validation in git-imap-send command
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
Improved second piece of the patchset
0002-imap-send-the-subject-of-SSL-certificate-must-match-.patch (text/plain), 2.41 KB, created by
Adam Tkac
on 2013-02-20 13:03:22 UTC
(
hide
)
Description:
Improved second piece of the patchset
Filename:
MIME Type:
Creator:
Adam Tkac
Created:
2013-02-20 13:03:22 UTC
Size:
2.41 KB
patch
obsolete
>From b62fb077d5504deadea931fd16075729f39b8f47 Mon Sep 17 00:00:00 2001 >From: Oswald Buddenhagen <ossi@kde.org> >Date: Fri, 15 Feb 2013 12:50:35 -0800 >Subject: [PATCH 2/3] imap-send: the subject of SSL certificate must match the > host > >We did not check a valid certificate's subject at all, and would >have happily talked with a wrong host after connecting to an >incorrect address and getting a valid certificate that does not >belong to the host we intended to talk to. > >Signed-off-by: Oswald Buddenhagen <ossi@kde.org> >Signed-off-by: Junio C Hamano <gitster@pobox.com> >--- > imap-send.c | 39 +++++++++++++++++++++++++++++++++++++++ > 1 file changed, 39 insertions(+) > >diff --git a/imap-send.c b/imap-send.c >index 94f53c2..0b9c464 100644 >--- a/imap-send.c >+++ b/imap-send.c >@@ -275,6 +275,35 @@ static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int ve > > #else > >+static int host_matches(const char *host, const char *pattern) >+{ >+ if (pattern[0] == '*' && pattern[1] == '.') { >+ pattern += 2; >+ if (!(host = strchr(host, '.'))) >+ return 0; >+ host++; >+ } >+ >+ return *host && *pattern && !strcasecmp(host, pattern); >+} >+ >+static int verify_hostname(X509 *cert, const char *hostname) >+{ >+ int len; >+ X509_NAME *subj; >+ char cname[1000]; >+ >+ /* try the common name */ >+ if (!(subj = X509_get_subject_name(cert))) >+ return error("cannot get certificate subject"); >+ if ((len = X509_NAME_get_text_by_NID(subj, NID_commonName, cname, sizeof(cname))) < 0) >+ return error("cannot get certificate common name"); >+ if (strlen(cname) == (size_t)len && host_matches(hostname, cname)) >+ return 0; >+ return error("certificate owner '%s' does not match hostname '%s'", >+ cname, hostname); >+} >+ > static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int verify) > { > #if (OPENSSL_VERSION_NUMBER >= 0x10000000L) >@@ -284,6 +313,7 @@ static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int ve > #endif > SSL_CTX *ctx; > int ret; >+ X509 *cert; > > SSL_library_init(); > SSL_load_error_strings(); >@@ -327,6 +357,15 @@ static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int ve > return -1; > } > >+ if (verify) { >+ /* make sure the hostname matches that of the certificate */ >+ cert = SSL_get_peer_certificate(sock->ssl); >+ if (!cert) >+ return error("unable to get peer certificate."); >+ if (verify_hostname(cert, server.host) < 0) >+ return -1; >+ } >+ > return 0; > } > #endif >-- >1.8.1.2 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=700017">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 909977
:
699610
|
699611
|
699612
| 700017