Imported Debian patch 8.14.3-5+lenny1debian/8.14.3-5+lenny1

author: Giuseppe Iuculano <iuculano@debian.org> 2010-01-29 14:52:12 +0100
committer: Andreas Beckmann <debian@abeckmann.de> 2012-10-01 20:07:43 +0200
commit: e9131ee44af08b713462635e6827e095a8815571 (patch)
tree: a9ee66d0ca98565564e9314cac82ab6a4457340e
parent: cb83348f6c0b88c1d1104d6868be756aa51cc5fa (diff)
download: sendmail-e9131ee44af08b713462635e6827e095a8815571.tar.gz
2 files changed, 120 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 1a83e66..c73cf0c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+sendmail (8.14.3-5+lenny1) stable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fixed CVE-2009-4565: incorrect verification of SSL certificate with NUL in
+    name (Closes: #564581)
+
+ -- Giuseppe Iuculano <iuculano@debian.org>  Fri, 29 Jan 2010 14:52:12 +0100
+
 sendmail (8.14.3-5) unstable; urgency=high
 
   * Sendmail uses the same filemode for pid/hoststat/dead.letter/etc
diff --git a/debian/patches/8.14/8.14.3/CVE-2009-4565.patch b/debian/patches/8.14/8.14.3/CVE-2009-4565.patch
new file mode 100644
index 0000000..7ab3677
--- /dev/null
+++ b/debian/patches/8.14/8.14.3/CVE-2009-4565.patch
@@ -0,0 +1,112 @@
+CVE-2009-4565
+diff -pruN sendmail-8.14.3/cf/README sendmail-8.14.4/cf/README
+--- sendmail-8.14.3/cf/README	2008-02-16 00:05:32.000000000 +0100
++++ sendmail-8.14.4/cf/README	2009-05-08 01:46:17.000000000 +0200
+@@ -3142,7 +3142,7 @@ starts with '+' and the items are separa
+ extensions are:
+ 
+ CN:name		name must match ${cn_subject}
+-CN		${server_name} must match ${cn_subject}
++CN		${client_name}/${server_name} must match ${cn_subject}
+ CS:name		name must match ${cert_subject}
+ CI:name		name must match ${cert_issuer}
+ 
+diff -pruN sendmail-8.14.3/doc/op/op.me sendmail-8.14.4/doc/op/op.me
+--- sendmail-8.14.3/doc/op/op.me	2007-06-23 01:08:59.000000000 +0200
++++ sendmail-8.14.4/doc/op/op.me	2009-12-13 05:12:46.000000000 +0100
+@@ -4952,9 +4953,21 @@ as "(may be forged)".
+ .ip ${cn_issuer}
+ The CN (common name) of the CA that signed the presented certificate
+ (STARTTLS only).
++Note: if the CN cannot be extracted properly it will be replaced by
++one of these strings based on the encountered error:
++.(b
++.ta 25n
++BadCertificateContainsNUL	CN contains a NUL character
++BadCertificateTooLong	CN is too long
++BadCertificateUnknown	CN could not be extracted
++.)b
++In the last case, some other (unspecific) error occurred.
+ .ip ${cn_subject}
+ The CN (common name) of the presented certificate
+ (STARTTLS only).
++See
++.b ${cn_issuer}
++for possible replacements.
+ .ip ${currHeader}
+ Header value as quoted string
+ (possibly truncated to
+diff -pruN sendmail-8.14.3/sendmail/tls.c sendmail-8.14.4/sendmail/tls.c
+--- sendmail-8.14.3/sendmail/tls.c	2006-10-12 23:35:11.000000000 +0200
++++ sendmail-8.14.4/sendmail/tls.c	2009-08-10 17:11:09.000000000 +0200
+@@ -1196,23 +1200,62 @@ tls_get_info(ssl, srv, host, mac, certre
+ 	if (cert != NULL)
+ 	{
+ 		unsigned int n;
++		X509_NAME *subj, *issuer;
+ 		unsigned char md[EVP_MAX_MD_SIZE];
+ 		char buf[MAXNAME];
+ 
+-		X509_NAME_oneline(X509_get_subject_name(cert),
+-				  buf, sizeof(buf));
++		subj = X509_get_subject_name(cert);
++		issuer = X509_get_issuer_name(cert);
++		X509_NAME_oneline(subj, buf, sizeof(buf));
+ 		macdefine(mac, A_TEMP, macid("{cert_subject}"),
+ 			 xtextify(buf, "<>\")"));
+-		X509_NAME_oneline(X509_get_issuer_name(cert),
+-				  buf, sizeof(buf));
++		X509_NAME_oneline(issuer, buf, sizeof(buf));
+ 		macdefine(mac, A_TEMP, macid("{cert_issuer}"),
+ 			 xtextify(buf, "<>\")"));
+-		X509_NAME_get_text_by_NID(X509_get_subject_name(cert),
+-					  NID_commonName, buf, sizeof(buf));
++
++#define CHECK_X509_NAME(which)	\
++	do {	\
++		if (r == -1)	\
++		{		\
++			sm_strlcpy(buf, "BadCertificateUnknown", sizeof(buf)); \
++			if (LogLevel > 7)	\
++				sm_syslog(LOG_INFO, NOQID,	\
++					"STARTTLS=%s, relay=%.100s, field=%s, status=failed to extract CN",	\
++					who,	\
++					host == NULL ? "local" : host,	\
++					which);	\
++		}		\
++		else if ((size_t)r >= sizeof(buf) - 1)	\
++		{		\
++			sm_strlcpy(buf, "BadCertificateTooLong", sizeof(buf)); \
++			if (LogLevel > 7)	\
++				sm_syslog(LOG_INFO, NOQID,	\
++					"STARTTLS=%s, relay=%.100s, field=%s, status=CN too long",	\
++					who,	\
++					host == NULL ? "local" : host,	\
++					which);	\
++		}		\
++		else if ((size_t)r > strlen(buf))	\
++		{		\
++			sm_strlcpy(buf, "BadCertificateContainsNUL",	\
++				sizeof(buf));	\
++			if (LogLevel > 7)	\
++				sm_syslog(LOG_INFO, NOQID,	\
++					"STARTTLS=%s, relay=%.100s, field=%s, status=CN contains NUL",	\
++					who,	\
++					host == NULL ? "local" : host,	\
++					which);	\
++		}		\
++	} while (0)
++
++		r = X509_NAME_get_text_by_NID(subj, NID_commonName, buf,
++			sizeof buf);
++		CHECK_X509_NAME("cn_subject");
+ 		macdefine(mac, A_TEMP, macid("{cn_subject}"),
+ 			 xtextify(buf, "<>\")"));
+-		X509_NAME_get_text_by_NID(X509_get_issuer_name(cert),
+-					  NID_commonName, buf, sizeof(buf));
++		r = X509_NAME_get_text_by_NID(issuer, NID_commonName, buf,
++			sizeof buf);
++		CHECK_X509_NAME("cn_issuer");
+ 		macdefine(mac, A_TEMP, macid("{cn_issuer}"),
+ 			 xtextify(buf, "<>\")"));
+ 		n = 0;
author	Giuseppe Iuculano <iuculano@debian.org>	2010-01-29 14:52:12 +0100
committer	Andreas Beckmann <debian@abeckmann.de>	2012-10-01 20:07:43 +0200
commit	e9131ee44af08b713462635e6827e095a8815571 (patch)
tree	a9ee66d0ca98565564e9314cac82ab6a4457340e
parent	cb83348f6c0b88c1d1104d6868be756aa51cc5fa (diff)
download	sendmail-e9131ee44af08b713462635e6827e095a8815571.tar.gz