summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGiuseppe Iuculano <iuculano@debian.org>2010-01-29 14:16:07 +0100
committerAndreas Beckmann <debian@abeckmann.de>2012-10-01 20:07:46 +0200
commit37ee8ac78e67343e01c5368609ab3aa6f606ebf4 (patch)
treee93f756b7d790e9df4aec76a32b7c37f8208a87a
parentc195f35e4dd7b000cdcf75dae880501b13b8838a (diff)
downloadsendmail-37ee8ac78e67343e01c5368609ab3aa6f606ebf4.tar.gz
Imported Debian patch 8.14.3-9.1debian/8.14.3-9.1
-rw-r--r--debian/changelog8
-rw-r--r--debian/patches/8.14/8.14.3/CVE-2009-4565112
-rw-r--r--debian/patches/8.14/8.14.3/series1
3 files changed, 121 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index f4d7da0..e553e8a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+sendmail (8.14.3-9.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fixed CVE-2009-4565: incorrect verification of SSL certificate with NUL in
+ name (Closes: #564581)
+
+ -- Giuseppe Iuculano <iuculano@debian.org> Fri, 29 Jan 2010 14:16:07 +0100
+
sendmail (8.14.3-9) unstable; urgency=low
* Batting 1000, build-depend on quilt Closes: #517676
diff --git a/debian/patches/8.14/8.14.3/CVE-2009-4565 b/debian/patches/8.14/8.14.3/CVE-2009-4565
new file mode 100644
index 0000000..7ab3677
--- /dev/null
+++ b/debian/patches/8.14/8.14.3/CVE-2009-4565
@@ -0,0 +1,112 @@
+CVE-2009-4565
+diff -pruN sendmail-8.14.3/cf/README sendmail-8.14.4/cf/README
+--- sendmail-8.14.3/cf/README 2008-02-16 00:05:32.000000000 +0100
++++ sendmail-8.14.4/cf/README 2009-05-08 01:46:17.000000000 +0200
+@@ -3142,7 +3142,7 @@ starts with '+' and the items are separa
+ extensions are:
+
+ CN:name name must match ${cn_subject}
+-CN ${server_name} must match ${cn_subject}
++CN ${client_name}/${server_name} must match ${cn_subject}
+ CS:name name must match ${cert_subject}
+ CI:name name must match ${cert_issuer}
+
+diff -pruN sendmail-8.14.3/doc/op/op.me sendmail-8.14.4/doc/op/op.me
+--- sendmail-8.14.3/doc/op/op.me 2007-06-23 01:08:59.000000000 +0200
++++ sendmail-8.14.4/doc/op/op.me 2009-12-13 05:12:46.000000000 +0100
+@@ -4952,9 +4953,21 @@ as "(may be forged)".
+ .ip ${cn_issuer}
+ The CN (common name) of the CA that signed the presented certificate
+ (STARTTLS only).
++Note: if the CN cannot be extracted properly it will be replaced by
++one of these strings based on the encountered error:
++.(b
++.ta 25n
++BadCertificateContainsNUL CN contains a NUL character
++BadCertificateTooLong CN is too long
++BadCertificateUnknown CN could not be extracted
++.)b
++In the last case, some other (unspecific) error occurred.
+ .ip ${cn_subject}
+ The CN (common name) of the presented certificate
+ (STARTTLS only).
++See
++.b ${cn_issuer}
++for possible replacements.
+ .ip ${currHeader}
+ Header value as quoted string
+ (possibly truncated to
+diff -pruN sendmail-8.14.3/sendmail/tls.c sendmail-8.14.4/sendmail/tls.c
+--- sendmail-8.14.3/sendmail/tls.c 2006-10-12 23:35:11.000000000 +0200
++++ sendmail-8.14.4/sendmail/tls.c 2009-08-10 17:11:09.000000000 +0200
+@@ -1196,23 +1200,62 @@ tls_get_info(ssl, srv, host, mac, certre
+ if (cert != NULL)
+ {
+ unsigned int n;
++ X509_NAME *subj, *issuer;
+ unsigned char md[EVP_MAX_MD_SIZE];
+ char buf[MAXNAME];
+
+- X509_NAME_oneline(X509_get_subject_name(cert),
+- buf, sizeof(buf));
++ subj = X509_get_subject_name(cert);
++ issuer = X509_get_issuer_name(cert);
++ X509_NAME_oneline(subj, buf, sizeof(buf));
+ macdefine(mac, A_TEMP, macid("{cert_subject}"),
+ xtextify(buf, "<>\")"));
+- X509_NAME_oneline(X509_get_issuer_name(cert),
+- buf, sizeof(buf));
++ X509_NAME_oneline(issuer, buf, sizeof(buf));
+ macdefine(mac, A_TEMP, macid("{cert_issuer}"),
+ xtextify(buf, "<>\")"));
+- X509_NAME_get_text_by_NID(X509_get_subject_name(cert),
+- NID_commonName, buf, sizeof(buf));
++
++#define CHECK_X509_NAME(which) \
++ do { \
++ if (r == -1) \
++ { \
++ sm_strlcpy(buf, "BadCertificateUnknown", sizeof(buf)); \
++ if (LogLevel > 7) \
++ sm_syslog(LOG_INFO, NOQID, \
++ "STARTTLS=%s, relay=%.100s, field=%s, status=failed to extract CN", \
++ who, \
++ host == NULL ? "local" : host, \
++ which); \
++ } \
++ else if ((size_t)r >= sizeof(buf) - 1) \
++ { \
++ sm_strlcpy(buf, "BadCertificateTooLong", sizeof(buf)); \
++ if (LogLevel > 7) \
++ sm_syslog(LOG_INFO, NOQID, \
++ "STARTTLS=%s, relay=%.100s, field=%s, status=CN too long", \
++ who, \
++ host == NULL ? "local" : host, \
++ which); \
++ } \
++ else if ((size_t)r > strlen(buf)) \
++ { \
++ sm_strlcpy(buf, "BadCertificateContainsNUL", \
++ sizeof(buf)); \
++ if (LogLevel > 7) \
++ sm_syslog(LOG_INFO, NOQID, \
++ "STARTTLS=%s, relay=%.100s, field=%s, status=CN contains NUL", \
++ who, \
++ host == NULL ? "local" : host, \
++ which); \
++ } \
++ } while (0)
++
++ r = X509_NAME_get_text_by_NID(subj, NID_commonName, buf,
++ sizeof buf);
++ CHECK_X509_NAME("cn_subject");
+ macdefine(mac, A_TEMP, macid("{cn_subject}"),
+ xtextify(buf, "<>\")"));
+- X509_NAME_get_text_by_NID(X509_get_issuer_name(cert),
+- NID_commonName, buf, sizeof(buf));
++ r = X509_NAME_get_text_by_NID(issuer, NID_commonName, buf,
++ sizeof buf);
++ CHECK_X509_NAME("cn_issuer");
+ macdefine(mac, A_TEMP, macid("{cn_issuer}"),
+ xtextify(buf, "<>\")"));
+ n = 0;
diff --git a/debian/patches/8.14/8.14.3/series b/debian/patches/8.14/8.14.3/series
index e216bd6..bbe29e8 100644
--- a/debian/patches/8.14/8.14.3/series
+++ b/debian/patches/8.14/8.14.3/series
@@ -9,3 +9,4 @@ mailer_cyrus
mailer_fax
maxseq
rmail.odi
+CVE-2009-4565