-rw-r--r-- | debian/changelog | 8 | ||||
-rw-r--r-- | debian/patches/8.13/8.13.8/CVE-2009-4565.patch | 115 |
2 files changed, 123 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 7c4b734..f5ea9e2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+sendmail (8.13.8-3+etch1) oldstable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fixed CVE-2009-4565: incorrect verification of SSL certificate with NUL in
+ name (Closes: #564581)
+
+ -- Giuseppe Iuculano <iuculano@debian.org> Sat, 30 Jan 2010 18:10:23 +0100
+
 sendmail (8.13.8-3) unstable; urgency=high
 
 * !!! Fix some serious issues wrt upcomming transition !!!
diff --git a/debian/patches/8.13/8.13.8/CVE-2009-4565.patch b/debian/patches/8.13/8.13.8/CVE-2009-4565.patch
new file mode 100644
index 0000000..c5ece4f
--- /dev/null
+++ b/debian/patches/8.13/8.13.8/CVE-2009-4565.patch
@@ -0,0 +1,115 @@
+diff --git a/build-tree/sendmail-8.13.8/cf/README b/build-tree/sendmail-8.13.8/cf/README
+index fce316e..0384c4b 100644
+--- sendmail-8.13.8/cf/README
++++ sendmail-8.13.8/cf/README
+@@ -3051,7 +3051,7 @@ starts with '+' and the items are separated by '++'. Allowed
+ extensions are:
+ 
+ CN:name name must match ${cn_subject}
+-CN ${server_name} must match ${cn_subject}
++CN ${client_name}/${server_name} must match ${cn_subject}
+ CS:name name must match ${cert_subject}
+ CI:name name must match ${cert_issuer}
+ 
+diff --git a/build-tree/sendmail-8.13.8/doc/op/op.me b/build-tree/sendmail-8.13.8/doc/op/op.me
+index 3f4f0a5..db595db 100644
+--- sendmail-8.13.8/doc/op/op.me
++++ sendmail-8.13.8/doc/op/op.me
+@@ -4929,9 +4929,21 @@ as "(may be forged)".
+ .ip ${cn_issuer}
+ The CN (common name) of the CA that signed the presented certificate
+ (STARTTLS only).
++Note: if the CN cannot be extracted properly it will be replaced by
++one of these strings based on the encountered error:
++.(b
++.ta 25n
++BadCertificateContainsNUL CN contains a NUL character
++BadCertificateTooLong CN is too long
++BadCertificateUnknown CN could not be extracted
++.)b
++In the last case, some other (unspecific) error occurred.
+ .ip ${cn_subject}
+ The CN (common name) of the presented certificate
+ (STARTTLS only).
++See
++.b ${cn_issuer}
++for possible replacements.
+ .ip ${currHeader}
+ Header value as quoted string
+ (possibly truncated to
+diff --git a/build-tree/sendmail-8.13.8/sendmail/tls.c b/build-tree/sendmail-8.13.8/sendmail/tls.c
+index 71fcdc3..8499c65 100644
+--- sendmail-8.13.8/sendmail/tls.c
++++ sendmail-8.13.8/sendmail/tls.c
+@@ -1194,23 +1194,63 @@ tls_get_info(ssl, srv, host, mac, certreq)
+ if (cert != NULL)
+ {
+ unsigned int n;
++ X509_NAME *subj, *issuer;
+ unsigned char md[EVP_MAX_MD_SIZE];
+ char buf[MAXNAME];
+ 
+- X509_NAME_oneline(X509_get_subject_name(cert),
+- buf, sizeof buf);
++ subj = X509_get_subject_name(cert);
++ issuer = X509_get_issuer_name(cert);
++ X509_NAME_oneline(subj, buf, sizeof(buf));
+ macdefine(mac, A_TEMP, macid("{cert_subject}"),
+ xtextify(buf, "<>\")"));
+- X509_NAME_oneline(X509_get_issuer_name(cert),
+- buf, sizeof buf);
++ X509_NAME_oneline(issuer, buf, sizeof(buf));
+ macdefine(mac, A_TEMP, macid("{cert_issuer}"),
+ xtextify(buf, "<>\")"));
+- X509_NAME_get_text_by_NID(X509_get_subject_name(cert),
+- NID_commonName, buf, sizeof buf);
++
++#define CHECK_X509_NAME(which) \
++ do { \
++ if (r == -1) \
++ { \
++ sm_strlcpy(buf, "BadCertificateUnknown", sizeof(buf)); \
++ if (LogLevel > 7) \
++ sm_syslog(LOG_INFO, NOQID, \
++ "STARTTLS=%s, relay=%.100s, field=%s, status=failed to extract CN", \
++ who, \
++ host == NULL ? "local" : host, \
++ which); \
++ } \
++ else if ((size_t)r >= sizeof(buf) - 1) \
++ { \
++ sm_strlcpy(buf, "BadCertificateTooLong", sizeof(buf)); \
++ if (LogLevel > 7) \
++ sm_syslog(LOG_INFO, NOQID, \
++ "STARTTLS=%s, relay=%.100s, field=%s, status=CN too long", \
++ who, \
++ host == NULL ? "local" : host, \
++ which); \
++ } \
++ else if ((size_t)r > strlen(buf)) \
++ { \
++ sm_strlcpy(buf, "BadCertificateContainsNUL", \
++ sizeof(buf)); \
++ if (LogLevel > 7) \
++ sm_syslog(LOG_INFO, NOQID, \
++ "STARTTLS=%s, relay=%.100s, field=%s, status=CN contains NUL", \
++ who, \
++ host == NULL ? "local" : host, \
++ which); \
++ } \
++ } while (0)
++
++ r = X509_NAME_get_text_by_NID(subj, NID_commonName, buf,
++ sizeof buf);
++ CHECK_X509_NAME("cn_subject");
++
+ macdefine(mac, A_TEMP, macid("{cn_subject}"),
+ xtextify(buf, "<>\")"));
+- X509_NAME_get_text_by_NID(X509_get_issuer_name(cert),
+- NID_commonName, buf, sizeof buf);
++ r = X509_NAME_get_text_by_NID(issuer, NID_commonName, buf,
++ sizeof buf);
++ CHECK_X509_NAME("cn_issuer");
+ macdefine(mac, A_TEMP, macid("{cn_issuer}"),
+ xtextify(buf, "<>\")"));
+ n = 0; |