-rw-r--r-- | debian/changelog | 8 | ||||
-rw-r--r-- | debian/patches/8.14/8.14.3/CVE-2009-4565 | 112 | ||||
-rw-r--r-- | debian/patches/8.14/8.14.3/series | 1 |
3 files changed, 121 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index f4d7da0..e553e8a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+sendmail (8.14.3-9.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fixed CVE-2009-4565: incorrect verification of SSL certificate with NUL in
+ name (Closes: #564581)
+
+ -- Giuseppe Iuculano <iuculano@debian.org> Fri, 29 Jan 2010 14:16:07 +0100
+
 sendmail (8.14.3-9) unstable; urgency=low
 
 * Batting 1000, build-depend on quilt Closes: #517676
diff --git a/debian/patches/8.14/8.14.3/CVE-2009-4565 b/debian/patches/8.14/8.14.3/CVE-2009-4565
new file mode 100644
index 0000000..7ab3677
--- /dev/null
+++ b/debian/patches/8.14/8.14.3/CVE-2009-4565
@@ -0,0 +1,112 @@
+CVE-2009-4565
+diff -pruN sendmail-8.14.3/cf/README sendmail-8.14.4/cf/README
+--- sendmail-8.14.3/cf/README 2008-02-16 00:05:32.000000000 +0100
++++ sendmail-8.14.4/cf/README 2009-05-08 01:46:17.000000000 +0200
+@@ -3142,7 +3142,7 @@ starts with '+' and the items are separa
+ extensions are:
+ 
+ CN:name name must match ${cn_subject}
+-CN ${server_name} must match ${cn_subject}
++CN ${client_name}/${server_name} must match ${cn_subject}
+ CS:name name must match ${cert_subject}
+ CI:name name must match ${cert_issuer}
+ 
+diff -pruN sendmail-8.14.3/doc/op/op.me sendmail-8.14.4/doc/op/op.me
+--- sendmail-8.14.3/doc/op/op.me 2007-06-23 01:08:59.000000000 +0200
++++ sendmail-8.14.4/doc/op/op.me 2009-12-13 05:12:46.000000000 +0100
+@@ -4952,9 +4953,21 @@ as "(may be forged)".
+ .ip ${cn_issuer}
+ The CN (common name) of the CA that signed the presented certificate
+ (STARTTLS only).
++Note: if the CN cannot be extracted properly it will be replaced by
++one of these strings based on the encountered error:
++.(b
++.ta 25n
++BadCertificateContainsNUL CN contains a NUL character
++BadCertificateTooLong CN is too long
++BadCertificateUnknown CN could not be extracted
++.)b
++In the last case, some other (unspecific) error occurred.
+ .ip ${cn_subject}
+ The CN (common name) of the presented certificate
+ (STARTTLS only).
++See
++.b ${cn_issuer}
++for possible replacements.
+ .ip ${currHeader}
+ Header value as quoted string
+ (possibly truncated to
+diff -pruN sendmail-8.14.3/sendmail/tls.c sendmail-8.14.4/sendmail/tls.c
+--- sendmail-8.14.3/sendmail/tls.c 2006-10-12 23:35:11.000000000 +0200
++++ sendmail-8.14.4/sendmail/tls.c 2009-08-10 17:11:09.000000000 +0200
+@@ -1196,23 +1200,62 @@ tls_get_info(ssl, srv, host, mac, certre
+ if (cert != NULL)
+ {
+ unsigned int n;
++ X509_NAME *subj, *issuer;
+ unsigned char md[EVP_MAX_MD_SIZE];
+ char buf[MAXNAME];
+ 
+- X509_NAME_oneline(X509_get_subject_name(cert),
+- buf, sizeof(buf));
++ subj = X509_get_subject_name(cert);
++ issuer = X509_get_issuer_name(cert);
++ X509_NAME_oneline(subj, buf, sizeof(buf));
+ macdefine(mac, A_TEMP, macid("{cert_subject}"),
+ xtextify(buf, "<>\")"));
+- X509_NAME_oneline(X509_get_issuer_name(cert),
+- buf, sizeof(buf));
++ X509_NAME_oneline(issuer, buf, sizeof(buf));
+ macdefine(mac, A_TEMP, macid("{cert_issuer}"),
+ xtextify(buf, "<>\")"));
+- X509_NAME_get_text_by_NID(X509_get_subject_name(cert),
+- NID_commonName, buf, sizeof(buf));
++
++#define CHECK_X509_NAME(which) \
++ do { \
++ if (r == -1) \
++ { \
++ sm_strlcpy(buf, "BadCertificateUnknown", sizeof(buf)); \
++ if (LogLevel > 7) \
++ sm_syslog(LOG_INFO, NOQID, \
++ "STARTTLS=%s, relay=%.100s, field=%s, status=failed to extract CN", \
++ who, \
++ host == NULL ? "local" : host, \
++ which); \
++ } \
++ else if ((size_t)r >= sizeof(buf) - 1) \
++ { \
++ sm_strlcpy(buf, "BadCertificateTooLong", sizeof(buf)); \
++ if (LogLevel > 7) \
++ sm_syslog(LOG_INFO, NOQID, \
++ "STARTTLS=%s, relay=%.100s, field=%s, status=CN too long", \
++ who, \
++ host == NULL ? "local" : host, \
++ which); \
++ } \
++ else if ((size_t)r > strlen(buf)) \
++ { \
++ sm_strlcpy(buf, "BadCertificateContainsNUL", \
++ sizeof(buf)); \
++ if (LogLevel > 7) \
++ sm_syslog(LOG_INFO, NOQID, \
++ "STARTTLS=%s, relay=%.100s, field=%s, status=CN contains NUL", \
++ who, \
++ host == NULL ? "local" : host, \
++ which); \
++ } \
++ } while (0)
++
++ r = X509_NAME_get_text_by_NID(subj, NID_commonName, buf,
++ sizeof buf);
++ CHECK_X509_NAME("cn_subject");
+ macdefine(mac, A_TEMP, macid("{cn_subject}"),
+ xtextify(buf, "<>\")"));
+- X509_NAME_get_text_by_NID(X509_get_issuer_name(cert),
+- NID_commonName, buf, sizeof(buf));
++ r = X509_NAME_get_text_by_NID(issuer, NID_commonName, buf,
++ sizeof buf);
++ CHECK_X509_NAME("cn_issuer");
+ macdefine(mac, A_TEMP, macid("{cn_issuer}"),
+ xtextify(buf, "<>\")"));
+ n = 0;
diff --git a/debian/patches/8.14/8.14.3/series b/debian/patches/8.14/8.14.3/series
index e216bd6..bbe29e8 100644
--- a/debian/patches/8.14/8.14.3/series
+++ b/debian/patches/8.14/8.14.3/series
@@ -9,3 +9,4 @@ mailer_cyrus
 mailer_fax
 maxseq
 rmail.odi
+CVE-2009-4565 |