On ven., 2013-04-19 at 09:04 +0200, Yann Leboulanger wrote:
> On 04/17/2013 11:16 PM, Yves-Alexis Perez wrote:
> > On jeu., 2013-04-04 at 07:40 +0200, Yves-Alexis Perez wrote:
> >> Hey,
> >>
> >> it seems that there's an upstream fix for this at
> >> https://trac.gajim.org/ticket/7252 /
> >> https://trac.gajim.org/changeset/1d8caae49a31
> 
> all those commits are needed to fix this issue:
> 
> http://hg.gajim.org/gajim/rev/1d8caae49a31
> http://hg.gajim.org/gajim/rev/6ab8ea2313aa
> http://hg.gajim.org/gajim/rev/d34a996f87b8
> http://hg.gajim.org/gajim/rev/35a555c4a107
> 
Thanks. Is the attached NMU ok for you? Moritz, what was the reason for
the severity downgrade? Shouldn't we push this to Squeeze & Wheezy?

Regards,
-- 
Yves-Alexis
diff --git a/debian/changelog b/debian/changelog
index aa48c0b..d995210 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,8 @@ gajim (0.15.1-4.1) UNRELEASED; urgency=high
   * debian/patches:
     - 02_fix-cert-validation.diff added, fix certificate validation
       (CVE-2012-5524)                                           closes: #693282
+    - 03_correctly-get-SSL-certificate and 04_store-all-ssl-errors added,
+      improve SSL/TLS handling.
 
  -- Yves-Alexis Perez <cor...@debian.org>  Wed, 17 Apr 2013 22:22:30 +0200
 
diff --git a/debian/patches/00_connection_handlers.diff b/debian/patches/00_connection_handlers.diff
old mode 100644
new mode 100755
diff --git a/debian/patches/00list b/debian/patches/00list
index 62b48a1..5d106de 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -1,3 +1,5 @@
 00_connection_handlers.diff
 01_accel_group.diff
 02_fix-cert-validation.diff
+03_correctly-get-SSL-certificate.diff
+04_store-all-ssl-errors.diff
diff --git a/debian/patches/01_accel_group.diff b/debian/patches/01_accel_group.diff
old mode 100644
new mode 100755
diff --git a/debian/patches/03_correctly-get-SSL-certificate.diff b/debian/patches/03_correctly-get-SSL-certificate.diff
new file mode 100755
index 0000000..76e61d8
--- /dev/null
+++ b/debian/patches/03_correctly-get-SSL-certificate.diff
@@ -0,0 +1,50 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 03_correctly-get-SSL-certificate.diff by <aste...@lagaule.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: correctly get SSL certificate from nbxmpp. Fixes #7283
+#
+# Description: correctly get SSL certificate from nbxmpp. Fixes #7283
+# Author: Yann Leboulanger <aste...@lagaule.org>
+# Origin: upstream,https://trac.gajim.org/changeset/1d8caae49a31#file0
+# HG changeset patch
+# User Yann Leboulanger <aste...@lagaule.org>
+# Date 1356455919 -3600
+# Node ID 6ab8ea2313aa4a17f62d1811d334c8f44d1ef393
+# Parent  1d8caae49a31201a79529d2b81d231b06ce8c91c
+
+@DPATCH@
+
+diff -r 1d8caae49a31 -r 6ab8ea2313aa src/common/connection.py
+--- a/src/common/connection.py	Sun Dec 23 17:48:11 2012 +0100
++++ b/src/common/connection.py	Tue Dec 25 18:18:39 2012 +0100
+@@ -1337,7 +1337,7 @@
+                 if con.Connection.ssl_fingerprint_sha1[-1] != saved_fingerprint:
+                     gajim.nec.push_incoming_event(FingerprintErrorEvent(None,
+                         conn=self,
+-                        certificate=con.Connection.ssl_certificate,
++                        certificate=con.Connection.ssl_certificate[-1],
+                         new_fingerprint=con.Connection.ssl_fingerprint_sha1[
+                         -1]))
+                     return True
+@@ -1345,8 +1345,8 @@
+                 gajim.config.set_per('accounts', self.name,
+                     'ssl_fingerprint_sha1',
+                     con.Connection.ssl_fingerprint_sha1[-1])
+-            if not check_X509.check_certificate(con.Connection.ssl_certificate,
+-            hostname) and '100' not in gajim.config.get_per('accounts',
++            if not check_X509.check_certificate(con.Connection.ssl_certificate[
++            -1], hostname) and '100' not in gajim.config.get_per('accounts',
+             self.name, 'ignore_ssl_errors').split():
+                 txt = _('The authenticity of the %s certificate could be '
+                     'invalid.\nThe certificate does not cover this domain.') % \
+@@ -1355,7 +1355,7 @@
+                     error_text=txt, error_num=100,
+                     cert=con.Connection.ssl_cert_pem[-1],
+                     fingerprint=con.Connection.ssl_fingerprint_sha1[-1],
+-                    certificate=con.Connection.ssl_certificate))
++                    certificate=con.Connection.ssl_certificate[-1]))
+                 return True
+ 
+         self._register_handlers(con, con_type)
+
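Review bot: The DEP-3 `# Origin:` header in this new patch file points at upstream changeset 1d8caae49a31, but the HG header a few lines below carries `Node ID 6ab8ea2313aa` with 1d8caae49a31 as its `Parent`, so the origin names the preceding commit rather than the one actually embedded; 04_store-all-ssl-errors.diff has the same mismatch (Origin 1d8caae49a31, Node ID d34a996f87b8). I'd change it to `# Origin: upstream,https://trac.gajim.org/changeset/6ab8ea2313aa` here and the d34a996f87b8 URL in 04. The upstream reply above lists four changesets as needed; with 02_fix-cert-validation.diff apparently covering 1d8caae49a31, this NMU adds 6ab8ea2313aa and d34a996f87b8 but nothing corresponding to 35a555c4a107, which is worth confirming before upload. In the embedded connection.py hunk the three `ssl_certificate[-1]` reads assume the verify callback appends the peer's own certificate last; a comment at the first use such as `# [-1]: last certificate handed to the verify callback, assumed to be the peer's leaf cert` would make that dependency on callback order explicit, and the enclosing function starts and ends outside the hunk.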
diff --git a/debian/patches/04_store-all-ssl-errors.diff b/debian/patches/04_store-all-ssl-errors.diff
new file mode 100755
index 0000000..456e831
--- /dev/null
+++ b/debian/patches/04_store-all-ssl-errors.diff
@@ -0,0 +1,64 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 04_store-all-ssl-errors.diff by <aste...@lagaule.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: store all SSL errors
+#
+# Description: store all SSL errors
+# Author: Yann Leboulanger <aste...@lagaule.org>
+# Origin: upstream,https://trac.gajim.org/changeset/1d8caae49a31#file0
+# Last-Update: 2013-04-17
+# HG changeset patch
+# User Yann Leboulanger <aste...@lagaule.org>
+# Date 1360768361 -3600
+# Node ID d34a996f87b81afe6dc60d04d0141c39fa3d3595
+# Parent  385f8a1fad668fbcd1d9bee10f61531a8ca7d890
+
+@DPATCH@
+
+diff -r 385f8a1fad66 -r d34a996f87b8 src/common/xmpp/tls_nb.py
+--- a/src/common/xmpp/tls_nb.py	Wed Feb 13 16:10:44 2013 +0100
++++ b/src/common/xmpp/tls_nb.py	Wed Feb 13 16:12:41 2013 +0100
+@@ -393,7 +393,7 @@
+                 flags |= 16384
+             tcpsock._sslContext.set_options(flags)
+ 
+-        tcpsock.ssl_errnum = 0
++        tcpsock.ssl_errnum = [0]
+         tcpsock._sslContext.set_verify(OpenSSL.SSL.VERIFY_PEER,
+                 self._ssl_verify_callback)
+         try:
+@@ -449,11 +449,11 @@
+     def _ssl_verify_callback(self, sslconn, cert, errnum, depth, ok):
+         # Exceptions can't propagate up through this callback, so print them here.
+         try:
+-            self._owner.ssl_fingerprint_sha1 = cert.digest('sha1')
+-            self._owner.ssl_certificate = cert
+-            self._owner.ssl_errnum = errnum
+-            self._owner.ssl_cert_pem = OpenSSL.crypto.dump_certificate(
+-                    OpenSSL.crypto.FILETYPE_PEM, cert)
++            self._owner.ssl_fingerprint_sha1.append(cert.digest('sha1'))
++            self._owner.ssl_certificate.append(cert)
++            self._owner.ssl_errnum.append(errnum)
++            self._owner.ssl_cert_pem.append(OpenSSL.crypto.dump_certificate(
++                OpenSSL.crypto.FILETYPE_PEM, cert))
+             return True
+         except:
+             log.error("Exception caught in _ssl_info_callback:", exc_info=True)
+diff -r 385f8a1fad66 -r d34a996f87b8 src/common/xmpp/transports_nb.py
+--- a/src/common/xmpp/transports_nb.py	Wed Feb 13 16:10:44 2013 +0100
++++ b/src/common/xmpp/transports_nb.py	Wed Feb 13 16:12:41 2013 +0100
+@@ -311,6 +311,12 @@
+         self.proxy_dict = proxy_dict
+         self.on_remote_disconnect = self.disconnect
+ 
++        # ssl variables
++        self.ssl_fingerprint_sha1 = []
++        self.ssl_certificate = []
++        self.ssl_errnum = []
++        self.ssl_cert_pem = []
++
+     # FIXME: transport should not be aware xmpp
+     def start_disconnect(self):
+         NonBlockingTransport.start_disconnect(self)
+
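Review bot: Only `ssl_errnum` is re-initialised before the handshake (`tcpsock.ssl_errnum = [0]` in the tls_nb.py hunk); `ssl_fingerprint_sha1`, `ssl_certificate` and `ssl_cert_pem` are created once in the transport constructor and afterwards only appended to by `_ssl_verify_callback`. If a transport object is reused across connection attempts — not visible from these hunks — a handshake that fails before the callback runs leaves connection.py's `[-1]` reads returning the previous peer's certificate and fingerprint, so the fingerprint and hostname checks would be evaluated against stale data instead of failing. I'd reset all four lists where `ssl_errnum` is reset: `tcpsock.ssl_fingerprint_sha1 = []`, `tcpsock.ssl_certificate = []`, `tcpsock.ssl_cert_pem = []`. The constructor also starts `ssl_errnum` as `[]` while tls_nb.py sets it to `[0]`; a one-line comment on which form connection.py expects when no callback ran would remove the ambiguity. Both the constructor and `_ssl_verify_callback` extend beyond the visible hunks.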

Attachment: signature.asc
Description: This is a digitally signed message part
