On dim., 2013-04-21 at 13:40 +0200, Yann Leboulanger wrote: > I don't know against what it applies, but not against the one in > debian > unstable.
This was against 0.15.1-4 from unstable. > The first commit I listed seems to be already in your > package. But indeed it missed part of the diff. I've attached the correct one. > But except from that, that seems good. > > I've not tested against squeeze 0.15 package though. Yeah, I haven't tried to work on Squeeze yet. Regards, -- Yves-Alexis
diff --git a/debian/changelog b/debian/changelog
index f5a3245..d995210 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+gajim (0.15.1-4.1) UNRELEASED; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * debian/patches:
+ - 02_fix-cert-validation.diff added, fix certificate validation
+ (CVE-2012-5524) closes: #693282
+ - 03_correctly-get-SSL-certificate and 04_store-all-ssl-errors added,
+ improve SSL/TLS handling.
+
+ -- Yves-Alexis Perez <cor...@debian.org> Wed, 17 Apr 2013 22:22:30 +0200
+
 gajim (0.15.1-4) unstable; urgency=low
 
 * apply patches using dpatch in debian/rules
diff --git a/debian/patches/00_connection_handlers.diff b/debian/patches/00_connection_handlers.diff
old mode 100644
new mode 100755
diff --git a/debian/patches/00list b/debian/patches/00list
index 98ad47e..5d106de 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -1,2 +1,5 @@
 00_connection_handlers.diff
 01_accel_group.diff
+02_fix-cert-validation.diff
+03_correctly-get-SSL-certificate.diff
+04_store-all-ssl-errors.diff
diff --git a/debian/patches/01_accel_group.diff b/debian/patches/01_accel_group.diff
old mode 100644
new mode 100755
diff --git a/debian/patches/02_fix-cert-validation.diff b/debian/patches/02_fix-cert-validation.diff
new file mode 100755
index 0000000..b74ede3
--- /dev/null
+++ b/debian/patches/02_fix-cert-validation.diff
@@ -0,0 +1,84 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 02_fix-cert-validation.diff by <aste...@lagaule.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: fix certificate validation
+#
+# Description: fix certificate validation
+# Author: Yann Leboulanger <aste...@lagaule.org>
+# Origin: upstream,https://trac.gajim.org/changeset/1d8caae49a31#file0
+# Last-Update: 2013-04-17
+
+@DPATCH@
+
+Index: gajim/src/common/connection.py
+===================================================================
+--- gajim/src/common/connection.py (revision 14377)
++++ gajim/src/common/connection.py (revision 14379)
+@@ -1312,19 +1312,22 @@
+ errnum = con.Connection.ssl_errnum
+ except AttributeError:
+- errnum = -1 # we don't have an errnum
+- if errnum > 0 and str(errnum) not in gajim.config.get_per('accounts',
+- self.name, 'ignore_ssl_errors').split():
+- text = _('The authenticity of the %s certificate could be invalid.'
+- ) % hostname
+- if errnum in ssl_error:
+- text += _('\nSSL Error: <b>%s</b>') % ssl_error[errnum]
+- else:
+- text += _('\nUnknown SSL error: %d') % errnum
+- gajim.nec.push_incoming_event(SSLErrorEvent(None, conn=self,
+- error_text=text, error_num=errnum,
+- cert=con.Connection.ssl_cert_pem,
+- fingerprint=con.Connection.ssl_fingerprint_sha1,
+- certificate=con.Connection.ssl_certificate))
+- return True
++ errnum = [] # we don't have an errnum
++ i = 0
++ for er in errnum:
++ if er > 0 and str(er) not in gajim.config.get_per('accounts',
++ self.name, 'ignore_ssl_errors').split():
++ text = _('The authenticity of the %s certificate could be '
++ 'invalid.') % hostname
++ if er in ssl_error:
++ text += _('\nSSL Error: <b>%s</b>') % ssl_error[er]
++ else:
++ text += _('\nUnknown SSL error: %d') % er
++ gajim.nec.push_incoming_event(SSLErrorEvent(None, conn=self,
++ error_text=text, error_num=er,
++ cert=con.Connection.ssl_cert_pem[i],
++ fingerprint=con.Connection.ssl_fingerprint_sha1[i],
++ certificate=con.Connection.ssl_certificate[i]))
++ return True
++ i += 1
+ if hasattr(con.Connection, 'ssl_fingerprint_sha1'):
+ saved_fingerprint = gajim.config.get_per('accounts', self.name,
+@@ -1332,12 +1335,15 @@
+ if saved_fingerprint:
+ # Check sha1 fingerprint
+- if con.Connection.ssl_fingerprint_sha1 != saved_fingerprint:
++ if con.Connection.ssl_fingerprint_sha1[-1] != saved_fingerprint:
+ gajim.nec.push_incoming_event(FingerprintErrorEvent(None,
+- conn=self, certificate=con.Connection.ssl_certificate,
+- new_fingerprint=con.Connection.ssl_fingerprint_sha1))
++ conn=self,
++ certificate=con.Connection.ssl_certificate,
++ new_fingerprint=con.Connection.ssl_fingerprint_sha1[
++ -1]))
+ return True
+ else:
+ gajim.config.set_per('accounts', self.name,
+- 'ssl_fingerprint_sha1', con.Connection.ssl_fingerprint_sha1)
++ 'ssl_fingerprint_sha1',
++ con.Connection.ssl_fingerprint_sha1[-1])
+ if not check_X509.check_certificate(con.Connection.ssl_certificate,
+ hostname) and '100' not in gajim.config.get_per('accounts',
+@@ -1348,6 +1354,6 @@
+ gajim.nec.push_incoming_event(SSLErrorEvent(None, conn=self,
+ error_text=txt, error_num=100,
+- cert=con.Connection.ssl_cert_pem,
+- fingerprint=con.Connection.ssl_fingerprint_sha1,
++ cert=con.Connection.ssl_cert_pem[-1],
++ fingerprint=con.Connection.ssl_fingerprint_sha1[-1],
+ certificate=con.Connection.ssl_certificate))
+ return True
diff --git a/debian/patches/03_correctly-get-SSL-certificate.diff b/debian/patches/03_correctly-get-SSL-certificate.diff
new file mode 100755
index 0000000..76e61d8
--- /dev/null
+++ b/debian/patches/03_correctly-get-SSL-certificate.diff
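Review bot: `con.Connection.ssl_fingerprint_sha1[-1]` is only safe if the verify callback ran at least once, but the `hasattr(con.Connection, 'ssl_fingerprint_sha1')` guard above it was written for attributes that only existed once the callback had fired; with the transport pre-creating them as empty lists (the 04 patch in this series), the guard is always true and a TLS connection that recorded no certificate raises IndexError here instead of being rejected. Replace it with a check that fails closed before any `[-1]` read, e.g. `if not con.Connection.ssl_fingerprint_sha1:` followed by the same SSLErrorEvent path used for verification errors. In the new error loop, `i` counts entries of `ssl_errnum` but is used to index `ssl_cert_pem`, `ssl_fingerprint_sha1` and `ssl_certificate`, which only lines up if all four lists are appended in lockstep; tls_nb seeds `ssl_errnum = [0]` while the other three start empty, so `ssl_cert_pem[i]` names the certificate after the one whose verification produced `er`, and an error on the last chain entry raises IndexError rather than showing the dialog. The enclosing method starts before this hunk, so whether an exception here closes the connection or leaves it half-open is decided outside the view.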
@@ -0,0 +1,50 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 03_correctly-get-SSL-certificate.diff by <aste...@lagaule.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: correctly get SSL certificate from nbxmpp. Fixes #7283
+#
+# Description: correctly get SSL certificate from nbxmpp. Fixes #7283
+# Author: Yann Leboulanger <aste...@lagaule.org>
+# Origin: upstream,https://trac.gajim.org/changeset/1d8caae49a31#file0
+# HG changeset patch
+# User Yann Leboulanger <aste...@lagaule.org>
+# Date 1356455919 -3600
+# Node ID 6ab8ea2313aa4a17f62d1811d334c8f44d1ef393
+# Parent 1d8caae49a31201a79529d2b81d231b06ce8c91c
+
+@DPATCH@
+
+diff -r 1d8caae49a31 -r 6ab8ea2313aa src/common/connection.py
+--- a/src/common/connection.py Sun Dec 23 17:48:11 2012 +0100
++++ b/src/common/connection.py Tue Dec 25 18:18:39 2012 +0100
+@@ -1337,7 +1337,7 @@
+ if con.Connection.ssl_fingerprint_sha1[-1] != saved_fingerprint:
+ gajim.nec.push_incoming_event(FingerprintErrorEvent(None,
+ conn=self,
+- certificate=con.Connection.ssl_certificate,
++ certificate=con.Connection.ssl_certificate[-1],
+ new_fingerprint=con.Connection.ssl_fingerprint_sha1[
+ -1]))
+ return True
+@@ -1345,8 +1345,8 @@
+ gajim.config.set_per('accounts', self.name,
+ 'ssl_fingerprint_sha1',
+ con.Connection.ssl_fingerprint_sha1[-1])
+- if not check_X509.check_certificate(con.Connection.ssl_certificate,
+- hostname) and '100' not in gajim.config.get_per('accounts',
++ if not check_X509.check_certificate(con.Connection.ssl_certificate[
++ -1], hostname) and '100' not in gajim.config.get_per('accounts',
+ self.name, 'ignore_ssl_errors').split():
+ txt = _('The authenticity of the %s certificate could be '
+ 'invalid.\nThe certificate does not cover this domain.') % \
+@@ -1355,7 +1355,7 @@
+ error_text=txt, error_num=100,
+ cert=con.Connection.ssl_cert_pem[-1],
+ fingerprint=con.Connection.ssl_fingerprint_sha1[-1],
+- certificate=con.Connection.ssl_certificate))
++ certificate=con.Connection.ssl_certificate[-1]))
+ return True
+ 
+ self._register_handlers(con, con_type)
+
diff --git a/debian/patches/04_store-all-ssl-errors.diff b/debian/patches/04_store-all-ssl-errors.diff
new file mode 100755
index 0000000..456e831
--- /dev/null
+++ b/debian/patches/04_store-all-ssl-errors.diff
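Review bot: The three `[-1]` indexes added here (FingerprintErrorEvent, the `check_X509.check_certificate` call and the hostname-mismatch SSLErrorEvent) encode an ordering assumption that nothing in the file states: the verify callback appends one entry per certificate in the chain, and the last entry is the peer's own certificate only because OpenSSL invokes the callback from the chain root down to depth 0. Add that as a comment where the first `[-1]` is taken: `# [-1]: the verify callback runs from the root of the chain down to the peer's own (depth-0) certificate, so the last entry is the server cert`. The hostname check now reads the peer cert by position in four places across this and the 02 patch; one local such as `peer_cert = con.Connection.ssl_certificate[-1]` taken right after the `ssl_errnum` loop would remove the repetition and give the comment a single home. If these lists can be empty when this code runs (no TLS, or the callback never fired), `[-1]` raises IndexError instead of reporting a failed verification; the function start and any con_type guard are outside the hunk, so that needs confirming there.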
@@ -0,0 +1,64 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 04_store-all-ssl-errors.diff by <aste...@lagaule.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: store all SSL errors
+#
+# Description: store all SSL errors
+# Author: Yann Leboulanger <aste...@lagaule.org>
+# Origin: upstream,https://trac.gajim.org/changeset/1d8caae49a31#file0
+# Last-Update: 2013-04-17
+# HG changeset patch
+# User Yann Leboulanger <aste...@lagaule.org>
+# Date 1360768361 -3600
+# Node ID d34a996f87b81afe6dc60d04d0141c39fa3d3595
+# Parent 385f8a1fad668fbcd1d9bee10f61531a8ca7d890
+
+@DPATCH@
+
+diff -r 385f8a1fad66 -r d34a996f87b8 src/common/xmpp/tls_nb.py
+--- a/src/common/xmpp/tls_nb.py Wed Feb 13 16:10:44 2013 +0100
++++ b/src/common/xmpp/tls_nb.py Wed Feb 13 16:12:41 2013 +0100
+@@ -393,7 +393,7 @@
+ flags |= 16384
+ tcpsock._sslContext.set_options(flags)
+ 
+- tcpsock.ssl_errnum = 0
++ tcpsock.ssl_errnum = [0]
+ tcpsock._sslContext.set_verify(OpenSSL.SSL.VERIFY_PEER,
+ self._ssl_verify_callback)
+ try:
+@@ -449,11 +449,11 @@
+ def _ssl_verify_callback(self, sslconn, cert, errnum, depth, ok):
+ # Exceptions can't propagate up through this callback, so print them here.
+ try:
+- self._owner.ssl_fingerprint_sha1 = cert.digest('sha1')
+- self._owner.ssl_certificate = cert
+- self._owner.ssl_errnum = errnum
+- self._owner.ssl_cert_pem = OpenSSL.crypto.dump_certificate(
+- OpenSSL.crypto.FILETYPE_PEM, cert)
++ self._owner.ssl_fingerprint_sha1.append(cert.digest('sha1'))
++ self._owner.ssl_certificate.append(cert)
++ self._owner.ssl_errnum.append(errnum)
++ self._owner.ssl_cert_pem.append(OpenSSL.crypto.dump_certificate(
++ OpenSSL.crypto.FILETYPE_PEM, cert))
+ return True
+ except:
+ log.error("Exception caught in _ssl_info_callback:", exc_info=True)
+diff -r 385f8a1fad66 -r d34a996f87b8 src/common/xmpp/transports_nb.py
+--- a/src/common/xmpp/transports_nb.py Wed Feb 13 16:10:44 2013 +0100
++++ b/src/common/xmpp/transports_nb.py Wed Feb 13 16:12:41 2013 +0100
+@@ -311,6 +311,12 @@
+ self.proxy_dict = proxy_dict
+ self.on_remote_disconnect = self.disconnect
+ 
++ # ssl variables
++ self.ssl_fingerprint_sha1 = []
++ self.ssl_certificate = []
++ self.ssl_errnum = []
++ self.ssl_cert_pem = []
++
+ # FIXME: transport should not be aware xmpp
+ def start_disconnect(self):
+ NonBlockingTransport.start_disconnect(self)
+
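Review bot: `tcpsock.ssl_errnum = [0]` seeds one of the four per-chain lists with an element the verify callback never produced, while `ssl_fingerprint_sha1`, `ssl_certificate` and `ssl_cert_pem` start empty and all four are then appended to in lockstep, so index `i` of `ssl_errnum` corresponds to index `i-1` of the certificate lists; connection.py's new error loop (02 patch) reads `ssl_cert_pem[i]`, `ssl_fingerprint_sha1[i]` and `ssl_certificate[i]` and will report the wrong certificate, or raise IndexError for an error on the last chain entry. `tcpsock.ssl_errnum = []` keeps the lists aligned, and the `er > 0` filter in connection.py already ignores a zero entry; this assumes `tcpsock` is the `_owner` the callback appends to, which the hunk does not show. Pre-creating the four lists in the transport constructor also makes connection.py's `hasattr(con.Connection, 'ssl_fingerprint_sha1')` guard permanently true, so its `[-1]` reads now raise IndexError on a connection where the callback never ran instead of skipping that path; the guard needs to become an explicit emptiness check that fails closed. The callback's unconditional `return True` is what defers every chain error to connection.py, and a comment such as `# accept unconditionally here: errors are recorded and judged in connection.py` would keep that intent from being mistaken for a bug. Both functions extend beyond this hunk.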