Bug#714543: ruby1.9.1: diff for NMU version 1.9.3.194-8.2

[Salvatore Bonaccorso]

tags 714543 + pending
thanks

Hi Antonio

(Cc'ing Thijs Kinkhorst)

I've prepared an NMU for ruby1.9.1 (versioned as 1.9.3.194-8.2) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

p.s.: I know you wanted to upload a new upstream version, this is only
      for short term have it fixing in unstable already. Feel free to
      override this upload at any time!

Regards,
Salvatore

diff -Nru ruby1.9.1-1.9.3.194/debian/changelog ruby1.9.1-1.9.3.194/debian/changelog
--- ruby1.9.1-1.9.3.194/debian/changelog	2013-03-08 21:49:19.000000000 +0100
+++ ruby1.9.1-1.9.3.194/debian/changelog	2013-08-03 13:48:38.000000000 +0200
@@ -1,3 +1,12 @@
+ruby1.9.1 (1.9.3.194-8.2) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Add CVE-2013-4073.patch patch.
+    CVE-2013-4073: Fix hostname check bypassing vulnerability in SSL client.
+    (Closes: #714543)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sun, 07 Jul 2013 10:37:03 +0200
+
 ruby1.9.1 (1.9.3.194-8.1) unstable; urgency=high
 
   * Non-maintainer upload.
diff -Nru ruby1.9.1-1.9.3.194/debian/patches/CVE-2013-4073.patch ruby1.9.1-1.9.3.194/debian/patches/CVE-2013-4073.patch
--- ruby1.9.1-1.9.3.194/debian/patches/CVE-2013-4073.patch	1970-01-01 01:00:00.000000000 +0100
+++ ruby1.9.1-1.9.3.194/debian/patches/CVE-2013-4073.patch	2013-08-03 13:48:38.000000000 +0200
@@ -0,0 +1,79 @@
+Description: Fix hostname check bypassing vulnerability in SSL client
+ CVE-2013-4073: Hostname identity check did not properly handle
+ hostnames in the certificate that contain null bytes.
+Origin: upstream, https://github.com/ruby/ruby/commit/2669b84d407ab431e965145c827db66c91158f89,
+ https://bugs.ruby-lang.org/issues/8575
+Bug-Debian: http://bugs.debian.org/714543
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2013-07-07
+Applied-Upstream: 1.9.3-p448, 1.8.7-p374.
+
+--- a/ext/openssl/lib/openssl/ssl-internal.rb
++++ b/ext/openssl/lib/openssl/ssl-internal.rb
+@@ -88,14 +88,22 @@
+       should_verify_common_name = true
+       cert.extensions.each{|ext|
+         next if ext.oid != "subjectAltName"
+-        ext.value.split(/,\s+/).each{|general_name|
+-          if /\ADNS:(.*)/ =~ general_name
++       ostr = OpenSSL::ASN1.decode(ext.to_der).value.last
++        sequence = OpenSSL::ASN1.decode(ostr.value)
++        sequence.value.each{|san|
++          case san.tag
++          when 2 # dNSName in GeneralName (RFC5280)
+             should_verify_common_name = false
+-            reg = Regexp.escape($1).gsub(/\\\*/, "[^.]+")
++            reg = Regexp.escape(san.value).gsub(/\\\*/, "[^.]+")
+             return true if /\A#{reg}\z/i =~ hostname
+-          elsif /\AIP Address:(.*)/ =~ general_name
++          when 7 # iPAddress in GeneralName (RFC5280)
+             should_verify_common_name = false
+-            return true if $1 == hostname
++            # follows GENERAL_NAME_print() in x509v3/v3_alt.c
++            if san.value.size == 4
++              return true if san.value.unpack('C*').join('.') == hostname
++            elsif san.value.size == 16
++              return true if san.value.unpack('n*').map { |e| sprintf("%X", e) }.join(':') == hostname
++            end
+           end
+         }
+       }
+--- a/test/openssl/test_ssl.rb
++++ b/test/openssl/test_ssl.rb
+@@ -351,6 +351,35 @@
+     }
+   end
+ 
++  def test_verify_certificate_identity
++    [true, false].each do |criticality|
++      cert = create_null_byte_SAN_certificate(criticality)
++      assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, 'www.example.com'))
++      assert_equal(true,  OpenSSL::SSL.verify_certificate_identity(cert, 'www.example.com\0.evil.com'))
++      assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.255'))
++      assert_equal(true,  OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.1'))
++      assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '13::17'))
++      assert_equal(true,  OpenSSL::SSL.verify_certificate_identity(cert, '13:0:0:0:0:0:0:17'))
++    end
++  end
++
++  # Create NULL byte SAN certificate
++  def create_null_byte_SAN_certificate(critical = false)
++    ef = OpenSSL::X509::ExtensionFactory.new
++    cert = OpenSSL::X509::Certificate.new
++    cert.subject = OpenSSL::X509::Name.parse "/DC=some/DC=site/CN=Some Site"
++    ext = ef.create_ext('subjectAltName', 'DNS:placeholder,IP:192.168.7.1,IP:13::17', critical)
++    ext_asn1 = OpenSSL::ASN1.decode(ext.to_der)
++    san_list_der = ext_asn1.value.reduce(nil) { |memo,val| val.tag == 4 ? val.value : memo }
++    san_list_asn1 = OpenSSL::ASN1.decode(san_list_der)
++    san_list_asn1.value[0].value = 'www.example.com\0.evil.com'
++    pos = critical ? 2 : 1
++    ext_asn1.value[pos].value = san_list_asn1.to_der
++    real_ext = OpenSSL::X509::Extension.new ext_asn1
++    cert.add_extension(real_ext)
++    cert
++  end
++
+   def test_tlsext_hostname
+     return unless OpenSSL::SSL::SSLSocket.instance_methods.include?(:hostname)
+ 
diff -Nru ruby1.9.1-1.9.3.194/debian/patches/series ruby1.9.1-1.9.3.194/debian/patches/series
--- ruby1.9.1-1.9.3.194/debian/patches/series	2013-03-08 21:49:19.000000000 +0100
+++ ruby1.9.1-1.9.3.194/debian/patches/series	2013-08-03 13:48:38.000000000 +0200
@@ -22,3 +22,4 @@
 CVE-2013-0256.patch
 CVE-2013-0269.patch
 CVE-2013-1821.patch
+CVE-2013-4073.patch