Control: tags -1 + patch Attached is a patch that adds quilt patch 003-fix_tls_date_check.patch which removes two-digit-year variants from certificate validity date decoding.
-- Gerald Turner <gtur...@unzane.com> Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D
commit 90189c8c64a6e7ccd967b244b2d5639600f4edc8
Author: Gerald Turner <gtur...@unzane.com>
Date: Mon Jun 5 12:22:29 2017 -0700
Added patch 003-fix_tls_date_check.patch which removes two-digit-year variants from certificate validity date decoding (Closes: #864257)
diff --git a/debian/patches/003-fix_tls_date_check.patch b/debian/patches/003-fix_tls_date_check.patch
new file mode 100644
index 0000000..2f873d1
--- /dev/null
+++ b/debian/patches/003-fix_tls_date_check.patch
@@ -0,0 +1,32 @@
+Description: Remove two-digit-year variants from certificate validity date
+ decoding.
+Author: Gerald Turner <gtur...@unzane.com>
+Bug-Debian: https://bugs.debian.org/864257
+Forwarded: no
+Last-Update: 2017-06-05
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/sleekxmpp/xmlstream/cert.py
++++ b/sleekxmpp/xmlstream/cert.py
+@@ -108,19 +108,11 @@ def extract_dates(raw_cert):
+
+ not_before = validity.getComponentByName('notBefore')
+ not_before = str(not_before.getComponent())
++ not_before = datetime.strptime(not_before, '%Y%m%d%H%M%SZ')
+
+ not_after = validity.getComponentByName('notAfter')
+ not_after = str(not_after.getComponent())
+-
+- if isinstance(not_before, GeneralizedTime):
+- not_before = datetime.strptime(not_before, '%Y%m%d%H%M%SZ')
+- else:
+- not_before = datetime.strptime(not_before, '%y%m%d%H%M%SZ')
+-
+- if isinstance(not_after, GeneralizedTime):
+- not_after = datetime.strptime(not_after, '%Y%m%d%H%M%SZ')
+- else:
+- not_after = datetime.strptime(not_after, '%y%m%d%H%M%SZ')
++ not_after = datetime.strptime(not_after, '%Y%m%d%H%M%SZ')
+
+ return not_before, not_after
+
diff --git a/debian/patches/series b/debian/patches/series
index 37acb6c..840f2a1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 CVE-2017-5591.patch
 0001-get-rid-of-embedded-copies-dateutil-gnupg-ordereddic.patch
 002-fix_tls_version_check.patch
+003-fix_tls_date_check.patch
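Review bot: Both `strptime` calls on the new side of `extract_dates` now assume a four-digit year, but X.509 validity fields can be encoded as UTCTime (`YYMMDDHHMMSSZ`) as well as GeneralizedTime, and RFC 5280 requires UTCTime for dates through 2049. If `str()` of a UTCTime component still yields the two-digit form, `'%Y%m%d%H%M%SZ'` will not decode it as intended: it may raise ValueError or read the first four digits as the year, which would make the expiry comparison unreliable. The removed branch was broken for a different reason, visible in the context lines: `isinstance(..., GeneralizedTime)` was applied after the value had already been converted with `str()`, so it could never be true. Testing the type before the conversion and choosing the format from it keeps both encodings working; this assumes `GeneralizedTime` is still imported in cert.py, and the function begins outside the hunk.

```python
    # … unchanged: validity lookup above the hunk …
    # UTCTime carries a two-digit year, GeneralizedTime a four-digit one,
    # so decide on the ASN.1 type before it is flattened to a string.
    not_before = validity.getComponentByName('notBefore').getComponent()
    fmt = '%Y%m%d%H%M%SZ' if isinstance(not_before, GeneralizedTime) else '%y%m%d%H%M%SZ'
    not_before = datetime.strptime(str(not_before), fmt)

    not_after = validity.getComponentByName('notAfter').getComponent()
    fmt = '%Y%m%d%H%M%SZ' if isinstance(not_after, GeneralizedTime) else '%y%m%d%H%M%SZ'
    not_after = datetime.strptime(str(not_after), fmt)

    return not_before, not_after
```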
signature.asc
Description: PGP signature