Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
This fixes CVE-2020-13645 for stretch. balsa in stretch doesn't use GIO for connecting to the servers or validating the certificates, so we don't need any further changes here. Thanks, Emilio
diff -Nru glib-networking-2.50.0/debian/changelog glib-networking-2.50.0/debian/changelog
--- glib-networking-2.50.0/debian/changelog 2016-09-19 21:01:51.000000000 +0200
+++ glib-networking-2.50.0/debian/changelog 2020-07-07 16:57:37.000000000 +0200
@@ -1,3 +1,11 @@
+glib-networking (2.50.0-1+deb9u1) stretch; urgency=medium
+
+ * Team upload
+ * d/p/Return-bad-identity-error-if-identity-is-unset.patch:
+ Backport fix for CVE-2020-13645 from upstream (Closes: #961756)
+
+ -- Emilio Pozuelo Monfort <po...@debian.org> Tue, 07 Jul 2020 16:57:37 +0200
+
 glib-networking (2.50.0-1) unstable; urgency=medium
 * New upstream release.
diff -Nru glib-networking-2.50.0/debian/patches/CVE-2020-13645.patch glib-networking-2.50.0/debian/patches/CVE-2020-13645.patch
--- glib-networking-2.50.0/debian/patches/CVE-2020-13645.patch 1970-01-01 01:00:00.000000000 +0100
+++ glib-networking-2.50.0/debian/patches/CVE-2020-13645.patch 2020-07-07 16:56:41.000000000 +0200
@@ -0,0 +1,139 @@
+Backported from upstream patch:
+From 29513946809590c4912550f6f8620468f9836d94 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanz...@gnome.org>
+Date: Mon, 4 May 2020 17:47:28 -0500
+Subject: [PATCH] Return bad identity error if identity is unset
+
+When the server-identity property of GTlsClientConnection is unset, the
+documentation sasy we need to fail the certificate verification with
+G_TLS_CERTIFICATE_BAD_IDENTITY. This is important because otherwise,
+it's easy for applications to fail to specify server identity.
+
+Unfortunately, we did not correctly implement the intended, documented
+behavior. When server identity is missing, we check the validity of the
+TLS certificate, but do not check if it corresponds to the expected
+server (since we have no expected server). Then we assume the identity
+is good, instead of returning bad identity, as documented. This means,
+for example, that evil.com can present a valid certificate issued to
+evil.com, and we would happily accept it for paypal.com.
+
+Fixes #135
+---
+ tls/gnutls/gtlsconnection-gnutls.c | 20 +++++-----
+ tls/tests/connection.c | 70 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 81 insertions(+), 9 deletions(-)
+
+--- a/tls/gnutls/gtlsconnection-gnutls.c
++++ b/tls/gnutls/gtlsconnection-gnutls.c
+@@ -1174,18 +1174,18 @@ verify_peer_certificate (GTlsConnectionG
+ GTlsCertificate *peer_certificate)
+ {
+ GTlsConnection *conn = G_TLS_CONNECTION (gnutls);
+- GSocketConnectable *peer_identity;
++ GSocketConnectable *peer_identity = NULL;
+ GTlsDatabase *database;
+- GTlsCertificateFlags errors;
++ GTlsCertificateFlags errors = 0;
+ gboolean is_client;
+
+ is_client = G_IS_TLS_CLIENT_CONNECTION (gnutls);
+ if (is_client)
+- peer_identity = g_tls_client_connection_get_server_identity (G_TLS_CLIENT_CONNECTION (gnutls));
+- else
+- peer_identity = NULL;
+-
+- errors = 0;
++ {
++ peer_identity = g_tls_client_connection_get_server_identity (G_TLS_CLIENT_CONNECTION (gnutls));
++ if (!peer_identity)
++ errors |= G_TLS_CERTIFICATE_BAD_IDENTITY;
++ }
+
+ database = g_tls_connection_get_database (conn);
+ if (database == NULL)
+--- a/tls/tests/connection.c
++++ b/tls/tests/connection.c
+@@ -1964,6 +1964,74 @@ test_output_stream_close (TestConnection
+ g_assert (ret);
+ }
+
++static void
++test_connection_missing_server_identity (TestConnection *test,
++ gconstpointer data)
++{
++ GIOStream *connection;
++ GError *error = NULL;
++
++ test->database = g_tls_file_database_new (tls_test_file_path ("ca-roots.pem"), &error);
++ g_assert_no_error (error);
++ g_assert_nonnull (test->database);
++
++ /* We pass NULL instead of test->identity when creating the client
++ * connection. This means verification must fail with
++ * G_TLS_CERTIFICATE_BAD_IDENTITY.
++ */
++ connection = start_async_server_and_connect_to_it (test, G_TLS_AUTHENTICATION_NONE);
++ test->client_connection = g_tls_client_connection_new (connection, NULL, &error);
++ g_assert_no_error (error);
++ g_assert_nonnull (test->client_connection);
++ g_object_unref (connection);
++
++ g_tls_connection_set_database (G_TLS_CONNECTION (test->client_connection), test->database);
++
++ /* All validation in this test */
++ g_tls_client_connection_set_validation_flags (G_TLS_CLIENT_CONNECTION (test->client_connection),
++ G_TLS_CERTIFICATE_VALIDATE_ALL);
++
++ read_test_data_async (test);
++ g_main_loop_run (test->loop);
++ wait_until_server_finished (test);
++
++ g_assert_error (test->read_error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE);
++
++#ifdef BACKEND_IS_GNUTLS
++ g_assert_error (test->server_error, G_TLS_ERROR, G_TLS_ERROR_NOT_TLS);
++#elif defined(BACKEND_IS_OPENSSL)
++ /* FIXME: This is not OK. There should be a NOT_TLS errors. But some times
++ * we either get no error or BROKEN_PIPE
++ */
++#endif
++
++ g_clear_error (&test->read_error);
++ g_clear_error (&test->server_error);
++
++ g_clear_object (&test->client_connection);
++ g_clear_object (&test->server_connection);
++
++ /* Now do the same thing again, this time ignoring bad identity. */
++
++ connection = start_async_server_and_connect_to_it (test, G_TLS_AUTHENTICATION_NONE);
++ test->client_connection = g_tls_client_connection_new (connection, NULL, &error);
++ g_assert_no_error (error);
++ g_assert_nonnull (test->client_connection);
++ g_object_unref (connection);
++
++ g_tls_connection_set_database (G_TLS_CONNECTION (test->client_connection), test->database);
++
++ g_tls_client_connection_set_validation_flags (G_TLS_CLIENT_CONNECTION (test->client_connection),
++ G_TLS_CERTIFICATE_VALIDATE_ALL & ~G_TLS_CERTIFICATE_BAD_IDENTITY);
++
++ read_test_data_async (test);
++ g_main_loop_run (test->loop);
++ wait_until_server_finished (test);
++
++ g_assert_no_error (test->read_error);
++ g_assert_no_error (test->server_error);
++}
++
+ int
+ main (int argc,
+ char *argv[])
+@@ -2061,6 +2129,8 @@ main (int argc,
+ g_test_add ("/tls/connection/fallback/subprocess/" PRIORITY_TLS_FALLBACK,
+ TestConnection, NULL,
+ setup_connection, test_fallback_subprocess, teardown_connection);
++ g_test_add ("/tls/connection/missing-server-identity", TestConnection, NULL,
++ setup_connection, test_connection_missing_server_identity, teardown_connection);
+
+ ret = g_test_run();
+
diff -Nru glib-networking-2.50.0/debian/patches/series glib-networking-2.50.0/debian/patches/series
--- glib-networking-2.50.0/debian/patches/series 2014-10-22 23:32:59.000000000 +0200
+++ glib-networking-2.50.0/debian/patches/series 2020-07-07 16:57:35.000000000 +0200
@@ -1 +1,2 @@
 01_connection_test.patch
+CVE-2020-13645.patch
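Review bot: The backported test wraps its server-side check in `#ifdef BACKEND_IS_GNUTLS` / `#elif defined(BACKEND_IS_OPENSSL)`, and in a gnutls-only 2.50.0 tree the test build may not define either macro (they appear to date from the later OpenSSL backend), in which case `g_assert_error (test->server_error, G_TLS_ERROR, G_TLS_ERROR_NOT_TLS);` is silently compiled out and the first half of test_connection_missing_server_identity only checks the client side; either confirm the stretch build sets the define or drop the conditional so the assertion is unconditional. The verify_peer_certificate change itself reads correctly: `peer_identity` and `errors` are now initialised at declaration, and an unset server identity sets `G_TLS_CERTIFICATE_BAD_IDENTITY` before the database lookup, which is what the documented contract requires; the rest of that function lies outside the hunk. Separately, the changelog entry names `d/p/Return-bad-identity-error-if-identity-is-unset.patch` while the file added under debian/patches and listed in series is `CVE-2020-13645.patch`, so one of the two should be renamed to match. The patch header could also carry DEP-3 `Origin:` and `Bug-Debian:` fields pointing at the upstream commit and #961756 so the provenance is machine-readable.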