Package: gnutls26
Version: 2.4.2-1
Severity: important
Hi,
gnutls openssl-compat library has a similar problem as lynx-cur's
reported in #499945. Attached is a verbose description and patch.
The typical failure condition is when the certificate chain has length
one (as in the case discussed in #499945).
Kind regards
T.
--
Thomas Viehmann, http://thomas.viehmann.net/
libextra/gnutls_openssl.c: fix X509_get_issuer_name to return issuer
name of given certificate and not try to get the subject dn of the
issuer certificate wich may or may not exist. (Checked how openssl
does this, too.) This fixes a accessing an array outside its bounds.
Debian bug #499945 is instructive about the problem. While lynx-cur
credits Thomas Dickey for the bug, the code and implications are
essentially the same for the gnutls openssl-compat libary.
-- Thomas Viehmann <[EMAIL PROTECTED]> Fri, 03 Oct 2008 21:03:34 +0200
--- gnutls26-2.4.2.orig/libextra/gnutls_openssl.c
+++ gnutls26-2.4.2/libextra/gnutls_openssl.c
@@ -858,7 +858,7 @@
{
gnutls_x509_dn *dn;
dn = (gnutls_x509_dn *) calloc (1, sizeof (gnutls_x509_dn));
- if (gnutls_x509_extract_certificate_dn (&cert[0], dn) < 0)
+ if (gnutls_x509_extract_certificate_dn (cert, dn) < 0)
{
free (dn);
return NULL;
@@ -871,7 +871,7 @@
{
gnutls_x509_dn *dn;
dn = (gnutls_x509_dn *) calloc (1, sizeof (gnutls_x509_dn));
- if (gnutls_x509_extract_certificate_dn (&cert[1], dn) < 0)
+ if (gnutls_x509_extract_certificate_issuer_dn (cert, dn) < 0)
{
free (dn);
return NULL;
