Bug#714541: ruby1.8: diff for NMU version 1.8.7.358-7.1

Mon, 08 Jul 2013 09:39:50 -0700 

tags 714541 + pending
thanks

Dear Ruby maintainers!

I've prepared an NMU for ruby1.8 (versioned as 1.8.7.358-7.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore

diff -Nru ruby1.8-1.8.7.358/debian/changelog ruby1.8-1.8.7.358/debian/changelog
--- ruby1.8-1.8.7.358/debian/changelog	2013-03-12 08:34:17.000000000 +0100
+++ ruby1.8-1.8.7.358/debian/changelog	2013-07-08 16:37:30.000000000 +0200
@@ -1,3 +1,12 @@
+ruby1.8 (1.8.7.358-7.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Add CVE-2013-4073.patch patch.
+    CVE-2013-4073: Fix hostname check bypassing vulnerability in SSL client.
+    (Closes: #714541)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sun, 07 Jul 2013 14:10:32 +0200
+
 ruby1.8 (1.8.7.358-7) unstable; urgency=high
 
   [ Salvatore Bonaccorso ]
diff -Nru ruby1.8-1.8.7.358/debian/patches/CVE-2013-4073.patch ruby1.8-1.8.7.358/debian/patches/CVE-2013-4073.patch
--- ruby1.8-1.8.7.358/debian/patches/CVE-2013-4073.patch	1970-01-01 01:00:00.000000000 +0100
+++ ruby1.8-1.8.7.358/debian/patches/CVE-2013-4073.patch	2013-07-08 16:37:30.000000000 +0200
@@ -0,0 +1,81 @@
+Description: Fix hostname check bypassing vulnerability in SSL client
+ CVE-2013-4073: Hostname identity check did not properly handle
+ hostnames in the certificate that contain null bytes.
+Origin: upstream, https://github.com/ruby/ruby/commit/961bf7496ded3acfe847cf56fa90bbdcfd6e614f,
+ https://github.com/ruby/ruby/commit/469d4b9389cc2f877f2f17ba248146831d69c66b,
+ https://bugs.ruby-lang.org/issues/8575
+Bug-Debian: http://bugs.debian.org/714541
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2013-07-07
+Applied-Upstream: 1.9.3-p448, 1.8.7-p374.
+
+--- a/ext/openssl/lib/openssl/ssl-internal.rb
++++ b/ext/openssl/lib/openssl/ssl-internal.rb
+@@ -90,14 +90,22 @@
+       should_verify_common_name = true
+       cert.extensions.each{|ext|
+         next if ext.oid != "subjectAltName"
+-        ext.value.split(/,\s+/).each{|general_name|
+-          if /\ADNS:(.*)/ =~ general_name
++       ostr = OpenSSL::ASN1.decode(ext.to_der).value.last
++        sequence = OpenSSL::ASN1.decode(ostr.value)
++        sequence.value.each{|san|
++          case san.tag
++          when 2 # dNSName in GeneralName (RFC5280)
+             should_verify_common_name = false
+-            reg = Regexp.escape($1).gsub(/\\\*/, "[^.]+")
++            reg = Regexp.escape(san.value).gsub(/\\\*/, "[^.]+")
+             return true if /\A#{reg}\z/i =~ hostname
+-          elsif /\AIP Address:(.*)/ =~ general_name
++          when 7 # iPAddress in GeneralName (RFC5280)
+             should_verify_common_name = false
+-            return true if $1 == hostname
++            # follows GENERAL_NAME_print() in x509v3/v3_alt.c
++            if san.value.size == 4
++              return true if san.value.unpack('C*').join('.') == hostname
++            elsif san.value.size == 16
++              return true if san.value.unpack('n*').map { |e| sprintf("%X", e) }.join(':') == hostname
++            end
+           end
+         }
+       }
+--- a/test/openssl/test_ssl.rb
++++ b/test/openssl/test_ssl.rb
+@@ -547,6 +547,36 @@
+       ssl.close
+     }
+   end
++
++  def test_verify_certificate_identity$
++    [true, false].each do |criticality|$
++      cert = create_null_byte_SAN_certificate(criticality)$
++      assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, 'www.example.com'))$
++      assert_equal(true,  OpenSSL::SSL.verify_certificate_identity(cert, 'www.example.com\0.evil.com'))$
++      assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.255'))$
++      assert_equal(true,  OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.1'))$
++      assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '13::17'))$
++      assert_equal(true,  OpenSSL::SSL.verify_certificate_identity(cert, '13:0:0:0:0:0:0:17'))$
++    end$
++  end$
++$
++  # Create NULL byte SAN certificate$
++  def create_null_byte_SAN_certificate(critical = false)$
++    ef = OpenSSL::X509::ExtensionFactory.new$
++    cert = OpenSSL::X509::Certificate.new$
++    cert.subject = OpenSSL::X509::Name.parse "/DC=some/DC=site/CN=Some Site"$
++    ext = ef.create_ext('subjectAltName', 'DNS:placeholder,IP:192.168.7.1,IP:13::17', critical)$
++    ext_asn1 = OpenSSL::ASN1.decode(ext.to_der)$
++    san_list_der = ext_asn1.value.reduce(nil) { |memo,val| val.tag == 4 ? val.value : memo }$
++    san_list_asn1 = OpenSSL::ASN1.decode(san_list_der)$
++    san_list_asn1.value[0].value = 'www.example.com\0.evil.com'$
++    pos = critical ? 2 : 1$
++    ext_asn1.value[pos].value = san_list_asn1.to_der$
++    real_ext = OpenSSL::X509::Extension.new ext_asn1$
++    cert.add_extension(real_ext)$
++    cert$
++  end$
++$
+ end
+ 
+ end
diff -Nru ruby1.8-1.8.7.358/debian/patches/series ruby1.8-1.8.7.358/debian/patches/series
--- ruby1.8-1.8.7.358/debian/patches/series	2013-03-12 08:32:40.000000000 +0100
+++ ruby1.8-1.8.7.358/debian/patches/series	2013-07-08 16:37:30.000000000 +0200
@@ -15,3 +15,4 @@
 use-ldflags.patch
 CVE-2012-4481.patch
 CVE-2013-1821.patch
+CVE-2013-4073.patch

Reply via email to