rpms/fetchmail/F-11 fetchmail-6.3.9-CVE-2009-2666.patch, NONE, 1.1 fetchmail.spec, 1.65, 1.66

vcrhonek vcrhonek at fedoraproject.org
Wed Aug 19 08:53:19 UTC 2009


Author: vcrhonek

Update of /cvs/extras/rpms/fetchmail/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv18224

Modified Files:
	fetchmail.spec 
Added Files:
	fetchmail-6.3.9-CVE-2009-2666.patch 
Log Message:
Fix SSL null terminator bypass (CVE-2009-2666)

fetchmail-6.3.9-CVE-2009-2666.patch:
 socket.c |   26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

--- NEW FILE fetchmail-6.3.9-CVE-2009-2666.patch ---
diff -up fetchmail-6.3.9/socket.c_orig fetchmail-6.3.9/socket.c
--- fetchmail-6.3.9/socket.c_orig	2009-08-06 11:34:12.000000000 +0200
+++ fetchmail-6.3.9/socket.c	2009-08-06 11:47:25.000000000 +0200
@@ -632,6 +632,13 @@ static int SSL_verify_callback( int ok_r
 				report(stderr, GT_("Bad certificate: Subject CommonName too long!\n"));
 				return (0);
 			}
+			if ((size_t)i > strlen(buf)) {
+				/* Name contains embedded NUL characters, so we complain. This is likely
+				 * a certificate spoofing attack. */
+				report(stderr, GT_("Bad certificate: Subject CommonName contains NUL, aborting!\n"));
+				return 0;
+			}
+
 			if (_ssl_server_cname != NULL) {
 				char *p1 = buf;
 				char *p2 = _ssl_server_cname;
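Review bot: The added guard `if ((size_t)i > strlen(buf))` does not explain why a length mismatch implies an embedded NUL, and `i` is assigned outside the hunk, so a reader has to infer that it is presumably the CommonName length returned by the certificate lookup. I would extend the comment along the lines of `/* i is the CN length reported by the lookup; strlen() stops at the first NUL, so i > strlen(buf) means the name continues past a NUL */`. The cast also turns a negative `i` into a very large value, which would land in this branch with a misleading message unless an error return is already filtered above the hunk; that is worth confirming. For consistency, the context line just above uses `return (0);` while the new code uses `return 0;`, and the Subject Alternative Name check in the next hunk compares with `!=` rather than `>`.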
@@ -643,12 +650,19 @@ static int SSL_verify_callback( int ok_r
 				 * first find a match among alternative names */
 				gens = X509_get_ext_d2i(x509_cert, NID_subject_alt_name, NULL, NULL);
 				if (gens) {
-					int i, r;
-					for (i = 0, r = sk_GENERAL_NAME_num(gens); i < r; ++i) {
-						const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
-						if (gn->type == GEN_DNS) {
-							char *p1 = (char *)gn->d.ia5->data;
-							char *p2 = _ssl_server_cname;
+					int j, r;
+					for (j = 0, r = sk_GENERAL_NAME_num(gens); j < r; ++j) {
+						const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, j);
+ 						if (gn->type == GEN_DNS) {
+ 							char *p1 = (char *)gn->d.ia5->data;
+ 							char *p2 = _ssl_server_cname;
+							/* Name contains embedded NUL characters, so we complain. This
+							 * is likely a certificate spoofing attack. */
+							if ((size_t)gn->d.ia5->length != strlen(p1)) {
+								report(stderr, GT_("Bad certificate: Subject Alternative Name contains NUL, aborting!\n"));
+								sk_GENERAL_NAME_free(gens);
+								return 0;
+							}
 							if (outlevel >= O_VERBOSE)
 								report(stderr, "Subject Alternative Name: %s\n", p1);
 							if (*p1 == '*') {
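Review bot: The embedded-NUL test `(size_t)gn->d.ia5->length != strlen(p1)` runs strlen() over `gn->d.ia5->data`, which is only safe if that buffer is NUL-terminated; since the ASN.1 string carries an explicit length, a bounded scan avoids depending on a terminator: `if (memchr(p1, '\0', (size_t)gn->d.ia5->length) != NULL) {`. The lines after the check (the `%s` report and the wildcard test) still treat p1 as a C string, so this narrows the assumption rather than removing it. On the abort path `sk_GENERAL_NAME_free(gens)` releases only the stack container; if the entries are owned by `gens`, as is normally the case for the result of X509_get_ext_d2i, `sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free)` would release them as well. The `for` loop and the enclosing callback continue outside the hunk.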


Index: fetchmail.spec
===================================================================
RCS file: /cvs/extras/rpms/fetchmail/F-11/fetchmail.spec,v
retrieving revision 1.65
retrieving revision 1.66
diff -u -p -r1.65 -r1.66
--- fetchmail.spec	9 Jun 2009 21:03:45 -0000	1.65
+++ fetchmail.spec	19 Aug 2009 08:53:18 -0000	1.66
@@ -4,11 +4,12 @@
 Summary: A remote mail retrieval and forwarding utility
 Name: fetchmail
 Version: 6.3.9
-Release: 4%{?dist}
+Release: 5%{?dist}
 Requires: procmail
 Source0: http://download.berlios.de/fetchmail/fetchmail-%{version}.tar.bz2
 Source1: http://download.berlios.de/fetchmail/fetchmail-%{version}.tar.bz2.asc
 Patch0: fetchmail-6.2.5-addrconf.patch
+Patch1: fetchmail-6.3.9-CVE-2009-2666.patch
 URL: http://fetchmail.berlios.de/
 # For a breakdown of the licensing, see COPYING
 License: GPL+ and Public Domain
@@ -47,6 +48,7 @@ need to have Python and Tk installed in 
 %prep
 %setup -q
 %patch0 -p1 -b .addrconf
+%patch1 -p1 -b .cve_2009_2666
 
 %build
 %configure --enable-POP3 --enable-IMAP --with-ssl --with-hesiod \
@@ -85,6 +87,9 @@ rm -rf $RPM_BUILD_ROOT
 %endif
 
 %changelog
+* Wed Aug 19 2009 Vitezslav Crhonek <vcrhonek at redhat.com> - 6.3.9-5
+- Fix SSL null terminator bypass (CVE-2009-2666)
+
 * Tue Jun 09 2009 Adam Jackson <ajax at redhat.com> 6.3.9-4
 - Rebuild to get rid of libkrb4 dependency.
 



