rpms/evolution-data-server/F-10 evolution-data-server-2.24.5-CVE-2009-0547.patch, NONE, 1.1 evolution-data-server-2.24.5-CVE-2009-0582.patch, NONE, 1.1 evolution-data-server.spec, 1.247, 1.248
Matthew Barnes
mbarnes at fedoraproject.org
Tue Mar 17 18:15:33 UTC 2009
Author: mbarnes
Update of /cvs/pkgs/rpms/evolution-data-server/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9358
Modified Files:
evolution-data-server.spec
Added Files:
evolution-data-server-2.24.5-CVE-2009-0547.patch
evolution-data-server-2.24.5-CVE-2009-0582.patch
Log Message:
* Tue Mar 17 2009 Matthew Barnes <mbarnes at redhat.com> - 2.25.5-4.fc10
- Add patch for RH bug #484925 (CVE-2009-0547, S/MIME signatures).
- Add patch for RH bug #487685 (CVE-2009-0582, NTLM authentication).
evolution-data-server-2.24.5-CVE-2009-0547.patch:
--- NEW FILE evolution-data-server-2.24.5-CVE-2009-0547.patch ---
diff -up evolution-data-server-2.24.5/camel/camel-smime-context.c.CVE-2009-0547 evolution-data-server-2.24.5/camel/camel-smime-context.c
--- evolution-data-server-2.24.5/camel/camel-smime-context.c.CVE-2009-0547 2008-09-22 06:53:58.000000000 -0400
+++ evolution-data-server-2.24.5/camel/camel-smime-context.c 2009-03-17 13:48:43.000000000 -0400
@@ -40,6 +40,7 @@
#include <smime.h>
#include <pkcs11t.h>
#include <pk11func.h>
+#include <secoid.h>
#include <errno.h>
@@ -534,6 +535,7 @@ sm_verify_cmsg(CamelCipherContext *conte
for (i = 0; i < count; i++) {
NSSCMSContentInfo *cinfo = NSS_CMSMessage_ContentLevel(cmsg, i);
SECOidTag typetag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
+ int which_digest;
switch (typetag) {
case SEC_OID_PKCS7_SIGNED_DATA:
@@ -543,45 +545,49 @@ sm_verify_cmsg(CamelCipherContext *conte
goto fail;
}
- /* need to build digests of the content */
- if (!NSS_CMSSignedData_HasDigests(sigd)) {
- if (extstream == NULL) {
- camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Digests missing from enveloped data"));
- goto fail;
- }
+ if (extstream == NULL) {
+ camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Digests missing from enveloped data"));
+ goto fail;
+ }
- if ((poolp = PORT_NewArena(1024)) == NULL) {
- camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, g_strerror (ENOMEM));
- goto fail;
- }
+ if ((poolp = PORT_NewArena(1024)) == NULL) {
+ camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, g_strerror (ENOMEM));
+ goto fail;
+ }
- digestalgs = NSS_CMSSignedData_GetDigestAlgs(sigd);
-
- digcx = NSS_CMSDigestContext_StartMultiple(digestalgs);
- if (digcx == NULL) {
- camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot calculate digests"));
- goto fail;
- }
+ digestalgs = NSS_CMSSignedData_GetDigestAlgs(sigd);
+
+ digcx = NSS_CMSDigestContext_StartMultiple(digestalgs);
+ if (digcx == NULL) {
+ camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot calculate digests"));
+ goto fail;
+ }
+
+ mem = (CamelStreamMem *)camel_stream_mem_new();
+ camel_stream_write_to_stream(extstream, (CamelStream *)mem);
+ NSS_CMSDigestContext_Update(digcx, mem->buffer->data, mem->buffer->len);
+ camel_object_unref(mem);
- mem = (CamelStreamMem *)camel_stream_mem_new();
- camel_stream_write_to_stream(extstream, (CamelStream *)mem);
- NSS_CMSDigestContext_Update(digcx, mem->buffer->data, mem->buffer->len);
- camel_object_unref(mem);
+ if (NSS_CMSDigestContext_FinishMultiple(digcx, poolp, &digests) != SECSuccess) {
+ camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot calculate digests"));
+ goto fail;
+ }
- if (NSS_CMSDigestContext_FinishMultiple(digcx, poolp, &digests) != SECSuccess) {
- camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot calculate digests"));
+ for (which_digest = 0; digests[which_digest] != NULL; which_digest++) {
+ SECOidData *digest_alg = SECOID_FindOID(&digestalgs[which_digest]->algorithm);
+ if (digest_alg == NULL) {
+ camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot set message digests"));
goto fail;
}
-
- if (NSS_CMSSignedData_SetDigests(sigd, digestalgs, digests) != SECSuccess) {
+ if (NSS_CMSSignedData_SetDigestValue(sigd, digest_alg->offset, digests[which_digest]) != SECSuccess) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot set message digests"));
goto fail;
}
-
- PORT_FreeArena(poolp, PR_FALSE);
- poolp = NULL;
}
+ PORT_FreeArena(poolp, PR_FALSE);
+ poolp = NULL;
+
/* import all certificates present */
if (NSS_CMSSignedData_ImportCerts(sigd, p->certdb, certUsageEmailSigner, PR_TRUE) != SECSuccess) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Certificate import failed"));
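Review bot: With the `NSS_CMSSignedData_HasDigests` guard removed, the `extstream == NULL` check is now reached for every signed-data content level, including one whose digests NSS already produced while decoding encapsulated content; any caller of sm_verify_cmsg that passes NULL for extstream would then fail with "Digests missing from enveloped data" even though digests exist — the callers are outside this hunk, so this needs confirming. If recomputing from the detached content is the only supported path, a comment above the check should say so, e.g. `/* Digests are always recomputed from the external content stream; an encapsulated signed-data level is not handled here. */`. The new loop also indexes `digestalgs[which_digest]` in lockstep with `digests[which_digest]`, relying on NSS_CMSDigestContext_FinishMultiple returning a NULL-terminated array parallel to digestalgs; that assumption is worth a one-line comment at the loop. sm_verify_cmsg begins and its `fail:` cleanup lie outside the hunk, so whether `poolp` is released on the new error paths cannot be checked here.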
evolution-data-server-2.24.5-CVE-2009-0582.patch:
--- NEW FILE evolution-data-server-2.24.5-CVE-2009-0582.patch ---
diff -up evolution-data-server-2.24.5/camel/camel-sasl-ntlm.c.CVE-2009-0582 evolution-data-server-2.24.5/camel/camel-sasl-ntlm.c
--- evolution-data-server-2.24.5/camel/camel-sasl-ntlm.c.CVE-2009-0582 2008-09-22 06:53:58.000000000 -0400
+++ evolution-data-server-2.24.5/camel/camel-sasl-ntlm.c 2009-03-17 13:52:17.000000000 -0400
@@ -74,9 +74,8 @@ camel_sasl_ntlm_get_type (void)
#define NTLM_REQUEST "NTLMSSP\x00\x01\x00\x00\x00\x06\x82\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x30\x00\x00\x00"
-#define NTLM_CHALLENGE_NONCE_OFFSET 24
-#define NTLM_CHALLENGE_DOMAIN_OFFSET 48
-#define NTLM_CHALLENGE_DOMAIN_LEN_OFFSET 44
+#define NTLM_CHALLENGE_DOMAIN_OFFSET 12
+#define NTLM_CHALLENGE_NONCE_OFFSET 24
#define NTLM_RESPONSE_HEADER "NTLMSSP\x00\x03\x00\x00\x00"
#define NTLM_RESPONSE_FLAGS "\x82\x01"
@@ -93,22 +92,60 @@ static void ntlm_calc_response (const
guchar results[24]);
static void ntlm_lanmanager_hash (const char *password, char hash[21]);
static void ntlm_nt_hash (const char *password, char hash[21]);
-static void ntlm_set_string (GByteArray *ba, int offset,
- const char *data, int len);
+
+typedef struct {
+ guint16 length;
+ guint16 allocated;
+ guint32 offset;
+} SecurityBuffer;
+
+static GString *
+ntlm_get_string (GByteArray *ba, int offset)
+{
+ SecurityBuffer *secbuf;
+ GString *string;
+ gchar *buf_string;
+ guint16 buf_length;
+ guint32 buf_offset;
+
+ secbuf = (SecurityBuffer *) &ba->data[offset];
+ buf_length = GUINT16_FROM_LE (secbuf->length);
+ buf_offset = GUINT32_FROM_LE (secbuf->offset);
+
+ if (ba->len < buf_offset + buf_length)
+ return NULL;
+
+ string = g_string_sized_new (buf_length);
+ buf_string = (gchar *) &ba->data[buf_offset];
+ g_string_append_len (string, buf_string, buf_length);
+
+ return string;
+}
+
+static void
+ntlm_set_string (GByteArray *ba, int offset, const char *data, int len)
+{
+ SecurityBuffer *secbuf;
+
+ secbuf = (SecurityBuffer *) &ba->data[offset];
+ secbuf->length = GUINT16_TO_LE (len);
+ secbuf->offset = GUINT32_TO_LE (ba->len);
+ secbuf->allocated = secbuf->length;
+
+ g_byte_array_append (ba, (guint8 *) data, len);
+}
static GByteArray *
ntlm_challenge (CamelSasl *sasl, GByteArray *token, CamelException *ex)
{
GByteArray *ret;
guchar nonce[8], hash[21], lm_resp[24], nt_resp[24];
+ GString *domain;
ret = g_byte_array_new ();
- if (!token || !token->len) {
- g_byte_array_append (ret, (guint8 *) NTLM_REQUEST,
- sizeof (NTLM_REQUEST) - 1);
- return ret;
- }
+ if (!token || token->len < NTLM_CHALLENGE_NONCE_OFFSET + 8)
+ goto fail;
memcpy (nonce, token->data + NTLM_CHALLENGE_NONCE_OFFSET, 8);
ntlm_lanmanager_hash (sasl->service->url->passwd, (char *) hash);
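Review bot: The bounds check in ntlm_get_string, `if (ba->len < buf_offset + buf_length)`, is evaluated in 32-bit unsigned arithmetic, so a server-supplied `buf_offset` near the top of the guint32 range wraps the sum to a small value, passes the check, and `&ba->data[buf_offset]` is then read out of bounds; write it without the addition, `if (buf_offset > ba->len || buf_length > ba->len - buf_offset) return NULL;`. The helper also reads the eight-byte SecurityBuffer at `offset` without checking `ba->len >= offset + sizeof (SecurityBuffer)`; today the caller's `token->len < NTLM_CHALLENGE_NONCE_OFFSET + 8` guard covers offset 12, but the function should validate this itself so it stays safe for any offset. In ntlm_set_string, `GUINT16_TO_LE (len)` silently truncates `len` to 16 bits while `g_byte_array_append` appends all `len` bytes, so a user name or domain longer than 65535 bytes produces a header that disagrees with the payload; rejecting or clamping such lengths keeps the two consistent. ntlm_challenge starts in this hunk but continues past it.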
@@ -116,7 +153,11 @@ ntlm_challenge (CamelSasl *sasl, GByteAr
ntlm_nt_hash (sasl->service->url->passwd, (char *) hash);
ntlm_calc_response (hash, nonce, nt_resp);
- ret = g_byte_array_new ();
+ domain = ntlm_get_string (token, NTLM_CHALLENGE_DOMAIN_OFFSET);
+ if (domain == NULL)
+ goto fail;
+
+ /* Don't jump to 'fail' label after this point. */
g_byte_array_set_size (ret, NTLM_RESPONSE_BASE_SIZE);
memset (ret->data, 0, NTLM_RESPONSE_BASE_SIZE);
memcpy (ret->data, NTLM_RESPONSE_HEADER,
@@ -125,8 +166,7 @@ ntlm_challenge (CamelSasl *sasl, GByteAr
NTLM_RESPONSE_FLAGS, sizeof (NTLM_RESPONSE_FLAGS) - 1);
ntlm_set_string (ret, NTLM_RESPONSE_DOMAIN_OFFSET,
- (const char *) token->data + NTLM_CHALLENGE_DOMAIN_OFFSET,
- atoi ((char *) token->data + NTLM_CHALLENGE_DOMAIN_LEN_OFFSET));
+ domain->str, domain->len);
ntlm_set_string (ret, NTLM_RESPONSE_USER_OFFSET,
sasl->service->url->user,
strlen (sasl->service->url->user));
@@ -138,6 +178,18 @@ ntlm_challenge (CamelSasl *sasl, GByteAr
(const char *) nt_resp, sizeof (nt_resp));
sasl->authenticated = TRUE;
+
+ g_string_free (domain, TRUE);
+
+ goto exit;
+
+fail:
+ /* If the challenge is malformed, restart authentication.
+ * XXX A malicious server could make this loop indefinitely. */
+ g_byte_array_append (ret, (guint8 *) NTLM_REQUEST,
+ sizeof (NTLM_REQUEST) - 1);
+
+exit:
return ret;
}
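Review bot: The `fail:` path answers a malformed challenge by re-sending NTLM_REQUEST, and the XXX comment already concedes this can repeat indefinitely against a server that keeps sending malformed challenges; since ntlm_challenge receives `ex`, the malformed case could instead set a CAMEL_EXCEPTION, as the S/MIME patch in this same commit does, so the SASL layer stops rather than retries — whether the caller terminates on an exception or on a NULL return is outside this hunk and needs checking. If retries are bounded by the caller, the comment should say so rather than leave the loop as an open question, e.g. `/* Restart the handshake; the caller is expected to bound the number of retries. */`.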
@@ -201,17 +253,6 @@ ntlm_nt_hash (const char *password, char
g_free (buf);
}
-static void
-ntlm_set_string (GByteArray *ba, int offset, const char *data, int len)
-{
- ba->data[offset ] = ba->data[offset + 2] = len & 0xFF;
- ba->data[offset + 1] = ba->data[offset + 3] = (len >> 8) & 0xFF;
- ba->data[offset + 4] = ba->len & 0xFF;
- ba->data[offset + 5] = (ba->len >> 8) & 0xFF;
- g_byte_array_append (ba, (guint8 *) data, len);
-}
-
-
#define KEYBITS(k,s) \
(((k[(s)/8] << ((s)%8)) & 0xFF) | (k[(s)/8+1] >> (8-(s)%8)))
Index: evolution-data-server.spec
===================================================================
RCS file: /cvs/pkgs/rpms/evolution-data-server/F-10/evolution-data-server.spec,v
retrieving revision 1.247
retrieving revision 1.248
diff -u -r1.247 -r1.248
--- evolution-data-server.spec 13 Mar 2009 16:01:21 -0000 1.247
+++ evolution-data-server.spec 17 Mar 2009 18:15:02 -0000 1.248
@@ -29,7 +29,7 @@
Name: evolution-data-server
Version: 2.24.5
-Release: 3%{?dist}
+Release: 4%{?dist}
License: LGPLv2
Group: System Environment/Libraries
Summary: Backend data server for Evolution
@@ -54,6 +54,12 @@
# RH bug #489696 / GNOME bug #568322
Patch14: evolution-data-server-2.24.5-sqlite-fsync-rework.patch
+# RH bug #484925 / CVE-2009-0547
+Patch15: evolution-data-server-2.24.5-CVE-2009-0547.patch
+
+# RH bug #487685 / CVE-2009-0582
+Patch16: evolution-data-server-2.24.5-CVE-2009-0582.patch
+
### Build Dependencies ###
BuildRequires: GConf2-devel
@@ -133,6 +139,8 @@
%patch12 -p1 -b .camel-folder-summary-crash
%patch13 -p1 -b .fix-64bit-acinclude
%patch14 -p1 -b .sqlite-fsync-rework
+%patch15 -p1 -b .CVE-2009-0582
+%patch16 -p1 -b .CVE-2009-0587
mkdir -p krb5-fakeprefix/include
mkdir -p krb5-fakeprefix/lib
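Review bot: The backup suffixes on the new %patch lines do not match the patches they apply: Patch15 is the CVE-2009-0547 patch but is applied with `-b .CVE-2009-0582`, and Patch16 (CVE-2009-0582) with `-b .CVE-2009-0587`, which is not an id that appears anywhere else on this page. The build still succeeds, but the backup copies in the build tree are mislabelled, which misleads anyone diffing them against the patched sources. Use `%patch15 -p1 -b .CVE-2009-0547` and `%patch16 -p1 -b .CVE-2009-0582`.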
@@ -378,6 +386,10 @@
%{_datadir}/gtk-doc/html/libedataserverui
%changelog
+* Tue Mar 17 2009 Matthew Barnes <mbarnes at redhat.com> - 2.25.5-4.fc10
+- Add patch for RH bug #484925 (CVE-2009-0547, S/MIME signatures).
+- Add patch for RH bug #487685 (CVE-2009-0582, NTLM authentication).
+
* Fri Mar 13 2009 Matthew Barnes <mbarnes at redhat.com> - 2.25.5-3.fc10
- Revise patch for RH bug #568332 to match upstream commit.