Hi,

Attached is a debdiff of the changes I made for the 8.14.3-9.1 0-day NMU.

Cheers,
Giuseppe


diff -u sendmail-8.14.3/debian/changelog sendmail-8.14.3/debian/changelog
--- sendmail-8.14.3/debian/changelog
+++ sendmail-8.14.3/debian/changelog
@@ -1,3 +1,11 @@
+sendmail (8.14.3-9.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fixed CVE-2009-4565: incorrect verification of SSL certificate with NUL in
+    name (Closes: #564581)
+
+ -- Giuseppe Iuculano <iucul...@debian.org>  Fri, 29 Jan 2010 14:16:07 +0100
+
 sendmail (8.14.3-9) unstable; urgency=low
 
   * Batting 1000, build-depend on quilt      Closes: #517676
diff -u sendmail-8.14.3/debian/patches/8.14/8.14.3/series 
sendmail-8.14.3/debian/patches/8.14/8.14.3/series
--- sendmail-8.14.3/debian/patches/8.14/8.14.3/series
+++ sendmail-8.14.3/debian/patches/8.14/8.14.3/series
@@ -11,0 +12 @@
+CVE-2009-4565
only in patch2:
unchanged:
--- sendmail-8.14.3.orig/debian/patches/8.14/8.14.3/CVE-2009-4565
+++ sendmail-8.14.3/debian/patches/8.14/8.14.3/CVE-2009-4565
@@ -0,0 +1,112 @@
+CVE-2009-4565
+diff -pruN sendmail-8.14.3/cf/README sendmail-8.14.4/cf/README
+--- sendmail-8.14.3/cf/README  2008-02-16 00:05:32.000000000 +0100
++++ sendmail-8.14.4/cf/README  2009-05-08 01:46:17.000000000 +0200
+@@ -3142,7 +3142,7 @@ starts with '+' and the items are separa
+ extensions are:
+ 
+ CN:name               name must match ${cn_subject}
+-CN            ${server_name} must match ${cn_subject}
++CN            ${client_name}/${server_name} must match ${cn_subject}
+ CS:name               name must match ${cert_subject}
+ CI:name               name must match ${cert_issuer}
+ 
+diff -pruN sendmail-8.14.3/doc/op/op.me sendmail-8.14.4/doc/op/op.me
+--- sendmail-8.14.3/doc/op/op.me       2007-06-23 01:08:59.000000000 +0200
++++ sendmail-8.14.4/doc/op/op.me       2009-12-13 05:12:46.000000000 +0100
+@@ -4952,9 +4953,21 @@ as "(may be forged)".
+ .ip ${cn_issuer}
+ The CN (common name) of the CA that signed the presented certificate
+ (STARTTLS only).
++Note: if the CN cannot be extracted properly it will be replaced by
++one of these strings based on the encountered error:
++.(b
++.ta 25n
++BadCertificateContainsNUL     CN contains a NUL character
++BadCertificateTooLong CN is too long
++BadCertificateUnknown CN could not be extracted
++.)b
++In the last case, some other (unspecific) error occurred.
+ .ip ${cn_subject}
+ The CN (common name) of the presented certificate
+ (STARTTLS only).
++See
++.b ${cn_issuer}
++for possible replacements.
+ .ip ${currHeader}
+ Header value as quoted string
+ (possibly truncated to
+diff -pruN sendmail-8.14.3/sendmail/tls.c sendmail-8.14.4/sendmail/tls.c
+--- sendmail-8.14.3/sendmail/tls.c     2006-10-12 23:35:11.000000000 +0200
++++ sendmail-8.14.4/sendmail/tls.c     2009-08-10 17:11:09.000000000 +0200
+@@ -1196,23 +1200,62 @@ tls_get_info(ssl, srv, host, mac, certre
+       if (cert != NULL)
+       {
+               unsigned int n;
++              X509_NAME *subj, *issuer;
+               unsigned char md[EVP_MAX_MD_SIZE];
+               char buf[MAXNAME];
+ 
+-              X509_NAME_oneline(X509_get_subject_name(cert),
+-                                buf, sizeof(buf));
++              subj = X509_get_subject_name(cert);
++              issuer = X509_get_issuer_name(cert);
++              X509_NAME_oneline(subj, buf, sizeof(buf));
+               macdefine(mac, A_TEMP, macid("{cert_subject}"),
+                        xtextify(buf, "<>\")"));
+-              X509_NAME_oneline(X509_get_issuer_name(cert),
+-                                buf, sizeof(buf));
++              X509_NAME_oneline(issuer, buf, sizeof(buf));
+               macdefine(mac, A_TEMP, macid("{cert_issuer}"),
+                        xtextify(buf, "<>\")"));
+-              X509_NAME_get_text_by_NID(X509_get_subject_name(cert),
+-                                        NID_commonName, buf, sizeof(buf));
++
++#define CHECK_X509_NAME(which)        \
++      do {    \
++              if (r == -1)    \
++              {               \
++                      sm_strlcpy(buf, "BadCertificateUnknown", sizeof(buf)); \
++                      if (LogLevel > 7)       \
++                              sm_syslog(LOG_INFO, NOQID,      \
++                                      "STARTTLS=%s, relay=%.100s, field=%s, 
status=failed to extract CN",     \
++                                      who,    \
++                                      host == NULL ? "local" : host,  \
++                                      which); \
++              }               \
++              else if ((size_t)r >= sizeof(buf) - 1)  \
++              {               \
++                      sm_strlcpy(buf, "BadCertificateTooLong", sizeof(buf)); \
++                      if (LogLevel > 7)       \
++                              sm_syslog(LOG_INFO, NOQID,      \
++                                      "STARTTLS=%s, relay=%.100s, field=%s, 
status=CN too long",      \
++                                      who,    \
++                                      host == NULL ? "local" : host,  \
++                                      which); \
++              }               \
++              else if ((size_t)r > strlen(buf))       \
++              {               \
++                      sm_strlcpy(buf, "BadCertificateContainsNUL",    \
++                              sizeof(buf));   \
++                      if (LogLevel > 7)       \
++                              sm_syslog(LOG_INFO, NOQID,      \
++                                      "STARTTLS=%s, relay=%.100s, field=%s, 
status=CN contains NUL",  \
++                                      who,    \
++                                      host == NULL ? "local" : host,  \
++                                      which); \
++              }               \
++      } while (0)
++
++              r = X509_NAME_get_text_by_NID(subj, NID_commonName, buf,
++                      sizeof buf);
++              CHECK_X509_NAME("cn_subject");
+               macdefine(mac, A_TEMP, macid("{cn_subject}"),
+                        xtextify(buf, "<>\")"));
+-              X509_NAME_get_text_by_NID(X509_get_issuer_name(cert),
+-                                        NID_commonName, buf, sizeof(buf));
++              r = X509_NAME_get_text_by_NID(issuer, NID_commonName, buf,
++                      sizeof buf);
++              CHECK_X509_NAME("cn_issuer");
+               macdefine(mac, A_TEMP, macid("{cn_issuer}"),
+                        xtextify(buf, "<>\")"));
+               n = 0;
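Review bot: The two `X509_NAME_oneline()` calls in the tls.c part still fill `buf` with no check, so `{cert_subject}` and `{cert_issuer}` can be cut short to fit `buf[MAXNAME]` without any marker (as far as I know the call truncates rather than fails when given a caller buffer), while only the CN macros get a `BadCertificate*` value. The cf/README text in this same patch lists `CS:` and `CI:` as matching against those macros, so I would flag a full buffer there too, for example `if (strlen(buf) >= sizeof(buf) - 1) sm_strlcpy(buf, "BadCertificateTooLong", sizeof(buf));` after each call, or at least log it. Separately, `CHECK_X509_NAME` reads `r`, `buf`, `who` and `host` from the enclosing scope and is not undefined in the visible lines; a one-line comment naming those dependencies and an `#undef CHECK_X509_NAME` after the `cn_issuer` use would keep it local. `r` and `who` are declared outside the hunk and tls_get_info continues past `n = 0;`, so this rests only on the lines shown.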
