Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

The version of telepathy-idle in wheezy does not validate IRC servers'
SSL certificates when used with SSL (#706094, CVE ID requested).

The version in sid was already newer than wheezy, so I uploaded the
fixed upstream version there directly. For wheezy, I suggest a more minimal
patch (attached) - this breaks a regression test which uses a pre-generated
self-signed certificate, but we don't run those tests in Debian anyway.

Yves-Alexis Perez has indicated that this is not DSA material. Would you
like me to upload to t-p-u before wheezy r0, or to s-p-u after r0 is out,
or neither?

Regards,
    S
diffstat for telepathy-idle-0.1.11 telepathy-idle-0.1.11

 changelog                                                            |    6 ++
 gbp.conf                                                             |    2 
 patches/0002-Don-t-disable-parts-of-TLS-certificate-validation.patch |   28 ++++++++++
 patches/series                                                       |    1 
 4 files changed, 36 insertions(+), 1 deletion(-)

diff -Nru telepathy-idle-0.1.11/debian/changelog telepathy-idle-0.1.11/debian/changelog
--- telepathy-idle-0.1.11/debian/changelog	2011-11-02 07:12:25.000000000 +0000
+++ telepathy-idle-0.1.11/debian/changelog	2013-04-24 16:45:31.000000000 +0100
@@ -1,3 +1,9 @@
+telepathy-idle (0.1.11-2+deb7u1) UNRELEASED; urgency=low
+
+  * Validate TLS certificates (Closes: #706094)
+
+ -- Simon McVittie <s...@debian.org>  Wed, 24 Apr 2013 16:43:37 +0100
+
 telepathy-idle (0.1.11-2) unstable; urgency=low
 
   * debian/patches/Support-trailing-parameter-without-a-initial.patch:
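Review bot: the distribution field on the new entry is UNRELEASED, and the changelog line "Validate TLS certificates (Closes: #706094)" names the fix but not its user-visible consequence. Before upload the distribution needs to become whichever suite the release team picks (testing-proposed-updates or stable-proposed-updates, as asked in the mail), and the entry should say that IRC servers presenting self-signed, expired or mis-named certificates, which 0.1.11-2 accepted silently, will now be rejected; for a stable update that is a behaviour change worth a debian/NEWS note as well. Once the requested CVE identifier is assigned, add it to the entry so the security tracker can match the upload.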
diff -Nru telepathy-idle-0.1.11/debian/gbp.conf telepathy-idle-0.1.11/debian/gbp.conf
--- telepathy-idle-0.1.11/debian/gbp.conf	2011-11-02 07:12:25.000000000 +0000
+++ telepathy-idle-0.1.11/debian/gbp.conf	2013-04-24 16:45:31.000000000 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian
+debian-branch = debian-wheezy
 upstream-branch = upstream
 pristine-tar = True
 
diff -Nru telepathy-idle-0.1.11/debian/patches/0002-Don-t-disable-parts-of-TLS-certificate-validation.patch telepathy-idle-0.1.11/debian/patches/0002-Don-t-disable-parts-of-TLS-certificate-validation.patch
--- telepathy-idle-0.1.11/debian/patches/0002-Don-t-disable-parts-of-TLS-certificate-validation.patch	1970-01-01 01:00:00.000000000 +0100
+++ telepathy-idle-0.1.11/debian/patches/0002-Don-t-disable-parts-of-TLS-certificate-validation.patch	2013-04-24 16:45:31.000000000 +0100
@@ -0,0 +1,28 @@
+From: Simon McVittie <s...@debian.org>
+Date: Wed, 24 Apr 2013 16:43:00 +0100
+Subject: Don't disable parts of TLS certificate validation
+
+This breaks one regression test, but is a simpler fix than was used
+upstream.
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=63810
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706094
+Forwarded: not-needed, fixed differently upstream
+---
+ src/idle-server-connection.c |    5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/src/idle-server-connection.c b/src/idle-server-connection.c
+index 5b8629c..8c8eeff 100644
+--- a/src/idle-server-connection.c
++++ b/src/idle-server-connection.c
+@@ -469,9 +469,4 @@ IdleServerConnectionState idle_server_connection_get_state(IdleServerConnection
+ void idle_server_connection_set_tls(IdleServerConnection *conn, gboolean tls) {
+ 	IdleServerConnectionPrivate *priv = IDLE_SERVER_CONNECTION_GET_PRIVATE(conn);
+ 	g_socket_client_set_tls(priv->socket_client, tls);
+-	g_socket_client_set_tls_validation_flags(priv->socket_client,
+-		G_TLS_CERTIFICATE_VALIDATE_ALL
+-		& ~G_TLS_CERTIFICATE_UNKNOWN_CA
+-		& ~G_TLS_CERTIFICATE_BAD_IDENTITY
+-		& ~G_TLS_CERTIFICATE_EXPIRED);
+ }
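Review bot: removing the g_socket_client_set_tls_validation_flags() call leaves the GSocketClient on its default flags, G_TLS_CERTIFICATE_VALIDATE_ALL, so unknown-CA, bad-identity and expired certificates are now rejected rather than silently accepted. That is the right fix for #706094, but it is worth stating in the patch description that the default is VALIDATE_ALL, since a reader of the five deleted lines otherwise has to check GIO to confirm that nothing else sets the flags. Note also that after this change idle_server_connection_set_tls() gives the user no way to accept a self-signed server certificate; that is exactly why the regression test built around a pre-generated self-signed certificate fails, and the patch header should say which test, so that anyone who does run the suite knows the failure is expected rather than a regression in the fix.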
diff -Nru telepathy-idle-0.1.11/debian/patches/series telepathy-idle-0.1.11/debian/patches/series
--- telepathy-idle-0.1.11/debian/patches/series	2011-11-02 07:12:25.000000000 +0000
+++ telepathy-idle-0.1.11/debian/patches/series	2013-04-24 16:45:31.000000000 +0100
@@ -1 +1,2 @@
 Support-trailing-parameter-without-a-initial.patch
+0002-Don-t-disable-parts-of-TLS-certificate-validation.patch
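Review bot: the new entry carries a 0002- prefix while the existing Support-trailing-parameter-without-a-initial.patch is unnumbered, so debian/patches/series now mixes two naming conventions. quilt applies patches in the order listed, so this is harmless, but for consistency either drop the prefix or renumber the existing patch as 0001- if gbp pq style numbering is wanted.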
