Bug#693282: Fix for this?
On dim., 2013-04-21 at 13:40 +0200, Yann Leboulanger wrote: > I don't know against what it applies, but not against the one in > debian > unstable. This was against 0.15.1-4 from unstable. > The first commit I listed seems to be already in your > package. But indeed it missed part of the diff. I've attached the correct one. > But except from that, that seems good. > > I've not tested against squeeze 0.15 package though. Yeah I didn't yet tried to work on Squeeze. Regards, -- Yves-Alexis diff --git a/debian/changelog b/debian/changelog index f5a3245..d995210 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +gajim (0.15.1-4.1) UNRELEASED; urgency=high + + * Non-maintainer upload by the Security Team. + * debian/patches: +- 02_fix-cert-validation.diff added, fix certificate validation + (CVE-2012-5524) closes: #693282 +- 03_correctly-get-SSL-certificate and 04_store-all-ssl-errors added, + improve SSL/TLS handling. + + -- Yves-Alexis Perez Wed, 17 Apr 2013 22:22:30 +0200 + gajim (0.15.1-4) unstable; urgency=low * apply patches using dpatch in debian/rules diff --git a/debian/patches/00_connection_handlers.diff b/debian/patches/00_connection_handlers.diff old mode 100644 new mode 100755 diff --git a/debian/patches/00list b/debian/patches/00list index 98ad47e..5d106de 100644 --- a/debian/patches/00list +++ b/debian/patches/00list @@ -1,2 +1,5 @@ 00_connection_handlers.diff 01_accel_group.diff +02_fix-cert-validation.diff +03_correctly-get-SSL-certificate.diff +04_store-all-ssl-errors.diff diff --git a/debian/patches/01_accel_group.diff b/debian/patches/01_accel_group.diff old mode 100644 new mode 100755 diff --git a/debian/patches/02_fix-cert-validation.diff b/debian/patches/02_fix-cert-validation.diff new file mode 100755 index 000..b74ede3 --- /dev/null +++ b/debian/patches/02_fix-cert-validation.diff 
@@ -0,0 +1,84 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 02_fix-cert-validation.diff by +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: fix certificate validation +# +# Description: fix certificate validation +# Author: Yann Leboulanger +# Origin: upstream,https://trac.gajim.org/changeset/1d8caae49a31#file0 +# Last-Update: 2013-04-17 + +@DPATCH@ + +Index: gajim/src/common/connection.py +=== +--- gajim/src/common/connection.py (revision 14377) gajim/src/common/connection.py (revision 14379) +@@ -1312,19 +1312,22 @@ + errnum = con.Connection.ssl_errnum + except AttributeError: +-errnum = -1 # we don't have an errnum +-if errnum > 0 and str(errnum) not in gajim.config.get_per('accounts', +-self.name, 'ignore_ssl_errors').split(): +-text = _('The authenticity of the %s certificate could be invalid.' +-) % hostname +-if errnum in ssl_error: +-text += _('\nSSL Error: %s') % ssl_error[errnum] +-else: +-text += _('\nUnknown SSL error: %d') % errnum +-gajim.nec.push_incoming_event(SSLErrorEvent(None, conn=self, +-error_text=text, error_num=errnum, +-cert=con.Connection.ssl_cert_pem, +-fingerprint=con.Connection.ssl_fingerprint_sha1, +-certificate=con.Connection.ssl_certificate)) +-return True ++errnum = [] # we don't have an errnum ++i = 0 ++for er in errnum: ++if er > 0 and str(er) not in gajim.config.get_per('accounts', ++self.name, 'ignore_ssl_errors').split(): ++text = _('The authenticity of the %s certificate could be ' ++'invalid.') % hostname ++if er in ssl_error: ++text += _('\nSSL Error: %s') % ssl_error[er] ++else: ++text += _('\nUnknown SSL error: %d') % er ++gajim.nec.push_incoming_event(SSLErrorEvent(None, conn=self, ++error_text=text, error_num=er, ++cert=con.Connection.ssl_cert_pem[i], ++fingerprint=con.Connection.ssl_fingerprint_sha1[i], ++certificate=con.Connection.ssl_certificate[i])) ++return True ++i += 1 + if hasattr(con.Connection, 'ssl_fingerprint_sha1'): + saved_fingerprint = gajim.config.get_per('accounts', 
self.name, +@@ -1332,12 +1335,15 @@ + if saved_fingerprint: + # Check sha1 fingerprint +-if con.Connection.ssl_fingerprint_sha1 != saved_fingerprint: ++if con.Connection.ssl_fingerprint_sha1[-1] != saved_fingerprint: + gajim.nec.push_incoming_event(FingerprintErrorEvent(None, +-conn=self, certificate=con.Connection.ssl_certificate, +-new_f
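Review bot: In the debian/changelog hunk the distribution is still UNRELEASED, and 03_correctly-get-SSL-certificate and 04_store-all-ssl-errors are described only as "improve SSL/TLS handling". Since 02_fix-cert-validation.diff makes connection.py iterate over `con.Connection.ssl_errnum` and index `ssl_cert_pem[i]`, `ssl_fingerprint_sha1[i]` and `ssl_certificate[i]`, that code only works once the storing side has been switched to lists, so the entry should say that 03 and 04 are required parts of the CVE-2012-5524 fix rather than an optional improvement, and the distribution needs to be set to the target suite before upload.

Review bot: The mode-only changes on 00_connection_handlers.diff and 01_accel_group.diff (100644 to 100755) are unrelated to the fix. A security NMU should carry the minimal diff, so either drop them or mention them in the changelog.

Review bot: In the @@ -1312,19 +1312,22 @@ hunk of 02_fix-cert-validation.diff, the `except AttributeError` fallback `errnum = []` turns "no error information available" into "no errors", so the loop reports nothing. That matches the old `errnum = -1` (which failed the `> 0` test), but it deserves a comment, because a transport that never set `ssl_errnum` now looks identical to one that verified the chain cleanly. Also, the loop does `return True` on the first non-ignored error, so `i += 1` is only reached for ignored or zero entries; that is fine for a one-dialog-at-a-time UI, but the patch title promises that all SSL errors are handled, so state it.

Review bot: In the @@ -1332,12 +1335,15 @@ hunk the fingerprint comparison uses `con.Connection.ssl_fingerprint_sha1[-1]`, while the loop above pairs each error with `ssl_fingerprint_sha1[i]`. The convention that the last list entry is the end-entity certificate is implicit and is established in the storing side (04_store-all-ssl-errors.diff), so a short comment at the `[-1]` would help the next backporter. The attachment is also cut off after `+new_f`, so the rest of this hunk cannot be reviewed from this message.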
Bug#693282: Fix for this?
On 04/21/2013 01:32 PM, Yves-Alexis Perez wrote:
> On ven., 2013-04-19 at 09:04 +0200, Yann Leboulanger wrote:
>> On 04/17/2013 11:16 PM, Yves-Alexis Perez wrote:
>>> On jeu., 2013-04-04 at 07:40 +0200, Yves-Alexis Perez wrote:
>>>> Hey,
>>>>
>>>> it seems that there's an upstream fix for this at
>>>> https://trac.gajim.org/ticket/7252 /
>>>> https://trac.gajim.org/changeset/1d8caae49a31
>>
>> all those commits are needed to fix this issue:
>>
>> http://hg.gajim.org/gajim/rev/1d8caae49a31
>> http://hg.gajim.org/gajim/rev/6ab8ea2313aa
>> http://hg.gajim.org/gajim/rev/d34a996f87b8
>> http://hg.gajim.org/gajim/rev/35a555c4a107
>
> Thanks. Is the attached NMU ok for you?
>
> Moritz, what was the reason for the severity downgrade? Shouldn't we
> push this to Squeeze & Wheezy?

I don't know against what it applies, but not against the one in debian
unstable.
The first commit I listed seems to be already in your package. But
except from that, that seems good.

I've not tested against squeeze 0.15 package though.

-- 
Yann

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#693282: Fix for this?
On ven., 2013-04-19 at 09:04 +0200, Yann Leboulanger wrote: > On 04/17/2013 11:16 PM, Yves-Alexis Perez wrote: > > On jeu., 2013-04-04 at 07:40 +0200, Yves-Alexis Perez wrote: > >> Hey, > >> > >> it seems that there's an upstream fix for this at > >> https://trac.gajim.org/ticket/7252 / > >> https://trac.gajim.org/changeset/1d8caae49a31 > > all those commits are needed to fix this issue: > > http://hg.gajim.org/gajim/rev/1d8caae49a31 > http://hg.gajim.org/gajim/rev/6ab8ea2313aa > http://hg.gajim.org/gajim/rev/d34a996f87b8 > http://hg.gajim.org/gajim/rev/35a555c4a107 > Thanks. Is the attached NMU ok for you? Moritz, what was the reason for the severity downgrade? Shouldn't we push this to Squeeze & Wheezy? Regards, -- Yves-Alexis diff --git a/debian/changelog b/debian/changelog index aa48c0b..d995210 100644 --- a/debian/changelog +++ b/debian/changelog @@ -4,6 +4,8 @@ gajim (0.15.1-4.1) UNRELEASED; urgency=high * debian/patches: - 02_fix-cert-validation.diff added, fix certificate validation (CVE-2012-5524) closes: #693282 +- 03_correctly-get-SSL-certificate and 04_store-all-ssl-errors added, + improve SSL/TLS handling. -- Yves-Alexis Perez Wed, 17 Apr 2013 22:22:30 +0200 diff --git a/debian/patches/00_connection_handlers.diff b/debian/patches/00_connection_handlers.diff old mode 100644 new mode 100755 diff --git a/debian/patches/00list b/debian/patches/00list index 62b48a1..5d106de 100644 --- a/debian/patches/00list +++ b/debian/patches/00list @@ -1,3 +1,5 @@ 00_connection_handlers.diff 01_accel_group.diff 02_fix-cert-validation.diff +03_correctly-get-SSL-certificate.diff +04_store-all-ssl-errors.diff diff --git a/debian/patches/01_accel_group.diff b/debian/patches/01_accel_group.diff old mode 100644 new mode 100755 diff --git a/debian/patches/03_correctly-get-SSL-certificate.diff b/debian/patches/03_correctly-get-SSL-certificate.diff new file mode 100755 index 000..76e61d8 --- /dev/null +++ b/debian/patches/03_correctly-get-SSL-certificate.diff 
@@ -0,0 +1,50 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 03_correctly-get-SSL-certificate.diff by +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: correctly get SSL certificate from nbxmpp. Fixes #7283 +# +# Description: correctly get SSL certificate from nbxmpp. Fixes #7283 +# Author: Yann Leboulanger +# Origin: upstream,https://trac.gajim.org/changeset/1d8caae49a31#file0 +# HG changeset patch +# User Yann Leboulanger +# Date 1356455919 -3600 +# Node ID 6ab8ea2313aa4a17f62d1811d334c8f44d1ef393 +# Parent 1d8caae49a31201a79529d2b81d231b06ce8c91c + +@DPATCH@ + +diff -r 1d8caae49a31 -r 6ab8ea2313aa src/common/connection.py +--- a/src/common/connection.py Sun Dec 23 17:48:11 2012 +0100 b/src/common/connection.py Tue Dec 25 18:18:39 2012 +0100 +@@ -1337,7 +1337,7 @@ + if con.Connection.ssl_fingerprint_sha1[-1] != saved_fingerprint: + gajim.nec.push_incoming_event(FingerprintErrorEvent(None, + conn=self, +-certificate=con.Connection.ssl_certificate, ++certificate=con.Connection.ssl_certificate[-1], + new_fingerprint=con.Connection.ssl_fingerprint_sha1[ + -1])) + return True +@@ -1345,8 +1345,8 @@ + gajim.config.set_per('accounts', self.name, + 'ssl_fingerprint_sha1', + con.Connection.ssl_fingerprint_sha1[-1]) +-if not check_X509.check_certificate(con.Connection.ssl_certificate, +-hostname) and '100' not in gajim.config.get_per('accounts', ++if not check_X509.check_certificate(con.Connection.ssl_certificate[ ++-1], hostname) and '100' not in gajim.config.get_per('accounts', + self.name, 'ignore_ssl_errors').split(): + txt = _('The authenticity of the %s certificate could be ' + 'invalid.\nThe certificate does not cover this domain.') % \ +@@ -1355,7 +1355,7 @@ + error_text=txt, error_num=100, + cert=con.Connection.ssl_cert_pem[-1], + fingerprint=con.Connection.ssl_fingerprint_sha1[-1], +-certificate=con.Connection.ssl_certificate)) ++certificate=con.Connection.ssl_certificate[-1])) + return True + + self._register_handlers(con, 
con_type) + diff --git a/debian/patches/04_store-all-ssl-errors.diff b/debian/patches/04_store-all-ssl-errors.diff new file mode 100755 index 000..456e831 --- /dev/null +++ b/debian/patches/04_store-all-ssl-errors.diff @@ -0,0 +1,64 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 04_store-all-ssl-errors.diff by +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: store all SSL errors +# +# Description: store all SSL errors +# Author: Yann L
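Review bot: In the debian/changelog hunk, 03 and 04 are listed as an improvement, but 02_fix-cert-validation.diff (already in this series) iterates over `ssl_errnum` as a list; the earlier traceback in this bug (`TypeError: 'int' object is not iterable` in connection_accepted) is exactly what happens when the consumer side is applied without the storing side. Please word the entry so it is clear that all three patches together constitute the CVE-2012-5524 fix, and note that the distribution is still UNRELEASED.

Review bot: In the header of 03_correctly-get-SSL-certificate.diff the DEP-3 `Origin:` line points at https://trac.gajim.org/changeset/1d8caae49a31#file0, but the embedded hg header says `Node ID 6ab8ea2313aa...` with `Parent 1d8caae49a31...`, so the Origin should reference 6ab8ea2313aa (http://hg.gajim.org/gajim/rev/6ab8ea2313aa, as listed earlier in this bug). The `Last-Update:` field present in 02_fix-cert-validation.diff is also missing here.

Review bot: The three hunks of 03 (@@ -1337, @@ -1345 and @@ -1355) consistently replace the bare `con.Connection.ssl_certificate` with `ssl_certificate[-1]`, which is the right fix once the attribute is a list: passing the whole list to `check_X509.check_certificate(..., hostname)` or to FingerprintErrorEvent would have hostname-checked and stored a list rather than the end-entity certificate. It would help to document at the first `[-1]` why the last element is the end-entity certificate; that invariant is set in the storing side and is not visible in this file.

Review bot: 04_store-all-ssl-errors.diff is cut off in the attachment after `# Author: Yann L`, so the storing side that 02 and 03 depend on (the list-valued `ssl_errnum`, `ssl_cert_pem`, `ssl_fingerprint_sha1` and `ssl_certificate`) cannot be reviewed from this message; please resend the complete NMU diff.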
Bug#693282: Fix for this?
On 04/17/2013 11:16 PM, Yves-Alexis Perez wrote:
> On jeu., 2013-04-04 at 07:40 +0200, Yves-Alexis Perez wrote:
>> Hey,
>>
>> it seems that there's an upstream fix for this at
>> https://trac.gajim.org/ticket/7252 /
>> https://trac.gajim.org/changeset/1d8caae49a31

all those commits are needed to fix this issue:

http://hg.gajim.org/gajim/rev/1d8caae49a31
http://hg.gajim.org/gajim/rev/6ab8ea2313aa
http://hg.gajim.org/gajim/rev/d34a996f87b8
http://hg.gajim.org/gajim/rev/35a555c4a107

-- 
Yann
Bug#693282: Fix for this?
On jeu., 2013-04-04 at 07:40 +0200, Yves-Alexis Perez wrote:
> Hey,
> 
> it seems that there's an upstream fix for this at
> https://trac.gajim.org/ticket/7252 /
> https://trac.gajim.org/changeset/1d8caae49a31
> 
> I'm not too sure why the severity was downgraded since it really looks
> bad at first sight. I don't have a test server with an expired
> certificate so I can't really confirm the behavior but it looks like
> adding the patch would be a good idea anyway.
> 
> I guess I can prepare an NMU if needed.

Ok, seems that just adding the patch is not enough, I get:

Traceback (most recent call last):
  File "/usr/share/gajim/src/common/xmpp/idlequeue.py", line 533, in _process_events
    return IdleQueue._process_events(self, fd, flags)
  File "/usr/share/gajim/src/common/xmpp/idlequeue.py", line 394, in _process_events
    obj.pollin()
  File "/usr/share/gajim/src/common/xmpp/transports_nb.py", line 414, in pollin
    self._do_receive()
  File "/usr/share/gajim/src/common/xmpp/transports_nb.py", line 600, in _do_receive
    self._on_receive(received)
  File "/usr/share/gajim/src/common/xmpp/transports_nb.py", line 614, in _on_receive
    self.on_receive(data)
  File "/usr/share/gajim/src/common/xmpp/client_nb.py", line 310, in
    self.onreceive(lambda _data:self._xmpp_connect_machine(mode, _data))
  File "/usr/share/gajim/src/common/xmpp/client_nb.py", line 365, in _xmpp_connect_machine
    self._xmpp_connect_machine(mode='STREAM_STARTED')
  File "/usr/share/gajim/src/common/xmpp/client_nb.py", line 368, in _xmpp_connect_machine
    self._on_stream_start()
  File "/usr/share/gajim/src/common/xmpp/client_nb.py", line 404, in _on_stream_start
    self._on_connect()
  File "/usr/share/gajim/src/common/xmpp/client_nb.py", line 441, in _on_connect
    self.on_connect(self, self.connected)
  File "/usr/share/gajim/src/common/connection.py", line 1285, in _connect_success
    return self.connection_accepted(con, con_type)
  File "/usr/share/gajim/src/common/connection.py", line 1317, in connection_accepted
    for er in errnum:
TypeError: 'int' object is not iterable

so it seems I might miss something else.

Yann, any idea if there's something easily backportable for Wheezy and
Squeeze?

Also, afaict the bug is fixed in experimental.

Regards,
-- 
Yves-Alexis
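The traceback above is what happens when the consumer side (connection.py) is patched to iterate over ssl_errnum while the storing side still records a single integer. The following Python block is an added example for this thread, not code from gajim or nbxmpp and not part of the bug report: it simulates a chain verify callback on a constructed three-certificate chain (the subjects, fingerprints and which OpenSSL error is reported at which depth are assumptions) to show what a single integer slot loses, why the list-expecting consumer fails with TypeError against the unpatched storing side, and how a list keeps every per-certificate error paired with its fingerprint.

```python
# Added example (not gajim/nbxmpp code): simulate an OpenSSL-style chain
# verify callback and the two ways of recording its per-certificate result.
# Chain contents, fingerprints and which error appears at which depth are
# constructed assumptions for illustration.

# OpenSSL X509_V_ERR_* values for the errors used below.
X509_V_OK = 0
X509_V_ERR_CERT_HAS_EXPIRED = 10
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19

SSL_ERROR_TEXT = {
    X509_V_ERR_CERT_HAS_EXPIRED: 'certificate has expired',
    X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
        'self signed certificate in certificate chain',
}

# Constructed chain in the order the verify callback sees it: OpenSSL calls
# the callback once per certificate, deepest (root) first, leaf (depth 0) last.
# Entries are (depth, subject, errnum, sha1 fingerprint).
CONSTRUCTED_CHAIN = [
    (2, 'CN=Example Root CA', X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, 'aa:aa'),
    (1, 'CN=Example Intermediate CA', X509_V_ERR_CERT_HAS_EXPIRED, 'bb:bb'),
    (0, 'CN=xmpp.example.org', X509_V_OK, 'cc:cc'),
]


class SingleSlotConnection(object):
    """Storing side before the fix: one slot, overwritten on every call."""

    def __init__(self):
        self.ssl_errnum = 0
        self.ssl_fingerprint_sha1 = None

    def verify_callback(self, depth, subject, errnum, fingerprint):
        self.ssl_errnum = errnum                 # the leaf's OK wins
        self.ssl_fingerprint_sha1 = fingerprint
        return True  # keep the handshake going; the application decides later


class AllErrorsConnection(object):
    """Storing side after the fix: every per-depth result is kept, in order."""

    def __init__(self):
        self.ssl_errnum = []
        self.ssl_fingerprint_sha1 = []

    def verify_callback(self, depth, subject, errnum, fingerprint):
        self.ssl_errnum.append(errnum)
        self.ssl_fingerprint_sha1.append(fingerprint)
        return True


def run_handshake(conn, chain=CONSTRUCTED_CHAIN):
    """Feed the constructed chain to the connection's callback, root first."""
    for depth, subject, errnum, fingerprint in chain:
        conn.verify_callback(depth, subject, errnum, fingerprint)
    return conn


def patched_consumer_crashes(conn):
    """True if a consumer written for a list (as in the patch) is run
    against a storing side that still records a single int."""
    try:
        for _ in conn.ssl_errnum:
            pass
    except TypeError:
        return True
    return False


def pending_errors(conn, ignore_ssl_errors=''):
    """Consumer that tolerates both shapes. Returns the (errnum, text,
    fingerprint) triples that are not whitelisted, mirroring the
    'str(er) not in ignore_ssl_errors.split()' test from the patch."""
    errs, fps = conn.ssl_errnum, conn.ssl_fingerprint_sha1
    if isinstance(errs, int):    # old storing side: at most one error survives
        errs, fps = [errs], [fps]
    ignored = ignore_ssl_errors.split()
    out = []
    for i, er in enumerate(errs):
        if er > 0 and str(er) not in ignored:
            text = SSL_ERROR_TEXT.get(er, 'Unknown SSL error: %d' % er)
            out.append((er, text, fps[i]))
    return out


if __name__ == '__main__':
    old = run_handshake(SingleSlotConnection())
    new = run_handshake(AllErrorsConnection())
    print('single slot sees:', pending_errors(old))   # [] -> chain accepted
    print('list sees:', pending_errors(new))
    print('patched consumer on old transport crashes:',
          patched_consumer_crashes(old))
```

With the single slot, the leaf's clean result overwrites the expired intermediate and the untrusted root, so the consumer sees no error at all; with the list, both errors survive together with the fingerprint of the certificate they belong to, and the last entry is the end-entity certificate, which is what the `[-1]` indexing in the patches relies on.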
Bug#693282: Fix for this?
Hey,

it seems that there's an upstream fix for this at
https://trac.gajim.org/ticket/7252 /
https://trac.gajim.org/changeset/1d8caae49a31

I'm not too sure why the severity was downgraded since it really looks
bad at first sight. I don't have a test server with an expired
certificate so I can't really confirm the behavior but it looks like
adding the patch would be a good idea anyway.

I guess I can prepare an NMU if needed.

Regards,
-- 
Yves-Alexis