Bug#693282: Fix for this?
On dim., 2013-04-21 at 13:40 +0200, Yann Leboulanger wrote:
> I don't know against what it applies, but not against the one in
> debian
> unstable.
This was against 0.15.1-4 from unstable.
> The first commit I listed seems to be already in your
> package.
But indeed it missed part of the diff. I've attached the correct one.
> But except from that, that seems good.
>
> I've not tested against squeeze 0.15 package though.
Yeah I didn't yet tried to work on Squeeze.
Regards,
--
Yves-Alexis
diff --git a/debian/changelog b/debian/changelog
index f5a3245..d995210 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+gajim (0.15.1-4.1) UNRELEASED; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * debian/patches:
+- 02_fix-cert-validation.diff added, fix certificate validation
+ (CVE-2012-5524) closes: #693282
+- 03_correctly-get-SSL-certificate and 04_store-all-ssl-errors added,
+ improve SSL/TLS handling.
+
+ -- Yves-Alexis Perez Wed, 17 Apr 2013 22:22:30 +0200
+
gajim (0.15.1-4) unstable; urgency=low
* apply patches using dpatch in debian/rules
diff --git a/debian/patches/00_connection_handlers.diff b/debian/patches/00_connection_handlers.diff
old mode 100644
new mode 100755
diff --git a/debian/patches/00list b/debian/patches/00list
index 98ad47e..5d106de 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -1,2 +1,5 @@
00_connection_handlers.diff
01_accel_group.diff
+02_fix-cert-validation.diff
+03_correctly-get-SSL-certificate.diff
+04_store-all-ssl-errors.diff
diff --git a/debian/patches/01_accel_group.diff b/debian/patches/01_accel_group.diff
old mode 100644
new mode 100755
diff --git a/debian/patches/02_fix-cert-validation.diff b/debian/patches/02_fix-cert-validation.diff
new file mode 100755
index 000..b74ede3
--- /dev/null
+++ b/debian/patches/02_fix-cert-validation.diff
@@ -0,0 +1,84 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 02_fix-cert-validation.diff by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: fix certificate validation
+#
+# Description: fix certificate validation
+# Author: Yann Leboulanger
+# Origin: upstream,https://trac.gajim.org/changeset/1d8caae49a31#file0
+# Last-Update: 2013-04-17
+
+@DPATCH@
+
+Index: gajim/src/common/connection.py
+===
+--- gajim/src/common/connection.py (revision 14377)
gajim/src/common/connection.py (revision 14379)
+@@ -1312,19 +1312,22 @@
+ errnum = con.Connection.ssl_errnum
+ except AttributeError:
+-errnum = -1 # we don't have an errnum
+-if errnum > 0 and str(errnum) not in gajim.config.get_per('accounts',
+-self.name, 'ignore_ssl_errors').split():
+-text = _('The authenticity of the %s certificate could be invalid.'
+-) % hostname
+-if errnum in ssl_error:
+-text += _('\nSSL Error: %s') % ssl_error[errnum]
+-else:
+-text += _('\nUnknown SSL error: %d') % errnum
+-gajim.nec.push_incoming_event(SSLErrorEvent(None, conn=self,
+-error_text=text, error_num=errnum,
+-cert=con.Connection.ssl_cert_pem,
+-fingerprint=con.Connection.ssl_fingerprint_sha1,
+-certificate=con.Connection.ssl_certificate))
+-return True
++errnum = [] # we don't have an errnum
++i = 0
++for er in errnum:
++if er > 0 and str(er) not in gajim.config.get_per('accounts',
++self.name, 'ignore_ssl_errors').split():
++text = _('The authenticity of the %s certificate could be '
++'invalid.') % hostname
++if er in ssl_error:
++text += _('\nSSL Error: %s') % ssl_error[er]
++else:
++text += _('\nUnknown SSL error: %d') % er
++gajim.nec.push_incoming_event(SSLErrorEvent(None, conn=self,
++error_text=text, error_num=er,
++cert=con.Connection.ssl_cert_pem[i],
++fingerprint=con.Connection.ssl_fingerprint_sha1[i],
++certificate=con.Connection.ssl_certificate[i]))
++return True
++i += 1
+ if hasattr(con.Connection, 'ssl_fingerprint_sha1'):
+ saved_fingerprint = gajim.config.get_per('accounts', self.name,
+@@ -1332,12 +1335,15 @@
+ if saved_fingerprint:
+ # Check sha1 fingerprint
+-if con.Connection.ssl_fingerprint_sha1 != saved_fingerprint:
++if con.Connection.ssl_fingerprint_sha1[-1] != saved_fingerprint:
+ gajim.nec.push_incoming_event(FingerprintErrorEvent(None,
+-conn=self, certificate=con.Connection.ssl_certificate,
+-new_f
Bug#693282: Fix for this?
On 04/21/2013 01:32 PM, Yves-Alexis Perez wrote: On ven., 2013-04-19 at 09:04 +0200, Yann Leboulanger wrote: On 04/17/2013 11:16 PM, Yves-Alexis Perez wrote: On jeu., 2013-04-04 at 07:40 +0200, Yves-Alexis Perez wrote: Hey, it seems that there's an upstream fix for this at https://trac.gajim.org/ticket/7252 / https://trac.gajim.org/changeset/1d8caae49a31 all those commits are needed to fix this issue: http://hg.gajim.org/gajim/rev/1d8caae49a31 http://hg.gajim.org/gajim/rev/6ab8ea2313aa http://hg.gajim.org/gajim/rev/d34a996f87b8 http://hg.gajim.org/gajim/rev/35a555c4a107 Thanks. Is the attached NMU ok for you? Moritz, what was the reason for the severity downgrade? Shouldn't we push this to Squeeze& Wheezy? I don't know against what it applies, but not against the one in debian unstable. The first commit I listed seems to be already in your package. But except from that, that seems good. I've not tested against squeeze 0.15 package though. -- Yann -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#693282: Fix for this?
On ven., 2013-04-19 at 09:04 +0200, Yann Leboulanger wrote:
> On 04/17/2013 11:16 PM, Yves-Alexis Perez wrote:
> > On jeu., 2013-04-04 at 07:40 +0200, Yves-Alexis Perez wrote:
> >> Hey,
> >>
> >> it seems that there's an upstream fix for this at
> >> https://trac.gajim.org/ticket/7252 /
> >> https://trac.gajim.org/changeset/1d8caae49a31
>
> all those commits are needed to fix this issue:
>
> http://hg.gajim.org/gajim/rev/1d8caae49a31
> http://hg.gajim.org/gajim/rev/6ab8ea2313aa
> http://hg.gajim.org/gajim/rev/d34a996f87b8
> http://hg.gajim.org/gajim/rev/35a555c4a107
>
Thanks. Is the attached NMU ok for you? Moritz, what was the reason for
the severity downgrade? Shouldn't we push this to Squeeze & Wheezy?
Regards,
--
Yves-Alexis
diff --git a/debian/changelog b/debian/changelog
index aa48c0b..d995210 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,8 @@ gajim (0.15.1-4.1) UNRELEASED; urgency=high
* debian/patches:
- 02_fix-cert-validation.diff added, fix certificate validation
(CVE-2012-5524) closes: #693282
+- 03_correctly-get-SSL-certificate and 04_store-all-ssl-errors added,
+ improve SSL/TLS handling.
-- Yves-Alexis Perez Wed, 17 Apr 2013 22:22:30 +0200
diff --git a/debian/patches/00_connection_handlers.diff b/debian/patches/00_connection_handlers.diff
old mode 100644
new mode 100755
diff --git a/debian/patches/00list b/debian/patches/00list
index 62b48a1..5d106de 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -1,3 +1,5 @@
00_connection_handlers.diff
01_accel_group.diff
02_fix-cert-validation.diff
+03_correctly-get-SSL-certificate.diff
+04_store-all-ssl-errors.diff
diff --git a/debian/patches/01_accel_group.diff b/debian/patches/01_accel_group.diff
old mode 100644
new mode 100755
diff --git a/debian/patches/03_correctly-get-SSL-certificate.diff b/debian/patches/03_correctly-get-SSL-certificate.diff
new file mode 100755
index 000..76e61d8
--- /dev/null
+++ b/debian/patches/03_correctly-get-SSL-certificate.diff
@@ -0,0 +1,50 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 03_correctly-get-SSL-certificate.diff by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: correctly get SSL certificate from nbxmpp. Fixes #7283
+#
+# Description: correctly get SSL certificate from nbxmpp. Fixes #7283
+# Author: Yann Leboulanger
+# Origin: upstream,https://trac.gajim.org/changeset/1d8caae49a31#file0
+# HG changeset patch
+# User Yann Leboulanger
+# Date 1356455919 -3600
+# Node ID 6ab8ea2313aa4a17f62d1811d334c8f44d1ef393
+# Parent 1d8caae49a31201a79529d2b81d231b06ce8c91c
+
+@DPATCH@
+
+diff -r 1d8caae49a31 -r 6ab8ea2313aa src/common/connection.py
+--- a/src/common/connection.py Sun Dec 23 17:48:11 2012 +0100
b/src/common/connection.py Tue Dec 25 18:18:39 2012 +0100
+@@ -1337,7 +1337,7 @@
+ if con.Connection.ssl_fingerprint_sha1[-1] != saved_fingerprint:
+ gajim.nec.push_incoming_event(FingerprintErrorEvent(None,
+ conn=self,
+-certificate=con.Connection.ssl_certificate,
++certificate=con.Connection.ssl_certificate[-1],
+ new_fingerprint=con.Connection.ssl_fingerprint_sha1[
+ -1]))
+ return True
+@@ -1345,8 +1345,8 @@
+ gajim.config.set_per('accounts', self.name,
+ 'ssl_fingerprint_sha1',
+ con.Connection.ssl_fingerprint_sha1[-1])
+-if not check_X509.check_certificate(con.Connection.ssl_certificate,
+-hostname) and '100' not in gajim.config.get_per('accounts',
++if not check_X509.check_certificate(con.Connection.ssl_certificate[
++-1], hostname) and '100' not in gajim.config.get_per('accounts',
+ self.name, 'ignore_ssl_errors').split():
+ txt = _('The authenticity of the %s certificate could be '
+ 'invalid.\nThe certificate does not cover this domain.') % \
+@@ -1355,7 +1355,7 @@
+ error_text=txt, error_num=100,
+ cert=con.Connection.ssl_cert_pem[-1],
+ fingerprint=con.Connection.ssl_fingerprint_sha1[-1],
+-certificate=con.Connection.ssl_certificate))
++certificate=con.Connection.ssl_certificate[-1]))
+ return True
+
+ self._register_handlers(con, con_type)
+
diff --git a/debian/patches/04_store-all-ssl-errors.diff b/debian/patches/04_store-all-ssl-errors.diff
new file mode 100755
index 000..456e831
--- /dev/null
+++ b/debian/patches/04_store-all-ssl-errors.diff
@@ -0,0 +1,64 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 04_store-all-ssl-errors.diff by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: store all SSL errors
+#
+# Description: store all SSL errors
+# Author: Yann L
Bug#693282: Fix for this?
On 04/17/2013 11:16 PM, Yves-Alexis Perez wrote: On jeu., 2013-04-04 at 07:40 +0200, Yves-Alexis Perez wrote: Hey, it seems that there's an upstream fix for this at https://trac.gajim.org/ticket/7252 / https://trac.gajim.org/changeset/1d8caae49a31 all those commits are needed to fix this issue: http://hg.gajim.org/gajim/rev/1d8caae49a31 http://hg.gajim.org/gajim/rev/6ab8ea2313aa http://hg.gajim.org/gajim/rev/d34a996f87b8 http://hg.gajim.org/gajim/rev/35a555c4a107 -- Yann -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#693282: Fix for this?
On jeu., 2013-04-04 at 07:40 +0200, Yves-Alexis Perez wrote: > Hey, > > it seems that there's an upstream fix for this at > https://trac.gajim.org/ticket/7252 / > https://trac.gajim.org/changeset/1d8caae49a31 > > I'm not too sure why the severity was downgraded since it really looks > bad at first sight. I don't have a test server with an expired > certificate so I can't really confirm the behavior but it looks like > adding the patch would be a good idea anyway. > > I guess I can prepare an NMU if needed. Ok, seems that just adding the patch is not enough, I get: Traceback (most recent call last): File "/usr/share/gajim/src/common/xmpp/idlequeue.py", line 533, in _process_events return IdleQueue._process_events(self, fd, flags) File "/usr/share/gajim/src/common/xmpp/idlequeue.py", line 394, in _process_events obj.pollin() File "/usr/share/gajim/src/common/xmpp/transports_nb.py", line 414, in pollin self._do_receive() File "/usr/share/gajim/src/common/xmpp/transports_nb.py", line 600, in _do_receive self._on_receive(received) File "/usr/share/gajim/src/common/xmpp/transports_nb.py", line 614, in _on_receive self.on_receive(data) File "/usr/share/gajim/src/common/xmpp/client_nb.py", line 310, in self.onreceive(lambda _data:self._xmpp_connect_machine(mode, _data)) File "/usr/share/gajim/src/common/xmpp/client_nb.py", line 365, in _xmpp_connect_machine self._xmpp_connect_machine(mode='STREAM_STARTED') File "/usr/share/gajim/src/common/xmpp/client_nb.py", line 368, in _xmpp_connect_machine self._on_stream_start() File "/usr/share/gajim/src/common/xmpp/client_nb.py", line 404, in _on_stream_start self._on_connect() File "/usr/share/gajim/src/common/xmpp/client_nb.py", line 441, in _on_connect self.on_connect(self, self.connected) File "/usr/share/gajim/src/common/connection.py", line 1285, in _connect_success return self.connection_accepted(con, con_type) File "/usr/share/gajim/src/common/connection.py", line 1317, in connection_accepted for er in errnum: TypeError: 'int' object is not iterable so it seems I might miss something else. Yann, any idea if there's something easily backportable for Wheezy and Squeeze? Also, afaict the bug is fixed in experimental. Regards, -- Yves-Alexis signature.asc Description: This is a digitally signed message part
Bug#693282: Fix for this?
Hey, it seems that there's an upstream fix for this at https://trac.gajim.org/ticket/7252 / https://trac.gajim.org/changeset/1d8caae49a31 I'm not too sure why the severity was downgraded since it really looks bad at first sight. I don't have a test server with an expired certificate so I can't really confirm the behavior but it looks like adding the patch would be a good idea anyway. I guess I can prepare an NMU if needed. Regards, -- Yves-Alexis signature.asc Description: This is a digitally signed message part
