- fix chain verification issue CVE-2008-4989 (#470079)

2008-11-11 12:12:17 +00:00 · 2008-11-11 12:12:17 +00:00 · 202be7c37f
parent 4b31e92e95
commit 202be7c37f
2 changed files with 45 additions and 1 deletions
--- a/gnutls-1.4.1-cve-2008-4989.patch
+++ b/gnutls-1.4.1-cve-2008-4989.patch
@ -0,0 +1,39 @@
+diff -up gnutls-1.4.1/lib/x509/verify.c.chain-verify gnutls-1.4.1/lib/x509/verify.c
+--- gnutls-1.4.1/lib/x509/verify.c.chain-verify	2008-11-11 10:55:19.000000000 +0100
+++ gnutls-1.4.1/lib/x509/verify.c	2008-11-11 10:58:54.000000000 +0100
+@@ -379,6 +379,17 @@ _gnutls_x509_verify_certificate (const g
+   int i = 0, ret;
+   unsigned int status = 0, output;
+ 
+  /* Check if the last certificate in the path is self signed.
+   * In that case ignore it (a certificate is trusted only if it
+   * leads to a trusted party by us, not the server's).
+   */
+  if (clist_size > 1 &&
+      gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
+				    certificate_list[clist_size - 1]) > 0)
+    {
+      clist_size--;
+    }
+
+   /* Verify the last certificate in the certificate path
+    * against the trusted CA certificate list.
+    *
+@@ -417,17 +428,6 @@ _gnutls_x509_verify_certificate (const g
+     }
+ #endif
+ 
+-  /* Check if the last certificate in the path is self signed.
+-   * In that case ignore it (a certificate is trusted only if it
+-   * leads to a trusted party by us, not the server's).
+-   */
+-  if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
+-				    certificate_list[clist_size - 1]) > 0
+-      && clist_size > 0)
+-    {
+-      clist_size--;
+-    }
+-
+   /* Verify the certificate path (chain) 
+    */
+   for (i = clist_size - 1; i > 0; i--)
--- a/gnutls.spec
+++ b/gnutls.spec
@ -1,7 +1,7 @@
 Summary: A TLS protocol implementation
 Name: gnutls
 Version: 2.4.2
-Release: 2%{?dist}
+Release: 3%{?dist}
 # The libgnutls library is LGPLv2+, utilities and remaining libraries are GPLv3+
 License: GPLv3+ and LGPLv2+
 Group: System Environment/Libraries
@ -16,6 +16,7 @@ URL: http://www.gnutls.org/
 Source0: %{name}-%{version}-nosrp.tar.bz2
 Source1: libgnutls-config
 Patch1: gnutls-2.4.0-nosrp.patch
+Patch5: gnutls-1.4.1-cve-2008-4989.patch

 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: libgcrypt >= 1.2.2
@ -68,6 +69,7 @@ This package contains Guile bindings for the library.
 %prep
 %setup -q
 %patch1 -p1 -b .nosrp
+%patch5 -p1 -b .chain-verify

 for i in auth_srp_rsa.c auth_srp_sb64.c auth_srp_passwd.c auth_srp.c gnutls_srp.c ext_srp.c; do
    touch lib/$i
@ -148,6 +150,9 @@ fi
 %{_datadir}/guile/site/gnutls.scm

 %changelog
+* Tue Nov 11 2008 Tomas Mraz <tmraz@redhat.com> 2.4.2-3
+- fix chain verification issue CVE-2008-4989 (#470079)
+
 * Thu Sep 25 2008 Tomas Mraz <tmraz@redhat.com> 2.4.2-2
 - add guile subpackage (#463735)
 - force new libtool through autoreconf to drop unnecessary rpaths