diff --git a/kdelibs-3.5.10-CVE-2009-2702.patch b/kdelibs-3.5.10-CVE-2009-2702.patch
new file mode 100644
index 0000000..e6f06a7
--- /dev/null
+++ b/kdelibs-3.5.10-CVE-2009-2702.patch
@@ -0,0 +1,62 @@
+diff -pruN kdelibs-3.5.4.orig/kio/kssl/kopenssl.cc kdelibs-3.5.4/kio/kssl/kopenssl.cc
+--- kdelibs-3.5.4.orig/kio/kssl/kopenssl.cc 2009-08-31 20:50:12.000000000 +0200
++++ kdelibs-3.5.4/kio/kssl/kopenssl.cc 2009-08-31 21:46:47.000000000 +0200
+@@ -196,6 +196,7 @@ static int (*K_X509_NAME_add_entry_by_tx
+ static X509_NAME *(*K_X509_NAME_new)() = 0L;
+ static int (*K_X509_REQ_set_subject_name)(X509_REQ*,X509_NAME*) = 0L;
+ static unsigned char *(*K_ASN1_STRING_data)(ASN1_STRING*) = 0L;
++static int (*K_ASN1_STRING_length)(ASN1_STRING*) = 0L;
+ static STACK_OF(SSL_CIPHER) *(*K_SSL_get_ciphers)(const SSL *ssl) = 0L;
+ 
+ #endif
+@@ -498,6 +499,7 @@ KConfig *cfg;
+ K_X509_NAME_new = (X509_NAME *(*)()) _cryptoLib->symbol("X509_NAME_new");
+ K_X509_REQ_set_subject_name = (int (*)(X509_REQ*,X509_NAME*)) _cryptoLib->symbol("X509_REQ_set_subject_name");
+ K_ASN1_STRING_data = (unsigned char *(*)(ASN1_STRING*)) _cryptoLib->symbol("ASN1_STRING_data");
++ K_ASN1_STRING_length = (int (*)(ASN1_STRING*)) _cryptoLib->symbol("ASN1_STRING_length");
+ #endif
+ }
+ 
+@@ -1549,6 +1551,13 @@ unsigned char *KOpenSSLProxy::ASN1_STRIN
+ return 0L;
+ }
+ 
++
++int KOpenSSLProxy::ASN1_STRING_length(ASN1_STRING *x) {
++ if (K_ASN1_STRING_length) return (K_ASN1_STRING_length)(x);
++ return 0L;
++}
++
++
+ STACK_OF(SSL_CIPHER) *KOpenSSLProxy::SSL_get_ciphers(const SSL* ssl) {
+ if (K_SSL_get_ciphers) return (K_SSL_get_ciphers)(ssl);
+ return 0L;
+diff -pruN kdelibs-3.5.4.orig/kio/kssl/kopenssl.h kdelibs-3.5.4/kio/kssl/kopenssl.h
+--- kdelibs-3.5.4.orig/kio/kssl/kopenssl.h 2006-07-22 10:16:39.000000000 +0200
++++ kdelibs-3.5.4/kio/kssl/kopenssl.h 2009-08-31 21:46:47.000000000 +0200
+@@ -622,6 +622,11 @@ public:
+ unsigned char *ASN1_STRING_data(ASN1_STRING *x);
+ 
+ /*
++ * ASN1_STRING_length
++ */
++ int ASN1_STRING_length(ASN1_STRING *x);
++
++ /*
+ *
+ */
+ int OBJ_obj2nid(ASN1_OBJECT *o);
+diff -pruN kdelibs-3.5.4.orig/kio/kssl/ksslcertificate.cc kdelibs-3.5.4/kio/kssl/ksslcertificate.cc
+--- kdelibs-3.5.4.orig/kio/kssl/ksslcertificate.cc 2006-01-19 18:06:12.000000000 +0100
++++ kdelibs-3.5.4/kio/kssl/ksslcertificate.cc 2009-08-31 21:54:38.000000000 +0200
+@@ -1099,7 +1099,9 @@ QStringList KSSLCertificate::subjAltName
+ }
+ 
+ QString s = (const char *)d->kossl->ASN1_STRING_data(val->d.ia5);
+- if (!s.isEmpty()) {
++ if (!s.isEmpty() &&
++ /* skip subjectAltNames with embedded NULs */
++ s.length() == d->kossl->ASN1_STRING_length(val->d.ia5)) {
+ rc += s;
+ }
+ }
diff --git a/kdelibs3.spec b/kdelibs3.spec
index 4dd736e..e17f1b5 100644
--- a/kdelibs3.spec
+++ b/kdelibs3.spec
@@ -36,7 +36,7 @@ Summary: K Desktop Environment 3 - Libraries Version: 3.5.10 -Release: 13%{?dist} +Release: 13%{?dist}.1 %if 0%{?fedora} > 8 Name: kdelibs3
@@ -108,6 +108,8 @@ Patch202: kdelibs-3.5.4-CVE-2009-1687.patch Patch203: kdelibs-3.5.4-CVE-2009-1690.patch # fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling Patch204: kdelibs-3.5.10-cve-2009-1698.patch +# fix CVE-2009-2702 - ssl incorrect verification of SSL certificate with NUL in subjectAltName +Patch205: kdelibs-3.5.10-CVE-2009-2702.patch #{?arts:Requires: arts >= %{arts_ev}} #Requires: %{qt3} >= %{qt3_ev}
@@ -289,6 +291,7 @@ format for easy browsing %patch202 -p1 -b .cve-2009-1687 %patch203 -p1 -b .cve-2009-1690 %patch204 -p1 -b .cve-2009-1698 +%patch205 -p1 -b .cve-2009-2702 sed -i -e "s,^#define KDE_VERSION_STRING .*,#define KDE_VERSION_STRING \"%{version}-%{release} %{distname}\"," kdecore/kdeversion.h
@@ -640,6 +643,9 @@ touch --no-create %{_datadir}/icons/crystalsvg 2> /dev/null || : %changelog +* Sun Sep 06 2009 Kevin Kofler - 3.5.10-13.1 +- fix for CVE-2009-2702 + * Sun Jul 26 2009 Kevin Kofler - 3.5.10-13 - fix CVE-2009-2537 - select length DoS - fix CVE-2009-1725 - crash, possible ACE in numeric character references
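Review bot: In the ksslcertificate.cc hunk of the added patch, the embedded-NUL test compares `s.length()`, a character count taken after `QString(const char *)` has already scanned to the first NUL, with the byte count from `ASN1_STRING_length`. It therefore relies on the buffer being NUL-terminated and on one byte mapping to exactly one character, and it mixes an unsigned length with an `int`. A bounded byte-level test on the raw buffer before the string is built states the intent directly, as sketched below; confirm that `QString::fromLatin1` is an acceptable conversion for this IA5 field. The new `KOpenSSLProxy::ASN1_STRING_length` returns 0 when the symbol is unresolved, which makes this caller drop every name; that fail-closed result deserves a comment such as `/* 0 if libcrypto lacks the symbol; callers then reject the name */`. `subjAltNames` begins and ends outside the hunk, so whether other name-matching paths need the same guard cannot be judged from here.

```cpp
// … unchanged: code before the ASN1_STRING_data call …
const char *raw = (const char *)d->kossl->ASN1_STRING_data(val->d.ia5);
const int rawLen = d->kossl->ASN1_STRING_length(val->d.ia5);
/* skip subjectAltNames that are empty or carry an embedded NUL */
if (raw && rawLen > 0 && !memchr(raw, 0, rawLen)) {
    rc += QString::fromLatin1(raw, rawLen);
}
```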