File fetchmail-CVE-2009-2666.patch of Package fetchmail

Overview Repositories Revisions Requests Users Attributes Meta

File fetchmail-CVE-2009-2666.patch of Package fetchmail

Index: socket.c
===================================================================
--- socket.c.orig	2008-01-31 10:14:34.000000000 +0100
+++ socket.c	2009-08-06 14:02:39.000000000 +0200
@@ -629,6 +629,12 @@ static int SSL_verify_callback( int ok_r
 				report(stderr, GT_("Bad certificate: Subject CommonName too long!\n"));
 				return (0);
 			}
+			if ((size_t)i > strlen(buf)) {
+				/* Name contains embedded NUL characters, so we complain. This is likely
+				 * a certificate spoofing attack. */
+				report(stderr, GT_("Bad certificate: Subject CommonName contains NUL, aborting!\n"));
+				return 0;
+			}
 			if (_ssl_server_cname != NULL) {
 				char *p1 = buf;
 				char *p2 = _ssl_server_cname;
@@ -640,12 +646,19 @@ static int SSL_verify_callback( int ok_r
 				 * first find a match among alternative names */
 				gens = X509_get_ext_d2i(x509_cert, NID_subject_alt_name, NULL, NULL);
 				if (gens) {
-					int i, r;
-					for (i = 0, r = sk_GENERAL_NAME_num(gens); i < r; ++i) {
-						const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
+					int j, r;
+					for (j = 0, r = sk_GENERAL_NAME_num(gens); j < r; ++j) {
+						const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, j);
 						if (gn->type == GEN_DNS) {
 							char *p1 = (char *)gn->d.ia5->data;
 							char *p2 = _ssl_server_cname;
+							/* Name contains embedded NUL characters, so we complain. This
+							 * is likely a certificate spoofing attack. */
+							if ((size_t)gn->d.ia5->length != strlen(p1)) {
+								report(stderr, GT_("Bad certificate: Subject Alternative Name contains NUL, aborting!\n"));
+								sk_GENERAL_NAME_free(gens);
+								return 0;
+							}
 							if (outlevel >= O_VERBOSE)
 								report(stderr, "Subject Alternative Name: %s\n", p1);
 							if (*p1 == '*') {

Places

File fetchmail-CVE-2009-2666.patch of Package fetchmail

Places