[Pkg-gnutls-commits] r607 - in /packages/gnutls26/trunk/debian: changelog patches/20_GNUTLS-SA-2008-3.patch

ametzler at users.alioth.debian.org
Wed Nov 12 18:38:27 UTC 2008


Author: ametzler
Date: Wed Nov 12 18:38:27 2008
New Revision: 607

URL: http://svn.debian.org/wsvn/pkg-gnutls/?sc=1&rev=607
Log:
Fix a crash on trying to verify self-signed certificates introduced by the patch for CVE-2008-4989. #505279

Modified:
    packages/gnutls26/trunk/debian/changelog
    packages/gnutls26/trunk/debian/patches/20_GNUTLS-SA-2008-3.patch

Modified: packages/gnutls26/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/changelog?rev=607&op=diff
==============================================================================
--- packages/gnutls26/trunk/debian/changelog (original)
+++ packages/gnutls26/trunk/debian/changelog Wed Nov 12 18:38:27 2008
@@ -1,8 +1,9 @@
-gnutls26 (2.4.2-3) UNRELEASED; urgency=low
-
-  * NOT RELEASED YET
-
- -- Andreas Metzler <ametzler at debian.org>  Mon, 10 Nov 2008 20:09:16 +0100
+gnutls26 (2.4.2-3) unstable; urgency=low
+
+  * Fix a crash on trying to verify self-signed certificates introduced by the
+    patch for CVE-2008-4989. Closes: #505279
+
+ -- Andreas Metzler <ametzler at debian.org>  Wed, 12 Nov 2008 19:23:23 +0100
 
 gnutls26 (2.4.2-2) unstable; urgency=medium
 
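Review bot: The new 2.4.2-3 entry keeps `urgency=low` even though it fixes a crash introduced by the patch for CVE-2008-4989, while the preceding 2.4.2-2 upload was `urgency=medium`; consider raising the urgency so the regression fix does not lag behind. The entry should also say what changed in 20_GNUTLS-SA-2008-3.patch (the first verify.c hunk is dropped), because "Fix a crash" alone does not tell a reader whether the security fix itself was altered.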

Modified: packages/gnutls26/trunk/debian/patches/20_GNUTLS-SA-2008-3.patch
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/patches/20_GNUTLS-SA-2008-3.patch?rev=607&op=diff
==============================================================================
--- packages/gnutls26/trunk/debian/patches/20_GNUTLS-SA-2008-3.patch (original)
+++ packages/gnutls26/trunk/debian/patches/20_GNUTLS-SA-2008-3.patch Wed Nov 12 18:38:27 2008
@@ -1,37 +1,6 @@
-From 5c27c1a50cabe9db19afd114a56416bb78923fd3 Mon Sep 17 00:00:00 2001
-From: Martin von Gagern <Martin.vGagern at gmx.net>
-Date: Mon, 3 Nov 2008 13:35:13 +0100
-Subject: [PATCH] Drop self signed certificate from certificate chain before validating
- certificates. This avoids the penultimate certificate to get incorrectly
- trusted.
-
----
- lib/x509/verify.c |   22 +++++++++++-----------
- 1 files changed, 11 insertions(+), 11 deletions(-)
-
-diff --git a/lib/x509/verify.c b/lib/x509/verify.c
-index 041a450..8fa90dc 100644
---- a/lib/x509/verify.c
-+++ b/lib/x509/verify.c
-@@ -374,6 +374,17 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
-   int i = 0, ret;
-   unsigned int status = 0, output;
- 
-+  /* Check if the last certificate in the path is self signed.
-+   * In that case ignore it (a certificate is trusted only if it
-+   * leads to a trusted party by us, not the server's).
-+   */
-+  if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
-+				    certificate_list[clist_size - 1]) > 0
-+      && clist_size > 0)
-+    {
-+      clist_size--;
-+    }
-+
-   /* Verify the last certificate in the certificate path
-    * against the trusted CA certificate list.
-    *
-@@ -412,17 +423,6 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
+--- lib/x509/verify.c.origal	2008-11-11 18:46:43.000000000 +0000
++++ lib/x509/verify.c	2008-11-11 18:48:08.000000000 +0000
+@@ -414,17 +414,6 @@
      }
  #endif
  
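Review bot: The replacement header at `--- lib/x509/verify.c.origal` discards the upstream commit id, author and Subject, and with them the only description of what this patch is for; keep a short comment header that names the upstream origin and states that the first hunk (the `clist_size--` block inserted at line 374) was dropped on purpose. That dropped block evaluated `certificate_list[clist_size - 1]` before testing `clist_size > 0`, and for a chain consisting of a single self-signed certificate it reduced `clist_size` to 0 ahead of the code that verifies the last certificate in the path, which fits the crash reported in #505279. With only the deletion hunk at `@@ -414,17 +414,6 @@` left, the patch appears to remove the self-signed check rather than move it, so confirm that this is the intended behaviour for CVE-2008-4989 and record it in the header. The file paths also lost their `a/` and `b/` prefixes, so check that the patch is still applied with the matching strip level.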
@@ -49,6 +18,3 @@
    /* Verify the certificate path (chain) 
     */
    for (i = clist_size - 1; i > 0; i--)
--- 
-1.6.0.3
-



