[meego-commits] 5697: Changes to MeeGo:1.0:Core:Update:Testing/w3m

Kangkai Yin kangkai.yin at intel.com
Wed Jul 14 10:22:50 UTC 2010


Hi,
I have made the following changes to w3m in project MeeGo:1.0:Core:Update:Testing. Please review and accept ASAP.

Thank You,
Kangkai Yin

[This message was auto-generated]

---

Request #5697:

  submit:   home:kai:branches:MeeGo:1.0:Core:Update:Testing/w3m(r2)(cleanup) -> MeeGo:1.0:Core:Update:Testing/w3m


Message:
    Integrate two patches to fix CVE 2010-2074, BMC #3350

State:   new          2010-07-13T22:17:39 kai
Comment: None



changes files:
--------------
--- w3m.changes
+++ w3m.changes
@@ -0,0 +1,3 @@
+* Wed Jul 2010 Yin Kangkai <kangkai.yin at intel.com> - 0.5.2
+- Integrate two patch to fix CVE 2010-2074, BMC #3350
+
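Review bot: the changelog header `* Wed Jul 2010` is missing the day of the month, which the RPM changelog date format expects between the month and the year. The entry should also say what the two patches change for users (certificate verification on by default, SSLv2 forbidden by default), and writing the identifier in its canonical form, CVE-2010-2074, makes it searchable by advisory tooling.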

new:
----
  w3m-0.5.2-nulcn.patch
  w3m-0.5.2-ssl_verify_server_on.patch

spec files:
-----------
--- w3m.spec
+++ w3m.spec
@@ -29,6 +29,10 @@
 Patch21:  w3m-0.5.1-gcc4.patch
 Patch24:  w3m-0.5.2-multilib.patch
 
+# CVE 2010-2074, BMC #3350
+Patch25: w3m-0.5.2-nulcn.patch
+Patch26: w3m-0.5.2-ssl_verify_server_on.patch
+
 Summary:  A pager with Web browsing abilities
 Group:    Applications/Internet
 Provides:  webclient
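Review bot: the single comment above Patch25 and Patch26 names only the CVE and bug number, but the second patch (ssl_verify_server_on) changes runtime defaults rather than fixing the NUL handling itself. Give each patch line its own one-line comment stating what it does and where it came from. As a style point, `Patch25: ` and `Patch26: ` use one space after the colon while Patch21 and Patch24 use two.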
@@ -55,6 +59,8 @@
 %patch15 -p1
 %patch21 -p1
 %patch24 -p1
+%patch25 -p1
+%patch26 -p1
 
 %if %{with_utf8}
 pushd doc-jp

other changes:
--------------

++++++ w3m-0.5.2-nulcn.patch (new)
--- w3m-0.5.2-nulcn.patch
+++ w3m-0.5.2-nulcn.patch
+http://www.openwall.com/lists/oss-security/2010/06/14/4
+From: Ludwig Nussel [mailto:ludwig.nussel at suse.de]
+Sent: 2010年6月14日 19:25
+To: oss-security at lists.openwall.com
+Subject: [oss-security] CVE Request: w3m does not check null bytes
+CN/subjAltName
+
+Hi,
+
+Yet another occurrence of CVE-2009-2408, this time in w3m. I tried
+contacting the w3m developers listed on sourceforge but got no
+response. In the default configuration the missing null checks don't
+make the situation worse though as w3m doesn't verify certificates
+by default ('ssl_verify_server' is off by default). Attached two
+patches turn on 'ssl_verify_server' and fix the null handling.
+
+cu
+Ludwig
+
+
+Index: w3m-0.5.2/istream.c
+===================================================================
+--- w3m-0.5.2.orig/istream.c
++++ w3m-0.5.2/istream.c
+@@ -447,8 +447,17 @@ ssl_check_cert_ident(X509 * x, char *hos
+ 
+ 		    if (!seen_dnsname)
+ 			seen_dnsname = Strnew();
++		    /* replace \0 to make full string visible to user */
++		    if (sl != strlen(sn)) {
++			int i;
++			for (i = 0; i < sl; ++i) {
++			    if (!sn[i])
++				sn[i] = '!';
++			}
++		    }
+ 		    Strcat_m_charp(seen_dnsname, sn, " ", NULL);
+-		    if (ssl_match_cert_ident(sn, sl, hostname))
++		    if (sl == strlen(sn) /* catch \0 in SAN */
++			&& ssl_match_cert_ident(sn, sl, hostname))
+ 			break;
+ 		}
+ 	    }
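Review bot: the new guard `sl == strlen(sn)` in the match condition runs after the loop above it has already overwritten every embedded NUL in sn with '!', so, provided sn is terminated at sl, the two lengths are always equal by that point and the guard cannot reject anything. A NUL-bearing name is then refused only because the rewritten string contains '!' and so fails to match the hostname. Record the result once before the rewrite, for example `int has_nul = (sl != strlen(sn));`, and test `!has_nul && ssl_match_cert_ident(sn, sl, hostname)`. The loop also writes into sn in place; if that buffer belongs to the certificate object, rewrite a copy for display instead.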
+@@ -466,16 +475,27 @@ ssl_check_cert_ident(X509 * x, char *hos
+     if (match_ident == FALSE && ret == NULL) {
+ 	X509_NAME *xn;
+ 	char buf[2048];
++	int slen;
+ 
+ 	xn = X509_get_subject_name(x);
+ 
+-	if (X509_NAME_get_text_by_NID(xn, NID_commonName,
+-				      buf, sizeof(buf)) == -1)
++	slen = X509_NAME_get_text_by_NID(xn, NID_commonName, buf, sizeof(buf));
++	if ( slen == -1)
+ 	    /* FIXME: gettextize? */
+ 	    ret = Strnew_charp("Unable to get common name from peer cert");
+-	else if (!ssl_match_cert_ident(buf, strlen(buf), hostname))
++	else if (slen != strlen(buf)
++		|| !ssl_match_cert_ident(buf, strlen(buf), hostname)) {
++	    /* replace \0 to make full string visible to user */
++	    if (slen != strlen(buf)) {
++		int i;
++		for (i = 0; i < slen; ++i) {
++		    if (!buf[i])
++			buf[i] = '!';
++		}
++	    }
+ 	    /* FIXME: gettextize? */
+ 	    ret = Sprintf("Bad cert ident %s from %s", buf, hostname);
++	}
+ 	else
+ 	    match_ident = TRUE;
+     }
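Review bot: in the new else-if, `slen != strlen(buf)` compares an int with a size_t, and strlen(buf) is evaluated up to three times across the condition and the body. Take the length once into a local after the -1 check and reuse it, casting slen explicitly for the comparison. Here the NUL test is made before the '!' rewrite, so the rejection itself is effective; the comment `/* replace \0 to make full string visible to user */` could add that a mismatch in length is treated as a bad identity. Minor style: `if ( slen == -1)` has a stray space after the parenthesis.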

++++++ w3m-0.5.2-ssl_verify_server_on.patch (new)
--- w3m-0.5.2-ssl_verify_server_on.patch
+++ w3m-0.5.2-ssl_verify_server_on.patch
+http://www.openwall.com/lists/oss-security/2010/06/14/4
+From: Ludwig Nussel [mailto:ludwig.nussel at suse.de]
+Sent: 2010年6月14日 19:25
+To: oss-security at lists.openwall.com
+Subject: [oss-security] CVE Request: w3m does not check null bytes
+CN/subjAltName
+
+Hi,
+
+Yet another occurrence of CVE-2009-2408, this time in w3m. I tried
+contacting the w3m developers listed on sourceforge but got no
+response. In the default configuration the missing null checks don't
+make the situation worse though as w3m doesn't verify certificates
+by default ('ssl_verify_server' is off by default). Attached two
+patches turn on 'ssl_verify_server' and fix the null handling.
+
+cu
+Ludwig
+
+
+verify SSL certificates by default. SSL support really is pointless without doing that.
+Also disable use of SSLv2 by default as it's insecure, deprecated, dead since last century.
+Index: w3m-0.5.2/fm.h
+===================================================================
+--- w3m-0.5.2.orig/fm.h
++++ w3m-0.5.2/fm.h
+@@ -1120,7 +1120,7 @@ global int view_unseenobject init(TRUE);
+ #endif
+ 
+ #if defined(USE_SSL) && defined(USE_SSL_VERIFY)
+-global int ssl_verify_server init(FALSE);
++global int ssl_verify_server init(TRUE);
+ global char *ssl_cert_file init(NULL);
+ global char *ssl_key_file init(NULL);
+ global char *ssl_ca_path init(NULL);
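Review bot: `ssl_verify_server init(TRUE)` flips the default while the context lines leave ssl_ca_path at init(NULL), so the submission should state where trusted CA certificates come from on a default install. If no trust store is configured or picked up automatically, every HTTPS request would fail verification after this update. Please confirm the behaviour on a clean image and document the new default, and how to point w3m at a CA store, in the changelog or package documentation.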
+@@ -1129,7 +1129,7 @@ global int ssl_path_modified init(FALSE)
+ #endif				/* defined(USE_SSL) &&
+ 				 * defined(USE_SSL_VERIFY) */
+ #ifdef USE_SSL
+-global char *ssl_forbid_method init(NULL);
++global char *ssl_forbid_method init("2");
+ #endif
+ 
+ global int is_redisplay init(FALSE);
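Review bot: `ssl_forbid_method init("2")` introduces a magic string with no comment in the code; only the patch description explains that it disables SSLv2. Add a short comment next to the initializer saying what "2" stands for, so the meaning is visible to anyone reading fm.h. Since this changes which servers w3m can connect to by default, it also deserves a line in w3m.changes.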

