libesmtp does not check NULL bytes in commonNames of certificates

Debian Bug report logs - #572960
libesmtp does not check NULL bytes in commonNames of certificates

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libesmtp does not check NULL bytes in commonNames of certificates

Date: Sun, 07 Mar 2010 21:23:40 +0100

Package: libesmtp
Severity: grave
Tags: security

Kees Cook reported this on the oss-security mailing list:

http://www.openwall.com/lists/oss-security/2010/03/03/6

Cheers,
        Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-2-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Message #10 received at 572960@bugs.debian.org (full text, mbox, reply):

From: Alexander Sack <asac@ubuntu.com>

To: 572960@bugs.debian.org

Subject: #572960 - libesmtp does not check NULL bytes in commonNames of certificates

Date: Fri, 28 May 2010 03:29:42 +0200

Any update on this security issue?

 - Alexander

Message #15 received at 572960@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>

To: Alexander Sack <asac@ubuntu.com>, 572960@bugs.debian.org, 572960-submitter@bugs.debian.org

Subject: Re: Bug#572960: #572960 - libesmtp does not check NULL bytes in commonNames of certificates

Date: Fri, 28 May 2010 07:45:02 +0200

[Message part 1 (text/plain, inline)]

Hi all

On Fri, May 28, 2010 at 03:29:42AM +0200, Alexander Sack wrote:
> Any update on this security issue?

There was an ongoing discussion about that, in [1] still. RedHat
Bugtracker has two proposed patches too [2,3,4].

 [1] http://thread.gmane.org/gmane.comp.security.oss.general/2637
 [2] https://bugzilla.redhat.com/attachment.cgi?id=399130&action=diff
 [3] https://bugzilla.redhat.com/attachment.cgi?id=399131&action=diff
 [4] https://bugzilla.redhat.com/show_bug.cgi?id=571817

Some comments on this?

Bests
Salvatore

[signature.asc (application/pgp-signature, inline)]

Message #23 received at 572960@bugs.debian.org (full text, mbox, reply):

From: "Jeremy T. Bouse" <jbouse@debian.org>

To: 572960@bugs.debian.org

Cc: libesmtp@stafford.uklinux.net

Subject: Re: Bug#572960: #572960 - libesmtp does not check NULL bytes in commonNames of certificates

Date: Sun, 11 Jul 2010 16:00:39 -0400

[Message part 1 (text/plain, inline)]

forwarded 572960 libesmtp@stafford.uklinux.net
tags 572960 upstream
thanks

Brian,

	I've had this bug [1] filed and given a grave status as it relates to
NULL bytes in the commonNames of certificates. I've not tried to dig
into it myself as I'm not that familiar with it but was merely
forwarding it on to you to look into. This has been assigned
CVE-2010-1192 and shows vulnerable in every version of libESMTP that is
within the Debian mirrors (1.0.3 and 1.0.4).

	Regards,
	Jeremy

1. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572960

On 05/28/2010 01:45 AM, Salvatore Bonaccorso wrote:
> Hi all
> 
> On Fri, May 28, 2010 at 03:29:42AM +0200, Alexander Sack wrote:
>> Any update on this security issue?
> 
> There was an ongoing discussion about that, in [1] still. RedHat
> Bugtracker has two proposed patches too [2,3,4].
> 
>  [1] http://thread.gmane.org/gmane.comp.security.oss.general/2637
>  [2] https://bugzilla.redhat.com/attachment.cgi?id=399130&action=diff
>  [3] https://bugzilla.redhat.com/attachment.cgi?id=399131&action=diff
>  [4] https://bugzilla.redhat.com/show_bug.cgi?id=571817
> 
> Some comments on this?
> 
> Bests
> Salvatore

[signature.asc (application/pgp-signature, attachment)]

Message #32 received at 572960-close@bugs.debian.org (full text, mbox, reply):

From: jbouse@debian.org (Jeremy T. Bouse)

To: 572960-close@bugs.debian.org

Subject: Bug#572960: fixed in libesmtp 1.0.4-5

Date: Wed, 21 Jul 2010 04:17:07 +0000

Source: libesmtp
Source-Version: 1.0.4-5

We believe that the bug you reported is fixed in the latest version of
libesmtp, which is due to be installed in the Debian FTP archive:

libesmtp-dev_1.0.4-5_i386.deb
  to main/libe/libesmtp/libesmtp-dev_1.0.4-5_i386.deb
libesmtp5_1.0.4-5_i386.deb
  to main/libe/libesmtp/libesmtp5_1.0.4-5_i386.deb
libesmtp_1.0.4-5.diff.gz
  to main/libe/libesmtp/libesmtp_1.0.4-5.diff.gz
libesmtp_1.0.4-5.dsc
  to main/libe/libesmtp/libesmtp_1.0.4-5.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 572960@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jeremy T. Bouse <jbouse@debian.org> (supplier of updated libesmtp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 21 Jul 2010 00:00:47 -0400
Source: libesmtp
Binary: libesmtp5 libesmtp-dev
Architecture: source i386
Version: 1.0.4-5
Distribution: unstable
Urgency: low
Maintainer: Jeremy T. Bouse <jbouse@debian.org>
Changed-By: Jeremy T. Bouse <jbouse@debian.org>
Description: 
 libesmtp-dev - LibESMTP SMTP client library development files
 libesmtp5  - LibESMTP SMTP client library
Closes: 572960
Changes: 
 libesmtp (1.0.4-5) unstable; urgency=low
 .
   * debian/control: Updated Standards-Version to 3.9.0
   * Fixes for CVE-2010-1192 handling NULL bytes (Closes: #572960) -
     thanks to Jan Lieskovsky
Checksums-Sha1: 
 c05d78867d45011ac55f51a9c6596d8cf8a0b912 1214 libesmtp_1.0.4-5.dsc
 c88e3977cabe90e7b954a000bb73d5f7ec817b7b 9039 libesmtp_1.0.4-5.diff.gz
 ac8595f398f65bfd259e2288780cf6741314ecff 55730 libesmtp5_1.0.4-5_i386.deb
 45402e306c7690c4823356ed0a750203395d17f6 55690 libesmtp-dev_1.0.4-5_i386.deb
Checksums-Sha256: 
 15765108a5cb355d7f984c5ffa63148cbf4ff53e5bdf0c5c338ab0614910cb2d 1214 libesmtp_1.0.4-5.dsc
 48cf4125a396102d8c3c10e9591376a68f3a446b1c15b84403b37265949fba53 9039 libesmtp_1.0.4-5.diff.gz
 11c14f4ba64b182232a1db72bb930cc5e9e71417890d917b7d8df132e233b949 55730 libesmtp5_1.0.4-5_i386.deb
 18f6e36e6d9bf685d26992cd14d0fb3c82ab542b594b524220a0d2553ab4b982 55690 libesmtp-dev_1.0.4-5_i386.deb
Files: 
 99ba990448f47493bff28ab47e8d63ff 1214 libs optional libesmtp_1.0.4-5.dsc
 c070f91890cc6df0aa18dc2268ecddb3 9039 libs optional libesmtp_1.0.4-5.diff.gz
 e1c96530362294757aea613127828230 55730 libs optional libesmtp5_1.0.4-5_i386.deb
 ce402e8c48e69e91fd456e2801a9fdcc 55690 libdevel optional libesmtp-dev_1.0.4-5_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iF4EAREIAAYFAkxGc7oACgkQ8C9U2GaKnteBAQEAp1CR8JfrCY5PoMPVUvNV+b0y
RFvtqDix79uuWQ1ybGsBAMftpHYTLH1RDr/DnwuFEWvaWRKR/Aqno82rN61+3EZy
=XqBv
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.