CVE-2010-2074

Debian Bug report logs - #587445

Package: w3m; Maintainer for w3m is Tatsuya Kinoshita <tats@debian.org>; Source for w3m is src:w3m (PTS, buildd, popcon).

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Mon, 28 Jun 2010 17:33:02 UTC

Severity: grave

Tags: patch, security

Fixed in version w3m/0.5.2-5

Done: Tatsuya Kinoshita <tats@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Tatsuya Kinoshita <tats@debian.org>:
Bug#587445; Package w3m. (Mon, 28 Jun 2010 17:33:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Tatsuya Kinoshita <tats@debian.org>. (Mon, 28 Jun 2010 17:33:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-2074
Date: Mon, 28 Jun 2010 19:31:07 +0200
Package: w3m
Severity: grave
Tags: security

Hi,
several applications fail to correct SSL certificates properly
and w3m is among them:
http://www.openwall.com/lists/oss-security/2010/06/14/4

This has been assigned CVE-2010-2074.

The impact of this bug doesn't warrant a DSA, but you can still
fix it in Lenny through a stable point update:
http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

Cheers,
        Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages w3m depends on:
ii  libc6                   2.10.2-9         Embedded GNU C Library: Shared lib
pn  libgc1c2                <none>           (no description available)
ii  libgpm2                 1.20.4-3.3       General Purpose Mouse - shared lib
ii  libncurses5             5.7+20100313-2   shared libraries for terminal hand
ii  libssl0.9.8             0.9.8n-1         SSL shared libraries
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

Versions of packages w3m recommends:
ii  ca-certificates               20090814   Common CA certificates

Versions of packages w3m suggests:
ii  man-db                        2.5.7-3    on-line manual pager
ii  menu                          2.1.43     generates programs menu for all me
pn  migemo                        <none>     (no description available)
ii  mime-support                  3.48-1     MIME files 'mime.types' & 'mailcap
pn  w3m-el                        <none>     (no description available)
pn  w3m-img                       <none>     (no description available)




Information forwarded to debian-bugs-dist@lists.debian.org, Tatsuya Kinoshita <tats@debian.org>:
Bug#587445; Package w3m. (Sat, 03 Jul 2010 05:39:03 GMT)


Acknowledgement sent to d+deb@vdr.jp:
Extra info received and forwarded to list. Copy sent to Tatsuya Kinoshita <tats@debian.org>. (Sat, 03 Jul 2010 05:39:03 GMT)


Message #10 received at 587445@bugs.debian.org:

From: d+deb@vdr.jp
To: 587445@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: CVE-2010-2074
Date: Sat, 3 Jul 2010 14:37:35 +0900
[Message part 1 (text/plain, inline)]
tags 587445 + patch
thanks

CVE-2010-2074 w3m: doesn't handle NULL in Common Name properly
https://bugzilla.redhat.com/show_bug.cgi?id=604855#c2
> check for null bytes in CN/subjAltName
> 
> Patch provided by Ludwig Nussel from the SUSE security team.
-- 
Regards,
	dai

GPG Fingerprint = 0B29 D88E 42E6 B765 B8D8 EA50 7839 619D D439 668E
[signature.asc (application/pgp-signature, inline)]

Added tag(s) patch. Request was from d+deb@vdr.jp to control@bugs.debian.org. (Sat, 03 Jul 2010 05:39:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#587445; Package w3m. (Sat, 03 Jul 2010 12:51:04 GMT)


Acknowledgement sent to Tatsuya Kinoshita <tats@debian.org>:
Extra info received and forwarded to list. (Sat, 03 Jul 2010 12:51:05 GMT)


Message #17 received at 587445@bugs.debian.org:

From: Tatsuya Kinoshita <tats@debian.org>
To: jmm@debian.org, 587445@bugs.debian.org
Cc: debian-release@lists.debian.org
Subject: Re: Bug#587445: CVE-2010-2074
Date: Sat, 03 Jul 2010 21:45:41 +0900 (JST)
[Message part 1 (text/plain, inline)]
On June 28, 2010 at 7:31PM +0200,
jmm (at debian.org) wrote:

> Package: w3m
> Severity: grave
> Tags: security
>
> Hi,
> several applications fail to correct SSL certificates properly
> and w3m is among them:
> http://www.openwall.com/lists/oss-security/2010/06/14/4
>
> This has been assigned CVE-2010-2074.
>
> The impact of this bug doesn't warrant a DSA, but you can still
> fix it in Lenny through a stable point update:
> http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

OK, I'll upload w3m 0.5.2-2+lenny1 to stable with the attached patch.

 w3m (0.5.2-2+lenny1) stable; urgency=high
 .
   * debian/patches/60_check-null-cn.patch: Patch to check for null bytes
     in CN/subjAltName, provided by Ludwig Nussel. [CVE-2010-2074]

Thanks,
--
Tatsuya Kinoshita
[w3m-0.5.2-2+lenny1.patch (text/x-patch, inline)]
diff -urN w3m-0.5.2-2/debian/changelog w3m-0.5.2/debian/changelog
--- w3m-0.5.2-2/debian/changelog	2010-07-03 20:52:47.000000000 +0900
+++ w3m-0.5.2/debian/changelog	2010-07-03 20:54:45.000000000 +0900
@@ -1,3 +1,10 @@
+w3m (0.5.2-2+lenny1) stable; urgency=high
+
+  * debian/patches/60_check-null-cn.patch: Patch to check for null bytes
+    in CN/subjAltName, provided by Ludwig Nussel. [CVE-2010-2074]
+
+ -- Tatsuya Kinoshita <tats@debian.org>  Sat, 03 Jul 2010 20:53:06 +0900
+
 w3m (0.5.2-2) unstable; urgency=low

   * debian/control:
diff -urN w3m-0.5.2-2/debian/patches/60_check-null-cn.patch w3m-0.5.2/debian/patches/60_check-null-cn.patch
--- w3m-0.5.2-2/debian/patches/60_check-null-cn.patch	1970-01-01 09:00:00.000000000 +0900
+++ w3m-0.5.2/debian/patches/60_check-null-cn.patch	2010-07-03 18:40:03.000000000 +0900
@@ -0,0 +1,57 @@
+Description: Check for null bytes in CN/subjAltName
+Origin: http://www.openwall.com/lists/oss-security/2010/06/14/4
+Author: Ludwig Nussel <ludwig.nussel@suse.de>
+Bug-Debian: http://bugs.debian.org/587445
+
+--- w3m-0.5.2.orig/istream.c
++++ w3m-0.5.2/istream.c
+@@ -447,8 +447,17 @@ ssl_check_cert_ident(X509 * x, char *hos
+
+ 		    if (!seen_dnsname)
+ 			seen_dnsname = Strnew();
++		    /* replace \0 to make full string visible to user */
++		    if (sl != strlen(sn)) {
++			int i;
++			for (i = 0; i < sl; ++i) {
++			    if (!sn[i])
++				sn[i] = '!';
++			}
++		    }
+ 		    Strcat_m_charp(seen_dnsname, sn, " ", NULL);
+-		    if (ssl_match_cert_ident(sn, sl, hostname))
++		    if (sl == strlen(sn) /* catch \0 in SAN */
++			&& ssl_match_cert_ident(sn, sl, hostname))
+ 			break;
+ 		}
+ 	    }
+@@ -466,16 +475,27 @@ ssl_check_cert_ident(X509 * x, char *hos
+     if (match_ident == FALSE && ret == NULL) {
+ 	X509_NAME *xn;
+ 	char buf[2048];
++	int slen;
+
+ 	xn = X509_get_subject_name(x);
+
+-	if (X509_NAME_get_text_by_NID(xn, NID_commonName,
+-				      buf, sizeof(buf)) == -1)
++	slen = X509_NAME_get_text_by_NID(xn, NID_commonName, buf, sizeof(buf));
++	if ( slen == -1)
+ 	    /* FIXME: gettextize? */
+ 	    ret = Strnew_charp("Unable to get common name from peer cert");
+-	else if (!ssl_match_cert_ident(buf, strlen(buf), hostname))
++	else if (slen != strlen(buf)
++		|| !ssl_match_cert_ident(buf, strlen(buf), hostname)) {
++	    /* replace \0 to make full string visible to user */
++	    if (slen != strlen(buf)) {
++		int i;
++		for (i = 0; i < slen; ++i) {
++		    if (!buf[i])
++			buf[i] = '!';
++		}
++	    }
+ 	    /* FIXME: gettextize? */
+ 	    ret = Sprintf("Bad cert ident %s from %s", buf, hostname);
++	}
+ 	else
+ 	    match_ident = TRUE;
+     }
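Review bot: In the subjAltName branch of the embedded istream.c patch, the guard `sl == strlen(sn)` marked `/* catch \0 in SAN */` is evaluated after the loop above it has already overwritten every NUL in the first `sl` bytes of `sn` with '!'. If `sn` is terminated at `sn[sl]` (not visible in these lines), the comparison is then always true and never rejects a name, so the outcome depends entirely on ssl_match_cert_ident() failing to match the rewritten string. Record the result of the length comparison in a flag before the replacement loop and test that flag, as the common-name branch effectively does by checking `slen != strlen(buf)` before it rewrites `buf`. In that second branch `slen` is an `int` compared against the `size_t` returned by `strlen()`; comparing after the `-1` test with a cast, or holding the length in a `size_t`, would avoid the implicit signed/unsigned conversion.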
diff -urN w3m-0.5.2-2/debian/patches/series w3m-0.5.2/debian/patches/series
--- w3m-0.5.2-2/debian/patches/series	2010-07-03 20:52:47.000000000 +0900
+++ w3m-0.5.2/debian/patches/series	2010-07-03 20:52:16.000000000 +0900
@@ -1,3 +1,4 @@
 03-w3m.1-debian-fix
 04-ja-w3m.1-debian-fix
 05-config-debian-fix
+60_check-null-cn.patch
[Message part 3 (application/pgp-signature, inline)]
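
The check the patch introduces, reduced to a stand-alone C program (an added example, not code from w3m or the Debian package): it contrasts a strlen()-based comparison with one that uses the length the certificate declares. The function names, the exact-match comparison standing in for ssl_match_cert_ident(), and the sample name bytes are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp, strncasecmp (POSIX) */

/* Pre-fix behaviour: the comparison stops at the first NUL, so bytes
 * after it are never examined. Requires name to be NUL-terminated. */
static int match_naive(const char *name, const char *host)
{
    return strcasecmp(name, host) == 0;
}

/* Length-aware check: len is the length the certificate declares.
 * Any NUL inside those len bytes rejects the name before matching. */
static int match_checked(const char *name, size_t len, const char *host)
{
    if (memchr(name, '\0', len) != NULL)
        return 0;
    return strlen(host) == len && strncasecmp(name, host, len) == 0;
}

/* Copy name into out with each NUL shown as '!', as the patch does for
 * its error message; returns the number of NUL bytes replaced. */
static size_t show_name(const char *name, size_t len, char *out, size_t outsz)
{
    size_t i, nuls = 0;
    if (outsz == 0)
        return 0;
    if (len >= outsz)
        len = outsz - 1;
    for (i = 0; i < len; i++) {
        out[i] = name[i] ? name[i] : '!';
        nuls += (name[i] == '\0');
    }
    out[len] = '\0';
    return nuls;
}

/* Constructed sample name bytes with one embedded NUL (not from the page). */
static const char SAMPLE[] = "host.example\0.other.invalid";
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)

int main(void)
{
    char shown[64];
    size_t nuls = show_name(SAMPLE, SAMPLE_LEN, shown, sizeof shown);
    printf("naive=%d checked=%d nuls=%zu shown=%s\n",
           match_naive(SAMPLE, "host.example"),
           match_checked(SAMPLE, SAMPLE_LEN, "host.example"), nuls, shown);
    return 0;
}
```
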

Reply sent to Tatsuya Kinoshita <tats@debian.org>:
You have taken responsibility. (Sat, 03 Jul 2010 16:57:13 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 03 Jul 2010 16:57:13 GMT)


Message #22 received at 587445-close@bugs.debian.org:

From: Tatsuya Kinoshita <tats@debian.org>
To: 587445-close@bugs.debian.org
Subject: Bug#587445: fixed in w3m 0.5.2-5
Date: Sat, 03 Jul 2010 16:54:07 +0000
Source: w3m
Source-Version: 0.5.2-5

We believe that the bug you reported is fixed in the latest version of
w3m, which is due to be installed in the Debian FTP archive:

w3m-img_0.5.2-5_i386.deb
  to main/w/w3m/w3m-img_0.5.2-5_i386.deb
w3m_0.5.2-5.debian.tar.gz
  to main/w/w3m/w3m_0.5.2-5.debian.tar.gz
w3m_0.5.2-5.dsc
  to main/w/w3m/w3m_0.5.2-5.dsc
w3m_0.5.2-5_i386.deb
  to main/w/w3m/w3m_0.5.2-5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 587445@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tatsuya Kinoshita <tats@debian.org> (supplier of updated w3m package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 03 Jul 2010 19:08:07 +0900
Source: w3m
Binary: w3m w3m-img
Architecture: source i386
Version: 0.5.2-5
Distribution: unstable
Urgency: high
Maintainer: Tatsuya Kinoshita <tats@debian.org>
Changed-By: Tatsuya Kinoshita <tats@debian.org>
Description: 
 w3m        - WWW browsable pager with excellent tables/frames support
 w3m-img    - inline image extension support utilities for w3m
Closes: 587445
Changes: 
 w3m (0.5.2-5) unstable; urgency=high
 .
   * debian/patches/60_check-null-cn.patch: Patch to check for null bytes
     in CN/subjAltName, provided by Ludwig Nussel. (Closes: #587445)
     [CVE-2010-2074]
   * debian/patches/70_ssl-init.patch: Patch to force ssl_verify_server on
     and disable SSLv2 support, provided by Ludwig Nussel.
   * debian/patches/*: Renumbered.
   * debian/control: Update Standards-Version to 3.9.0.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkwvEB8ACgkQgV4LPvpMUpi87wCePaAbA84aAq9SfLs72hB+KFud
41kAn1cEe6Z3Kzv5xLet4EIUPLNizoSg
=pv7l
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 Sep 2010 07:36:29 GMT)

