Fixed hostname verification of x.509 certificates.
(rhbz#688756, CVE-2011-1429)
parent
8056a91e0a
commit
a5d2d9c94b
30
mutt-1.5.21-testcert.patch
Normal file
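--- a/mutt-1.5.21-testcert.patch
+++ b/mutt-1.5.21-testcert.patch
@@ -0,0 +1,30 @@
+diff -up mutt-1.5.21/mutt_ssl_gnutls.c.old mutt-1.5.21/mutt_ssl_gnutls.c
+--- mutt-1.5.21/mutt_ssl_gnutls.c.old 2011-03-23 11:46:28.760386765 +0100
++++ mutt-1.5.21/mutt_ssl_gnutls.c 2011-03-23 14:34:45.839456449 +0100
+@@ -978,6 +978,7 @@ static int tls_check_certificate (CONNEC
+unsigned int cert_list_size = 0;
+gnutls_certificate_status certstat;
+int certerr, i, preauthrc, savedcert, rc = 0;
++ int rcpeer;
+
+if (gnutls_auth_get_type (state) != GNUTLS_CRD_CERTIFICATE)
+{
+@@ -1003,6 +1004,9 @@ static int tls_check_certificate (CONNEC
+for (i = 0; i < cert_list_size; i++) {
+rc = tls_check_preauth(&cert_list[i], certstat, conn->account.host, i,
+&certerr, &savedcert);
++ if (i == 0)
++ rcpeer = rc;
++
+preauthrc += rc;
+
+if (savedcert)
+@@ -1028,7 +1032,7 @@ static int tls_check_certificate (CONNEC
+dprint (1, (debugfile, "error trusting certificate %d: %d\n", i, rc));
+
+certstat = tls_verify_peers (state);
+- if (!certstat)
++ if (!certstat && !rcpeer)
+return 1;
+}
+}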
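Review bot: `rcpeer` is declared without an initializer (`int rcpeer;`) and is assigned only inside the pre-auth loop when `i == 0`, yet the last hunk reads it in `if (!certstat && !rcpeer)`. If that loop can ever run zero times (whether an empty `cert_list` is rejected earlier is not visible in these hunks), the read is of an indeterminate value and the early `return 1` could be taken without any check of the peer certificate. Initialising it fail-closed, `int rcpeer = -1;`, makes the accept path require a pre-auth result of 0 for the peer certificate. The new condition also deserves a comment such as `/* chain now verifies; accept only if the peer cert (i == 0) also passed tls_check_preauth against conn->account.host */`, because the hostname fix rests entirely on that one variable. tls_check_certificate starts and ends outside the hunks.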
@ -16,7 +16,7 @@
|
|||||||
Summary: A text mode mail user agent
|
Summary: A text mode mail user agent
|
||||||
Name: mutt
|
Name: mutt
|
||||||
Version: 1.5.21
|
Version: 1.5.21
|
||||||
Release: 4%{?dist}
|
Release: 5%{?dist}
|
||||||
Epoch: 5
|
Epoch: 5
|
||||||
# The entire source code is GPLv2+ except
|
# The entire source code is GPLv2+ except
|
||||||
# pgpewrap.c setenv.c sha1.c wcwidth.c which are Public Domain
|
# pgpewrap.c setenv.c sha1.c wcwidth.c which are Public Domain
|
||||||
@ -29,6 +29,7 @@ Patch3: mutt-1.5.18-muttrc.patch
|
|||||||
Patch4: mutt-1.5.18-manual.patch
|
Patch4: mutt-1.5.18-manual.patch
|
||||||
Patch5: mutt-1.5.21-updating.patch
|
Patch5: mutt-1.5.21-updating.patch
|
||||||
Patch6: mutt-1.5.21-hdrcnt.patch
|
Patch6: mutt-1.5.21-hdrcnt.patch
|
||||||
|
Patch7: mutt-1.5.21-testcert.patch
|
||||||
Url: http://www.mutt.org/
|
Url: http://www.mutt.org/
|
||||||
Requires: mailcap urlview
|
Requires: mailcap urlview
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||||
@ -70,6 +71,7 @@ for selecting groups of messages.
|
|||||||
%patch4 -p1 -b .manual
|
%patch4 -p1 -b .manual
|
||||||
%patch5 -p1 -b .updating
|
%patch5 -p1 -b .updating
|
||||||
%patch6 -p1 -b .hdrcnt
|
%patch6 -p1 -b .hdrcnt
|
||||||
|
%patch7 -p1 -b .testcert
|
||||||
|
|
||||||
sed -i.gpgerror 's/`$GPGME_CONFIG --libs`/"\0 -lgpg-error"/' configure
|
sed -i.gpgerror 's/`$GPGME_CONFIG --libs`/"\0 -lgpg-error"/' configure
|
||||||
|
|
||||||
@ -152,6 +154,10 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
%{_mandir}/man5/muttrc.*
|
%{_mandir}/man5/muttrc.*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Apr 15 2011 Honza Horak <hhorak@redhat.com> - 5:1.5.21-5
|
||||||
|
- Fixed hostname verification of x.509 certificates.
|
||||||
|
(rhbz#688756, CVE-2011-1429)
|
||||||
|
|
||||||
* Tue Mar 29 2011 Honza Horak <hhorak@redhat.com> - 5:1.5.21-4
|
* Tue Mar 29 2011 Honza Horak <hhorak@redhat.com> - 5:1.5.21-4
|
||||||
- Fixed segmentation faults during reading message headers (rhbz#676074)
|
- Fixed segmentation faults during reading message headers (rhbz#676074)
|
||||||
|
|
||||||
|