On ven., 2013-04-19 at 09:04 +0200, Yann Leboulanger wrote: > On 04/17/2013 11:16 PM, Yves-Alexis Perez wrote: > > On jeu., 2013-04-04 at 07:40 +0200, Yves-Alexis Perez wrote: > >> Hey, > >> > >> it seems that there's an upstream fix for this at > >> https://trac.gajim.org/ticket/7252 / > >> https://trac.gajim.org/changeset/1d8caae49a31 > > all those commits are needed to fix this issue: > > http://hg.gajim.org/gajim/rev/1d8caae49a31 > http://hg.gajim.org/gajim/rev/6ab8ea2313aa > http://hg.gajim.org/gajim/rev/d34a996f87b8 > http://hg.gajim.org/gajim/rev/35a555c4a107 > Thanks. Is the attached NMU ok for you? Moritz, what was the reason for the severity downgrade? Shouldn't we push this to Squeeze & Wheezy?
Regards, -- Yves-Alexis
diff --git a/debian/changelog b/debian/changelog
index aa48c0b..d995210 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,8 @@ gajim (0.15.1-4.1) UNRELEASED; urgency=high
* debian/patches:
- 02_fix-cert-validation.diff added, fix certificate validation
(CVE-2012-5524) closes: #693282
+ - 03_correctly-get-SSL-certificate and 04_store-all-ssl-errors added,
+ improve SSL/TLS handling.
-- Yves-Alexis Perez <[email protected]> Wed, 17 Apr 2013 22:22:30 +0200
diff --git a/debian/patches/00_connection_handlers.diff b/debian/patches/00_connection_handlers.diff
old mode 100644
new mode 100755
diff --git a/debian/patches/00list b/debian/patches/00list
index 62b48a1..5d106de 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -1,3 +1,5 @@
00_connection_handlers.diff
01_accel_group.diff
02_fix-cert-validation.diff
+03_correctly-get-SSL-certificate.diff
+04_store-all-ssl-errors.diff
diff --git a/debian/patches/01_accel_group.diff b/debian/patches/01_accel_group.diff
old mode 100644
new mode 100755
diff --git a/debian/patches/03_correctly-get-SSL-certificate.diff b/debian/patches/03_correctly-get-SSL-certificate.diff
new file mode 100755
index 0000000..76e61d8
--- /dev/null
+++ b/debian/patches/03_correctly-get-SSL-certificate.diff
@@ -0,0 +1,50 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 03_correctly-get-SSL-certificate.diff by <[email protected]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: correctly get SSL certificate from nbxmpp. Fixes #7283
+#
+# Description: correctly get SSL certificate from nbxmpp. Fixes #7283
+# Author: Yann Leboulanger <[email protected]>
+# Origin: upstream,https://trac.gajim.org/changeset/1d8caae49a31#file0
+# HG changeset patch
+# User Yann Leboulanger <[email protected]>
+# Date 1356455919 -3600
+# Node ID 6ab8ea2313aa4a17f62d1811d334c8f44d1ef393
+# Parent 1d8caae49a31201a79529d2b81d231b06ce8c91c
+
+@DPATCH@
+
+diff -r 1d8caae49a31 -r 6ab8ea2313aa src/common/connection.py
+--- a/src/common/connection.py Sun Dec 23 17:48:11 2012 +0100
++++ b/src/common/connection.py Tue Dec 25 18:18:39 2012 +0100
+@@ -1337,7 +1337,7 @@
+ if con.Connection.ssl_fingerprint_sha1[-1] != saved_fingerprint:
+ gajim.nec.push_incoming_event(FingerprintErrorEvent(None,
+ conn=self,
+- certificate=con.Connection.ssl_certificate,
++ certificate=con.Connection.ssl_certificate[-1],
+ new_fingerprint=con.Connection.ssl_fingerprint_sha1[
+ -1]))
+ return True
+@@ -1345,8 +1345,8 @@
+ gajim.config.set_per('accounts', self.name,
+ 'ssl_fingerprint_sha1',
+ con.Connection.ssl_fingerprint_sha1[-1])
+- if not check_X509.check_certificate(con.Connection.ssl_certificate,
+- hostname) and '100' not in gajim.config.get_per('accounts',
++ if not check_X509.check_certificate(con.Connection.ssl_certificate[
++ -1], hostname) and '100' not in gajim.config.get_per('accounts',
+ self.name, 'ignore_ssl_errors').split():
+ txt = _('The authenticity of the %s certificate could be '
+ 'invalid.\nThe certificate does not cover this domain.') % \
+@@ -1355,7 +1355,7 @@
+ error_text=txt, error_num=100,
+ cert=con.Connection.ssl_cert_pem[-1],
+ fingerprint=con.Connection.ssl_fingerprint_sha1[-1],
+- certificate=con.Connection.ssl_certificate))
++ certificate=con.Connection.ssl_certificate[-1]))
+ return True
+
+ self._register_handlers(con, con_type)
+
diff --git a/debian/patches/04_store-all-ssl-errors.diff b/debian/patches/04_store-all-ssl-errors.diff
new file mode 100755
index 0000000..456e831
--- /dev/null
+++ b/debian/patches/04_store-all-ssl-errors.diff
@@ -0,0 +1,64 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 04_store-all-ssl-errors.diff by <[email protected]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: store all SSL errors
+#
+# Description: store all SSL errors
+# Author: Yann Leboulanger <[email protected]>
+# Origin: upstream,https://trac.gajim.org/changeset/1d8caae49a31#file0
+# Last-Update: 2013-04-17
+# HG changeset patch
+# User Yann Leboulanger <[email protected]>
+# Date 1360768361 -3600
+# Node ID d34a996f87b81afe6dc60d04d0141c39fa3d3595
+# Parent 385f8a1fad668fbcd1d9bee10f61531a8ca7d890
+
+@DPATCH@
+
+diff -r 385f8a1fad66 -r d34a996f87b8 src/common/xmpp/tls_nb.py
+--- a/src/common/xmpp/tls_nb.py Wed Feb 13 16:10:44 2013 +0100
++++ b/src/common/xmpp/tls_nb.py Wed Feb 13 16:12:41 2013 +0100
+@@ -393,7 +393,7 @@
+ flags |= 16384
+ tcpsock._sslContext.set_options(flags)
+
+- tcpsock.ssl_errnum = 0
++ tcpsock.ssl_errnum = [0]
+ tcpsock._sslContext.set_verify(OpenSSL.SSL.VERIFY_PEER,
+ self._ssl_verify_callback)
+ try:
+@@ -449,11 +449,11 @@
+ def _ssl_verify_callback(self, sslconn, cert, errnum, depth, ok):
+ # Exceptions can't propagate up through this callback, so print them here.
+ try:
+- self._owner.ssl_fingerprint_sha1 = cert.digest('sha1')
+- self._owner.ssl_certificate = cert
+- self._owner.ssl_errnum = errnum
+- self._owner.ssl_cert_pem = OpenSSL.crypto.dump_certificate(
+- OpenSSL.crypto.FILETYPE_PEM, cert)
++ self._owner.ssl_fingerprint_sha1.append(cert.digest('sha1'))
++ self._owner.ssl_certificate.append(cert)
++ self._owner.ssl_errnum.append(errnum)
++ self._owner.ssl_cert_pem.append(OpenSSL.crypto.dump_certificate(
++ OpenSSL.crypto.FILETYPE_PEM, cert))
+ return True
+ except:
+ log.error("Exception caught in _ssl_info_callback:", exc_info=True)
+diff -r 385f8a1fad66 -r d34a996f87b8 src/common/xmpp/transports_nb.py
+--- a/src/common/xmpp/transports_nb.py Wed Feb 13 16:10:44 2013 +0100
++++ b/src/common/xmpp/transports_nb.py Wed Feb 13 16:12:41 2013 +0100
+@@ -311,6 +311,12 @@
+ self.proxy_dict = proxy_dict
+ self.on_remote_disconnect = self.disconnect
+
++ # ssl variables
++ self.ssl_fingerprint_sha1 = []
++ self.ssl_certificate = []
++ self.ssl_errnum = []
++ self.ssl_cert_pem = []
++
+ # FIXME: transport should not be aware xmpp
+ def start_disconnect(self):
+ NonBlockingTransport.start_disconnect(self)
+
signature.asc
Description: This is a digitally signed message part

