Bug#706094: telepathy-idle: does not verify TLS certificates properly

[Simon McVittie]

On Wed, 24 Apr 2013 at 16:25:46 +0100, Simon McVittie wrote:
> telepathy-idle < 0.1.15 does not verify that the server's TLS certificate was
> issued by a trusted CA, or that it hasn't expired, or that it matches the
> server's hostname.

Here is a proposed patch for wheezy, either via t-p-u for wheezy r0 or
security/s-p-u for wheezy r1.

    S

>From f94f157221692a3609a3cd27fdc8ec4ed8ab1f23 Mon Sep 17 00:00:00 2001
From: Simon McVittie <s...@debian.org>
Date: Wed, 24 Apr 2013 16:45:31 +0100
Subject: [PATCH] Validate TLS certificates (Closes: #706094)

---
 debian/changelog                                   |    6 +++++
 debian/gbp.conf                                    |    2 +-
 ...sable-parts-of-TLS-certificate-validation.patch |   28 ++++++++++++++++++++
 debian/patches/series                              |    1 +
 4 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 debian/patches/0002-Don-t-disable-parts-of-TLS-certificate-validation.patch

diff --git a/debian/changelog b/debian/changelog
index d180e99..10f262e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+telepathy-idle (0.1.11-2+deb7u1) UNRELEASED; urgency=low
+
+  * Validate TLS certificates (Closes: #706094)
+
+ -- Simon McVittie <s...@debian.org>  Wed, 24 Apr 2013 16:43:37 +0100
+
 telepathy-idle (0.1.11-2) unstable; urgency=low
 
   * debian/patches/Support-trailing-parameter-without-a-initial.patch:
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 6837223..3b82926 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian
+debian-branch = debian-wheezy
 upstream-branch = upstream
 pristine-tar = True
 
diff --git a/debian/patches/0002-Don-t-disable-parts-of-TLS-certificate-validation.patch b/debian/patches/0002-Don-t-disable-parts-of-TLS-certificate-validation.patch
new file mode 100644
index 0000000..308f11a
--- /dev/null
+++ b/debian/patches/0002-Don-t-disable-parts-of-TLS-certificate-validation.patch
@@ -0,0 +1,28 @@
+From: Simon McVittie <s...@debian.org>
+Date: Wed, 24 Apr 2013 16:43:00 +0100
+Subject: Don't disable parts of TLS certificate validation
+
+This breaks one regression test, but is a simpler fix than was used
+upstream.
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=63810
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706094
+Forwarded: not-needed, fixed differently upstream
+---
+ src/idle-server-connection.c |    5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/src/idle-server-connection.c b/src/idle-server-connection.c
+index 5b8629c..8c8eeff 100644
+--- a/src/idle-server-connection.c
++++ b/src/idle-server-connection.c
+@@ -469,9 +469,4 @@ IdleServerConnectionState idle_server_connection_get_state(IdleServerConnection
+ void idle_server_connection_set_tls(IdleServerConnection *conn, gboolean tls) {
+ 	IdleServerConnectionPrivate *priv = IDLE_SERVER_CONNECTION_GET_PRIVATE(conn);
+ 	g_socket_client_set_tls(priv->socket_client, tls);
+-	g_socket_client_set_tls_validation_flags(priv->socket_client,
+-		G_TLS_CERTIFICATE_VALIDATE_ALL
+-		& ~G_TLS_CERTIFICATE_UNKNOWN_CA
+-		& ~G_TLS_CERTIFICATE_BAD_IDENTITY
+-		& ~G_TLS_CERTIFICATE_EXPIRED);
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 4b55a70..7153ae5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 Support-trailing-parameter-without-a-initial.patch
+0002-Don-t-disable-parts-of-TLS-certificate-validation.patch
-- 
1.7.10.4