On 24/04/13 17:05, Simon McVittie wrote:
> On Wed, 24 Apr 2013 at 16:25:46 +0100, Simon McVittie wrote:
>> telepathy-idle < 0.1.15 does not verify that the server's TLS certificate was
>> issued by a trusted CA, or that it hasn't expired, or that it matches the
>> server's hostname.
>
> Here is a proposed patch for wheezy, either via t-p-u for wheezy r0 or
> security/s-p-u for wheezy r1.
Security team: wheezy is vulnerable to this, and has a somewhat older
upstream version than unstable (so it can't migrate that way). How do
you want us to deal with this? I've re-attached the proposed patch for
wheezy for your reference.
I've requested a CVE ID on oss-security.
I don't have a patch for squeeze, which would require implementing
OpenSSL cert-checking in long-superseded code.
I don't think this is RC, particularly for squeeze: IRC is typically
used without SSL, and the telepathy-idle version in squeeze is a pretty
poor IRC implementation in general. It's telling that this is the one
Telepathy component that has never had a stable-branch...
S
>From f94f157221692a3609a3cd27fdc8ec4ed8ab1f23 Mon Sep 17 00:00:00 2001
From: Simon McVittie <s...@debian.org>
Date: Wed, 24 Apr 2013 16:45:31 +0100
Subject: [PATCH] Validate TLS certificates (Closes: #706094)
---
debian/changelog | 6 +++++
debian/gbp.conf | 2 +-
...sable-parts-of-TLS-certificate-validation.patch | 28 ++++++++++++++++++++
debian/patches/series | 1 +
4 files changed, 36 insertions(+), 1 deletion(-)
create mode 100644
debian/patches/0002-Don-t-disable-parts-of-TLS-certificate-validation.patch
diff --git a/debian/changelog b/debian/changelog
index d180e99..10f262e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+telepathy-idle (0.1.11-2+deb7u1) UNRELEASED; urgency=low
+
+ * Validate TLS certificates (Closes: #706094)
+
+ -- Simon McVittie <s...@debian.org> Wed, 24 Apr 2013 16:43:37 +0100
+
telepathy-idle (0.1.11-2) unstable; urgency=low
* debian/patches/Support-trailing-parameter-without-a-initial.patch:
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 6837223..3b82926 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,5 +1,5 @@
[DEFAULT]
-debian-branch = debian
+debian-branch = debian-wheezy
upstream-branch = upstream
pristine-tar = True
diff --git
a/debian/patches/0002-Don-t-disable-parts-of-TLS-certificate-validation.patch
b/debian/patches/0002-Don-t-disable-parts-of-TLS-certificate-validation.patch
new file mode 100644
index 0000000..308f11a
--- /dev/null
+++
b/debian/patches/0002-Don-t-disable-parts-of-TLS-certificate-validation.patch
@@ -0,0 +1,28 @@
+From: Simon McVittie <s...@debian.org>
+Date: Wed, 24 Apr 2013 16:43:00 +0100
+Subject: Don't disable parts of TLS certificate validation
+
+This breaks one regression test, but is a simpler fix than was used
+upstream.
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=63810
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706094
+Forwarded: not-needed, fixed differently upstream
+---
+ src/idle-server-connection.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/src/idle-server-connection.c b/src/idle-server-connection.c
+index 5b8629c..8c8eeff 100644
+--- a/src/idle-server-connection.c
++++ b/src/idle-server-connection.c
+@@ -469,9 +469,4 @@ IdleServerConnectionState
idle_server_connection_get_state(IdleServerConnection
+ void idle_server_connection_set_tls(IdleServerConnection *conn, gboolean tls)
{
+ IdleServerConnectionPrivate *priv =
IDLE_SERVER_CONNECTION_GET_PRIVATE(conn);
+ g_socket_client_set_tls(priv->socket_client, tls);
+- g_socket_client_set_tls_validation_flags(priv->socket_client,
+- G_TLS_CERTIFICATE_VALIDATE_ALL
+- & ~G_TLS_CERTIFICATE_UNKNOWN_CA
+- & ~G_TLS_CERTIFICATE_BAD_IDENTITY
+- & ~G_TLS_CERTIFICATE_EXPIRED);
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 4b55a70..7153ae5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
Support-trailing-parameter-without-a-initial.patch
+0002-Don-t-disable-parts-of-TLS-certificate-validation.patch
--
1.7.10.4
