Michael Meskes <[EMAIL PROTECTED]> writes:

> On Tue, Nov 11, 2008 at 04:55:57PM +0100, Simon Josefsson wrote:
>> I think we have identified the problem, see:
>>
>> http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3216/focus=3230
>>
>> That patch at least solves the vulnerability and the crash, so possibly
>> it could be uploaded to debian to avoid further troubles until we have
>> released a 2.6.2 with a good fix.
>
> You mean just removing this code snippet instead of moving it?
>
>   /* Check if the last certificate in the path is self signed.
>    * In that case ignore it (a certificate is trusted only if it
>    * leads to a trusted party by us, not the server's).
>    */
>   if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
>                                     certificate_list[clist_size - 1]) > 0
>       && clist_size > 0)
>     {
>       clist_size--;
>     }

Yes.

> Yes, this works. However, I wonder whether this code has any use.

Getting Nikos' comment on this would be useful. I guess we have two
choices:

1) Remove the code. Fixes both crash and vulnerability.

2) Change the test to clist_size>1. Fixes both crash and vulnerability.

> If so, wouldn't it help to just use "clist_size > 1" instead of
> "clist_size > 0"? The > 0 test is bogus if you access clist_size - 1
> afterwards, but with the > 1 test it works for me as well, i.e. no
> segfault anymore.

Yes, that version of the patch works too. I'm not sure what the
semantic differences are between the two patches.

/Simon
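
An added example, not part of the original message and not GnuTLS code: a small C model of the trimming step under the three variants discussed in the thread (as quoted, removed, and `clist_size > 1`), returning the chain length each one leaves. `struct cert`, `is_self_signed` and `trimmed_size` are hypothetical names, and the string comparison is an assumed stand-in for `gnutls_x509_crt_check_issuer`.

```c
#include <stdio.h>
#include <string.h>

/* Toy certificate: only subject and issuer names matter in this model. */
struct cert { const char *subject; const char *issuer; };

/* Assumed stand-in for gnutls_x509_crt_check_issuer(c, c) > 0. */
static int is_self_signed(const struct cert *c)
{
    return strcmp(c->subject, c->issuer) == 0;
}

enum variant { AS_QUOTED, REMOVED, GREATER_THAN_ONE };

/* Chain length left after the trimming step (hypothetical helper). */
static int trimmed_size(const struct cert *list, int clist_size, enum variant v)
{
    /* AS_QUOTED drops a trailing self-signed cert from any non-empty chain.
     * The bounds test is placed first here so the model never reads list[-1];
     * the quoted code tests clist_size only after the access. */
    int min_len = (v == AS_QUOTED) ? 1 : 2;

    if (v != REMOVED && clist_size >= min_len
        && is_self_signed(&list[clist_size - 1]))
        clist_size--;
    return clist_size;
}

/* Constructed sample chains. */
static const struct cert lone[] = { { "CN=host", "CN=host" } };
static const struct cert with_root[] = {
    { "CN=host", "CN=Root" }, { "CN=Root", "CN=Root" }
};

int main(void)
{
    static const char *names[] = { "as quoted", "removed", "clist_size > 1" };
    for (int v = AS_QUOTED; v <= GREATER_THAN_ONE; v++)
        printf("%-15s lone self-signed: %d  leaf+root: %d\n", names[v],
               trimmed_size(lone, 1, (enum variant)v),
               trimmed_size(with_root, 2, (enum variant)v));
    return 0;
}
```

A result of 0 is the case where a later access to `clist_size - 1` indexes before the start of the array. In this model the two patches agree on a lone self-signed certificate and differ only on longer chains that end in a self-signed one.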