Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Please unblock package haskell-tls-extra

It fixes a security problem where certificates would not be checked correctly. I applied a somewhat dirty trick to avoid having to recompile all depending libraries, so it will be sufficient to just migrate this package.

Attached is the output of
$ debdiff haskell-tls-extra_0.4.6-1.dsc haskell-tls-extra_0.4.6.1-1.dsc

unblock haskell-tls-extra/0.4.6.1-1

- -- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.5-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlD8clMACgkQ9ijrk0dDIGzfswCfSV5GVWqfICGw5u/QNFJUq6uN
Nk8An0YaatI6C+4CE6dmiKvjome1PC6P
=vJzl
-----END PGP SIGNATURE-----
diff -Nru haskell-tls-extra-0.4.6/debian/changelog haskell-tls-extra-0.4.6.1/debian/changelog --- haskell-tls-extra-0.4.6/debian/changelog 2012-05-15 03:03:03.000000000 +0200 +++ haskell-tls-extra-0.4.6.1/debian/changelog 2013-01-20 23:26:26.000000000 +0100 @@ -1,3 +1,15 @@ +haskell-tls-extra (0.4.6.1-1) unstable; urgency=low + + * New upstream release, aimed for wheezy. + Closes: #698545, a certificate validation security flaw. + * Added patch: patches/pretend-lower-version + This upstream release contains a bugfix that does not modify the ABI of + the resulting library. To avoid having to recompile its reverse + dependencies, we patch the .cabal file to pretend to be still version + 0.4.6. + + -- Joachim Breitner <nome...@debian.org> Sun, 20 Jan 2013 23:26:26 +0100 + haskell-tls-extra (0.4.6-1) unstable; urgency=low * New upstream version. diff -Nru haskell-tls-extra-0.4.6/debian/patches/pretend-lower-version haskell-tls-extra-0.4.6.1/debian/patches/pretend-lower-version --- haskell-tls-extra-0.4.6/debian/patches/pretend-lower-version 1970-01-01 01:00:00.000000000 +0100 +++ haskell-tls-extra-0.4.6.1/debian/patches/pretend-lower-version 2013-01-20 23:25:56.000000000 +0100 
@@ -0,0 +1,16 @@ +This upstream release contains a bugfix that does not modify the ABI of +the resulting library. To avoid having to recompile its reverse +dependencies, we patch the .cabal file to pretend to be still version +0.4.6. + +Index: haskell-tls-extra-0.4.6.1/tls-extra.cabal +=================================================================== +--- haskell-tls-extra-0.4.6.1.orig/tls-extra.cabal 2013-01-20 23:13:58.937092809 +0100 ++++ haskell-tls-extra-0.4.6.1/tls-extra.cabal 2013-01-20 23:13:58.933092809 +0100 +@@ -1,5 +1,5 @@ + Name: tls-extra +-Version: 0.4.6.1 ++Version: 0.4.6 + Description: + a set of extra definitions, default values and helpers for tls. + License: BSD3 diff -Nru haskell-tls-extra-0.4.6/debian/patches/series haskell-tls-extra-0.4.6.1/debian/patches/series --- haskell-tls-extra-0.4.6/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ haskell-tls-extra-0.4.6.1/debian/patches/series 2013-01-20 23:13:34.000000000 +0100 @@ -0,0 +1 @@ +pretend-lower-version diff -Nru haskell-tls-extra-0.4.6/Network/TLS/Extra/Certificate.hs haskell-tls-extra-0.4.6.1/Network/TLS/Extra/Certificate.hs --- haskell-tls-extra-0.4.6/Network/TLS/Extra/Certificate.hs 2012-04-19 22:41:22.000000000 +0200 +++ haskell-tls-extra-0.4.6.1/Network/TLS/Extra/Certificate.hs 2013-01-20 15:49:28.000000000 +0100 
@@ -73,14 +73,31 @@ validChain <- certificateVerifyAgainst x sysx509 if validChain then return CertificateUsageAccept - else return $ CertificateUsageReject (CertificateRejectOther "chain doesn't match each other") + else return certificateChainDoesntMatch Nothing -> case xs of [] -> return $ CertificateUsageReject CertificateRejectUnknownCA - _ -> do - validChain <- certificateVerifyAgainst x (head xs) - if validChain - then certificateVerifyChain_ xs - else return $ CertificateUsageReject (CertificateRejectOther "chain doesn't match each other") + cert:_ -> do + let exts = certExtensions (x509Cert cert) + case checkCA exts of + Just r -> return r + Nothing -> do + validChain <- certificateVerifyAgainst x cert + if validChain + then certificateVerifyChain_ xs + else return certificateChainDoesntMatch + where + checkCA Nothing = return $ certificateNotAllowedToSign + checkCA (Just es) = do + let kuCanCertSign = case extensionGet es of + Just (ExtKeyUsage l) -> elem KeyUsage_keyCertSign l + Nothing -> False + case extensionGet es of + Just (ExtBasicConstraints True) + | kuCanCertSign -> Nothing + | otherwise -> Just certificateNotAllowedToSign + _ -> Just certificateNotAllowedToSign + certificateNotAllowedToSign = CertificateUsageReject $ CertificateRejectOther "certificate is not allowed to sign another certificate" + certificateChainDoesntMatch = CertificateUsageReject $ CertificateRejectOther "chain doesn't match each other" #endif -- | verify a certificates chain using the system certificates available. diff -Nru haskell-tls-extra-0.4.6/tls-extra.cabal haskell-tls-extra-0.4.6.1/tls-extra.cabal --- haskell-tls-extra-0.4.6/tls-extra.cabal 2012-04-19 22:41:22.000000000 +0200 +++ haskell-tls-extra-0.4.6.1/tls-extra.cabal 2013-01-20 15:49:28.000000000 +0100 @@ -1,5 +1,5 @@ Name: tls-extra -Version: 0.4.6 +Version: 0.4.6.1 Description: a set of extra definitions, default values and helpers for tls. License: BSD3
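Review bot: the debian/changelog entry for 0.4.6.1-1 does not say that patches/pretend-lower-version is a wheezy-only measure that must be dropped with the next upstream upload; without that reminder the next maintainer upload will carry a Version: 0.4.6 override into a release where it no longer applies. Add one sentence to the "Added patch" bullet, e.g. "To be removed with the next upstream release, which will require rebuilding the reverse dependencies anyway."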
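Review bot: the header of debian/patches/pretend-lower-version asserts that the bugfix "does not modify the ABI" but does not say how that was checked, and with the Version field pinned back to 0.4.6 the installed library registers with ghc-pkg under the same name and version as the vulnerable build, so nothing at the GHC level distinguishes fixed from unfixed. Record the verification in the header (for example that `ghc-pkg field tls-extra id` reports the same ABI hash for the 0.4.6-1 and 0.4.6.1-1 builds), and state that the fixed build is only identifiable by the Debian package version 0.4.6.1-1, since the source tarball and the debian/changelog are the only places where 0.4.6.1 still appears.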
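Review bot: in the Network/TLS/Extra/Certificate.hs hunk, `checkCA` rejects any issuer that lacks a KeyUsage extension: when `extensionGet es` yields `Nothing` for `ExtKeyUsage`, `kuCanCertSign` is `False`, so even a certificate with `ExtBasicConstraints True` falls into the `otherwise -> Just certificateNotAllowedToSign` guard, and a certificate with no extensions at all is rejected by `checkCA Nothing`. RFC 5280 section 6.1.4 step (n) only requires the keyCertSign bit when the key usage extension is present, so this is stricter than the standard and will break chains whose intermediate omits keyUsage; if that tightening is intended as defence in depth, say so in the patch header, otherwise make the `Nothing -> False` arm `True`. Two smaller points in the same hunk: `checkCA Nothing = return $ certificateNotAllowedToSign` relies on `return` being `Just` in the Maybe monad while the other arms spell out `Just`/`Nothing`, so write `Just certificateNotAllowedToSign` for consistency; and nothing in the new code enforces a path length constraint on the issuer, which is worth a comment so the next reader knows it is a known gap rather than an oversight. Replacing `head xs` with the `cert:_` pattern is a good change, since it removes the partial function from the chain walk.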