Control: tags -1 -moreinfo
On 2016-08-19 18:05:34, Antoine Beaupré wrote:
> On 2016-08-19 17:56:29, Adam D. Barratt wrote:
>> On Fri, 2016-08-19 at 17:35 -0400, Antoine Beaupré wrote:
>>> TL;DR: Charybdis 3.4 (Jessie) introduces a regression (CertFP broken)
>>> from Charybdis 3.3 (Wheezy). 7-line patch (attached) fixes the issue.
>>>
>>> Charybdis 3.4 suffers from a regression which breaks authentication in
>>> certain scenarios. The bug is now documented upstream here:
>>>
>>> https://github.com/charybdis-ircd/charybdis/pull/211
>> [...]
>>> I have produced a simple patch which fixes the issue for Charybdis 3.5
>>> here:
>>>
>>> https://github.com/charybdis-ircd/charybdis/pull/211/commits/0ff0a0592de84dec2a2f46d9f8d6e22f6c1ee467
>>
>> That patch doesn't appear to have been applied to the package in
>> unstable. That's a pre-requisite for considering it for an update in
>> stable.
>
> Understood. I am waiting for upstream to release 3.5.3 which will
> include that patch, tonight, before doing a new upload.
Turns out this took about three weeks instead of 24h. But 3.5.3 is
released, and I will push the update to unstable now.
The situation is a tad more complicated now because there was a security
issue disclosed in the meantime:
https://security-tracker.debian.org/tracker/CVE-2016-7143
... which 3.5.3 fixes. I have prepared a deb8u2 update for the security
team in #836714, which the attached debdiff builds upon.
diff -Nru charybdis-3.4.2/debian/changelog charybdis-3.4.2/debian/changelog
--- charybdis-3.4.2/debian/changelog 2016-09-05 19:45:08.000000000 -0400
+++ charybdis-3.4.2/debian/changelog 2016-09-05 20:11:24.000000000 -0400
@@ -1,3 +1,10 @@
+charybdis (3.4.2-5+deb8u3) stable; urgency=medium
+
+ * backport patch from testing: fix error handling in gnutls certfp
+ support
+
+ -- Antoine Beaupré <anar...@debian.org> Mon, 05 Sep 2016 20:11:19 -0400
+
charybdis (3.4.2-5+deb8u2) jessie-security; urgency=high
* add fix for CVE-2016-7143, backported from upstream (Closes: #836714)
diff -Nru charybdis-3.4.2/debian/patches/0001-fix-error-handling-in-gnutls-certfp-support.patch charybdis-3.4.2/debian/patches/0001-fix-error-handling-in-gnutls-certfp-support.patch
--- charybdis-3.4.2/debian/patches/0001-fix-error-handling-in-gnutls-certfp-support.patch 1969-12-31 19:00:00.000000000 -0500
+++ charybdis-3.4.2/debian/patches/0001-fix-error-handling-in-gnutls-certfp-support.patch 2016-09-05 20:11:24.000000000 -0400
@@ -0,0 +1,41 @@
+Bug: https://github.com/charybdis-ircd/charybdis/pull/211
+
+will be factored into 3.5.3, so hold on before merging...
+
+From 0ff0a0592de84dec2a2f46d9f8d6e22f6c1ee467 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anar...@debian.org>
+Date: Fri, 19 Aug 2016 11:53:59 -0400
+Subject: [PATCH] fix error handling in gnutls certfp support
+
+---
+ libratbox/src/gnutls.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/libratbox/src/gnutls.c b/libratbox/src/gnutls.c
+index f51211f..9bb69bb 100644
+--- a/libratbox/src/gnutls.c
++++ b/libratbox/src/gnutls.c
+@@ -608,18 +608,17 @@ rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
+ if (gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509)
+ return 0;
+
+- if (gnutls_x509_crt_init(&cert) < 0)
+- return 0;
+-
+ cert_list_size = 0;
+ cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size);
+- if (cert_list == NULL)
++ if (cert_list_size <= 0)
+ {
+- gnutls_x509_crt_deinit(cert);
+ return 0;
+ }
+
+- if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
++ if (gnutls_x509_crt_init(&cert) != GNUTLS_E_SUCCESS)
++ return 0;
++
++ if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) != GNUTLS_E_SUCCESS)
+ {
+ gnutls_x509_crt_deinit(cert);
+ return 0;
diff -Nru charybdis-3.4.2/debian/patches/series charybdis-3.4.2/debian/patches/series
--- charybdis-3.4.2/debian/patches/series 2016-09-05 19:45:08.000000000 -0400
+++ charybdis-3.4.2/debian/patches/series 2016-09-05 20:11:24.000000000 -0400
@@ -7,3 +7,4 @@
gnutls30
libratbox-gnutls-add-gnutls-v3-api-compatibility-wit.patch
CVE-2015-5290
+0001-fix-error-handling-in-gnutls-certfp-support.patch
I am running with those patches in production now.
Thanks and sorry for the delay.
A.
--
La propriété est un piège: ce que nous croyons posséder nous possède.
- Alphonse Karr
