Public bug reported:

Please sync moonshot-gss-eap 0.9.2-3+deb8u1 (universe) from Debian
unstable (main)

This version addresses two critical problems which will affect Ubuntu users.
These are not filed in Launchpad, but were Debian bugs.
The first is that if an application using moonshot-gss-eap deletes a security
context (read: closes a session) all uses of openssl in the same process break.

The second is that there's a parsing bug that prevents credentials issued by 
the world's only production Moonshot service (JISC Assent) from being used.
While Ubuntu users are free to set up their own moonshot services, we know that 
several sites in the target customer base of JISC Assent do use Ubuntu and we'd 
like moonshot-gss-eap in Ubuntu to work for them.

I've included a debdiff to illustrate that the changes are small and
well-contained.

Changelog entries since current vivid version 0.9.2-3:

moonshot-gss-eap (0.9.2-3+deb8u1) unstable; urgency=medium

  * Incorporate upstream deltas:
      - 6dbf073: Allow white space in CA certificates, Closes: #781312
      - 90f04c98: Don't shut down openssl on last context deletion,
    Closes: #781311

 -- Sam Hartman <hartm...@debian.org>  Fri, 27 Mar 2015 08:16:18 -0400

diff --git a/debian/changelog b/debian/changelog
index 5aa07bc..3027275 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+moonshot-gss-eap (0.9.2-3+deb8u1) unstable; urgency=medium
+
+  * Incorporate upstream deltas:
+      - 6dbf073: Allow white space in CA certificates, Closes: #781312
+      - 90f04c98: Don't shut down openssl on last context deletion,
+    Closes: #781311
+
+ -- Sam Hartman <hartm...@debian.org>  Fri, 27 Mar 2015 08:16:18 -0400
+
 moonshot-gss-eap (0.9.2-3) unstable; urgency=medium
 
   * Review security of libeap/wpa_supplicant and send mail to security
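Review bot: The continuation line "Closes: #781311" in the new entry is indented four spaces, shallower than the "- 90f04c98:" item it continues, so it reads as a separate line rather than part of that item. Indent it to align with the item text, or keep the item on one line as the 6dbf073 entry does.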
diff --git a/libeap/src/crypto/tls_openssl.c b/libeap/src/crypto/tls_openssl.c
index c0a40f9..d155c09 100644
--- a/libeap/src/crypto/tls_openssl.c
+++ b/libeap/src/crypto/tls_openssl.c
@@ -767,13 +767,7 @@ void tls_deinit(void *ssl_ctx)
 
        tls_openssl_ref_count--;
        if (tls_openssl_ref_count == 0) {
-#ifndef OPENSSL_NO_ENGINE
-               ENGINE_cleanup();
-#endif /* OPENSSL_NO_ENGINE */
-               CRYPTO_cleanup_all_ex_data();
                ERR_remove_state(0);
-               ERR_free_strings();
-               EVP_cleanup();
                os_free(tls_global);
                tls_global = NULL;
        }
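Review bot: Missing documentation in tls_deinit(): after this change the ref_count == 0 branch keeps only ERR_remove_state(0) and frees tls_global, with nothing in the code explaining why ENGINE_cleanup(), CRYPTO_cleanup_all_ex_data(), ERR_free_strings() and EVP_cleanup() are deliberately not called. Add a short comment saying that these tear down process-wide OpenSSL state that other code in the same process may still be using, so a later cleanup pass does not put them back. It would also help to note that this state is now left for the process to release, since nothing in the hunk releases it.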
diff --git a/mech_eap/util_base64.c b/mech_eap/util_base64.c
index aaa1ea8..0ec1cdc 100644
--- a/mech_eap/util_base64.c
+++ b/mech_eap/util_base64.c
@@ -124,9 +124,15 @@ base64Decode(const char *str, void *data)
     q = data;
     p = str;
 
-    while (*p && *p && (*p == '=' || strchr(base64_chars, *p))) {
-       unsigned int val = token_decode(p);
-       unsigned int marker = (val >> 24) & 0xff;
+    while (*p && (*p == '=' || strchr(base64_chars, *p) || isspace(*p))) {
+       unsigned int val; 
+       unsigned int marker; 
+       if (isspace(*p)) {
+            p++;
+            continue;
+        }
+        val = token_decode(p);
+        marker = (val >> 24) & 0xff;
        if (val == DECODE_ERROR)
            return -1;
        *q++ = (val >> 16) & 0xff;
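Review bot: In the new loop condition and the skip branch, isspace(*p) is called on a plain char (p walks the const char *str argument), which is undefined behaviour for bytes with the high bit set on platforms where char is signed; use isspace((unsigned char)*p) in both places, and make sure <ctype.h> is included, which this hunk does not show. Two smaller points: whitespace is only skipped when it falls at the start of a group, so a line break inside a four-character group is still passed to token_decode(p), and the decoder should either handle that or say it is unsupported. The added lines also mix tabs and spaces and leave trailing blanks after "unsigned int val;" and "unsigned int marker;".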
@@ -135,8 +141,6 @@ base64Decode(const char *str, void *data)
        if (marker < 1)
            *q++ = val & 0xff;
        p += 4;
-       if (*p == '\n')
-           p++;
     }
     return q - (unsigned char *) data;
 }
diff --git a/mech_eap/util_moonshot.c b/mech_eap/util_moonshot.c
index ce05322..68537a3 100644
--- a/mech_eap/util_moonshot.c
+++ b/mech_eap/util_moonshot.c
@@ -241,8 +241,7 @@ libMoonshotResolveInitiatorCred(OM_uint32 *minor,
 
         blobLength = base64Decode(caCertificate, blobData);
 
-        if ((blobLength <= 0) ||
-            (blobLength < maxLength - 2)) {
+        if (blobLength <= 0) {
             major = GSS_S_DEFECTIVE_CREDENTIAL;
             *minor = GSSEAP_BAD_CACERTIFICATE;
             GSSEAP_FREE(blobData);
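Review bot: Dropping the "(blobLength < maxLength - 2)" test leaves "blobLength <= 0" as the only validation of the decoded CA certificate, and base64Decode() as patched ends its loop at the first character that is not base64, '=' or whitespace and returns the bytes decoded so far. A caCertificate string with stray characters part-way through would therefore yield a short positive length and pass this check as a truncated blob. Consider having base64Decode() return an error when it stops before the terminating NUL, or checking here that the whole input was consumed, so that a damaged certificate fails with GSSEAP_BAD_CACERTIFICATE rather than being handed on.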

** Affects: moonshot-gss-eap (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1438483

Title:
  Sync moonshot-gss-eap 0.9.2-3+deb8u1 (universe) from Debian unstable
  (main)
