|
1 This patch fixes CVE-2013-0308. |
|
2 It was created from a diff between the version 1.8.1.4 of this file |
|
3 from the community and the current one. The only changes to this file |
|
4 are for addressing this CVE. |
|
5 Here is the community diff: |
|
6 https://github.com/gitster/git/commit/0ee7198f457c8ea031b09b528cfd88f0f0e630d8 |
|
7 |
|
8 --- git-1.7.9.2/imap-send.c_orig 2012-02-22 18:04:18.000000000 -0800 |
|
9 +++ git-1.7.9.2/imap-send.c 2015-03-25 12:23:29.465800340 -0700 |
|
10 @@ -31,6 +31,7 @@ |
|
11 #else |
|
12 #include <openssl/evp.h> |
|
13 #include <openssl/hmac.h> |
|
14 +#include <openssl/x509v3.h> |
|
15 #endif |
|
16 |
|
17 struct store_conf { |
|
18 @@ -266,12 +267,64 @@ |
|
19 } |
|
20 } |
|
21 |
|
22 +#ifdef NO_OPENSSL |
|
23 static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int verify) |
|
24 { |
|
25 -#ifdef NO_OPENSSL |
|
26 fprintf(stderr, "SSL requested but SSL support not compiled in\n"); |
|
27 return -1; |
|
28 +} |
|
29 + |
|
30 #else |
|
31 + |
|
32 +static int host_matches(const char *host, const char *pattern) |
|
33 +{ |
|
34 + if (pattern[0] == '*' && pattern[1] == '.') { |
|
35 + pattern += 2; |
|
36 + if (!(host = strchr(host, '.'))) |
|
37 + return 0; |
|
38 + host++; |
|
39 + } |
|
40 + |
|
41 + return *host && *pattern && !strcasecmp(host, pattern); |
|
42 +} |
|
43 + |
|
44 +static int verify_hostname(X509 *cert, const char *hostname) |
|
45 +{ |
|
46 + int len; |
|
47 + X509_NAME *subj; |
|
48 + char cname[1000]; |
|
49 + int i, found; |
|
50 + STACK_OF(GENERAL_NAME) *subj_alt_names; |
|
51 + |
|
52 + /* try the DNS subjectAltNames */ |
|
53 + found = 0; |
|
54 + if ((subj_alt_names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL))) { |
|
55 + int num_subj_alt_names = sk_GENERAL_NAME_num(subj_alt_names); |
|
56 + for (i = 0; !found && i < num_subj_alt_names; i++) { |
|
57 + GENERAL_NAME *subj_alt_name = sk_GENERAL_NAME_value(subj_alt_names, i); |
|
58 + if (subj_alt_name->type == GEN_DNS && |
|
59 + strlen((const char *)subj_alt_name->d.ia5->data) == (size_t)subj_alt_name->d.ia5->length && |
|
60 + host_matches(hostname, (const char *)(subj_alt_name->d.ia5->data))) |
|
61 + found = 1; |
|
62 + } |
|
63 + sk_GENERAL_NAME_pop_free(subj_alt_names, GENERAL_NAME_free); |
|
64 + } |
|
65 + if (found) |
|
66 + return 0; |
|
67 + |
|
68 + /* try the common name */ |
|
69 + if (!(subj = X509_get_subject_name(cert))) |
|
70 + return error("cannot get certificate subject"); |
|
71 + if ((len = X509_NAME_get_text_by_NID(subj, NID_commonName, cname, sizeof(cname))) < 0) |
|
72 + return error("cannot get certificate common name"); |
|
73 + if (strlen(cname) == (size_t)len && host_matches(hostname, cname)) |
|
74 + return 0; |
|
75 + return error("certificate owner '%s' does not match hostname '%s'", |
|
76 + cname, hostname); |
|
77 +} |
|
78 + |
|
79 +static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int verify) |
|
80 +{ |
|
81 #if (OPENSSL_VERSION_NUMBER >= 0x10000000L) |
|
82 const SSL_METHOD *meth; |
|
83 #else |
|
84 @@ -279,6 +332,7 @@ |
|
85 #endif |
|
86 SSL_CTX *ctx; |
|
87 int ret; |
|
88 + X509 *cert; |
|
89 |
|
90 SSL_library_init(); |
|
91 SSL_load_error_strings(); |
|
92 @@ -322,9 +376,18 @@ |
|
93 return -1; |
|
94 } |
|
95 |
|
96 + if (verify) { |
|
97 + /* make sure the hostname matches that of the certificate */ |
|
98 + cert = SSL_get_peer_certificate(sock->ssl); |
|
99 + if (!cert) |
|
100 + return error("unable to get peer certificate."); |
|
101 + if (verify_hostname(cert, server.host) < 0) |
|
102 + return -1; |
|
103 + } |
|
104 + |
|
105 return 0; |
|
106 -#endif |
|
107 } |
|
108 +#endif |
|
109 |
|
110 static int socket_read(struct imap_socket *sock, char *buf, int len) |
|
111 { |
|
112 @@ -1022,7 +1085,7 @@ |
|
113 |
|
114 ret = socket_write(&ctx->imap->buf.sock, response, strlen(response)); |
|
115 if (ret != strlen(response)) |
|
116 - return error("IMAP error: sending response failed\n"); |
|
117 + return error("IMAP error: sending response failed"); |
|
118 |
|
119 free(response); |
|
120 |