Add a fix for SA36540 (SSL certificate spoofing vulnerability) taken

from the source repository.
2009-09-14 12:06:12 +00:00 · 2009-09-14 12:06:12 +00:00 · 384b1f7bae
commit 384b1f7bae
parent e6ae5f0ddf
3 changed files with 70 additions and 2 deletions
--- a/net/wget/Makefile
+++ b/net/wget/Makefile
@ -1,12 +1,14 @@
-# $NetBSD: Makefile,v 1.99 2008/07/18 09:36:39 wiz Exp $
+# $NetBSD: Makefile,v 1.100 2009/09/14 12:06:12 tron Exp $

 DISTNAME=	wget-1.11.4
+PKGREVISION=	1
 CATEGORIES=	net
 MASTER_SITES=	${MASTER_SITE_GNU:=wget/}

 MAINTAINER=	pkgsrc-users@NetBSD.org
 HOMEPAGE=	http://www.gnu.org/software/wget/wget.html
 COMMENT=	Retrieve files from the 'net via HTTP and FTP
+LICENSE=	gnu-gpl-v3

 PKG_DESTDIR_SUPPORT=	user-destdir

--- a/net/wget/distinfo
+++ b/net/wget/distinfo
@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.33 2008/07/18 09:36:39 wiz Exp $
+$NetBSD: distinfo,v 1.34 2009/09/14 12:06:12 tron Exp $

 SHA1 (wget-1.11.4.tar.gz) = a78a3b71fd59504df3ff3dbc0a2195a1410e9eac
 RMD160 (wget-1.11.4.tar.gz) = 1cec99b073fcf64dd362977b0b88a55f8f47bbb8
 Size (wget-1.11.4.tar.gz) = 1475149 bytes
+SHA1 (patch-aa) = eb8852e90ba61f2672fb2eea16f6148e27a6ee2b
--- a/net/wget/patches/patch-aa
+++ b/net/wget/patches/patch-aa
@ -0,0 +1,65 @@
+$NetBSD: patch-aa,v 1.9 2009/09/14 12:06:13 tron Exp $
+
+Fix for SA36540 (SSL certificate spoofing vulnerability) taken from here:
+
+http://hg.addictivecode.org/wget/mainline/rev/2d8c76a23e7d
+http://hg.addictivecode.org/wget/mainline/rev/f2d2ca32fd1b
+
+--- src/openssl.c.orig	2008-04-27 05:48:23.000000000 +0100
+++ src/openssl.c	2009-09-14 13:03:13.000000000 +0100
+@@ -561,9 +561,11 @@
+      - Ensure that ASN1 strings from the certificate are encoded as
+        UTF-8 which can be meaningfully compared to HOST.  */
+ 
+  X509_NAME *xname = X509_get_subject_name(cert);
+   common_name[0] = '\0';
+-  X509_NAME_get_text_by_NID (X509_get_subject_name (cert),
+-                             NID_commonName, common_name, sizeof (common_name));
+  X509_NAME_get_text_by_NID (xname, NID_commonName, common_name,
+                             sizeof (common_name));
+
+   if (!pattern_match (common_name, host))
+     {
+       logprintf (LOG_NOTQUIET, _("\
+@@ -571,6 +573,41 @@
+                  severity, escnonprint (common_name), escnonprint (host));
+       success = false;
+     }
+  else
+    {
+      /* We now determine the length of the ASN1 string. If it differs from
+       * common_name's length, then there is a \0 before the string terminates.
+       * This can be an instance of a null-prefix attack.
+       *
+       * https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike
+       * */
+
+      int i = -1, j;
+      X509_NAME_ENTRY *xentry;
+      ASN1_STRING *sdata;
+
+      if (xname) {
+        for (;;)
+          {
+            j = X509_NAME_get_index_by_NID (xname, NID_commonName, i);
+            if (j == -1) break;
+            i = j;
+          }
+      }
+
+      xentry = X509_NAME_get_entry(xname,i);
+      sdata = X509_NAME_ENTRY_get_data(xentry);
+      if (strlen (common_name) != ASN1_STRING_length (sdata)) 
+        {
+          logprintf (LOG_NOTQUIET, _("\
+%s: certificate common name is invalid (contains a NUL character).\n\
+This may be an indication that the host is not who it claims to be\n\
+(that is, it is not the real %s).\n"),
+                     severity, escnonprint (host));
+          success = false;
+        }
+    }
+  
+ 
+   if (success)
+     DEBUGP (("X509 certificate successfully verified and matches host %s\n",