Hello community, here is the log from the commit of package kdelibs4 for openSUSE:11.4 checked in at Fri Mar 25 10:40:32 CET 2011.
--------
--- old-versions/11.4/all/kdelibs4/kdelibs4.changes 2011-02-22 13:18:50.000000000 +0100
+++ 11.4/kdelibs4/kdelibs4.changes 2011-03-22 21:06:36.000000000 +0100
@@ -1,0 +2,5 @@
+Tue Mar 22 20:05:02 UTC 2011 - [email protected]
+
+- Harden SSL verification against poisoned DNS attacks (bnc#669222)
+
+-------------------------------------------------------------------
Package does not exist at destination yet. Using Fallback old-versions/11.4/all/kdelibs4
Destination is old-versions/11.4/UPDATES/all/kdelibs4
calling whatdependson for 11.4-i586

New:
----
  23621737-ssl-wildcards.diff

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ kdelibs4-apidocs.spec ++++++
--- /var/tmp/diff_new_pack.LGCABi/_old 2011-03-25 10:40:20.000000000 +0100
+++ /var/tmp/diff_new_pack.LGCABi/_new 2011-03-25 10:40:20.000000000 +0100
@@ -26,7 +26,7 @@
 Summary: KDE 4 API documentation
 Url: http://www.kde.org
 Version: 4.6.0
-Release: 3.<RELEASE2>
+Release: 3.<RELEASE3>
 Requires: kde4-filesystem
 Source0: kdelibs-%version.tar.bz2
 Source1: baselibs.conf
++++++ kdelibs4.spec ++++++
--- /var/tmp/diff_new_pack.LGCABi/_old 2011-03-25 10:40:20.000000000 +0100
+++ /var/tmp/diff_new_pack.LGCABi/_new 2011-03-25 10:40:20.000000000 +0100
@@ -44,7 +44,7 @@
 Summary: KDE Base Libraries
 Url: http://www.kde.org
 Version: 4.6.0
-Release: 6.<RELEASE3>
+Release: 6.<RELEASE13>
 Requires: soprano >= %( echo `rpm -q --queryformat '%{VERSION}' libsoprano-devel`)
 Recommends: strigi >= %( echo `rpm -q --queryformat '%{VERSION}' strigi-devel`)
 Requires: kdelibs4-core = %version
@@ -76,6 +76,7 @@
 Patch26: 590a1901-plasma-extenderitem-crashfix.diff
 Patch27: udisks-no-volume-label.diff
 Patch28: no_kbookmark_write_error.diff
+Patch29: 23621737-ssl-wildcards.diff
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %requires_ge libqt4-x11
 %if 0%{?opensuse_bs}
@@ -165,6 +166,7 @@
 %patch26 -p1
 %patch27 -p1
 %patch28 -p1
+%patch29 -p1
 #
 # define KDE version exactly
 #
++++++ 23621737-ssl-wildcards.diff ++++++
commit 23621737060e4df0fba238c25fb5b65f81181971
Author: David Faure <[email protected]>
Date: Mon Jan 31 14:51:52 2011 +0100

Harden SSL verification against poisoned DNS attacks

... in the case of certificates that are issued against an IP address rather than a hostname.

Patch by Tomas Hoger / Red Hat Security Response Team, reviewed by Jeff Mitchell and Richard Moore.

diff --git a/kio/kio/tcpslavebase.cpp b/kio/kio/tcpslavebase.cpp
index b03727a..e6f59ca 100644
--- a/kio/kio/tcpslavebase.cpp
+++ b/kio/kio/tcpslavebase.cpp
@@ -549,23 +549,34 @@ TCPSlaveBase::SslResult TCPSlaveBase::startTLSInternal(uint v_)
     // domain<->certificate matching here.
     d->sslErrors = d->socket.sslErrors();
     QSslCertificate peerCert = d->socket.peerCertificateChain().first();
-    QStringList domainPatterns(peerCert.subjectInfo(QSslCertificate::CommonName));
-    domainPatterns += peerCert.alternateSubjectNames().values(QSsl::DnsEntry);
     QMutableListIterator<KSslError> it(d->sslErrors);
     while (it.hasNext()) {
         // As of 4.4.0 Qt does not assign a certificate to the QSslError it emits
         // *in the case of HostNameMismatch*. A HostNameMismatch, however, will always
         // be an error of the peer certificate so we just don't check the error's
         // certificate().
-        if (it.next().error() != KSslError::HostNameMismatch) {
-            continue;
+
+        // Remove all HostNameMismatch, we have to redo name checking later.
+        if (it.next().error() == KSslError::HostNameMismatch) {
+            it.remove();
         }
-        Q_FOREACH (const QString &dp, domainPatterns) {
-            if (isMatchingHostname(dp, d->host)) {
-                it.remove();
-            }
+    }
+    // Redo name checking here and (re-)insert HostNameMismatch to sslErrors if
+    // host name does not match any of the names in server certificate.
+    // QSslSocket may not report HostNameMismatch error, when server
+    // certificate was issued for the IP we are connecting to.
+    QStringList domainPatterns(peerCert.subjectInfo(QSslCertificate::CommonName));
+    domainPatterns += peerCert.alternateSubjectNames().values(QSsl::DnsEntry);
+    bool names_match = false;
+    foreach (const QString &dp, domainPatterns) {
+        if (isMatchingHostname(dp, d->host)) {
+            names_match = true;
+            break;
         }
     }
+    if (!names_match) {
+        d->sslErrors.insert(0, KSslError(KSslError::HostNameMismatch, peerCert));
+    }
 
     // TODO: review / rewrite / remove the comment
     // The app side needs the metadata now for the SSL error dialog (if any) but
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
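Review bot: The rebuilt check fills `domainPatterns` from the CommonName and the `QSsl::DnsEntry` alternate names only, so `QSsl::IpAddressEntry` entries are never consulted and a connection made to an IP literal will now carry HostNameMismatch unless `isMatchingHostname` happens to accept the CN for it — a fail-closed outcome that fits the commit message but is nowhere stated. I would extend the comment above the new `QStringList domainPatterns(...)` line with `// IP-address SANs are deliberately ignored: the name verified is d->host, never the address the socket ended up connected to.` so a later "fix" adding IpAddressEntry has to revisit the threat first. Note also that in Qt 4 `subjectInfo(CommonName)` returns a single QString, so a certificate without a CN contributes one empty pattern and the result rests on `isMatchingHostname` rejecting an empty pattern — worth confirming in that helper, which lies outside this hunk. Style: the loop uses `foreach` and `names_match` while the removed line used `Q_FOREACH` and the surrounding locals are camelCase (`domainPatterns`, `peerCert`); `Q_FOREACH (const QString &dp, domainPatterns)` with `bool namesMatch = false;` keeps the hunk consistent with the file. startTLSInternal both begins and ends outside the hunk.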
