From defebaa488f22c77009c7dfdd38045138baa342c Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Wed, 5 Aug 2009 22:59:58 +0000 Subject: Add CVE information, clear unrelated part from patch. svn path=/branches/BRANCH_6-3/; revision=5394 --- NEWS | 17 +++++++++++++---- fetchmail-SA-2009-01.txt | 20 ++++++++------------ 2 files changed, 21 insertions(+), 16 deletions(-) diff --git a/NEWS b/NEWS index 46d97ea2..8b09f7d7 100644 --- a/NEWS +++ b/NEWS @@ -49,12 +49,21 @@ removed from a 6.4.0 or newer release.) -------------------------------------------------------------------------------- -fetchmail 6.3.11 (released XXXX-XX-XX - i. e. not yet): +fetchmail 6.3.11 (released 2009-08-06): # SECURITY BUGFIXES -* Fetchmail checks the Subject CommonName and Subject AltName X.509 certificate - fields for embedded NUL characters and aborts certificate verification to - counter recent SSL certificate verification attacks. Untested. +* CVE-2009-2666: SSL NUL prefix impersonation attack through NULs in a + part of a X.509 certificate's CommonName and subjectAltName fields. These + fields use opaque strings with a separate length field, so that the NUL + character isn't a special character inside the certificate. Fetchmail, being + written in the C language, used to treat these strings as C strings + nonetheless, so that the domain comparison would end at the first embedded NUL + character, rather than at the real end of the string. + Fetchmail will now abort certificate verification as failed if NULs are + encountered inside either of these fields regardless of their position, and + drop the connection even if --sslcertck is not used, because NUL is not a + valid character in legitimate DNS names. + See fetchmail-SA-2009-01.txt for details, including a minimal patch. # BUGFIXES * Remove the spurious message "message delimiter found while scanning headers". diff --git a/fetchmail-SA-2009-01.txt b/fetchmail-SA-2009-01.txt index 06b7a9c5..93622c99 100644 --- a/fetchmail-SA-2009-01.txt +++ b/fetchmail-SA-2009-01.txt @@ -4,18 +4,17 @@ Topics: Improper SSL certificate subject verification Author: Matthias Andree Version: 1.0 -Announced: 2009-08-XX +Announced: 2009-08-06 Type: Allows undetected Man-in-the-middle attacks against SSL/TLS. Impact: Credential disclose to eavesdroppers. -Danger: low -CVSS V2 vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C) +Danger: medium +CVSSv2 vectors: (AV:N/AC:M/Au:N/C:P/I:N/A:N) (E:H/RL:OF/RC:C) -Credits: -CVE Name: CVE-2009-xxxx +CVE Name: CVE-2009-2666 URL: http://www.fetchmail.info/fetchmail-SA-2009-01.txt Project URL: http://www.fetchmail.info/ -Affects: fetchmail release before and excluding 6.3.11 +Affects: fetchmail releases up to and including 6.3.10 Not affected: fetchmail release 6.3.11 and newer @@ -33,6 +32,7 @@ References: "Null Prefix Attacks Against SSL/TLS Certificates", ================== 2009-08-05 0.1 first draft (visible in SVN) +2009-08-06 1.0 first release 1. Background @@ -131,7 +131,7 @@ Index: socket.c if (_ssl_server_cname != NULL) { char *p1 = buf; char *p2 = _ssl_server_cname; -@@ -643,14 +649,21 @@ +@@ -643,11 +649,18 @@ * first find a match among alternative names */ gens = (STACK_OF(GENERAL_NAME) *)X509_get_ext_d2i(x509_cert, NID_subject_alt_name, NULL, NULL); if (gens) { @@ -152,10 +152,6 @@ Index: socket.c + return 0; + } if (outlevel >= O_VERBOSE) -- report(stderr, "Subject Alternative Name: %s\n", p1); -+ report(stdout, GT_("Subject Alternative Name: %s\n"), p1); - if (*p1 == '*') { - ++p1; - n = strlen(p2) - strlen(p1); + report(stderr, "Subject Alternative Name: %s\n", p1); END OF fetchmail-SA-2009-01.txt -- cgit v1.2.3