Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 170927 Details for
Bug 245850
net-libs/gnutls <2.4.1-r2 Failure to check certificates (CVE-2008-4989)
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
gnutls-2.2.5-selfsigned-trust.patch
gnutls-2.2.5-selfsigned-trust.patch (text/plain), 1.81 KB, created by
Robert Buchholz (RETIRED)
on 2008-11-06 17:58:19 UTC
(
hide
)
Description:
gnutls-2.2.5-selfsigned-trust.patch
Filename:
MIME Type:
Creator:
Robert Buchholz (RETIRED)
Created:
2008-11-06 17:58:19 UTC
Size:
1.81 KB
patch
obsolete
>From 5c27c1a50cabe9db19afd114a56416bb78923fd3 Mon Sep 17 00:00:00 2001 >From: Martin von Gagern <Martin.vGagern@gmx.net> >Date: Mon, 3 Nov 2008 13:35:13 +0100 >Subject: [PATCH] Drop self signed certificate from certificate chain before validating > certificates. This avoids the penultimate certificate to get incorrectly > trusted. > >--- > lib/x509/verify.c | 22 +++++++++++----------- > 1 files changed, 11 insertions(+), 11 deletions(-) > >diff --git a/lib/x509/verify.c b/lib/x509/verify.c >index 041a450..8fa90dc 100644 >--- a/lib/x509/verify.c >+++ b/lib/x509/verify.c >@@ -374,6 +374,17 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list, > int i = 0, ret; > unsigned int status = 0, output; > >+ /* Check if the last certificate in the path is self signed. >+ * In that case ignore it (a certificate is trusted only if it >+ * leads to a trusted party by us, not the server's). >+ */ >+ if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], >+ certificate_list[clist_size - 1]) > 0 >+ && clist_size > 0) >+ { >+ clist_size--; >+ } >+ > /* Verify the last certificate in the certificate path > * against the trusted CA certificate list. > * >@@ -412,17 +423,6 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list, > } > #endif > >- /* Check if the last certificate in the path is self signed. >- * In that case ignore it (a certificate is trusted only if it >- * leads to a trusted party by us, not the server's). >- */ >- if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], >- certificate_list[clist_size - 1]) > 0 >- && clist_size > 0) >- { >- clist_size--; >- } >- > /* Verify the certificate path (chain) > */ > for (i = clist_size - 1; i > 0; i--) >-- >1.6.0.3
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 245850
:
170927
|
170942
|
170962
|
170965