Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 312489 (CVE-2010-1192) - <net-libs/libesmtp-1.0.6: X.509 ASCII NUL spoofing (CVE-2010-{1192,1194})
Summary: <net-libs/libesmtp-1.0.6: X.509 ASCII NUL spoofing (CVE-2010-{1192,1194})
Status: RESOLVED FIXED
Alias: CVE-2010-1192
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-03-31 19:44 UTC by Alex Legler (RETIRED)
Modified: 2010-11-21 16:43 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-31 19:44:47 UTC 
CVE-2010-1192 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1192):
  libESMTP, probably 1.0.4 and earlier, does not properly handle a '\0'
  character in a domain name in the subject's Common Name (CN) field of
  an X.509 certificate, which allows man-in-the-middle attackers to
  spoof arbitrary SSL servers via a crafted certificate issued by a
  legitimate Certification Authority, a related issue to CVE-2009-2408.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-31 19:46:38 UTC 
CVE-2010-1194 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1194):
  The match_component function in smtp-tls.c in libESMTP 1.0.3.r1, and
  possibly other versions including 1.0.4, treats two strings as equal
  if one is a substring of the other, which allows remote attackers to
  spoof trusted certificates via a crafted subjectAltName.
Comment 2 Tim Harder gentoo-dev 2010-09-25 03:18:11 UTC 
I think these problems are fixed in libesmtp-1.0.6 which I just added to the tree.
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2010-09-28 10:29:46 UTC 
Test & stabilize:

=net-libs/libesmtp-1.0.6
Comment 4 Andreas Schürch gentoo-dev 2010-09-29 06:31:50 UTC 
Tests passed successful here on x86.
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2010-10-02 15:05:20 UTC 
Stable on alpha.
Comment 6 Markos Chandras (RETIRED) gentoo-dev 2010-10-03 17:16:01 UTC 
amd64 done
Comment 7 Markus Meier gentoo-dev 2010-10-05 19:08:41 UTC 
x86 stable, thanks Andreas
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2010-10-09 16:34:46 UTC 
ia64/sparc stable
Comment 9 Brent Baude (RETIRED) gentoo-dev 2010-10-15 12:57:41 UTC 
ppc done
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2010-11-20 16:53:27 UTC 
GLSA Vote: no.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-21 16:43:15 UTC 
Vote: NO. Barely used. Feel free to reopen, if you think otherwise.