[pkg-nagios-changes] [Git][nagios-team/icinga2][bookworm] Add upstream patch to fix CVE-2024-49369. (closes: #1087384)

Bas Couwenberg (@sebastic) gitlab at salsa.debian.org
Tue Nov 12 18:09:39 GMT 2024



Bas Couwenberg pushed to branch bookworm at Debian Nagios Maintainer Group / icinga2


Commits:
5c526afa by Bas Couwenberg at 2024-11-12T18:58:01+01:00
Add upstream patch to fix CVE-2024-49369. (closes: #1087384)

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/CVE-2024-49369.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,11 @@
+icinga2 (2.13.6-2+deb12u2) bookworm; urgency=medium
+
+  * Team upload.
+  * Add upstream patch to fix CVE-2024-49369.
+    (closes: #1087384)
+
+ -- Bas Couwenberg <sebastic at debian.org>  Tue, 12 Nov 2024 18:57:26 +0100
+
 icinga2 (2.13.6-2+deb12u1) bookworm; urgency=medium
 
   * Team upload.


=====================================
debian/patches/CVE-2024-49369.patch
=====================================
@@ -0,0 +1,122 @@
+Description: Security: fix TLS certificate validation bypass
+ .
+ The previous validation in set_verify_callback() could be bypassed, tricking
+ Icinga 2 into treating invalid certificates as valid. To fix this, the
+ validation checks were moved into the IsVerifyOK() function.
+ .
+ This is tracked as CVE-2024-49369, more details will be published at a later time.
+Author: Julian Brost <julian.brost at icinga.com>
+Origin: https://github.com/Icinga/icinga2/commit/3504fc7ed688c10d86988e2029a65efc311393fe
+Forwarded: not-needed
+
+--- a/lib/base/tlsstream.cpp
++++ b/lib/base/tlsstream.cpp
+@@ -18,14 +18,48 @@
+ 
+ using namespace icinga;
+ 
+-bool UnbufferedAsioTlsStream::IsVerifyOK() const
++/**
++ * Checks whether the TLS handshake was completed with a valid peer certificate.
++ *
++ * @return true if the peer presented a valid certificate, false otherwise
++ */
++bool UnbufferedAsioTlsStream::IsVerifyOK()
+ {
+-	return m_VerifyOK;
++	if (!SSL_is_init_finished(native_handle())) {
++		// handshake was not completed
++		return false;
++	}
++
++	if (GetPeerCertificate() == nullptr) {
++		// no peer certificate was sent
++		return false;
++	}
++
++	return SSL_get_verify_result(native_handle()) == X509_V_OK;
+ }
+ 
+-String UnbufferedAsioTlsStream::GetVerifyError() const
++/**
++ * Returns a human-readable error string for situations where IsVerifyOK() returns false.
++ *
++ * If the handshake was completed and a peer certificate was provided,
++ * the string additionally contains the OpenSSL verification error code.
++ *
++ * @return string containing the error message
++ */
++String UnbufferedAsioTlsStream::GetVerifyError()
+ {
+-	return m_VerifyError;
++	if (!SSL_is_init_finished(native_handle())) {
++		return "handshake not completed";
++	}
++
++	if (GetPeerCertificate() == nullptr) {
++		return "no peer certificate provided";
++	}
++
++	std::ostringstream buf;
++	long err = SSL_get_verify_result(native_handle());
++	buf << "code " << err << ": " << X509_verify_cert_error_string(err);
++	return buf.str();
+ }
+ 
+ std::shared_ptr<X509> UnbufferedAsioTlsStream::GetPeerCertificate()
+@@ -43,17 +77,17 @@ void UnbufferedAsioTlsStream::BeforeHand
+ 
+ 	set_verify_mode(ssl::verify_peer | ssl::verify_client_once);
+ 
+-	set_verify_callback([this](bool preverified, ssl::verify_context& ctx) {
+-		if (!preverified) {
+-			m_VerifyOK = false;
+-
+-			std::ostringstream msgbuf;
+-			int err = X509_STORE_CTX_get_error(ctx.native_handle());
+-
+-			msgbuf << "code " << err << ": " << X509_verify_cert_error_string(err);
+-			m_VerifyError = msgbuf.str();
+-		}
+-
++	set_verify_callback([](bool preverified, ssl::verify_context& ctx) {
++		(void) preverified;
++		(void) ctx;
++
++		/* Continue the handshake even if an invalid peer certificate was presented. The verification result has to be
++		 * checked using the IsVerifyOK() method.
++		 *
++		 * Such connections are used for the initial enrollment of nodes where they use a self-signed certificate to
++		 * send a certificate request and receive their valid certificate after approval (manually by the administrator
++		 * or using a certificate ticket).
++		 */
+ 		return true;
+ 	});
+ 
+--- a/lib/base/tlsstream.hpp
++++ b/lib/base/tlsstream.hpp
+@@ -70,12 +70,12 @@ class UnbufferedAsioTlsStream : public A
+ public:
+ 	inline
+ 	UnbufferedAsioTlsStream(UnbufferedAsioTlsStreamParams& init)
+-		: AsioTcpTlsStream(init.IoContext, init.SslContext), m_VerifyOK(true), m_Hostname(init.Hostname)
++		: AsioTcpTlsStream(init.IoContext, init.SslContext), m_Hostname(init.Hostname)
+ 	{
+ 	}
+ 
+-	bool IsVerifyOK() const;
+-	String GetVerifyError() const;
++	bool IsVerifyOK();
++	String GetVerifyError();
+ 	std::shared_ptr<X509> GetPeerCertificate();
+ 
+ 	template<class... Args>
+@@ -97,8 +97,6 @@ public:
+ 	}
+ 
+ private:
+-	bool m_VerifyOK;
+-	String m_VerifyError;
+ 	String m_Hostname;
+ 
+ 	void BeforeHandshake(handshake_type type);
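Review bot: The header declarations `+	bool IsVerifyOK();` and `+	String GetVerifyError();` in tlsstream.hpp carry no comment that the verify callback installed in BeforeHandshake() now returns true for every peer certificate, so a caller that only waits for the handshake to succeed no longer gets any peer authentication; that contract belongs on the public declaration, e.g. `/* The handshake completes regardless of peer certificate validity; code that relies on peer authentication must check IsVerifyOK() before trusting the connection. */`. The change also drops `const` from both methods, presumably because `native_handle()` is non-const, which deserves a one-line note in the header so the qualifier is not reintroduced later. In the callback, `(void) preverified; (void) ctx;` could simply be unnamed parameters, and recording `X509_STORE_CTX_get_error(ctx.native_handle())` at debug level when `preverified` is false would keep rejected certificates observable in logs now that the callback itself never fails. BeforeHandshake() starts outside the hunk, as does the body of GetPeerCertificate() that IsVerifyOK() and GetVerifyError() call.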


=====================================
debian/patches/series
=====================================
@@ -1,2 +1,3 @@
 21_config_changes
 postgres-checkcommand.patch
+CVE-2024-49369.patch


