Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability fixed in 1.26
Salvatore Bonaccorso
salvatore.bonaccorso at gmail.com
Mon Jul 6 19:20:59 UTC 2009
tag 535946 + patch
thanks
Hi
On Mon, Jul 06, 2009 at 10:36:15AM +0100, Dominic Hargreaves wrote:
> Package: libio-socket-ssl-perl
> Version: 1.24-1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> 1.26 (just uploaded to unstable) fixes what looks like a fairly serious
> security issue:
>
> v1.26 2009.07.03
> - SECURITY BUGFIX!
> fix Bug in verify_hostname_of_cert where it matched only the prefix for
> the hostname when no wildcard was given, e.g. www.example.org matched
> against a certificate with name www.exam in it
> Thanks to MLEHMANN for reporting
I "backported" the changes from 1.25 to 1.26 from unstable to the 1.16
in Lenny:
---(snip)---------------------------------------------------------------
diff -urN libio-socket-ssl-perl-1.16.orig/SSL.pm libio-socket-ssl-perl-1.16/SSL.pm
--- libio-socket-ssl-perl-1.16.orig/SSL.pm 2009-07-06 21:10:48.000000000 +0200
+++ libio-socket-ssl-perl-1.16/SSL.pm 2009-07-06 21:12:56.000000000 +0200
@@ -1036,7 +1036,7 @@
$ip4 = inet_aton( $identity ) or croak "'$identity' is not IPv4, but neither IPv6 nor hostname";
} else {
# assume hostname
- if ( $identity !~m{^[a-zA-Z0-9-_\.]+$} ) {
+ if ( $identity !~m{^[\w\-\.]+$} ) {
$identity = idn_to_ascii($identity) or
croak "Warning: Given name '$identity' could not be converted to IDNA!";
}
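Review bot: In the + line, \w is wider than the explicit ASCII class it replaces: on a character string under Perl's Unicode semantics it also matches non-ASCII letters and digits, so an internationalized name could pass this test and never reach idn_to_ascii. If the goal is only to tidy the class, keep it ASCII-only, for example [A-Za-z0-9_\-\.]. Separately, in the context lines the croak message interpolates $identity after the failed assignment has already overwritten it, so the name that could not be converted is missing from the error; assigning the result to a temporary first would preserve it.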
@@ -1058,7 +1058,7 @@
} elsif ( $wtyp eq 'leftmost' and $name =~m{^\*(\..+)$} ) {
$pattern = qr{^[\w\-]*\Q$1\E$}i;
} else {
- $pattern = qr{^\Q$name}i;
+ $pattern = qr{^\Q$name\E$}i;
}
return $identity =~ $pattern;
};
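Review bot: The pattern on the + line ends in $, which in Perl also matches just before a trailing newline, so an identity consisting of the certificate name followed by a newline would still be accepted; \z anchors at the true end of the string. Suggested form: qr{^\Q$name\E\z}i. The leftmost-wildcard pattern in the context line above ends in the same $ and would want the same change for consistency.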
diff -urN libio-socket-ssl-perl-1.16.orig/t/verify_hostname.t libio-socket-ssl-perl-1.16/t/verify_hostname.t
--- libio-socket-ssl-perl-1.16.orig/t/verify_hostname.t 2009-07-06 21:10:48.000000000 +0200
+++ libio-socket-ssl-perl-1.16/t/verify_hostname.t 2009-07-06 21:11:09.000000000 +0200
@@ -88,6 +88,7 @@
'www-13.lala.other.local' => [],
'smtp.mydomain.local' => [qw(smtp ldap www)],
'xn--lwe-sna.idntest.local' => [qw(smtp ldap www)],
+ 'smtp.mydomain.localizing.useless.local' => [],
);
if ( $can_idn ) {
# check IDN handling
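Review bot: The added entry is the only regression case for the prefix-match bug and has no comment saying what it guards against, so a later cleanup could drop it as a stray name. A one-line comment next to it (identity that merely starts with a certificate name must not match) would help, and a second entry where the extra text begins at a label boundary after the full name would cover the other shape of the same bug, since this one extends the last label mid-word.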
---(snap)---------------------------------------------------------------
These are the changes made from 1.25 to 1.26.
Kind regards
Salvatore