[Git][debian-proftpd-team/proftpd][buster] Add patch for #946345 & #946346.
Hilmar Preuße
gitlab at salsa.debian.org
Sun Dec 8 15:29:47 GMT 2019
Hilmar Preuße pushed to branch buster at Debian ProFTPD Team / proftpd
Commits:
a746f642 by Hilmar Preuße at 2019-12-08T15:29:49Z
Add patch for #946345 & #946346.
- - - - -
3 changed files:
- debian/changelog
- debian/patches/series
- + debian/patches/upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,12 @@
+proftpd-dfsg (1.3.6-4+deb10u3) buster-security; urgency=medium
+
+ * Cherry pick patch from upstream:
+ - for upstream 861 (CVE-2019-19269) (Closes: #946345)
+ - for upstream 859 (CVE-2019-19270) (Closes: #946346)
+ upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269
+
+ -- Hilmar Preusse <hille42 at web.de> Sun, 08 Dec 2019 16:19:57 +0100
+
proftpd-dfsg (1.3.6-4+deb10u2) buster-security; urgency=medium
* Add patch from upstream to address CVE-2019-18217.
=====================================
debian/patches/series
=====================================
@@ -19,3 +19,4 @@ wrong-path-for-interpreter_perl.diff
github_pr_594
CVE-2019-12815.patch
bug_846_CVE-2019-18217.patch
+upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269
=====================================
debian/patches/upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269
=====================================
@@ -0,0 +1,35 @@
+From 81cc5dce4fc0285629a1b08a07a109af10c208dd Mon Sep 17 00:00:00 2001
+From: TJ Saunders <tj at castaglia.org>
+Date: Sun, 24 Nov 2019 14:03:54 -0800
+Subject: [PATCH] Issue #859, #861: Fix handling of CRL lookups by properly
+ using issuer for lookups, and guarding against null pointers.
+
+---
+ contrib/mod_tls.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- proftpd-dfsg.orig/contrib/mod_tls.c
++++ proftpd-dfsg/contrib/mod_tls.c
+@@ -8968,10 +8968,10 @@
+
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
+ !defined(HAVE_LIBRESSL)
+- crls = X509_STORE_CTX_get1_crls(store_ctx, subject);
++ crls = X509_STORE_CTX_get1_crls(store_ctx, issuer);
+ #elif OPENSSL_VERSION_NUMBER >= 0x10000000L && \
+ !defined(HAVE_LIBRESSL)
+- crls = X509_STORE_get1_crls(store_ctx, subject);
++ crls = X509_STORE_get1_crls(store_ctx, issuer);
+ #else
+ /* Your OpenSSL is before 1.0.0. You really need to upgrade. */
+ crls = NULL;
+@@ -8990,6 +8990,9 @@
+ ASN1_INTEGER *sn;
+
+ revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), j);
++ if (revoked == NULL) {
++ continue;
++ }
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
+ !defined(HAVE_LIBRESSL)
+ sn = X509_REVOKED_get0_serialNumber(revoked);
View it on GitLab: https://salsa.debian.org/debian-proftpd-team/proftpd/commit/a746f642bb8906642021cf75a4aeaf4a2308c7cb
--
View it on GitLab: https://salsa.debian.org/debian-proftpd-team/proftpd/commit/a746f642bb8906642021cf75a4aeaf4a2308c7cb
You're receiving this email because of your account on salsa.debian.org.
More information about the Pkg-proftpd-maintainers
mailing list