619216-gnutls-CN-validation.patch: fix the validation of the commonname in the gnutls...
authorAntonio Radici <antonio@dyne.org>
Thu, 5 May 2011 10:54:10 +0000 (10:54 +0000)
committerAntonio Radici <antonio@dyne.org>
Thu, 5 May 2011 10:54:10 +0000 (10:54 +0000)
debian/changelog
debian/patches/series
debian/patches/upstream/619216-gnutls-CN-validation.patch [new file with mode: 0644]

index 51013851bbd245ac8d51eb4115f6065763c64884..8642a5459e868b7b03e4f3fa7a3d257f9bc09bbc 100644 (file)
@@ -25,6 +25,8 @@ mutt (1.5.21-5) unstable; urgency=low
     + 584138-mx_update_context-segfault.patch: fix a segfault due to holes in
       IMAP headers, 537694-segv-imap-headers.patch is removed as part of this fix
       (Closes: 584138)
+    + 619216-gnutls-CN-validation.patch: fix the validation of the
+      commonname in the gnutls code (Closes: 619216)
   * debian/patches/compressed-folders: remove partially uncompressed folder if
       the open fails (Closes: 578098)
   * debian/extra/samples/sidebar.muttrc: documented the options that
index 2e550438b9b2f7c522e93d7ceebc21409f2246f7..08a21047378f492ad73f2a63709235e239c5fdd1 100644 (file)
@@ -50,6 +50,7 @@ upstream/611412-bts-regexp.patch
 upstream/624058-gnutls-deprecated-set-priority.patch
 upstream/624085-gnutls-deprecated-verify-peers.patch
 upstream/584138-mx_update_context-segfault.patch
+upstream/619216-gnutls-CN-validation.patch
 upstream/path_max
 
 mutt.org
diff --git a/debian/patches/upstream/619216-gnutls-CN-validation.patch b/debian/patches/upstream/619216-gnutls-CN-validation.patch
new file mode 100644 (file)
index 0000000..517e543
--- /dev/null
@@ -0,0 +1,36 @@
+This patch addresses a security problem due to the fact that the validation of
+the SSL CN is not correctly done in the gnutls-related code of mutt.
+
+The patch has been provided by hhorak on http://bugs.mutt.org/3506, the original
+bug where the security problem was reported for Debian is
+http://bugs.debian.org/619216
+
+--- a/mutt_ssl_gnutls.c
++++ b/mutt_ssl_gnutls.c
+@@ -999,6 +999,7 @@
+   unsigned int cert_list_size = 0;
+   gnutls_certificate_status certstat;
+   int certerr, i, preauthrc, savedcert, rc = 0;
++  int rcpeer;
+   if (gnutls_auth_get_type (state) != GNUTLS_CRD_CERTIFICATE)
+   {
+@@ -1024,6 +1025,9 @@
+   for (i = 0; i < cert_list_size; i++) {
+     rc = tls_check_preauth(&cert_list[i], certstat, conn->account.host, i,
+                            &certerr, &savedcert);
++    if (i ==0)
++      rcpeeer = rc;
++
+     preauthrc += rc;
+     if (savedcert)
+@@ -1049,7 +1053,7 @@
+         dprint (1, (debugfile, "error trusting certificate %d: %d\n", i, rc));
+       certstat = tls_verify_peers (state);
+-      if (!certstat)
++      if (!certstat && !rcpeer)
+         return 1;
+     }
+   }
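Review bot: The added line `rcpeeer = rc;` in the `@@ -1024,6 +1025,9 @@` hunk assigns to an identifier that no visible hunk declares — the variable introduced at the top of the function is `rcpeer` — so mutt_ssl_gnutls.c will fail to compile with this patch applied and the CN-validation fix never reaches the built package; the line should be `rcpeer = rc;` (and `if (i ==0)` is better written `if (i == 0)`). That matters because the guard `if (!certstat && !rcpeer)` in the last hunk is the actual security change: it stops the chain-trust shortcut from returning success when the leaf certificate (index 0) failed tls_check_preauth, which is where the host name is checked, and a build failure would silently leave the original permissive behaviour in place. Reading `rcpeer` only inside the loop means it is always assigned before use when cert_list_size is non-zero, but an explicit initializer such as `int rcpeer = 0;` would keep compilers from warning about it; the enclosing function starts and ends outside the hunks, and the blank context lines appear to have been dropped by extraction.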