From 1acfda2f949fe61631c7602c865964453ece85e0 Mon Sep 17 00:00:00 2001 From: Léo Le Bouter Date: Thu, 11 Mar 2021 02:32:19 +0100 Subject: gnu: geary: Fix CVE-2020-24661. * gnu/packages/patches/geary-CVE-2020-24661.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/gnome.scm (geary): Apply it. --- gnu/packages/patches/geary-CVE-2020-24661.patch | 133 ++++++++++++++++++++++++ 1 file changed, 133 insertions(+) create mode 100644 gnu/packages/patches/geary-CVE-2020-24661.patch (limited to 'gnu/packages/patches') diff --git a/gnu/packages/patches/geary-CVE-2020-24661.patch b/gnu/packages/patches/geary-CVE-2020-24661.patch new file mode 100644 index 0000000000..6cbc224786 --- /dev/null +++ b/gnu/packages/patches/geary-CVE-2020-24661.patch @@ -0,0 +1,133 @@ +From d4e86dc91e1d8a940dc40872fe94ef9ac0fed1b5 Mon Sep 17 00:00:00 2001 +From: Michael Gratton +Date: Tue, 25 Aug 2020 03:54:09 +0000 +Subject: [PATCH] Merge branch 'mjog/866-self-signed-certificates' into + 'mainline' + +Fix invalid certificate pinning when GCR support is unavailable + +Closes #866 + +See merge request GNOME/geary!529 + +(cherry picked from commit 423a55b00f1dc6bee9dc17e67c0aea6f42387a77) + +5088adfe Application.CertificateManager: Rename some methods for clarity +0d957559 Application.CertificateManager: Check locally pinned certs for equality +--- + .../application-certificate-manager.vala | 44 +++++++++---------- + 1 file changed, 22 insertions(+), 22 deletions(-) + +diff --git a/src/client/application/application-certificate-manager.vala b/src/client/application/application-certificate-manager.vala +index 4881d73c0..65f6af4fa 100644 +--- a/src/client/application/application-certificate-manager.vala ++++ b/src/client/application/application-certificate-manager.vala +@@ -381,8 +381,8 @@ private class Application.TlsDatabase : GLib.TlsDatabase { + GLib.TlsCertificateFlags ret = this.parent.verify_chain( + chain, purpose, identity, interaction, flags, cancellable + ); +- if (should_verify(ret, purpose, identity) && +- verify(chain, identity, cancellable)) { ++ if (check_pinned(ret, purpose, identity) && ++ is_pinned(chain, identity, cancellable)) { + ret = 0; + } + return ret; +@@ -399,16 +399,16 @@ private class Application.TlsDatabase : GLib.TlsDatabase { + GLib.TlsCertificateFlags ret = yield this.parent.verify_chain_async( + chain, purpose, identity, interaction, flags, cancellable + ); +- if (should_verify(ret, purpose, identity) && +- yield verify_async(chain, identity, cancellable)) { ++ if (check_pinned(ret, purpose, identity) && ++ yield is_pinned_async(chain, identity, cancellable)) { + ret = 0; + } + return ret; + } + +- private inline bool should_verify(GLib.TlsCertificateFlags parent_ret, +- string purpose, +- GLib.SocketConnectable? identity) { ++ private inline bool check_pinned(GLib.TlsCertificateFlags parent_ret, ++ string purpose, ++ GLib.SocketConnectable? identity) { + // If the parent didn't verify, check for a locally pinned + // cert if it looks like we should, but always reject revoked + // certs +@@ -420,22 +420,22 @@ private class Application.TlsDatabase : GLib.TlsDatabase { + ); + } + +- private bool verify(GLib.TlsCertificate chain, +- GLib.SocketConnectable identity, +- GLib.Cancellable? cancellable) ++ private bool is_pinned(GLib.TlsCertificate chain, ++ GLib.SocketConnectable identity, ++ GLib.Cancellable? cancellable) + throws GLib.Error { +- bool is_verified = false; ++ bool is_pinned = false; + string id = to_name(identity); + TrustContext? context = null; + lock (this.pinned_certs) { + context = this.pinned_certs.get(id); + if (context != null) { +- is_verified = true; ++ is_pinned = context.certificate.is_same(chain); + } else { + // Cert not found in memory, check with GCR if + // enabled. + if (this.use_gcr) { +- is_verified = gcr_trust_is_certificate_pinned( ++ is_pinned = gcr_trust_is_certificate_pinned( + new Gcr.SimpleCertificate(chain.certificate.data), + GLib.TlsDatabase.PURPOSE_AUTHENTICATE_SERVER, + id, +@@ -443,7 +443,7 @@ private class Application.TlsDatabase : GLib.TlsDatabase { + ); + } + +- if (!is_verified) { ++ if (!is_pinned) { + // Cert is not pinned in memory or in GCR, so look + // for it on disk. Do this even if GCR support is + // enabled, since if the cert was previously saved +@@ -453,7 +453,7 @@ private class Application.TlsDatabase : GLib.TlsDatabase { + this.store_dir, id, cancellable + ); + this.pinned_certs.set(id, context); +- is_verified = true; ++ is_pinned = context.certificate.is_same(chain); + } catch (GLib.IOError.NOT_FOUND err) { + // Cert was not found saved, so it not pinned + } catch (GLib.Error err) { +@@ -465,18 +465,18 @@ private class Application.TlsDatabase : GLib.TlsDatabase { + } + } + } +- return is_verified; ++ return is_pinned; + } + +- private async bool verify_async(GLib.TlsCertificate chain, +- GLib.SocketConnectable identity, +- GLib.Cancellable? cancellable) ++ private async bool is_pinned_async(GLib.TlsCertificate chain, ++ GLib.SocketConnectable identity, ++ GLib.Cancellable? cancellable) + throws GLib.Error { +- bool is_valid = false; ++ bool pinned = false; + yield Geary.Nonblocking.Concurrent.global.schedule_async(() => { +- is_valid = verify(chain, identity, cancellable); ++ pinned = is_pinned(chain, identity, cancellable); + }, cancellable); +- return is_valid; ++ return pinned; + } + + private TrustContext? lookup_id(string id) { +-- +GitLab + -- cgit v1.2.3