[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
branch master updated: gnu: geary: Fix CVE-2020-24661.
From: |
guix-commits |
Subject: |
branch master updated: gnu: geary: Fix CVE-2020-24661. |
Date: |
Wed, 10 Mar 2021 20:34:32 -0500 |
This is an automated email from the git hooks/post-receive script.
lle_bout pushed a commit to branch master
in repository guix.
The following commit(s) were added to refs/heads/master by this push:
new 1acfda2 gnu: geary: Fix CVE-2020-24661.
1acfda2 is described below
commit 1acfda2f949fe61631c7602c865964453ece85e0
Author: Léo Le Bouter <lle-bout@zaclys.net>
AuthorDate: Thu Mar 11 02:32:19 2021 +0100
gnu: geary: Fix CVE-2020-24661.
* gnu/packages/patches/geary-CVE-2020-24661.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/gnome.scm (geary): Apply it.
---
gnu/local.mk | 1 +
gnu/packages/gnome.scm | 3 +-
gnu/packages/patches/geary-CVE-2020-24661.patch | 133 ++++++++++++++++++++++++
3 files changed, 136 insertions(+), 1 deletion(-)
diff --git a/gnu/local.mk b/gnu/local.mk
index eae602a..a68981e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1057,6 +1057,7 @@ dist_patch_DATA =
\
%D%/packages/patches/gd-fix-tests-on-i686.patch \
%D%/packages/patches/gd-brect-bounds.patch \
%D%/packages/patches/gdm-default-session.patch \
+ %D%/packages/patches/geary-CVE-2020-24661.patch \
%D%/packages/patches/genimage-signedness.patch \
%D%/packages/patches/geoclue-config.patch \
%D%/packages/patches/ghc-8.0-fall-back-to-madv_dontneed.patch \
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 50edf9e..d58aa99 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -11339,7 +11339,8 @@ these services on the Guix System.")
(file-name (git-file-name name version))
(sha256
(base32
- "01cc921kyh3zxz07biqbdzkjgmdcc36kwjyajm4y382a75cl5zg7"))))
+ "01cc921kyh3zxz07biqbdzkjgmdcc36kwjyajm4y382a75cl5zg7"))
+ (patches (search-patches "geary-CVE-2020-24661.patch"))))
(build-system meson-build-system)
(arguments
`(#:glib-or-gtk? #t
diff --git a/gnu/packages/patches/geary-CVE-2020-24661.patch
b/gnu/packages/patches/geary-CVE-2020-24661.patch
new file mode 100644
index 0000000..6cbc224
--- /dev/null
+++ b/gnu/packages/patches/geary-CVE-2020-24661.patch
@@ -0,0 +1,133 @@
+From d4e86dc91e1d8a940dc40872fe94ef9ac0fed1b5 Mon Sep 17 00:00:00 2001
+From: Michael Gratton <mike@vee.net>
+Date: Tue, 25 Aug 2020 03:54:09 +0000
+Subject: [PATCH] Merge branch 'mjog/866-self-signed-certificates' into
+ 'mainline'
+
+Fix invalid certificate pinning when GCR support is unavailable
+
+Closes #866
+
+See merge request GNOME/geary!529
+
+(cherry picked from commit 423a55b00f1dc6bee9dc17e67c0aea6f42387a77)
+
+5088adfe Application.CertificateManager: Rename some methods for clarity
+0d957559 Application.CertificateManager: Check locally pinned certs for
equality
+---
+ .../application-certificate-manager.vala | 44 +++++++++----------
+ 1 file changed, 22 insertions(+), 22 deletions(-)
+
+diff --git a/src/client/application/application-certificate-manager.vala
b/src/client/application/application-certificate-manager.vala
+index 4881d73c0..65f6af4fa 100644
+--- a/src/client/application/application-certificate-manager.vala
++++ b/src/client/application/application-certificate-manager.vala
+@@ -381,8 +381,8 @@ private class Application.TlsDatabase : GLib.TlsDatabase {
+ GLib.TlsCertificateFlags ret = this.parent.verify_chain(
+ chain, purpose, identity, interaction, flags, cancellable
+ );
+- if (should_verify(ret, purpose, identity) &&
+- verify(chain, identity, cancellable)) {
++ if (check_pinned(ret, purpose, identity) &&
++ is_pinned(chain, identity, cancellable)) {
+ ret = 0;
+ }
+ return ret;
+@@ -399,16 +399,16 @@ private class Application.TlsDatabase : GLib.TlsDatabase
{
+ GLib.TlsCertificateFlags ret = yield this.parent.verify_chain_async(
+ chain, purpose, identity, interaction, flags, cancellable
+ );
+- if (should_verify(ret, purpose, identity) &&
+- yield verify_async(chain, identity, cancellable)) {
++ if (check_pinned(ret, purpose, identity) &&
++ yield is_pinned_async(chain, identity, cancellable)) {
+ ret = 0;
+ }
+ return ret;
+ }
+
+- private inline bool should_verify(GLib.TlsCertificateFlags parent_ret,
+- string purpose,
+- GLib.SocketConnectable? identity) {
++ private inline bool check_pinned(GLib.TlsCertificateFlags parent_ret,
++ string purpose,
++ GLib.SocketConnectable? identity) {
+ // If the parent didn't verify, check for a locally pinned
+ // cert if it looks like we should, but always reject revoked
+ // certs
+@@ -420,22 +420,22 @@ private class Application.TlsDatabase : GLib.TlsDatabase
{
+ );
+ }
+
+- private bool verify(GLib.TlsCertificate chain,
+- GLib.SocketConnectable identity,
+- GLib.Cancellable? cancellable)
++ private bool is_pinned(GLib.TlsCertificate chain,
++ GLib.SocketConnectable identity,
++ GLib.Cancellable? cancellable)
+ throws GLib.Error {
+- bool is_verified = false;
++ bool is_pinned = false;
+ string id = to_name(identity);
+ TrustContext? context = null;
+ lock (this.pinned_certs) {
+ context = this.pinned_certs.get(id);
+ if (context != null) {
+- is_verified = true;
++ is_pinned = context.certificate.is_same(chain);
+ } else {
+ // Cert not found in memory, check with GCR if
+ // enabled.
+ if (this.use_gcr) {
+- is_verified = gcr_trust_is_certificate_pinned(
++ is_pinned = gcr_trust_is_certificate_pinned(
+ new Gcr.SimpleCertificate(chain.certificate.data),
+ GLib.TlsDatabase.PURPOSE_AUTHENTICATE_SERVER,
+ id,
+@@ -443,7 +443,7 @@ private class Application.TlsDatabase : GLib.TlsDatabase {
+ );
+ }
+
+- if (!is_verified) {
++ if (!is_pinned) {
+ // Cert is not pinned in memory or in GCR, so look
+ // for it on disk. Do this even if GCR support is
+ // enabled, since if the cert was previously saved
+@@ -453,7 +453,7 @@ private class Application.TlsDatabase : GLib.TlsDatabase {
+ this.store_dir, id, cancellable
+ );
+ this.pinned_certs.set(id, context);
+- is_verified = true;
++ is_pinned = context.certificate.is_same(chain);
+ } catch (GLib.IOError.NOT_FOUND err) {
+ // Cert was not found saved, so it not pinned
+ } catch (GLib.Error err) {
+@@ -465,18 +465,18 @@ private class Application.TlsDatabase : GLib.TlsDatabase
{
+ }
+ }
+ }
+- return is_verified;
++ return is_pinned;
+ }
+
+- private async bool verify_async(GLib.TlsCertificate chain,
+- GLib.SocketConnectable identity,
+- GLib.Cancellable? cancellable)
++ private async bool is_pinned_async(GLib.TlsCertificate chain,
++ GLib.SocketConnectable identity,
++ GLib.Cancellable? cancellable)
+ throws GLib.Error {
+- bool is_valid = false;
++ bool pinned = false;
+ yield Geary.Nonblocking.Concurrent.global.schedule_async(() => {
+- is_valid = verify(chain, identity, cancellable);
++ pinned = is_pinned(chain, identity, cancellable);
+ }, cancellable);
+- return is_valid;
++ return pinned;
+ }
+
+ private TrustContext? lookup_id(string id) {
+--
+GitLab
+
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- branch master updated: gnu: geary: Fix CVE-2020-24661.,
guix-commits <=