aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLéo Le Bouter <lle-bout@zaclys.net>2021-03-11 02:32:19 +0100
committerLéo Le Bouter <lle-bout@zaclys.net>2021-03-11 02:32:19 +0100
commit1acfda2f949fe61631c7602c865964453ece85e0 (patch)
tree57f76d3d89adbc42a8c48a79bbf0cc9af2d72e96
parentbe31314638e2f42c706b4865274ffbb86d6aca87 (diff)
downloadguix-1acfda2f949fe61631c7602c865964453ece85e0.tar.gz
guix-1acfda2f949fe61631c7602c865964453ece85e0.zip
gnu: geary: Fix CVE-2020-24661.
* gnu/packages/patches/geary-CVE-2020-24661.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/gnome.scm (geary): Apply it.
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/gnome.scm3
-rw-r--r--gnu/packages/patches/geary-CVE-2020-24661.patch133
3 files changed, 136 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index eae602a01e..a68981e48d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1057,6 +1057,7 @@ dist_patch_DATA = \
%D%/packages/patches/gd-fix-tests-on-i686.patch \
%D%/packages/patches/gd-brect-bounds.patch \
%D%/packages/patches/gdm-default-session.patch \
+ %D%/packages/patches/geary-CVE-2020-24661.patch \
%D%/packages/patches/genimage-signedness.patch \
%D%/packages/patches/geoclue-config.patch \
%D%/packages/patches/ghc-8.0-fall-back-to-madv_dontneed.patch \
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 50edf9ebd9..d58aa9956b 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -11339,7 +11339,8 @@ these services on the Guix System.")
(file-name (git-file-name name version))
(sha256
(base32
- "01cc921kyh3zxz07biqbdzkjgmdcc36kwjyajm4y382a75cl5zg7"))))
+ "01cc921kyh3zxz07biqbdzkjgmdcc36kwjyajm4y382a75cl5zg7"))
+ (patches (search-patches "geary-CVE-2020-24661.patch"))))
(build-system meson-build-system)
(arguments
`(#:glib-or-gtk? #t
diff --git a/gnu/packages/patches/geary-CVE-2020-24661.patch b/gnu/packages/patches/geary-CVE-2020-24661.patch
new file mode 100644
index 0000000000..6cbc224786
--- /dev/null
+++ b/gnu/packages/patches/geary-CVE-2020-24661.patch
@@ -0,0 +1,133 @@
+From d4e86dc91e1d8a940dc40872fe94ef9ac0fed1b5 Mon Sep 17 00:00:00 2001
+From: Michael Gratton <mike@vee.net>
+Date: Tue, 25 Aug 2020 03:54:09 +0000
+Subject: [PATCH] Merge branch 'mjog/866-self-signed-certificates' into
+ 'mainline'
+
+Fix invalid certificate pinning when GCR support is unavailable
+
+Closes #866
+
+See merge request GNOME/geary!529
+
+(cherry picked from commit 423a55b00f1dc6bee9dc17e67c0aea6f42387a77)
+
+5088adfe Application.CertificateManager: Rename some methods for clarity
+0d957559 Application.CertificateManager: Check locally pinned certs for equality
+---
+ .../application-certificate-manager.vala | 44 +++++++++----------
+ 1 file changed, 22 insertions(+), 22 deletions(-)
+
+diff --git a/src/client/application/application-certificate-manager.vala b/src/client/application/application-certificate-manager.vala
+index 4881d73c0..65f6af4fa 100644
+--- a/src/client/application/application-certificate-manager.vala
++++ b/src/client/application/application-certificate-manager.vala
+@@ -381,8 +381,8 @@ private class Application.TlsDatabase : GLib.TlsDatabase {
+ GLib.TlsCertificateFlags ret = this.parent.verify_chain(
+ chain, purpose, identity, interaction, flags, cancellable
+ );
+- if (should_verify(ret, purpose, identity) &&
+- verify(chain, identity, cancellable)) {
++ if (check_pinned(ret, purpose, identity) &&
++ is_pinned(chain, identity, cancellable)) {
+ ret = 0;
+ }
+ return ret;
+@@ -399,16 +399,16 @@ private class Application.TlsDatabase : GLib.TlsDatabase {
+ GLib.TlsCertificateFlags ret = yield this.parent.verify_chain_async(
+ chain, purpose, identity, interaction, flags, cancellable
+ );
+- if (should_verify(ret, purpose, identity) &&
+- yield verify_async(chain, identity, cancellable)) {
++ if (check_pinned(ret, purpose, identity) &&
++ yield is_pinned_async(chain, identity, cancellable)) {
+ ret = 0;
+ }
+ return ret;
+ }
+
+- private inline bool should_verify(GLib.TlsCertificateFlags parent_ret,
+- string purpose,
+- GLib.SocketConnectable? identity) {
++ private inline bool check_pinned(GLib.TlsCertificateFlags parent_ret,
++ string purpose,
++ GLib.SocketConnectable? identity) {
+ // If the parent didn't verify, check for a locally pinned
+ // cert if it looks like we should, but always reject revoked
+ // certs
+@@ -420,22 +420,22 @@ private class Application.TlsDatabase : GLib.TlsDatabase {
+ );
+ }
+
+- private bool verify(GLib.TlsCertificate chain,
+- GLib.SocketConnectable identity,
+- GLib.Cancellable? cancellable)
++ private bool is_pinned(GLib.TlsCertificate chain,
++ GLib.SocketConnectable identity,
++ GLib.Cancellable? cancellable)
+ throws GLib.Error {
+- bool is_verified = false;
++ bool is_pinned = false;
+ string id = to_name(identity);
+ TrustContext? context = null;
+ lock (this.pinned_certs) {
+ context = this.pinned_certs.get(id);
+ if (context != null) {
+- is_verified = true;
++ is_pinned = context.certificate.is_same(chain);
+ } else {
+ // Cert not found in memory, check with GCR if
+ // enabled.
+ if (this.use_gcr) {
+- is_verified = gcr_trust_is_certificate_pinned(
++ is_pinned = gcr_trust_is_certificate_pinned(
+ new Gcr.SimpleCertificate(chain.certificate.data),
+ GLib.TlsDatabase.PURPOSE_AUTHENTICATE_SERVER,
+ id,
+@@ -443,7 +443,7 @@ private class Application.TlsDatabase : GLib.TlsDatabase {
+ );
+ }
+
+- if (!is_verified) {
++ if (!is_pinned) {
+ // Cert is not pinned in memory or in GCR, so look
+ // for it on disk. Do this even if GCR support is
+ // enabled, since if the cert was previously saved
+@@ -453,7 +453,7 @@ private class Application.TlsDatabase : GLib.TlsDatabase {
+ this.store_dir, id, cancellable
+ );
+ this.pinned_certs.set(id, context);
+- is_verified = true;
++ is_pinned = context.certificate.is_same(chain);
+ } catch (GLib.IOError.NOT_FOUND err) {
+ // Cert was not found saved, so it not pinned
+ } catch (GLib.Error err) {
+@@ -465,18 +465,18 @@ private class Application.TlsDatabase : GLib.TlsDatabase {
+ }
+ }
+ }
+- return is_verified;
++ return is_pinned;
+ }
+
+- private async bool verify_async(GLib.TlsCertificate chain,
+- GLib.SocketConnectable identity,
+- GLib.Cancellable? cancellable)
++ private async bool is_pinned_async(GLib.TlsCertificate chain,
++ GLib.SocketConnectable identity,
++ GLib.Cancellable? cancellable)
+ throws GLib.Error {
+- bool is_valid = false;
++ bool pinned = false;
+ yield Geary.Nonblocking.Concurrent.global.schedule_async(() => {
+- is_valid = verify(chain, identity, cancellable);
++ pinned = is_pinned(chain, identity, cancellable);
+ }, cancellable);
+- return is_valid;
++ return pinned;
+ }
+
+ private TrustContext? lookup_id(string id) {
+--
+GitLab
+