Diffstat (limited to 'community/csync2/CVE-2019-15523.patch')
-rw-r--r-- | community/csync2/CVE-2019-15523.patch | 101 |
1 files changed, 101 insertions, 0 deletions
diff --git a/community/csync2/CVE-2019-15523.patch b/community/csync2/CVE-2019-15523.patch
new file mode 100644
index 00000000000..575bee0dafa
--- /dev/null
+++ b/community/csync2/CVE-2019-15523.patch
@@ -0,0 +1,101 @@
+From 92742544a56bcbcd9ec99ca15f898b31797e39e2 Mon Sep 17 00:00:00 2001
+From: Malte Kraus <malte.kraus@suse.com>
+Date: Tue, 13 Aug 2019 13:36:26 +0200
+Subject: [PATCH] repeat gnutls_handshake() call in case of warnings
+
+that's what the semantics of this call require
+---
+ conn.c | 71 ++++++++++++++++++++++++++++++++--------------------------
+ 1 file changed, 39 insertions(+), 32 deletions(-)
+
+diff --git a/conn.c b/conn.c
+index be26f72..c013860 100644
+--- a/conn.c
++++ b/conn.c
+@@ -276,6 +276,7 @@ int conn_activate_ssl(int server_role)
+ char *ssl_keyfile;
+ char *ssl_certfile;
+ int err;
++ int handshake_repeat = 0;
+
+ if (csync_conn_usessl)
+ return 0;
+@@ -333,40 +334,46 @@ int conn_activate_ssl(int server_role)
+ (gnutls_transport_ptr_t)(long)conn_fd_out
+ );
+
+- err = gnutls_handshake(conn_tls_session);
+- switch(err) {
+- case GNUTLS_E_SUCCESS:
+- break;
+-
+- case GNUTLS_E_WARNING_ALERT_RECEIVED:
+- alrt = gnutls_alert_get(conn_tls_session);
+- fprintf(
+- csync_debug_out,
+- "SSL: warning alert received from peer: %d (%s).\n",
+- alrt, gnutls_alert_get_name(alrt)
+- );
+- break;
+-
+- case GNUTLS_E_FATAL_ALERT_RECEIVED:
+- alrt = gnutls_alert_get(conn_tls_session);
+- fprintf(
+- csync_debug_out,
+- "SSL: fatal alert received from peer: %d (%s).\n",
+- alrt, gnutls_alert_get_name(alrt)
+- );
+
+- default:
+- gnutls_bye(conn_tls_session, GNUTLS_SHUT_RDWR);
+- gnutls_deinit(conn_tls_session);
+- gnutls_certificate_free_credentials(conn_x509_cred);
+- gnutls_global_deinit();
++ do {
++ handshake_repeat = 0;
++ err = gnutls_handshake(conn_tls_session);
++ switch(err) {
++ case GNUTLS_E_SUCCESS:
++ break;
+
+- csync_fatal(
+- "SSL: handshake failed: %s (%s)\n",
+- gnutls_strerror(err),
+- gnutls_strerror_name(err)
+- );
+- }
++ case GNUTLS_E_WARNING_ALERT_RECEIVED:
++ alrt = gnutls_alert_get(conn_tls_session);
++ fprintf(
++ csync_debug_out,
++ "SSL: warning alert received from peer: %d (%s).\n",
++ alrt, gnutls_alert_get_name(alrt)
++ );
++ handshake_repeat = 1;
++ break;
++
++ case GNUTLS_E_FATAL_ALERT_RECEIVED:
++ alrt = gnutls_alert_get(conn_tls_session);
++ fprintf(
++ csync_debug_out,
++ "SSL: fatal alert received from peer: %d (%s).\n",
++ alrt, gnutls_alert_get_name(alrt)
++ );
++ // fall-through!
++
++ default:
++ gnutls_bye(conn_tls_session, GNUTLS_SHUT_RDWR);
++ gnutls_deinit(conn_tls_session);
++ gnutls_certificate_free_credentials(conn_x509_cred);
++ gnutls_global_deinit();
++
++ csync_fatal(
++ "SSL: handshake failed: %s (%s)\n",
++ gnutls_strerror(err),
++ gnutls_strerror_name(err)
++ );
++ }
++ } while (handshake_repeat);
+
+ csync_conn_usessl = 1; |
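Review bot: The new `do { … } while (handshake_repeat)` loop in the second hunk of the embedded patch has no upper bound: every GNUTLS_E_WARNING_ALERT_RECEIVED sets `handshake_repeat = 1;` and retries, so a peer that keeps answering the handshake with warning alerts can hold conn_activate_ssl in this loop indefinitely without ever reaching the abort path in `default:`. I would cap it with a counter declared next to `int handshake_repeat = 0;`, e.g. `int handshake_warnings = 0;`, and in the warning case, before `handshake_repeat = 1;`, add `if (++handshake_warnings > 16) csync_fatal("SSL: too many warning alerts during handshake\n");` so the function still fails closed (csync_fatal is used after cleanup in `default:` and appears not to return, but confirm). The other non-fatal codes such as GNUTLS_E_AGAIN and GNUTLS_E_INTERRUPTED still land in `default:` and abort, which is fail-closed and acceptable for a blocking transport, though the GnuTLS idiom `while (err < 0 && !gnutls_error_is_fatal(err))` would cover them if the fds are ever made non-blocking. conn_activate_ssl begins before the first hunk and continues past `csync_conn_usessl = 1;`, so credential setup and any post-handshake peer verification are outside what is visible here.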