Version in base suite: 7.15.5-1etch2
Version in overlay suite: (not present)
Base version: curl_7.15.5-1etch2
Target version: curl_7.15.5-1etch3
Base file: /org/ftp.debian.org/ftp/pool/main/c/curl/curl_7.15.5-1etch2.dsc
Target file: /org/ftp.debian.org/queue/o-p-u-new/curl_7.15.5-1etch3.dsc
curl-7.15.5/debian/changelog | 7 +++++++
lib/ssluse.c | 40 +++++++++++++++++++++++++++-------------
2 files changed, 34 insertions(+), 13 deletions(-)
diff -u curl-7.15.5/debian/changelog curl-7.15.5/debian/changelog
--- curl-7.15.5/debian/changelog
+++ curl-7.15.5/debian/changelog
@@ -1,3 +1,10 @@
+curl (7.15.5-1etch3) oldstable-security; urgency=high
+
+ * Non-maintainer upload by the security team.
+ * Fix possible mitm via injected null byte (CVE-2009-2417; Closes: #541991).
+
+ -- Nico Golde Tue, 18 Aug 2009 00:55:12 +0000
+
curl (7.15.5-1etch2) oldstable-security; urgency=high
 * Applied upstream patch to fix arbitrary file access (CVE-2009-0037).
only in patch2:
unchanged:
--- curl-7.15.5.orig/lib/ssluse.c
+++ curl-7.15.5/lib/ssluse.c
@@ -929,7 +929,7 @@
if(check->type == target) {
/* get data and length */
const char *altptr = (char *)ASN1_STRING_data(check->d.ia5);
- int altlen;
+ size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
switch(target) {
case GEN_DNS: /* name/pattern comparison */
@@ -943,14 +943,16 @@
"I checked the 0.9.6 and 0.9.8 sources before my patch and it always 0-terminates an IA5String." */
- if (cert_hostcheck(altptr, conn->host.name))
+ if((altlen == strlen(altptr)) &&
+ /* if this isn't true, there was an embedded zero in the name
+ string and we cannot match it. */
+ cert_hostcheck(altptr, conn->host.name))
matched = TRUE;
break;
case GEN_IPADD: /* IP address comparison */
/* compare alternative IP address if the data chunk is the same size our server IP address is */
- altlen = ASN1_STRING_length(check->d.ia5);
if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
matched = TRUE;
break;
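Review bot: The new declaration `size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);` in the -929 hunk casts a signed length straight to unsigned, whereas the old `int altlen` kept the sign; a negative return would become a huge value that the `altlen == strlen(altptr)` test in the -943 hunk can never equal, so the outcome is a silent non-match rather than an out-of-bounds read, but the intent is not visible in the code. Checking the sign once before the `switch` makes it explicit, e.g. `int len = ASN1_STRING_length(check->d.ia5);` followed by `if(len < 0) break;` and `size_t altlen = (size_t)len;` — `break` here leaves the enclosing loop over alt names, which starts outside the hunk, so `continue` may be the better choice if that loop is a plain `for`. The length-equality test itself is the right defence: the quoted comment in the -943 hunk relies on OpenSSL 0-terminating the IA5String, and comparing `altlen` with `strlen(altptr)` is what turns an embedded NUL into a rejected name instead of a truncated match. The GEN_IPADD branch is unaffected since it compares `altlen` bytes with `memcmp` and never treats the data as a C string.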
@@ -990,18 +992,27 @@
string manually to avoid the problem. This code can be made conditional in the future when OpenSSL has been fixed. Work-around brought by Alexis S. L. Carvalho. */
- if (tmp && ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
- j = ASN1_STRING_length(tmp);
- if (j >= 0) {
- peer_CN = OPENSSL_malloc(j+1);
- if (peer_CN) {
- memcpy(peer_CN, ASN1_STRING_data(tmp), j);
- peer_CN[j] = '\0';
+ if(tmp) {
+ if(ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
+ j = ASN1_STRING_length(tmp);
+ if(j >= 0) {
+ peer_CN = OPENSSL_malloc(j+1);
+ if(peer_CN) {
+ memcpy(peer_CN, ASN1_STRING_data(tmp), j);
+ peer_CN[j] = '\0';
+ }
}
}
+ else /* not a UTF8 name */
+ j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
+
+ if(peer_CN && ((int)strlen((char *)peer_CN) != j)) {
+ /* there was a terminating zero before the end of string, this
+ cannot match and we return failure! */
+ failf(data, "SSL: illegal cert name field");
+ res = CURLE_SSL_PEER_CERTIFICATE;
+ }
}
- else /* not a UTF8 name */
- j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
}
if (peer_CN == nulstr)
@@ -1018,7 +1029,10 @@
}
#endif /* CURL_DOES_CONVERSIONS */
- if (!peer_CN) {
+ if(res)
+ /* error already detected, pass through */
+ ;
+ else if(!peer_CN) {
if(data->set.ssl.verifyhost > 1) {
failf(data, "SSL: unable to obtain common name from peer certificate");
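Review bot: In the -990 hunk the new `if(peer_CN && ((int)strlen((char *)peer_CN) != j))` test also runs when `OPENSSL_malloc(j+1)` in the UTF-8 branch fails: judging from the `if (peer_CN == nulstr)` context line below, `peer_CN` then still points at the empty `nulstr` (its initialization is outside the hunk), `strlen` yields 0, and any non-empty CN is reported as `SSL: illegal cert name field` with `CURLE_SSL_PEER_CERTIFICATE` rather than as an allocation failure. The handshake is still refused, so this is a misleading diagnostic, not a verification bypass, but it will send an operator chasing a bad certificate on a machine that is simply out of memory. Adding `else res = CURLE_OUT_OF_MEMORY;` after the `if(peer_CN)` block and gating the length test with `if(!res && peer_CN && ((int)strlen((char *)peer_CN) != j))` keeps the embedded-NUL check intact while letting the `if(res)` pass-through in the -1018 hunk report the real cause. The surrounding function continues past both ends of the hunk, so the later `if (peer_CN == nulstr)` reset and any error path that frees `peer_CN` should be re-read against that change.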