Bugzilla – Bug 585393
VUL-0: CVE-2010-1192 CVE-2010-1194: libesmtp: does not check NULL bytes in commonName
Last modified: 2016-12-27 17:57:45 UTC
Your friendly security team received the following report via oss-security. Please respond ASAP. The issue is public.

Date: Wed, 3 Mar 2010 13:58:45 -0800
From: Kees Cook <kees@ubuntu.com>
To: oss-security@lists.openwall.com, libesmtp@stafford.uklinux.net
Subject: [oss-security] CVE Request: libesmtp does not check NULL bytes in commonName
CC: security@ubuntu.com

Hello,

I just noticed that libesmtp does not appear to handle NULL-byte CNs, as seen with the original browser-based issue:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408

Related to this are failures in wildcard handling:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=311191
and CN-specificity:
https://bugzilla.redhat.com/show_bug.cgi?id=510202

Though it may be a non-issue if TLS doesn't function at all:
http://bugs.gentoo.org/213066

-Kees

--
Kees Cook
Ubuntu Security Team
The SWAMPID for this issue is 31749. Please submit the patch and patchinfo file using this ID. (https://swamp.suse.de/webswamp/wf/31749)
What Ludwig found out for me is that this problem only happens with SSL in use. Upstream shows no activity toward providing a patch. A simple fix would be to disable SSL for the package. Would that be a way to go?
Date: Tue, 09 Mar 2010 19:00:57 +0100
From: Jan Lieskovsky <jlieskov@redhat.com>
Reply-To: oss-security <oss-security@lists.openwall.com>
User-Agent: Thunderbird 2.0.0.23 (X11/20090825)
To: "Steven M. Christey" <coley@linus.mitre.org>, Kees Cook <kees@ubuntu.com>
Cc: Brian Stafford <brian@stafford.uklinux.net>, oss-security <oss-security@lists.openwall.com>, libesmtp@stafford.uklinux.net, security@ubuntu.com

Hi Steve,

Kees Cook wrote:
> Hello,
>
> I just noticed that libesmtp does not appear to handle NULL-byte CNs, as
> seen with the original browser-based issue:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408
>
> Related to this are failures in wildcard handling:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=311191
> and CN-specificity:
> https://bugzilla.redhat.com/show_bug.cgi?id=510202
>
> Though it may be a non-issue if TLS doesn't function at all:
> http://bugs.gentoo.org/213066

any progress while assigning CVE ids for these issues? From what I can tell, two should be enough:

a, libESMTP doesn't properly handle NULL character in Common Name
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408
http://ioactive.com/pdfs/PKILayerCake.pdf (issue 2c)

b, libESMTP's match_component() accepts two strings as equal if they start equal but don't have equal length => cert forgery
References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=311191

Kees, please correct me, if I omitted something.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
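The two defect classes Jan lists above, modelled in C as an added example for this page (this is illustrative code, not libESMTP's match_component() and not the attached patch). match_weak() treats the commonName as a NUL-terminated C string and compares only the common prefix, so an embedded NUL truncates the name (the CVE-2009-2408 class, here CVE-2010-1192) and a CN that is a prefix of the host name passes (the length problem behind CVE-2010-1194). match_strict() compares the C-string length with the length the certificate encoding reports, then matches label by label with exact label lengths and a wildcard only as the whole leftmost label. The cn_len parameter stands in for the length an X.509 parser hands back for the commonName; the CNs and host names are constructed samples.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample CN with an embedded NUL, as the "NULL-byte CN"
 * attack would encode it. Not taken from any real certificate. */
#define CN_WITH_NUL      "www.bank.test\0.attacker.test"
#define CN_WITH_NUL_LEN  (sizeof(CN_WITH_NUL) - 1)   /* 28 bytes */

/* Case-insensitive comparison of two byte ranges; lengths must be equal. */
static int label_eq(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen)
        return 0;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Weak model of the flawed check: the ASN.1 length is ignored, so strlen()
 * stops at an embedded NUL, and only the shorter string's length is
 * compared, so a CN that is a prefix of the host name is accepted.
 * Illustrative only; it mimics the bug classes, not upstream's exact code. */
int match_weak(const char *cn, size_t cn_len, const char *host)
{
    size_t a = strlen(cn);              /* truncated at an embedded NUL */
    size_t b = strlen(host);
    size_t n = a < b ? a : b;           /* prefix comparison only */
    (void)cn_len;                       /* encoded length never consulted */
    return label_eq(cn, n, host, n);
}

/* Hardened check:
 *  - reject a CN whose C-string length differs from its encoded length
 *    (embedded NUL, CVE-2010-1192 class);
 *  - match label by label with exact label lengths, so neither name may
 *    be a prefix of the other (CVE-2010-1194 class);
 *  - allow '*' only as the entire leftmost label, matching exactly one
 *    label, and only when at least two more labels follow it. */
int match_strict(const char *cn, size_t cn_len, const char *host)
{
    if (strlen(cn) != cn_len)           /* NUL inside the commonName */
        return 0;
    if (cn_len == 0 || host[0] == '\0')
        return 0;
    if (cn[0] == '*' && (cn[1] != '.' || strchr(cn + 2, '.') == NULL))
        return 0;                       /* "*", "*foo" and "*.test" rejected */

    const char *c = cn, *h = host;
    for (;;) {
        const char *cd = strchr(c, '.');
        const char *hd = strchr(h, '.');
        size_t cl = cd ? (size_t)(cd - c) : strlen(c);
        size_t hl = hd ? (size_t)(hd - h) : strlen(h);
        if (cl == 0 || hl == 0)         /* empty label: malformed name */
            return 0;
        int wildcard = (c == cn && cl == 1 && c[0] == '*');
        if (!wildcard && !label_eq(c, cl, h, hl))
            return 0;                   /* mismatch or unequal label length */
        if (!cd && !hd)
            return 1;                   /* both names exhausted together */
        if (!cd || !hd)
            return 0;                   /* one name has more labels */
        c = cd + 1;
        h = hd + 1;
    }
}
```

The check that matters for CVE-2010-1192 is the first line of match_strict(): a verifier must obtain the commonName's length from the certificate encoding (for example from the ASN1_STRING the parser returns) and refuse the name if strlen() disagrees, rather than ever treating the CN as a C string. The rest of match_strict() goes a little beyond the thread by also restricting wildcards to a single leftmost label, which is the usual interpretation of the Debian report's wildcard failures.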
I've created a patch and sent it to oss-sec for review
Created attachment 348908 [details] patch The patch after upstream review. Discussion is not fully finished yet though.
Date: Tue, 30 Mar 2010 16:34:35 -0400 (EDT)
From: "Steven M. Christey" <coley@linus.mitre.org>
Subject: Re: [oss-security] CVE Request: libesmtp does not check NULL bytes in commonName

On Wed, 3 Mar 2010, Kees Cook wrote:
> I just noticed that libesmtp does not appear to handle NULL-byte CNs, as
> seen with the original browser-based issue:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408

Use CVE-2010-1192

> Related to this are failures in wildcard handling:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=311191

Use CVE-2010-1194

I'm guessing that upstream 1.0.4 and earlier are affected by both problems.

- Steve
AFAICT the patch is good enough, please go ahead
Klaas?
Submitted a patches package to GNOME:Factory, which is the devel repo for openSUSE:Factory. Submit-Request-ID is 38974
I meant I submitted a _patched_ package of course, sorry.
Submitted a patched package to openSUSE 11.0, openSUSE 11.1 and openSUSE 11.2 through the external BS, for SLE 11 in internal BS. Anything else I have to provide?
nope, thanks
released
Update released for: libesmtp, libesmtp-debuginfo, libesmtp-debugsource, libesmtp-devel Products: openSUSE 11.0 (debug, i386, ppc, x86_64) openSUSE 11.1 (debug, i586, ppc, x86_64) openSUSE 11.2 (debug, i586, x86_64)
Update released for: libesmtp, libesmtp-debuginfo, libesmtp-debugsource, libesmtp-devel Products: SLE-DEBUGINFO 11 (i386, ia64, ppc64, s390x, x86_64) SLE-SDK 11 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11 (i386, ia64, ppc64, s390x, x86_64)
This is an autogenerated message for OBS integration: This bug (585393) was mentioned in https://build.opensuse.org/request/show/39315 Factory / libesmtp