author | tron <tron> | 2014-02-20 12:31:26 +0000 |
---|---|---|
committer | tron <tron> | 2014-02-20 12:31:26 +0000 |
commit | 96d04cf9ade03e76cdef94289b8b55e2f6f42713 (patch) | |
tree | 8362e14ee241ed5fe57adab9c9c50bf3487f9414 | |
parent | 6e68f91e23cf1f6780bc5ff503599be5ddbef4d7 (diff) | |
download | pkgsrc-96d04cf9ade03e76cdef94289b8b55e2f6f42713.tar.gz |
Pullup ticket #4331 - requested by drochner
security/gnutls: security patch
Apply patch to fix security vulnerability reported in CVE-2014-1959.
-rw-r--r-- | security/gnutls/Makefile | 3 | ||||
-rw-r--r-- | security/gnutls/distinfo | 3 | ||||
-rw-r--r-- | security/gnutls/patches/patch-CVE-2014-1959 | 26 |
3 files changed, 30 insertions, 2 deletions
diff --git a/security/gnutls/Makefile b/security/gnutls/Makefile
index 652019e8971..d224e75470a 100644
--- a/security/gnutls/Makefile
+++ b/security/gnutls/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.135 2013/11/29 22:55:29 wiz Exp $
+# $NetBSD: Makefile,v 1.135.2.1 2014/02/20 12:31:26 tron Exp $
 DISTNAME= gnutls-3.2.7
+PKGREVISION= 1
 CATEGORIES= security devel
 MASTER_SITES= ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/
 EXTRACT_SUFX= .tar.xz
diff --git a/security/gnutls/distinfo b/security/gnutls/distinfo
index af6e9c7133d..9b8896891d0 100644
--- a/security/gnutls/distinfo
+++ b/security/gnutls/distinfo
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.100 2013/11/29 22:55:29 wiz Exp $
+$NetBSD: distinfo,v 1.100.2.1 2014/02/20 12:31:26 tron Exp $
 SHA1 (gnutls-3.2.7.tar.xz) = 8c86048e7c01abb25f9285188d629f1f0f2bc6be
 RMD160 (gnutls-3.2.7.tar.xz) = 3a3135441555b1c67a06696d973895b68a11c68a
 Size (gnutls-3.2.7.tar.xz) = 5098572 bytes
+SHA1 (patch-CVE-2014-1959) = 8a2f985990e054b69f578cb5eb9faf7868342685
 SHA1 (patch-ae) = 71fbbeb43ac1689fca6fec7f8348d8534c1dc38a
 SHA1 (patch-configure) = 66927d81a0d22624d70181e73e6a2b856483118e
 SHA1 (patch-gl_stdio.in.h) = b5802da2cccddd6fab73bd39c49f7d62bef58464
diff --git a/security/gnutls/patches/patch-CVE-2014-1959 b/security/gnutls/patches/patch-CVE-2014-1959
new file mode 100644
index 00000000000..bb3018f82fd
--- /dev/null
+++ b/security/gnutls/patches/patch-CVE-2014-1959
@@ -0,0 +1,26 @@
+$NetBSD: patch-CVE-2014-1959,v 1.1.2.1 2014/02/20 12:31:26 tron Exp $
+
+https://www.gitorious.org/gnutls/gnutls/commit/b1abfe3d182d68539900092eb42fc62cf1bb7e7c
+
+--- lib/x509/verify.c.orig 2013-11-10 17:59:14.000000000 +0000
++++ lib/x509/verify.c
+@@ -167,6 +167,7 @@ check_if_ca(gnutls_x509_crt_t cert, gnut
+ result = 1;
+ goto cleanup;
+ }
++
+ /* Handle V1 CAs that do not have a basicConstraint, but accept
+ these certs only if the appropriate flags are set. */
+ else if ((result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) &&
+@@ -666,8 +667,10 @@ _gnutls_x509_verify_certificate(const gn
+ /* note that here we disable this V1 CA flag. So that no version 1
+ * certificates can exist in a supplied chain.
+ */
+- if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
++ if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) {
+ flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
++ flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
++ }
+ if ((ret =
+ _gnutls_verify_certificate2(certificate_list[i - 1],
+ &certificate_list[i], 1, |
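Review bot: The comment kept above the rewritten `if` in the `_gnutls_x509_verify_certificate` hunk still says only that the V1 CA flag is disabled, while the new body also sets `GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT`, and nothing records why clearing `GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT` alone did not keep version 1 certificates out of a supplied chain. I would extend it along the lines of `/* clearing ALLOW_X509_V1_CA_CRT is not sufficient; DO_NOT_ALLOW_X509_V1_CA_CRT must be set so V1 certs are refused as chain CAs */`, presumably matching the condition in `check_if_ca`, whose `else if` is cut off at the hunk edge and gains only a blank line here. Both functions begin and end outside the hunks, so how `flags` is carried between chain elements cannot be confirmed from this page. A regression check that verifies a chain containing a version 1 intermediate under default flags would pin the fix; the diffstat shows none is part of this pullup.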