authortron <tron@pkgsrc.org>2009-09-14 12:06:12 +0000
committertron <tron@pkgsrc.org>2009-09-14 12:06:12 +0000
commitd47c6328b2edb0e92286e4780fd7b69cec18fe3e (patch)
tree173f847a4c5f4cfe0e665dfa21ede78e8ce3c629 /net/wget
parent7473ab477f83def13415ea5d74dba4a59d1390d5 (diff)
downloadpkgsrc-d47c6328b2edb0e92286e4780fd7b69cec18fe3e.tar.gz
Add a fix for SA36540 (SSL certificate spoofing vulnerability) taken
from the source repository.
Diffstat (limited to 'net/wget')
-rw-r--r--net/wget/Makefile4
-rw-r--r--net/wget/distinfo3
-rw-r--r--net/wget/patches/patch-aa65
3 files changed, 70 insertions, 2 deletions
diff --git a/net/wget/Makefile b/net/wget/Makefile
index 189f938a177..80fc054d478 100644
--- a/net/wget/Makefile
+++ b/net/wget/Makefile
@@ -1,12 +1,14 @@
-# $NetBSD: Makefile,v 1.99 2008/07/18 09:36:39 wiz Exp $
+# $NetBSD: Makefile,v 1.100 2009/09/14 12:06:12 tron Exp $
DISTNAME= wget-1.11.4
+PKGREVISION= 1
CATEGORIES= net
MASTER_SITES= ${MASTER_SITE_GNU:=wget/}
MAINTAINER= pkgsrc-users@NetBSD.org
HOMEPAGE= http://www.gnu.org/software/wget/wget.html
COMMENT= Retrieve files from the 'net via HTTP and FTP
+LICENSE= gnu-gpl-v3
PKG_DESTDIR_SUPPORT= user-destdir
diff --git a/net/wget/distinfo b/net/wget/distinfo
index 105fed49c7a..1d405716bf9 100644
--- a/net/wget/distinfo
+++ b/net/wget/distinfo
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.33 2008/07/18 09:36:39 wiz Exp $
+$NetBSD: distinfo,v 1.34 2009/09/14 12:06:12 tron Exp $
SHA1 (wget-1.11.4.tar.gz) = a78a3b71fd59504df3ff3dbc0a2195a1410e9eac
RMD160 (wget-1.11.4.tar.gz) = 1cec99b073fcf64dd362977b0b88a55f8f47bbb8
Size (wget-1.11.4.tar.gz) = 1475149 bytes
+SHA1 (patch-aa) = eb8852e90ba61f2672fb2eea16f6148e27a6ee2b
diff --git a/net/wget/patches/patch-aa b/net/wget/patches/patch-aa
new file mode 100644
index 00000000000..b511b81d038
--- /dev/null
+++ b/net/wget/patches/patch-aa
@@ -0,0 +1,65 @@
+$NetBSD: patch-aa,v 1.9 2009/09/14 12:06:13 tron Exp $
+
+Fix for SA36540 (SSL certificate spoofing vulnerability) taken from here:
+
+http://hg.addictivecode.org/wget/mainline/rev/2d8c76a23e7d
+http://hg.addictivecode.org/wget/mainline/rev/f2d2ca32fd1b
+
+--- src/openssl.c.orig 2008-04-27 05:48:23.000000000 +0100
++++ src/openssl.c 2009-09-14 13:03:13.000000000 +0100
+@@ -561,9 +561,11 @@
+ - Ensure that ASN1 strings from the certificate are encoded as
+ UTF-8 which can be meaningfully compared to HOST. */
+
++ X509_NAME *xname = X509_get_subject_name(cert);
+ common_name[0] = '\0';
+- X509_NAME_get_text_by_NID (X509_get_subject_name (cert),
+- NID_commonName, common_name, sizeof (common_name));
++ X509_NAME_get_text_by_NID (xname, NID_commonName, common_name,
++ sizeof (common_name));
++
+ if (!pattern_match (common_name, host))
+ {
+ logprintf (LOG_NOTQUIET, _("\
+@@ -571,6 +573,41 @@
+ severity, escnonprint (common_name), escnonprint (host));
+ success = false;
+ }
++ else
++ {
++ /* We now determine the length of the ASN1 string. If it differs from
++ * common_name's length, then there is a \0 before the string terminates.
++ * This can be an instance of a null-prefix attack.
++ *
++ * https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike
++ * */
++
++ int i = -1, j;
++ X509_NAME_ENTRY *xentry;
++ ASN1_STRING *sdata;
++
++ if (xname) {
++ for (;;)
++ {
++ j = X509_NAME_get_index_by_NID (xname, NID_commonName, i);
++ if (j == -1) break;
++ i = j;
++ }
++ }
++
++ xentry = X509_NAME_get_entry(xname,i);
++ sdata = X509_NAME_ENTRY_get_data(xentry);
++ if (strlen (common_name) != ASN1_STRING_length (sdata))
++ {
++ logprintf (LOG_NOTQUIET, _("\
++%s: certificate common name is invalid (contains a NUL character).\n\
++This may be an indication that the host is not who it claims to be\n\
++(that is, it is not the real %s).\n"),
++ severity, escnonprint (host));
++ success = false;
++ }
++ }
++
+
+ if (success)
+ DEBUGP (("X509 certificate successfully verified and matches host %s\n",
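Review bot: The NUL-prefix check added in patch-aa dereferences lookups it never validates: `X509_NAME_get_entry (xname, i)` runs unconditionally even though `i` stays -1 when `xname` is NULL or carries no commonName entry, and the returned `xentry`/`sdata` are fed to `X509_NAME_ENTRY_get_data` and `ASN1_STRING_length` without a NULL check, so a malformed subject can turn what should be `success = false` into a crash. A fail-closed guard such as `if (xentry == NULL || sdata == NULL) success = false; else if (strlen (common_name) != (size_t) ASN1_STRING_length (sdata))` keeps the intended outcome and also removes the size_t/int comparison. As far as I can tell from the OpenSSL API, `X509_NAME_get_text_by_NID` copies the first commonName entry while the `for (;;)` loop selects the index of the last one, so for a subject with several CN entries the length check is applied to a different string than the one just matched against `host`; using the first index (or rejecting subjects with more than one CN) would make the two steps agree. The enclosing function in src/openssl.c begins and ends outside both hunks of the embedded patch.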