Diffstat (limited to 'security/gnutls/patches/patch-CVE-2014-1959')
-rw-r--r--security/gnutls/patches/patch-CVE-2014-195926
1 files changed, 26 insertions, 0 deletions
diff --git a/security/gnutls/patches/patch-CVE-2014-1959 b/security/gnutls/patches/patch-CVE-2014-1959
new file mode 100644
index 00000000000..bb3018f82fd
--- /dev/null
+++ b/security/gnutls/patches/patch-CVE-2014-1959
@@ -0,0 +1,26 @@
+$NetBSD: patch-CVE-2014-1959,v 1.1.2.1 2014/02/20 12:31:26 tron Exp $
+
+https://www.gitorious.org/gnutls/gnutls/commit/b1abfe3d182d68539900092eb42fc62cf1bb7e7c
+
+--- lib/x509/verify.c.orig 2013-11-10 17:59:14.000000000 +0000
++++ lib/x509/verify.c
+@@ -167,6 +167,7 @@ check_if_ca(gnutls_x509_crt_t cert, gnut
+ result = 1;
+ goto cleanup;
+ }
++
+ /* Handle V1 CAs that do not have a basicConstraint, but accept
+ these certs only if the appropriate flags are set. */
+ else if ((result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) &&
+@@ -666,8 +667,10 @@ _gnutls_x509_verify_certificate(const gn
+ /* note that here we disable this V1 CA flag. So that no version 1
+ * certificates can exist in a supplied chain.
+ */
+- if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
++ if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) {
+ flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
++ flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
++ }
+ if ((ret =
+ _gnutls_verify_certificate2(certificate_list[i - 1],
+ &certificate_list[i], 1,
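Review bot: The new patch file's header carries only the $NetBSD$ tag and the upstream commit URL, with no description of what CVE-2014-1959 is or why the change is needed; a pkgsrc patch header conventionally includes a short summary so the fix can be judged without following the link. A line such as `Fix CVE-2014-1959: when GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT is not set, also set GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT so that X.509 v1 certificates are rejected as CAs anywhere in the supplied chain (lib/x509/verify.c).` placed above the first `---` line would do. The first inner hunk in check_if_ca adds only a blank line, which is harmless but worth stating in that summary so a later reader does not look for a functional change there. Both patched functions, check_if_ca and _gnutls_x509_verify_certificate, start and end outside the quoted hunks, so how the new flag is consumed by later checks cannot be confirmed from this page alone.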