From 314fe2fcff2143c30d21c8a3d0170aeb2a562c5a Mon Sep 17 00:00:00 2001 
From: spz
Date: Sat, 29 Aug 2009 09:49:13 +0000
Subject: Pullup ticket 2874 - requested by tron

security update

Revisions pulled up:
- pkgsrc/security/gnutls/Makefile 1.86
- pkgsrc/security/gnutls/PLIST 1.36
- pkgsrc/security/gnutls/distinfo 1.60
Files added:
pkgsrc/security/gnutls/patches/patch-ak 1.2
pkgsrc/security/gnutls/patches/patch-al 1.2

Module Name: pkgsrc
Committed By: wiz
Date: Sat Jul 18 10:32:32 UTC 2009

Modified Files:
pkgsrc/security/gnutls: Makefile distinfo

Log Message:
Update to 2.8.1:

* Version 2.8.1 (released 2009-06-10)

** libgnutls: Fix crash in gnutls_global_init after earlier init/deinit cycle.
Forwarded by Martin von Gagern from .

** libgnutls: Fix PKCS#12 decryption from password.
The encryption key derived from the password was incorrect for (on average) 1 in every 128 inputs for random inputs.
Reported by "Kukosa, Tomas" in .

** API and ABI modifications:
No changes since last version.

To generate a diff of this commit:
cvs rdiff -u -r1.83 -r1.84 pkgsrc/security/gnutls/Makefile
cvs rdiff -u -r1.57 -r1.58 pkgsrc/security/gnutls/distinfo

----------------------------------------------------------------------
Module Name: pkgsrc
Committed By: drochner
Date: Wed Jul 22 16:50:07 UTC 2009

Modified Files:
pkgsrc/security/gnutls: Makefile PLIST distinfo
Added Files:
pkgsrc/security/gnutls/patches: patch-ak patch-al

Log Message:
disable the openssl compatibility library -- no pkg I know of needs it, and it only has a potential to conflict with the real openssl (bad things will happen if a program links or dlopen()s both)
bump PKGREVISION
(the bug fixed in the added patches is already fixed upstream, will be in the next release)

To generate a diff of this commit:
cvs rdiff -u -r1.84 -r1.85 pkgsrc/security/gnutls/Makefile
cvs rdiff -u -r1.35 -r1.36 pkgsrc/security/gnutls/PLIST
cvs rdiff -u -r1.58 -r1.59 pkgsrc/security/gnutls/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/security/gnutls/patches/patch-ak \
    pkgsrc/security/gnutls/patches/patch-al
----------------------------------------------------------------------
Module Name: pkgsrc
Committed By: snj
Date: Thu Aug 13 18:56:32 UTC 2009

Modified Files:
pkgsrc/security/gnutls: Makefile distinfo
pkgsrc/security/gnutls/patches: patch-ak patch-al

Log Message:
Update to 2.8.3. Changes:

* Version 2.8.3 (released 2009-08-13)

** libgnutls: Fix patch for NUL in CN/SAN in last release.
Code intended to be removed would lead to a read-out-of-bounds error in some situations.
Reported by Tomas Hoger . A CVE code has been allocated for the vulnerability: [CVE-2009-2730].

** libgnutls: Fix rare failure in gnutls_x509_crt_import.
The function may fail incorrectly when an earlier certificate was imported to the same gnutls_x509_crt_t structure.

** libgnutls-extra, libgnutls-openssl: Fix MinGW cross-compiling build error.

** tests: Made self-test mini-eagain take less time.

** doc: Typo fixes.

** API and ABI modifications:
No changes since last version.

* Version 2.8.2 (released 2009-08-10)

** libgnutls: Fix problem with NUL bytes in X.509 CN and SAN fields.
By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS into 1) not printing the entire CN/SAN field value when printing a certificate and 2) cause incorrect positive matches when matching a hostname against a certificate. Some CAs apparently have poor checking of CN/SAN values and issue these (arguably invalid) certificates. Combined, this can be used by attackers to become a MITM on server-authenticated TLS sessions. The problem is mitigated since attackers need to get one certificate per site they want to attack, and the attacker reveals his tracks by applying for a certificate at the CA. It does not apply to client authenticated TLS sessions. Research presented independently by Dan Kaminsky and Moxie Marlinspike at BlackHat09. Thanks to Tomas Hoger for providing one part of the patch. [GNUTLS-SA-2009-4].

** libgnutls: Fix return value of gnutls_certificate_client_get_request_status.
Before it always returned false.
Reported by Peter Hendrickson in .

** libgnutls: Fix off-by-one size computation error in unknown DN printing.
The error resulted in truncated strings when printing unknown OIDs in X.509 certificate DNs.
Reported by Tim Kosse in .

** libgnutls: Return correct bit lengths of some MPIs.
gnutls_dh_get_prime_bits, gnutls_rsa_export_get_modulus_bits, and gnutls_dh_get_peers_public_bits. Before the reported value was overestimated.
Reported by Peter Hendrickson in .

** libgnutls: Avoid internal error when invoked after GNUTLS_E_AGAIN.
Report and patch by Tim Kosse in and .

** libgnutls: Relax checking of required libtasn1/libgcrypt versions.
Before we required that the runtime library used the same (or more recent) libgcrypt/libtasn1 as it was compiled with. Now we just check that the runtime usage is above the minimum required.
Reported by Marco d'Itri via Andreas Metzler in .

** minitasn1: Internal copy updated to libtasn1 v2.3.

** tests: Fix failure in "chainverify" because a certificate has expired.

** API and ABI modifications:
No changes since last version.

To generate a diff of this commit:
cvs rdiff -u -r1.85 -r1.86 pkgsrc/security/gnutls/Makefile
cvs rdiff -u -r1.59 -r1.60 pkgsrc/security/gnutls/distinfo
cvs rdiff -u -r1.1 -r1.2 pkgsrc/security/gnutls/patches/patch-ak \
    pkgsrc/security/gnutls/patches/patch-al
---
 security/gnutls/Makefile         | 9 ++++++---
 security/gnutls/PLIST            | 4 +---
 security/gnutls/distinfo         | 10 ++++++----
 security/gnutls/patches/patch-ak | 13 +++++++++++++
 security/gnutls/patches/patch-al | 13 +++++++++++++
 5 files changed, 39 insertions(+), 10 deletions(-)
 create mode 100644 security/gnutls/patches/patch-ak
 create mode 100644 security/gnutls/patches/patch-al

diff --git a/security/gnutls/Makefile b/security/gnutls/Makefile
index 32d47024fa6..29e603a23ac 100644
--- a/security/gnutls/Makefile
+++ b/security/gnutls/Makefile
@@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.83 2009/06/09 18:56:37 wiz Exp $ +# $NetBSD: Makefile,v 1.83.2.1 2009/08/29 09:49:13 spz Exp $ -DISTNAME= gnutls-2.8.0 +DISTNAME= gnutls-2.8.3 CATEGORIES= security devel MASTER_SITES= ftp://ftp.gnutls.org/pub/gnutls/ \ ftp://ftp.gnupg.org/gcrypt/gnutls/ \ @@ -10,7 +10,7 @@ EXTRACT_SUFX= .tar.bz2 MAINTAINER= pkgsrc-users@NetBSD.org HOMEPAGE= http://www.gnutls.org/ COMMENT= GNU Transport Layer Security library -#LICENSE= gnu-gpl-v3 AND gnu-lgpl-v2.1 +LICENSE= gnu-gpl-v3 AND gnu-lgpl-v2.1 PKG_INSTALLATION_TYPES= overwrite pkgviews PKG_DESTDIR_SUPPORT= user-destdir @@ -23,6 +23,9 @@ GNU_CONFIGURE= yes TEST_TARGET= check INFO_FILES= yes +# this library duplicates (and conflicts with) openssl +CONFIGURE_ARGS+= --disable-openssl-compatibility + PKGCONFIG_OVERRIDE= lib/gnutls.pc.in PKGCONFIG_OVERRIDE+= libextra/gnutls-extra.pc.in diff --git a/security/gnutls/PLIST b/security/gnutls/PLIST index 743c41af0d2..b7aaa864cf6 100644 --- a/security/gnutls/PLIST +++ b/security/gnutls/PLIST @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.35 2009/06/14 18:13:29 joerg Exp $ +@comment $NetBSD: PLIST,v 1.35.2.1 2009/08/29 09:49:14 spz Exp $ bin/certtool bin/gnutls-cli bin/gnutls-cli-debug @@ -11,7 +11,6 @@ include/gnutls/extra.h include/gnutls/gnutls.h include/gnutls/gnutlsxx.h include/gnutls/openpgp.h -include/gnutls/openssl.h include/gnutls/pkcs12.h include/gnutls/x509.h info/gnutls-certificate-user-use-case.png @@ -28,7 +27,6 @@ info/gnutls-pgp.png info/gnutls-x509.png info/gnutls.info lib/libgnutls-extra.la -lib/libgnutls-openssl.la lib/libgnutls.la lib/libgnutlsxx.la lib/pkgconfig/gnutls-extra.pc diff --git a/security/gnutls/distinfo b/security/gnutls/distinfo index bdf52ef2ee1..f32aceab7be 100644 --- a/security/gnutls/distinfo +++ b/security/gnutls/distinfo 
@@ -1,10 +1,12 @@ -$NetBSD: distinfo,v 1.57 2009/06/18 10:19:47 drochner Exp $ +$NetBSD: distinfo,v 1.57.2.1 2009/08/29 09:49:14 spz Exp $ -SHA1 (gnutls-2.8.0.tar.bz2) = 7c102253bb4e817f393b9979a62c647010312eac -RMD160 (gnutls-2.8.0.tar.bz2) = ad9d356ab55567ffc65c7fa4f48d8594a1cd5981 -Size (gnutls-2.8.0.tar.bz2) = 6177498 bytes +SHA1 (gnutls-2.8.3.tar.bz2) = c25fb354258777f9ee34b79b08eb87c024cada75 +RMD160 (gnutls-2.8.3.tar.bz2) = 01763fad93e4b76e18dcfb1881c5f09011804dca +Size (gnutls-2.8.3.tar.bz2) = 6198273 bytes SHA1 (patch-ab) = 4b6801f6c8f00b8da8e78f7277450c6f53366fb4 SHA1 (patch-ae) = f505476ce0477dc547e8698d205d6ba26fe85f48 SHA1 (patch-af) = bd4701640dfef5bfdce87d620befd93098b0dff3 SHA1 (patch-ai) = 2c5c181ec6de9622cac66c2d5fe2cc8f3f89fbe8 SHA1 (patch-aj) = 55187c2a07d67f789678b1a404c6b119b311fc82 +SHA1 (patch-ak) = f2f4e6f1c6f937eca67235cb01aff1b32cbe4fd8 +SHA1 (patch-al) = f1c9def7d8150d93e14678b1acdbbc1534099452 diff --git a/security/gnutls/patches/patch-ak b/security/gnutls/patches/patch-ak new file mode 100644 index 00000000000..5c897618a40 --- /dev/null +++ b/security/gnutls/patches/patch-ak @@ -0,0 +1,13 @@ +$NetBSD: patch-ak,v 1.2.2.2 2009/08/29 09:49:14 spz Exp $ + +--- configure.orig 2009-08-13 02:54:16.000000000 -0700 ++++ configure 2009-08-13 10:50:08.000000000 -0700 +@@ -8651,7 +8651,7 @@ done + $as_echo_n "checking whether to disable OpenSSL compatibility layer... " >&6; } + # Check whether --enable-openssl-compatibility was given. + if test "${enable_openssl_compatibility+set}" = set; then : +- enableval=$enable_openssl_compatibility; enable_openssl=$withval ++ enableval=$enable_openssl_compatibility; enable_openssl=$enableval + else + enable_openssl=yes + fi diff --git a/security/gnutls/patches/patch-al b/security/gnutls/patches/patch-al new file mode 100644 index 00000000000..1271c51c7f4 --- /dev/null +++ b/security/gnutls/patches/patch-al 
@@ -0,0 +1,13 @@ +$NetBSD: patch-al,v 1.2.2.2 2009/08/29 09:49:14 spz Exp $ + +--- libextra/configure.orig 2009-08-13 02:54:00.000000000 -0700 ++++ libextra/configure 2009-08-13 10:51:47.000000000 -0700 +@@ -13170,7 +13170,7 @@ done + $as_echo_n "checking whether to disable OpenSSL compatibility layer... " >&6; } + # Check whether --enable-openssl-compatibility was given. + if test "${enable_openssl_compatibility+set}" = set; then : +- enableval=$enable_openssl_compatibility; enable_openssl=$withval ++ enableval=$enable_openssl_compatibility; enable_openssl=$enableval + else + enable_openssl=yes + fi -- cgit v1.2.3
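Review bot: in the Makefile hunk, the comment `# this library duplicates (and conflicts with) openssl` above `CONFIGURE_ARGS+= --disable-openssl-compatibility` should also say that the option only takes effect with patch-ak and patch-al applied, because the shipped configure scripts assign `$withval` rather than `$enableval` for this switch and otherwise ignore it. Without that cross-reference, a later update that drops the patches as "no longer applying" would silently build libgnutls-openssl again and the PLIST below would no longer match the installed files. Suggest something like `# --disable-openssl-compatibility is a no-op without patches/patch-a[kl]`.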
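Review bot: in the PLIST hunk, removing `include/gnutls/openssl.h` and `lib/libgnutls-openssl.la` is an ABI-visible removal for anything that was linked against libgnutls-openssl; the log message's "no pkg I know of needs it" is an observation rather than a check. Before the pullup, grep the reverse dependencies of security/gnutls for `-lgnutls-openssl` and `gnutls/openssl.h`, and note the result in the ticket so the removal is recorded as verified rather than assumed.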
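Review bot: in the distinfo hunk, the new `SHA1`, `RMD160` and `Size` lines for gnutls-2.8.3.tar.bz2 cannot be verified from the diff itself; they should be compared against the upstream-signed release rather than recomputed from whatever tarball happened to be fetched, and the ticket should say that this was done. The two new `SHA1 (patch-ak)` / `SHA1 (patch-al)` lines must match the patch files as committed at revision 1.2 (both patch headers say `1.2.2.2`), so re-run `make checksum` on the pullup branch, not on HEAD, before closing the ticket.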
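Review bot: the substitution in patch-ak, `enable_openssl=$withval` to `enable_openssl=$enableval`, is the right fix (an `--enable-*`/`--disable-*` handler receives its value in `enableval`; `withval` is only set by `--with-*` options, so `enable_openssl` ended up empty or holding the value of the last `--with-*` option processed, and `--disable-openssl-compatibility` had no effect), but the patch file carries nothing after the `$NetBSD` header to say so. pkgsrc patches conventionally open with a comment giving the reason and the upstream status; suggest adding a line such as `# configure reads $withval instead of $enableval, so --disable-openssl-compatibility is ignored; fixed upstream` so the patch can be retired when a release containing the fix is imported.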
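Review bot: patch-al applies the same `$withval` to `$enableval` substitution to `libextra/configure`; the explanatory comment requested for patch-ak should be repeated here, since libextra runs its own configure and the two patches have to be kept or dropped together. Also worth a sentence in the commit message: both patches were modified in the 2.8.3 update, so whoever retires them later needs to check both `configure` and `libextra/configure` in the new release rather than just the top-level one.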
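The NUL-in-CN/SAN problem described under the 2.8.2 entry above ([GNUTLS-SA-2009-4], CVE-2009-2730), as an added C example that is not GnuTLS code and is not part of this commit: a hostname check that walks the CN as a C string next to one that honours the DER length, plus a printer that shows the whole value instead of stopping at the NUL. The certificate values and hostnames are constructed test vectors, and the function names are this example's own.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed test vectors (not taken from GnuTLS or any real certificate).
 * An ASN.1 decoder hands a CN over as pointer + length; the embedded NUL is
 * the attack from the changelog: a CA that validates only what it sees as a
 * C string after the NUL issues a certificate for attacker.example, while a
 * client that also treats the value as a C string sees www.bank.example. */
static const unsigned char CN_EVIL[] = "www.bank.example\0attacker.example";
#define CN_EVIL_LEN (sizeof(CN_EVIL) - 1)   /* drop the literal's own terminator */

static const unsigned char CN_GOOD[] = "www.bank.example";
#define CN_GOOD_LEN (sizeof(CN_GOOD) - 1)

/* Vulnerable shape: the DER length is ignored and the value is walked as a
 * NUL-terminated string, so the comparison ends at the first NUL byte. */
int match_hostname_vulnerable(const unsigned char *cn, size_t cn_len, const char *host)
{
    size_t i = 0;
    (void)cn_len;
    while (cn[i] != '\0' && host[i] != '\0') {
        if (tolower(cn[i]) != tolower((unsigned char)host[i]))
            return 0;
        i++;
    }
    return cn[i] == '\0' && host[i] == '\0';
}

/* Fixed shape: honour the DER length, reject any value containing a NUL
 * (never valid in a DNS name), and compare the whole length. */
int match_hostname_fixed(const unsigned char *cn, size_t cn_len, const char *host)
{
    size_t i;
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;
    if (strlen(host) != cn_len)
        return 0;
    for (i = 0; i < cn_len; i++)
        if (tolower(cn[i]) != tolower((unsigned char)host[i]))
            return 0;
    return 1;
}

/* Printing side of the same bug: "%s" stops at the NUL, so whoever inspects
 * the certificate never sees the second half. This writes the full value
 * with non-printable bytes escaped as \xNN. Returns the number of bytes
 * written (excluding the terminator), or -1 if out is too small. */
int cn_to_display(const unsigned char *cn, size_t cn_len, char *out, size_t out_sz)
{
    size_t pos = 0, i;
    for (i = 0; i < cn_len; i++) {
        if (isprint(cn[i])) {
            if (pos + 1 >= out_sz) return -1;
            out[pos++] = (char)cn[i];
        } else {
            if (pos + 4 >= out_sz) return -1;
            snprintf(out + pos, out_sz - pos, "\\x%02X", cn[i]);
            pos += 4;
        }
    }
    if (pos >= out_sz) return -1;
    out[pos] = '\0';
    return (int)pos;
}

/* Helper for checking the printer: 1 if the escaped form equals expected. */
int display_matches(const unsigned char *cn, size_t cn_len, const char *expected)
{
    char buf[256];
    if (cn_to_display(cn, cn_len, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[256];
    printf("vulnerable match, evil CN vs www.bank.example: %d\n",
           match_hostname_vulnerable(CN_EVIL, CN_EVIL_LEN, "www.bank.example"));
    printf("fixed match,      evil CN vs www.bank.example: %d\n",
           match_hostname_fixed(CN_EVIL, CN_EVIL_LEN, "www.bank.example"));
    printf("printed with %%s: %s\n", (const char *)CN_EVIL);
    cn_to_display(CN_EVIL, CN_EVIL_LEN, buf, sizeof buf);
    printf("printed escaped: %s\n", buf);
    return 0;
}
```

The vulnerable matcher accepts the attacker's certificate for www.bank.example and `%s` prints only the first half, which is exactly the pair of symptoms the changelog lists; the fixed matcher rejects the value outright, since a NUL can never be part of a DNS name, and the escaped printer makes the full field visible to whoever is reviewing the certificate.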