summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authortron <tron>2014-02-20 12:31:26 +0000
committertron <tron>2014-02-20 12:31:26 +0000
commit96a4915883d746b1aa9f9a0c997353f5effe08b9 (patch)
tree8362e14ee241ed5fe57adab9c9c50bf3487f9414
parent85d2c357f7c45f3e7aa1f98d87e6931700a5c2a6 (diff)
downloadpkgsrc-96a4915883d746b1aa9f9a0c997353f5effe08b9.tar.gz
Pullup ticket #4331 - requested by drochner
security/gnutls: security patch Apply patch to fix security vulnerability reported in CVE-2014-1959.
-rw-r--r--security/gnutls/Makefile3
-rw-r--r--security/gnutls/distinfo3
-rw-r--r--security/gnutls/patches/patch-CVE-2014-195926
3 files changed, 30 insertions, 2 deletions
diff --git a/security/gnutls/Makefile b/security/gnutls/Makefile
index 652019e8971..d224e75470a 100644
--- a/security/gnutls/Makefile
+++ b/security/gnutls/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.135 2013/11/29 22:55:29 wiz Exp $
+# $NetBSD: Makefile,v 1.135.2.1 2014/02/20 12:31:26 tron Exp $
DISTNAME= gnutls-3.2.7
+PKGREVISION= 1
CATEGORIES= security devel
MASTER_SITES= ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/
EXTRACT_SUFX= .tar.xz
diff --git a/security/gnutls/distinfo b/security/gnutls/distinfo
index af6e9c7133d..9b8896891d0 100644
--- a/security/gnutls/distinfo
+++ b/security/gnutls/distinfo
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.100 2013/11/29 22:55:29 wiz Exp $
+$NetBSD: distinfo,v 1.100.2.1 2014/02/20 12:31:26 tron Exp $
SHA1 (gnutls-3.2.7.tar.xz) = 8c86048e7c01abb25f9285188d629f1f0f2bc6be
RMD160 (gnutls-3.2.7.tar.xz) = 3a3135441555b1c67a06696d973895b68a11c68a
Size (gnutls-3.2.7.tar.xz) = 5098572 bytes
+SHA1 (patch-CVE-2014-1959) = 8a2f985990e054b69f578cb5eb9faf7868342685
SHA1 (patch-ae) = 71fbbeb43ac1689fca6fec7f8348d8534c1dc38a
SHA1 (patch-configure) = 66927d81a0d22624d70181e73e6a2b856483118e
SHA1 (patch-gl_stdio.in.h) = b5802da2cccddd6fab73bd39c49f7d62bef58464
diff --git a/security/gnutls/patches/patch-CVE-2014-1959 b/security/gnutls/patches/patch-CVE-2014-1959
new file mode 100644
index 00000000000..bb3018f82fd
--- /dev/null
+++ b/security/gnutls/patches/patch-CVE-2014-1959
@@ -0,0 +1,26 @@
+$NetBSD: patch-CVE-2014-1959,v 1.1.2.1 2014/02/20 12:31:26 tron Exp $
+
+https://www.gitorious.org/gnutls/gnutls/commit/b1abfe3d182d68539900092eb42fc62cf1bb7e7c
+
+--- lib/x509/verify.c.orig 2013-11-10 17:59:14.000000000 +0000
++++ lib/x509/verify.c
+@@ -167,6 +167,7 @@ check_if_ca(gnutls_x509_crt_t cert, gnut
+ result = 1;
+ goto cleanup;
+ }
++
+ /* Handle V1 CAs that do not have a basicConstraint, but accept
+ these certs only if the appropriate flags are set. */
+ else if ((result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) &&
+@@ -666,8 +667,10 @@ _gnutls_x509_verify_certificate(const gn
+ /* note that here we disable this V1 CA flag. So that no version 1
+ * certificates can exist in a supplied chain.
+ */
+- if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
++ if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) {
+ flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
++ flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
++ }
+ if ((ret =
+ _gnutls_verify_certificate2(certificate_list[i - 1],
+ &certificate_list[i], 1,