SF.net SVN: gar:[23140] csw/mgar/pkg/gnutls/trunk
chninkel at users.sourceforge.net
chninkel at users.sourceforge.net
Wed Mar 5 21:11:56 CET 2014
Revision: 23140
http://sourceforge.net/p/gar/code/23140
Author: chninkel
Date: 2014-03-05 20:11:52 +0000 (Wed, 05 Mar 2014)
Log Message:
-----------
gnutls/trunk: applied security fixes for CVE-2014-1959 and CVE-2014-0092
Modified Paths:
--------------
csw/mgar/pkg/gnutls/trunk/Makefile
Added Paths:
-----------
csw/mgar/pkg/gnutls/trunk/files/0006-CVE-2014-1959.patch
csw/mgar/pkg/gnutls/trunk/files/0007-CVE-2014-0092.patch
Modified: csw/mgar/pkg/gnutls/trunk/Makefile
===================================================================
--- csw/mgar/pkg/gnutls/trunk/Makefile 2014-03-05 18:23:22 UTC (rev 23139)
+++ csw/mgar/pkg/gnutls/trunk/Makefile 2014-03-05 20:11:52 UTC (rev 23140)
@@ -28,8 +28,11 @@
# We workaround the problem by changing the test so it expects
# the certificates to be expired (another solution is to use LD_PRELOAD).
PATCHFILES += 0004-workaround-certificate-expiration-issue-in-the-test-.patch
-# Security fix for CVE-2013-2116
+
+# Security fixes
PATCHFILES += 0005-CVE-2013-2116.patch
+PATCHFILES += 0006-CVE-2014-1959.patch
+PATCHFILES += 0007-CVE-2014-0092.patch
UFILES_REGEX = $(NAME)-(\d+(?:\.\d+)*).tar.bz2
Added: csw/mgar/pkg/gnutls/trunk/files/0006-CVE-2014-1959.patch
===================================================================
--- csw/mgar/pkg/gnutls/trunk/files/0006-CVE-2014-1959.patch (rev 0)
+++ csw/mgar/pkg/gnutls/trunk/files/0006-CVE-2014-1959.patch 2014-03-05 20:11:52 UTC (rev 23140)
@@ -0,0 +1,37 @@
+From b1abfe3d182d68539900092eb42fc62cf1bb7e7c Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at redhat.com>
+Date: Wed, 12 Feb 2014 16:11:58 +0100
+Subject: [PATCH] Fix bug that prevented the rejection of v1 intermediate CA certificates.
+
+Reported by Suman Jana.
+---
+ lib/x509/verify.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+diff --git a/lib/x509/verify.c b/lib/x509/verify.c
+index 2b64ab6..b916ee5 100644
+--- a/lib/x509/verify.c
++++ b/lib/x509/verify.c
+@@ -193,6 +193,7 @@ check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+ result = 1;
+ goto cleanup;
+ }
++
+ /* Handle V1 CAs that do not have a basicConstraint, but accept
+ these certs only if the appropriate flags are set. */
+ else if ((result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) &&
+@@ -692,8 +693,10 @@ _gnutls_x509_verify_certificate(const gnutls_x509_crt_t * certificate_list,
+ /* note that here we disable this V1 CA flag. So that no version 1
+ * certificates can exist in a supplied chain.
+ */
+- if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
++ if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) {
+ flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
++ flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
++ }
+ if ((ret =
+ _gnutls_verify_certificate2(certificate_list[i - 1],
+ &certificate_list[i], 1,
+--
+1.7.1
+
Added: csw/mgar/pkg/gnutls/trunk/files/0007-CVE-2014-0092.patch
===================================================================
--- csw/mgar/pkg/gnutls/trunk/files/0007-CVE-2014-0092.patch (rev 0)
+++ csw/mgar/pkg/gnutls/trunk/files/0007-CVE-2014-0092.patch 2014-03-05 20:11:52 UTC (rev 23140)
@@ -0,0 +1,102 @@
+From 6aa26f78150ccbdf0aec1878a41c17c41d358a3b Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at gnutls.org>
+Date: Thu, 27 Feb 2014 19:42:26 +0100
+Subject: [PATCH] corrected return codes
+
+---
+ lib/x509/verify.c | 16 ++++++++++------
+ 1 files changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/lib/x509/verify.c b/lib/x509/verify.c
+index c9a6b0d..eef85a8 100644
+--- a/lib/x509/verify.c
++++ b/lib/x509/verify.c
+@@ -141,7 +141,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+ if (result < 0)
+ {
+ gnutls_assert ();
+- goto cleanup;
++ goto fail;
+ }
+
+ result =
+@@ -150,7 +150,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+ if (result < 0)
+ {
+ gnutls_assert ();
+- goto cleanup;
++ goto fail;
+ }
+
+ result =
+@@ -158,7 +158,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+ if (result < 0)
+ {
+ gnutls_assert ();
+- goto cleanup;
++ goto fail;
+ }
+
+ result =
+@@ -166,7 +166,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+ if (result < 0)
+ {
+ gnutls_assert ();
+- goto cleanup;
++ goto fail;
+ }
+
+ /* If the subject certificate is the same as the issuer
+@@ -206,6 +206,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+ else
+ gnutls_assert ();
+
++fail:
+ result = 0;
+
+ cleanup:
+@@ -330,7 +331,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+ gnutls_datum_t cert_signed_data = { NULL, 0 };
+ gnutls_datum_t cert_signature = { NULL, 0 };
+ gnutls_x509_crt_t issuer = NULL;
+- int issuer_version, result;
++ int issuer_version, result = 0;
+
+ if (output)
+ *output = 0;
+@@ -363,7 +364,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+ if (issuer_version < 0)
+ {
+ gnutls_assert ();
+- return issuer_version;
++ return 0;
+ }
+
+ if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
+@@ -385,6 +386,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+ if (result < 0)
+ {
+ gnutls_assert ();
++ result = 0;
+ goto cleanup;
+ }
+
+@@ -393,6 +395,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+ if (result < 0)
+ {
+ gnutls_assert ();
++ result = 0;
+ goto cleanup;
+ }
+
+@@ -410,6 +413,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+ else if (result < 0)
+ {
+ gnutls_assert();
++ result = 0;
+ goto cleanup;
+ }
+
+--
+1.7.1
+
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
More information about the devel
mailing list