SF.net SVN: gar:[23140] csw/mgar/pkg/gnutls/trunk

chninkel at users.sourceforge.net chninkel at users.sourceforge.net
Wed Mar 5 21:11:56 CET 2014


Revision: 23140
          http://sourceforge.net/p/gar/code/23140
Author:   chninkel
Date:     2014-03-05 20:11:52 +0000 (Wed, 05 Mar 2014)
Log Message:
-----------
gnutls/trunk: applied security fixes for CVE-2014-1959 and CVE-2014-0092

Modified Paths:
--------------
    csw/mgar/pkg/gnutls/trunk/Makefile

Added Paths:
-----------
    csw/mgar/pkg/gnutls/trunk/files/0006-CVE-2014-1959.patch
    csw/mgar/pkg/gnutls/trunk/files/0007-CVE-2014-0092.patch

Modified: csw/mgar/pkg/gnutls/trunk/Makefile
===================================================================
--- csw/mgar/pkg/gnutls/trunk/Makefile	2014-03-05 18:23:22 UTC (rev 23139)
+++ csw/mgar/pkg/gnutls/trunk/Makefile	2014-03-05 20:11:52 UTC (rev 23140)
@@ -28,8 +28,11 @@
 # We workaround the problem by changing the test so it expects
 # the certificates to be expired (another solution is to use LD_PRELOAD).
 PATCHFILES += 0004-workaround-certificate-expiration-issue-in-the-test-.patch
-# Security fix for CVE-2013-2116
+
+# Security fixes
 PATCHFILES += 0005-CVE-2013-2116.patch
+PATCHFILES += 0006-CVE-2014-1959.patch
+PATCHFILES += 0007-CVE-2014-0092.patch
 
 UFILES_REGEX = $(NAME)-(\d+(?:\.\d+)*).tar.bz2
 
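Review bot: The two added patch files target visibly different baselines of lib/x509/verify.c — 0006-CVE-2014-1959.patch is against tab-indented code (`check_if_ca(gnutls_x509_crt_t cert,`, blob 2b64ab6..b916ee5) while 0007-CVE-2014-0092.patch is against GNU-style two-space code (`check_if_ca (gnutls_x509_crt_t cert,`, blob c9a6b0d..eef85a8), which suggests they were taken from different upstream branches. The packaged gnutls version is not visible in this hunk, so it is worth confirming in the build log that both patches apply without fuzz or rejects to that version, and that the flag `GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT` which 0006 starts using is defined in the packaged headers. Since the Makefile comment no longer maps patches to CVEs, I would keep that mapping explicit with `# Security fixes (CVE-2013-2116, CVE-2014-1959, CVE-2014-0092; see the patch file names)`.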

Added: csw/mgar/pkg/gnutls/trunk/files/0006-CVE-2014-1959.patch
===================================================================
--- csw/mgar/pkg/gnutls/trunk/files/0006-CVE-2014-1959.patch	                        (rev 0)
+++ csw/mgar/pkg/gnutls/trunk/files/0006-CVE-2014-1959.patch	2014-03-05 20:11:52 UTC (rev 23140)
@@ -0,0 +1,37 @@
+From b1abfe3d182d68539900092eb42fc62cf1bb7e7c Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at redhat.com>
+Date: Wed, 12 Feb 2014 16:11:58 +0100
+Subject: [PATCH] Fix bug that prevented the rejection of v1 intermediate CA certificates.
+
+Reported by Suman Jana.
+---
+ lib/x509/verify.c |    5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+diff --git a/lib/x509/verify.c b/lib/x509/verify.c
+index 2b64ab6..b916ee5 100644
+--- a/lib/x509/verify.c
++++ b/lib/x509/verify.c
+@@ -193,6 +193,7 @@ check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+ 		result = 1;
+ 		goto cleanup;
+ 	}
++
+ 	/* Handle V1 CAs that do not have a basicConstraint, but accept
+ 	   these certs only if the appropriate flags are set. */
+ 	else if ((result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) &&
+@@ -692,8 +693,10 @@ _gnutls_x509_verify_certificate(const gnutls_x509_crt_t * certificate_list,
+ 		/* note that here we disable this V1 CA flag. So that no version 1
+ 		 * certificates can exist in a supplied chain.
+ 		 */
+-		if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
++		if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) {
+ 			flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
++			flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
++		}
+ 		if ((ret =
+ 		     _gnutls_verify_certificate2(certificate_list[i - 1],
+ 						 &certificate_list[i], 1,
+-- 
+1.7.1
+
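Review bot: The fix at `flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;` depends on check_if_ca() honouring that flag, but the only change this patch makes inside check_if_ca() is an inserted blank line in the first hunk, and the rest of that function is outside the hunk, so whether the packaged version's check_if_ca() actually rejects v1 intermediates when the flag is set cannot be confirmed from here and should be checked against the source being patched. The existing comment above the block only says the V1 CA flag is "disabled"; I would extend it to `/* Clear ALLOW_X509_V1_CA_CRT and set DO_NOT_ALLOW_X509_V1_CA_CRT so that check_if_ca() rejects v1 intermediate CAs unless the caller passed ALLOW_ANY_X509_V1_CA_CRT. */` so the two-flag dance is not undone by a later cleanup. The whitespace-only first hunk could be dropped from the vendored patch to reduce the chance of a fuzzy apply on a different baseline. _gnutls_x509_verify_certificate() begins and ends outside the hunk.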

Added: csw/mgar/pkg/gnutls/trunk/files/0007-CVE-2014-0092.patch
===================================================================
--- csw/mgar/pkg/gnutls/trunk/files/0007-CVE-2014-0092.patch	                        (rev 0)
+++ csw/mgar/pkg/gnutls/trunk/files/0007-CVE-2014-0092.patch	2014-03-05 20:11:52 UTC (rev 23140)
@@ -0,0 +1,102 @@
+From 6aa26f78150ccbdf0aec1878a41c17c41d358a3b Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at gnutls.org>
+Date: Thu, 27 Feb 2014 19:42:26 +0100
+Subject: [PATCH] corrected return codes
+
+---
+ lib/x509/verify.c |   16 ++++++++++------
+ 1 files changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/lib/x509/verify.c b/lib/x509/verify.c
+index c9a6b0d..eef85a8 100644
+--- a/lib/x509/verify.c
++++ b/lib/x509/verify.c
+@@ -141,7 +141,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+   if (result < 0)
+     {
+       gnutls_assert ();
+-      goto cleanup;
++      goto fail;
+     }
+ 
+   result =
+@@ -150,7 +150,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+   if (result < 0)
+     {
+       gnutls_assert ();
+-      goto cleanup;
++      goto fail;
+     }
+ 
+   result =
+@@ -158,7 +158,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+   if (result < 0)
+     {
+       gnutls_assert ();
+-      goto cleanup;
++      goto fail;
+     }
+ 
+   result =
+@@ -166,7 +166,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+   if (result < 0)
+     {
+       gnutls_assert ();
+-      goto cleanup;
++      goto fail;
+     }
+ 
+   /* If the subject certificate is the same as the issuer
+@@ -206,6 +206,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+   else
+     gnutls_assert ();
+ 
++fail:
+   result = 0;
+ 
+ cleanup:
+@@ -330,7 +331,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+   gnutls_datum_t cert_signed_data = { NULL, 0 };
+   gnutls_datum_t cert_signature = { NULL, 0 };
+   gnutls_x509_crt_t issuer = NULL;
+-  int issuer_version, result;
++  int issuer_version, result = 0;
+ 
+   if (output)
+     *output = 0;
+@@ -363,7 +364,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+   if (issuer_version < 0)
+     {
+       gnutls_assert ();
+-      return issuer_version;
++      return 0;
+     }
+ 
+   if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
+@@ -385,6 +386,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+   if (result < 0)
+     {
+       gnutls_assert ();
++      result = 0;
+       goto cleanup;
+     }
+ 
+@@ -393,6 +395,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+   if (result < 0)
+     {
+       gnutls_assert ();
++      result = 0;
+       goto cleanup;
+     }
+ 
+@@ -410,6 +413,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+   else if (result < 0)
+     {
+       gnutls_assert();
++      result = 0;
+       goto cleanup;
+     }
+ 
+-- 
+1.7.1
+
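Review bot: This patch changes the contract of `_gnutls_verify_certificate2()` and `check_if_ca()` from "negative gnutls error code on failure" to "0 on any failure" (`result = 0` before each `goto cleanup`, `return 0` for `issuer_version < 0`, the `fail:` label forcing `result = 0`), which presumably closes a path where a caller treated a non-zero negative return as "verified" — the callers are outside the hunks, so that is inferred. Because every error is now folded into 0, nothing in the code states the convention, and a future `goto cleanup` added without `result = 0` would silently reintroduce the flaw; I would add above `_gnutls_verify_certificate2()` the comment `/* Returns 1 if cert verifies against trusted_cas, 0 otherwise. Must never return a negative error code: any internal failure is reported as 0 (not verified). */` and an equivalent one above check_if_ca(). Both functions begin and end outside the hunks.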
