SF.net SVN: gar:[23142] csw/mgar/pkg/gnutls/trunk/files/0006-CVE-2014-1959.patch
chninkel at users.sourceforge.net
Wed Mar 5 21:12:57 CET 2014
Revision: 23142
http://sourceforge.net/p/gar/code/23142
Author: chninkel
Date: 2014-03-05 20:12:51 +0000 (Wed, 05 Mar 2014)
Log Message:
-----------
gnutls/trunk: updated 0006-CVE-2014-1959.patch to apply on 2.12.23 using debian one
Modified Paths:
--------------
csw/mgar/pkg/gnutls/trunk/files/0006-CVE-2014-1959.patch
Modified: csw/mgar/pkg/gnutls/trunk/files/0006-CVE-2014-1959.patch
===================================================================
--- csw/mgar/pkg/gnutls/trunk/files/0006-CVE-2014-1959.patch 2014-03-05 20:12:26 UTC (rev 23141)
+++ csw/mgar/pkg/gnutls/trunk/files/0006-CVE-2014-1959.patch 2014-03-05 20:12:51 UTC (rev 23142)
@@ -1,3 +1,5 @@
+Backport of:
+
From b1abfe3d182d68539900092eb42fc62cf1bb7e7c Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav at redhat.com>
Date: Wed, 12 Feb 2014 16:11:58 +0100
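Review bot: The "Backport of:" header added at the top of the patch file does not say where the backport came from. The log message states it was taken from the Debian patch, so record that beside the header (for example an origin line naming the Debian package and patch file), so the file stays traceable both to upstream commit b1abfe3d182d68539900092eb42fc62cf1bb7e7c and to the version it was adapted from.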
@@ -8,30 +10,19 @@
lib/x509/verify.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
-diff --git a/lib/x509/verify.c b/lib/x509/verify.c
-index 2b64ab6..b916ee5 100644
---- a/lib/x509/verify.c
-+++ b/lib/x509/verify.c
-@@ -193,6 +193,7 @@ check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
- result = 1;
- goto cleanup;
- }
-+
- /* Handle V1 CAs that do not have a basicConstraint, but accept
- these certs only if the appropriate flags are set. */
- else if ((result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) &&
-@@ -692,8 +693,10 @@ _gnutls_x509_verify_certificate(const gnutls_x509_crt_t * certificate_list,
- /* note that here we disable this V1 CA flag. So that no version 1
- * certificates can exist in a supplied chain.
- */
-- if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
-+ if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) {
- flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
-+ flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
-+ }
- if ((ret =
- _gnutls_verify_certificate2(certificate_list[i - 1],
- &certificate_list[i], 1,
---
-1.7.1
-
+Index: gnutls26-2.12.23/lib/x509/verify.c
+===================================================================
+--- gnutls26-2.12.23.orig/lib/x509/verify.c 2014-02-24 13:54:39.320147502 -0500
++++ gnutls26-2.12.23/lib/x509/verify.c 2014-02-24 13:56:11.532148997 -0500
+@@ -644,8 +644,10 @@
+ /* note that here we disable this V1 CA flag. So that no version 1
+ * certificates can exist in a supplied chain.
+ */
+- if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
++ if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) {
+ flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
++ flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
++ }
+ if ((ret =
+ _gnutls_verify_certificate2 (certificate_list[i - 1],
+ &certificate_list[i], 1, flags,
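Review bot: The diffstat kept as context ("lib/x509/verify.c | 5 ++++-" and "4 insertions(+), 1 deletions(-)") no longer matches the patch body. The replacement hunk at "@@ -644,8 +644,10 @@" carries 3 insertions and 1 deletion, because the blank-line addition in check_if_ca was dropped. That dropped hunk was whitespace only, so the functional change (setting GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT when GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT is not set) is still complete, but the stale diffstat should be updated or removed so the header describes what the file actually applies.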