Pullup ticket #4331 - requested by drochner
security/gnutls: security patch

Apply patch to fix security vulnerability reported in CVE-2014-1959.
tron committed Feb 20, 2014
1 parent 85d2c35 commit 96a4915
Showing 3 changed files with 30 additions and 2 deletions.
3 changes: 2 additions & 1 deletion security/gnutls/Makefile
@@ -1,6 +1,7 @@
# $NetBSD: Makefile,v 1.135 2013/11/29 22:55:29 wiz Exp $
# $NetBSD: Makefile,v 1.135.2.1 2014/02/20 12:31:26 tron Exp $

DISTNAME= gnutls-3.2.7
PKGREVISION= 1
CATEGORIES= security devel
MASTER_SITES= ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/
EXTRACT_SUFX= .tar.xz
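Review bot: the PKGREVISION= 1 line is the right accompaniment to a source patch that changes the built library, since it forces binary packages to be rebuilt and upgraded. With the +/- column missing in this rendering, the file summary (2 additions, 1 deletion) is what tells the reader that only the $NetBSD Id line was replaced and PKGREVISION added; no other Makefile settings change, which is as expected for a pure security pullup.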
3 changes: 2 additions & 1 deletion security/gnutls/distinfo
@@ -1,8 +1,9 @@
$NetBSD: distinfo,v 1.100 2013/11/29 22:55:29 wiz Exp $
$NetBSD: distinfo,v 1.100.2.1 2014/02/20 12:31:26 tron Exp $

SHA1 (gnutls-3.2.7.tar.xz) = 8c86048e7c01abb25f9285188d629f1f0f2bc6be
RMD160 (gnutls-3.2.7.tar.xz) = 3a3135441555b1c67a06696d973895b68a11c68a
Size (gnutls-3.2.7.tar.xz) = 5098572 bytes
SHA1 (patch-CVE-2014-1959) = 8a2f985990e054b69f578cb5eb9faf7868342685
SHA1 (patch-ae) = 71fbbeb43ac1689fca6fec7f8348d8534c1dc38a
SHA1 (patch-configure) = 66927d81a0d22624d70181e73e6a2b856483118e
SHA1 (patch-gl_stdio.in.h) = b5802da2cccddd6fab73bd39c49f7d62bef58464
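Review bot: the new SHA1 (patch-CVE-2014-1959) entry is the required registration of the added patch file; pkgsrc compares each patch against distinfo in the patch phase and refuses to apply one whose recorded checksum is missing or stale, so without this line the fix would silently not be built in. Its position ahead of patch-ae matches the sorted order the checksum tooling produces (uppercase sorts before lowercase), and the gnutls-3.2.7.tar.xz SHA1/RMD160/Size lines are untouched, which confirms the distfile itself is not being swapped.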
26 changes: 26 additions & 0 deletions security/gnutls/patches/patch-CVE-2014-1959
@@ -0,0 +1,26 @@
$NetBSD: patch-CVE-2014-1959,v 1.1.2.1 2014/02/20 12:31:26 tron Exp $

https://www.gitorious.org/gnutls/gnutls/commit/b1abfe3d182d68539900092eb42fc62cf1bb7e7c

--- lib/x509/verify.c.orig 2013-11-10 17:59:14.000000000 +0000
+++ lib/x509/verify.c
@@ -167,6 +167,7 @@ check_if_ca(gnutls_x509_crt_t cert, gnut
result = 1;
goto cleanup;
}
+
/* Handle V1 CAs that do not have a basicConstraint, but accept
these certs only if the appropriate flags are set. */
else if ((result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) &&
@@ -666,8 +667,10 @@ _gnutls_x509_verify_certificate(const gn
/* note that here we disable this V1 CA flag. So that no version 1
* certificates can exist in a supplied chain.
*/
- if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
+ if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) {
flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
+ flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
+ }
if ((ret =
_gnutls_verify_certificate2(certificate_list[i - 1],
&certificate_list[i], 1,
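Review bot: the substantive change is the second inner hunk (@@ -666): clearing GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT alone left the version 1 fallback in check_if_ca reachable, so additionally setting GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT is what makes the comment's stated intent ("no version 1 certificates can exist in a supplied chain") actually hold, which is the CVE-2014-1959 fix. That only works if the else-if condition following the "Handle V1 CAs" comment (its continuation is outside the hunk) tests the DO_NOT_ALLOW flag, so confirm that in gnutls 3.2.7's check_if_ca before accepting. The braces added around the now two-statement if body are necessary and correct. The first inner hunk (@@ -167) adds only a blank line and could have been dropped to keep the patch minimal; the gitorious commit URL in the patch header documents upstream provenance as pkgsrc expects.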
