author | Natanael Copa <ncopa@alpinelinux.org> | 2014-03-05 08:30:59 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2014-03-05 08:31:57 +0000 |
commit | 18c70cf5207e857f2bd47b6ea814f3f080542b68 (patch) | |
tree | 4d076ebed5aea279a0366e8e010de1a4e29b4619 | |
parent | e760d56c82e3b69f4ee2bc3f3790a63f01cdae49 (diff) | |
main/gnutls: security fix for CVE-2014-0092 and CVE-2014-1959
fixes #2726
-rw-r--r-- | main/gnutls/APKBUILD | 27 | ||||
-rw-r--r-- | main/gnutls/CVE-2014-0092.patch | 107 | ||||
-rw-r--r-- | main/gnutls/CVE-2014-1959.patch | 30 |
3 files changed, 157 insertions, 7 deletions
diff --git a/main/gnutls/APKBUILD b/main/gnutls/APKBUILD
index 2a17f1c89f..9e152cdf6f 100644
--- a/main/gnutls/APKBUILD
+++ b/main/gnutls/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=gnutls
 pkgver=3.0.29
-pkgrel=0
+pkgrel=1
 pkgdesc="A TLS protocol implementation"
 url="http://www.gnu.org/software/gnutls/"
 arch="all"
@@ -12,10 +12,23 @@ depends_dev="nettle-dev zlib-dev libtasn1-dev p11-kit-dev"
 makedepends="$depends_dev"
 install=
 subpackages="$pkgname-doc $pkgname-dev $pkgname-utils $pkgname-c++:xx"
-source="ftp://ftp.gnutls.org/gcrypt/gnutls/v${pkgver%.*}/$pkgname-$pkgver.tar.xz"
+source="ftp://ftp.gnutls.org/gcrypt/gnutls/v${pkgver%.*}/$pkgname-$pkgver.tar.xz
+ CVE-2014-0092.patch
+ CVE-2014-1959.patch
+ "
+
+_builddir="$srcdir"/$pkgname-$pkgver
+prepare() {
+ cd "$_builddir"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+}
 
 build() {
- cd "$srcdir/$pkgname-$pkgver"
+ cd "$_builddir"
 ./configure --prefix=/usr \
 --sysconfdir=/etc \
 --mandir=/usr/share/man \
@@ -28,7 +41,7 @@ build() {
 }
 
 package() {
- cd "$srcdir/$pkgname-$pkgver"
+ cd "$_builddir"
 make -j1 DESTDIR="$pkgdir" install
 rm -f "$pkgdir"/usr/lib/*.la
 }
@@ -45,6 +58,6 @@ xx() {
 mv "$pkgdir"/usr/lib/lib*xx.so.* "$subpkgdir"/usr/lib/
 }
 
-md5sums="2dfbef3444c22313ff90d571ba84968d gnutls-3.0.29.tar.xz"
-sha256sums="2a2c1295e363cef86d20ca2c1691678ba465c4e83c7b387421283c3a67ba9d2c gnutls-3.0.29.tar.xz"
-sha512sums="c1cc333ffbb89e666b8d9e9bad4c9e89c7a8690eec9b983e8127df39740e1088dd0d617bed65611abba98fb59383afd3862b1db361ec9dda2520f5cf3225b655 gnutls-3.0.29.tar.xz"
+md5sums="2dfbef3444c22313ff90d571ba84968d gnutls-3.0.29.tar.xz
+1bdc29cc5f7b6665309c0b3f2167f324 CVE-2014-0092.patch
+a2821647f3bf574f3115da647068601a CVE-2014-1959.patch"
diff --git a/main/gnutls/CVE-2014-0092.patch b/main/gnutls/CVE-2014-0092.patch
new file mode 100644
index 0000000000..846fad0dd8
--- /dev/null
+++ b/main/gnutls/CVE-2014-0092.patch
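Review bot: The final hunk of the APKBUILD replaces the `-sha256sums=` and `-sha512sums=` lines with a `+md5sums=` block only, so after this commit the tarball and both new patch files are integrity-checked by MD5 alone, whereas the previous revision also verified the tarball with SHA-512. MD5 is not collision-resistant, so this is a weaker guard against a substituted upstream tarball or an altered patch file than the APKBUILD had before. Keep the stronger digest alongside the md5sums block: re-add `sha512sums="c1cc333ffbb89e666b8d9e9bad4c9e89c7a8690eec9b983e8127df39740e1088dd0d617bed65611abba98fb59383afd3862b1db361ec9dda2520f5cf3225b655  gnutls-3.0.29.tar.xz` followed by one entry per patch, `<sha512 of CVE-2014-0092.patch>  CVE-2014-0092.patch` and `<sha512 of CVE-2014-1959.patch>  CVE-2014-1959.patch"` (placeholder digests, to be regenerated with `abuild checksum`). The new `prepare()` function starts and ends inside the second hunk, so this point applies only to the checksum hunk.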
@@ -0,0 +1,107 @@
+From 497cdc69db73fb91539f5a1d1d05da1b3a625849 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Thu, 27 Feb 2014 19:42:26 +0100
+Subject: [PATCH] corrected return codes
+
+(cherry picked from commit 6aa26f78150ccbdf0aec1878a41c17c41d358a3b)
+
+Conflicts:
+
+ lib/x509/verify.c
+---
+ lib/x509/verify.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/lib/x509/verify.c b/lib/x509/verify.c
+index 1ab1357..1f817d8 100644
+--- a/lib/x509/verify.c
++++ b/lib/x509/verify.c
+@@ -132,7 +132,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+ if (result < 0)
+ {
+ gnutls_assert ();
+- goto cleanup;
++ goto fail;
+ }
+
+ result =
+@@ -141,7 +141,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+ if (result < 0)
+ {
+ gnutls_assert ();
+- goto cleanup;
++ goto fail;
+ }
+
+ result =
+@@ -149,7 +149,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+ if (result < 0)
+ {
+ gnutls_assert ();
+- goto cleanup;
++ goto fail;
+ }
+
+ result =
+@@ -157,7 +157,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+ if (result < 0)
+ {
+ gnutls_assert ();
+- goto cleanup;
++ goto fail;
+ }
+
+ /* If the subject certificate is the same as the issuer
+@@ -197,6 +197,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+ else
+ gnutls_assert ();
+
++fail:
+ result = 0;
+
+ cleanup:
+@@ -397,7 +398,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+ gnutls_datum_t cert_signed_data = { NULL, 0 };
+ gnutls_datum_t cert_signature = { NULL, 0 };
+ gnutls_x509_crt_t issuer = NULL;
+- int issuer_version, result, hash_algo;
++ int issuer_version, result = 0, hash_algo;
+ unsigned int out = 0;
+
+ if (output)
+@@ -435,7 +436,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+ if (issuer_version < 0)
+ {
+ gnutls_assert ();
+- return issuer_version;
++ return 0;
+ }
+
+ if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
+@@ -459,6 +460,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+ if (result < 0)
+ {
+ gnutls_assert ();
++ result = 0;
+ goto cleanup;
+ }
+
+@@ -467,6 +469,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+ if (result < 0)
+ {
+ gnutls_assert ();
++ result = 0;
+ goto cleanup;
+ }
+
+@@ -494,6 +497,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+ else if (result < 0)
+ {
+ gnutls_assert();
++ result = 0;
+ goto cleanup;
+ }
+
+-- 
+1.7.10
+
diff --git a/main/gnutls/CVE-2014-1959.patch b/main/gnutls/CVE-2014-1959.patch
new file mode 100644
index 0000000000..71e44ef8d4
--- /dev/null
+++ b/main/gnutls/CVE-2014-1959.patch
@@ -0,0 +1,30 @@
+From 8885539a95fdef96c59b74ff4edb99bd193be2f8 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Wed, 12 Feb 2014 16:41:33 +0100
+Subject: [PATCH 1/2] Fixed bug that prevented the rejection of v1
+ intermediate CA certificates. (cherry picked from
+ commit 467478d8ff08a3cb4be3034ff04c9d08a0ceba3e)
+
+---
+ lib/x509/verify.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/x509/verify.c b/lib/x509/verify.c
+index f336633..1ab1357 100644
+--- a/lib/x509/verify.c
++++ b/lib/x509/verify.c
+@@ -689,7 +689,10 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
+ * certificates can exist in a supplied chain.
+ */
+ if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
+- flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
++ {
++ flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
++ flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
++ }
+ if ((ret =
+ _gnutls_verify_certificate2 (certificate_list[i - 1],
+ &certificate_list[i], 1, flags,
+-- 
+1.7.10
+
|