authorBryan Drewery <bdrewery@FreeBSD.org>2014-03-04 22:46:55 +0000
committerBryan Drewery <bdrewery@FreeBSD.org>2014-03-04 22:46:55 +0000
commit6a52cb90442d78aaf4b180f4cdf1decd8dd92f06 (patch)
tree158f1fd7dc5582a6c1bc59f1bfd77a168a21a1c7 /security/gnutls
parentd7a363f8347e399502f55c54293882845fa2e133 (diff)
downloadports-6a52cb90442d78aaf4b180f4cdf1decd8dd92f06.tar.gz
ports-6a52cb90442d78aaf4b180f4cdf1decd8dd92f06.zip
- Add fixes for:
CVE-2014-0092 - Certificate verification issue
CVE-2014-1959 - Certificate verification issue

All users are recommended to upgrade ASAP.

Security: f645aa90-a3e8-11e3-a422-3c970e169bc2
Notes
Notes: svn path=/head/; revision=347078
Diffstat (limited to 'security/gnutls')
-rw-r--r--security/gnutls/Makefile2
-rw-r--r--security/gnutls/files/patch-lib__x509__verify.c103
2 files changed, 104 insertions, 1 deletions
diff --git a/security/gnutls/Makefile b/security/gnutls/Makefile
index 09dcb61e7f0c..df799a47ae57 100644
--- a/security/gnutls/Makefile
+++ b/security/gnutls/Makefile
@@ -3,7 +3,7 @@
PORTNAME= gnutls
PORTVERSION= 2.12.23
-PORTREVISION= 3
+PORTREVISION= 4
CATEGORIES= security net
MASTER_SITES= \
ftp://ftp.gnutls.org/gcrypt/gnutls/v${PORTVERSION:C/.[0-9]+$//}/ \
diff --git a/security/gnutls/files/patch-lib__x509__verify.c b/security/gnutls/files/patch-lib__x509__verify.c
new file mode 100644
index 000000000000..a092094cd9eb
--- /dev/null
+++ b/security/gnutls/files/patch-lib__x509__verify.c
@@ -0,0 +1,103 @@
+CVE-2014-0092
+CVE-2014-1959
+
+--- ./lib/x509/verify.c.orig 2012-05-24 11:19:05.000000000 -0500
++++ ./lib/x509/verify.c 2014-03-04 16:43:13.053087407 -0600
+@@ -141,7 +141,7 @@
+ if (result < 0)
+ {
+ gnutls_assert ();
+- goto cleanup;
++ goto fail;
+ }
+
+ result =
+@@ -150,7 +150,7 @@
+ if (result < 0)
+ {
+ gnutls_assert ();
+- goto cleanup;
++ goto fail;
+ }
+
+ result =
+@@ -158,7 +158,7 @@
+ if (result < 0)
+ {
+ gnutls_assert ();
+- goto cleanup;
++ goto fail;
+ }
+
+ result =
+@@ -166,7 +166,7 @@
+ if (result < 0)
+ {
+ gnutls_assert ();
+- goto cleanup;
++ goto fail;
+ }
+
+ /* If the subject certificate is the same as the issuer
+@@ -206,6 +206,7 @@
+ else
+ gnutls_assert ();
+
++fail:
+ result = 0;
+
+ cleanup:
+@@ -330,7 +331,7 @@
+ gnutls_datum_t cert_signed_data = { NULL, 0 };
+ gnutls_datum_t cert_signature = { NULL, 0 };
+ gnutls_x509_crt_t issuer = NULL;
+- int issuer_version, result;
++ int issuer_version, result = 0;
+
+ if (output)
+ *output = 0;
+@@ -363,7 +364,7 @@
+ if (issuer_version < 0)
+ {
+ gnutls_assert ();
+- return issuer_version;
++ return 0;
+ }
+
+ if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
+@@ -385,6 +386,7 @@
+ if (result < 0)
+ {
+ gnutls_assert ();
++ result = 0;
+ goto cleanup;
+ }
+
+@@ -393,6 +395,7 @@
+ if (result < 0)
+ {
+ gnutls_assert ();
++ result = 0;
+ goto cleanup;
+ }
+
+@@ -410,6 +413,7 @@
+ else if (result < 0)
+ {
+ gnutls_assert();
++ result = 0;
+ goto cleanup;
+ }
+
+@@ -644,8 +648,10 @@
+ /* note that here we disable this V1 CA flag. So that no version 1
+ * certificates can exist in a supplied chain.
+ */
+- if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
++ if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) {
+ flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
++ flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
++ }
+ if ((ret =
+ _gnutls_verify_certificate2 (certificate_list[i - 1],
+ &certificate_list[i], 1, flags,