Date:      Tue, 4 Mar 2014 22:46:56 +0000 (UTC)
From:      Bryan Drewery <bdrewery@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r347078 - in head/security/gnutls: . files
Message-ID:  <201403042246.s24Mku54052731@svn.freebsd.org>

Author: bdrewery
Date: Tue Mar  4 22:46:55 2014
New Revision: 347078
URL: http://svnweb.freebsd.org/changeset/ports/347078
QAT: https://qat.redports.org/buildarchive/r347078/

Log:
  - Add fixes for:
    CVE-2014-0092 - Certificate verification issue (error paths in the X.509 verifier returned a negative code instead of a verification failure)
    CVE-2014-1959 - Certificate verification issue (version 1 intermediate CA certificates were not rejected from a supplied chain)
  
    All users are recommended to upgrade ASAP.
  
  Security:	f645aa90-a3e8-11e3-a422-3c970e169bc2

Added:
  head/security/gnutls/files/patch-lib__x509__verify.c   (contents, props changed)
Modified:
  head/security/gnutls/Makefile

Modified: head/security/gnutls/Makefile
==============================================================================
--- head/security/gnutls/Makefile	Tue Mar  4 22:38:05 2014	(r347077)
+++ head/security/gnutls/Makefile	Tue Mar  4 22:46:55 2014	(r347078)
@@ -3,7 +3,7 @@
 
 PORTNAME=	gnutls
 PORTVERSION=	2.12.23
-PORTREVISION=	3
+PORTREVISION=	4
 CATEGORIES=	security net
 MASTER_SITES=	\
 	ftp://ftp.gnutls.org/gcrypt/gnutls/v${PORTVERSION:C/.[0-9]+$//}/ \

Added: head/security/gnutls/files/patch-lib__x509__verify.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/gnutls/files/patch-lib__x509__verify.c	Tue Mar  4 22:46:55 2014	(r347078)
@@ -0,0 +1,103 @@
+CVE-2014-0092
+CVE-2014-1959
+
+--- ./lib/x509/verify.c.orig	2012-05-24 11:19:05.000000000 -0500
++++ ./lib/x509/verify.c	2014-03-04 16:43:13.053087407 -0600
+@@ -141,7 +141,7 @@
+   if (result < 0)
+     {
+       gnutls_assert ();
+-      goto cleanup;
++      goto fail;
+     }
+ 
+   result =
+@@ -150,7 +150,7 @@
+   if (result < 0)
+     {
+       gnutls_assert ();
+-      goto cleanup;
++      goto fail;
+     }
+ 
+   result =
+@@ -158,7 +158,7 @@
+   if (result < 0)
+     {
+       gnutls_assert ();
+-      goto cleanup;
++      goto fail;
+     }
+ 
+   result =
+@@ -166,7 +166,7 @@
+   if (result < 0)
+     {
+       gnutls_assert ();
+-      goto cleanup;
++      goto fail;
+     }
+ 
+   /* If the subject certificate is the same as the issuer
+@@ -206,6 +206,7 @@
+   else
+     gnutls_assert ();
+ 
++fail:
+   result = 0;
+ 
+ cleanup:
+@@ -330,7 +331,7 @@
+   gnutls_datum_t cert_signed_data = { NULL, 0 };
+   gnutls_datum_t cert_signature = { NULL, 0 };
+   gnutls_x509_crt_t issuer = NULL;
+-  int issuer_version, result;
++  int issuer_version, result = 0;
+ 
+   if (output)
+     *output = 0;
+@@ -363,7 +364,7 @@
+   if (issuer_version < 0)
+     {
+       gnutls_assert ();
+-      return issuer_version;
++      return 0;
+     }
+ 
+   if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
+@@ -385,6 +386,7 @@
+   if (result < 0)
+     {
+       gnutls_assert ();
++      result = 0;
+       goto cleanup;
+     }
+ 
+@@ -393,6 +395,7 @@
+   if (result < 0)
+     {
+       gnutls_assert ();
++      result = 0;
+       goto cleanup;
+     }
+ 
+@@ -410,6 +413,7 @@
+   else if (result < 0)
+     {
+       gnutls_assert();
++      result = 0;
+       goto cleanup;
+     }
+ 
+@@ -644,8 +648,10 @@
+       /* note that here we disable this V1 CA flag. So that no version 1
+        * certificates can exist in a supplied chain.
+        */
+-      if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
++      if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) {
+         flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
++        flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
++      }
+       if ((ret =
+            _gnutls_verify_certificate2 (certificate_list[i - 1],
+                                         &certificate_list[i], 1, flags,
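Review bot: The last nested hunk (`@@ -644`) sets `GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT` for intermediate certificates, but no hunk in this patch adds a reader of that flag; the V1 handling in check_if_ca is only partly visible (the `@@ -206` hunk) and the enclosing function runs outside the hunks, so it is worth confirming that 2.12.23's check_if_ca actually tests this flag and that the installed gnutls/x509.h already declares it, since the patch touches no header — otherwise the CVE-2014-1959 part is either inert or fails to build. The `return 0;` and `result = 0;` changes in _gnutls_verify_certificate2 collapse every internal error (a failed get_version, DER extraction or signature check) into "not verified" without recording anything in `*output`, which is zeroed earlier by `if (output) *output = 0;`, so callers can no longer distinguish a malformed certificate from an untrusted one. That is the safe direction for the CVE-2014-0092 failure-open, but the convention should be stated at the top of the function, e.g. `/* Any internal error must be reported as verification failure (0): callers treat a non-zero return as success. */`, and the same comment belongs on the new `fail:` label in check_if_ca.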


