Update to new version 1.2.8, fixing security issues (denial of service).

Fix fetching, by bypassing splash screen (adds files/fetchwrapper.sh).

Approved by:	jase (maintainer)
Security:	72bf9e21-03df-11e3-bd8d-080027ef73ec
Security:	CVE-2013-4623

4 files changed, 53 insertions, 4 deletions

diff --git a/security/polarssl/Makefile b/security/polarssl/Makefile
index a0e18879765a..5efdd2c715ab 100644
--- a/security/polarssl/Makefile
+++ b/security/polarssl/Makefile
@@ -1,7 +1,7 @@
 # $FreeBSD$
 
 PORTNAME=	polarssl
-PORTVERSION=	1.2.7
+PORTVERSION=	1.2.8
 DISTVERSIONSUFFIX=	-gpl
 CATEGORIES=	security devel
 MASTER_SITES=	http://polarssl.org/download/
@@ -12,7 +12,10 @@ COMMENT=	Open Source embedded SSL/TLS cryptographic library
 
 LICENSE=	GPLv2
 
-FETCH_ARGS=	-pRr
+# bypass the HTML "now downloading..." splash site, code below
+# .include <bsd.port.pre.mk>
+URL_SUFFIX=	?do=yes
+FETCH_ARGS=	-pRro ${DISTFILES}
 ALL_TARGET=	no_test
 
 USE_GMAKE=	yes
@@ -48,6 +51,9 @@ post-install:
 
 .include <bsd.port.pre.mk>
 
+FETCH_CMD:=	${SHELL} ${FILESDIR}/fetchwrapper.sh \
+			${URL_SUFFIX} ${FETCH_BINARY} ${FETCH_ARGS}
+
 .if ${ARCH} == "powerpc"
 BROKEN=		Does not compile on powerpc
 .endif
diff --git a/security/polarssl/distinfo b/security/polarssl/distinfo
index 79bb1fdad07e..7603965abf58 100644
--- a/security/polarssl/distinfo
+++ b/security/polarssl/distinfo
@@ -1,2 +1,2 @@
-SHA256 (polarssl-1.2.7-gpl.tgz) = d64c2d1247f93cdeb884bd3706dfddffc636634bbf81d3772af750d5b5191328
-SIZE (polarssl-1.2.7-gpl.tgz) = 977888
+SHA256 (polarssl-1.2.8-gpl.tgz) = 23cf931e322ab397d26c89b7e805cf2229df46c5196f4f67ebfc0e285848637b
+SIZE (polarssl-1.2.8-gpl.tgz) = 998609
diff --git a/security/polarssl/files/fetchwrapper.sh b/security/polarssl/files/fetchwrapper.sh
new file mode 100644
index 000000000000..dcbe42ced2b6
--- /dev/null
+++ b/security/polarssl/files/fetchwrapper.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+# $FreeBSD$
+
+# This script tacks the first argument onto each URL found in the list,
+# discards and then executes the list.
+
+# URL matching is simplistic, a URL is what matches *tp://* (so file:///
+# is not matched).
+
+# For instance, calling:
+#   fetchwrapper.sh '?do=yes' /usr/bin/fetch -pPr http://example.org/file
+# will execute:
+#   /usr/bin/fetch -pPr http://example.org/file?do=yes
+
+# The intention is to work around download splash screens on web servers.
+
+# (C) Copyright 2013 by Matthias Andree.
+# Licensed under the 2-clause BSD license.
+
+if [ $# -lt 3 ] ; then
+    echo >&2 "Usage: $0 URLsuffix fetch-command [options] URL [post-options]"
+    exit 1
+fi
+
+patcharray() {
+    # based on Rich Felker's "Working with arrays",
+    # http://www.etalabs.net/sh_tricks.html
+    for i do
+	case "$i" in *tp://*) j=$suffix ;; *) j= ;; esac
+	printf %s%s\\n "$i" "$j" | sed -e "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/"
+    done
+    echo " "
+}
+
+suffix="$1" ; shift
+args=$(patcharray "$@")
+eval "set -- $args"
+
+set -x
+exec "$@"
diff --git a/security/polarssl/pkg-plist b/security/polarssl/pkg-plist
index 6e8e3589a5f4..bec721363449 100644
--- a/security/polarssl/pkg-plist
+++ b/security/polarssl/pkg-plist
@@ -50,6 +50,8 @@ include/polarssl/padlock.h
 include/polarssl/pem.h
 include/polarssl/pbkdf2.h
 include/polarssl/pkcs11.h
+include/polarssl/pkcs12.h
+include/polarssl/pkcs5.h
 include/polarssl/rsa.h
 include/polarssl/sha1.h
 include/polarssl/sha2.h