author | delphij <delphij@FreeBSD.org> | 2013-12-19 07:04:24 +0800 |
---|---|---|
committer | delphij <delphij@FreeBSD.org> | 2013-12-19 07:04:24 +0800 |
commit | 8c22919f153e55385c781806cf0e679d76119d86 (patch) | |
tree | 61c87dca698b425a6df10184c8d862fbe31ab876 /ftp | |
parent | 4ccde899e821ee9637699adbd6326766b61cfeb3 (diff) | |
Apply vendor fix for CVE-2013-6422, cURL libcurl cert name check ignore
with GnuTLS. Document the vulnerability fix in vuxml while I'm here.
Diffstat (limited to 'ftp')
-rw-r--r-- | ftp/curl/Makefile | 2 | ||||
-rw-r--r-- | ftp/curl/files/patch-CVE-2013-6422 | 32 |
2 files changed, 33 insertions, 1 deletions
diff --git a/ftp/curl/Makefile b/ftp/curl/Makefile index 856fc239faf6..05980d04bddb 100644 --- a/ftp/curl/Makefile +++ b/ftp/curl/Makefile @@ -3,7 +3,7 @@ PORTNAME= curl PORTVERSION= 7.33.0 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= ftp www MASTER_SITES= http://curl.haxx.se/download/ \ LOCAL/sunpoet diff --git a/ftp/curl/files/patch-CVE-2013-6422 b/ftp/curl/files/patch-CVE-2013-6422 new file mode 100644 index 000000000000..3c29829f945c --- /dev/null +++ b/ftp/curl/files/patch-CVE-2013-6422 @@ -0,0 +1,32 @@ +--- ./lib/gtls.c.orig 2013-10-12 15:05:06.000000000 -0700 ++++ ./lib/gtls.c 2013-12-18 15:00:22.000000000 -0800 +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al. ++ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -633,10 +633,8 @@ + else + infof(data, "\t server certificate verification OK\n"); + } +- else { ++ else + infof(data, "\t server certificate verification SKIPPED\n"); +- goto after_server_cert_verification; +- } + + /* initialize an X.509 certificate structure. */ + gnutls_x509_crt_init(&x509_cert); +@@ -766,8 +764,6 @@ + + gnutls_x509_crt_deinit(x509_cert); + +-after_server_cert_verification: +- + /* compression algorithm (if any) */ + ptr = gnutls_compression_get_name(gnutls_compression_get(session)); + /* the *_get_name() says "NULL" if GNUTLS_COMP_NULL is returned */ |
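Review bot: the first embedded hunk of files/patch-CVE-2013-6422 (lib/gtls.c, @@ -5,7 +5,7 @@) only changes the copyright year from 2012 to 2013 and has no bearing on the fix. I would drop it so the local patch carries just the two security-relevant hunks; a patch limited to the functional change is easier to audit and has one less context block that can fail to apply against the distfile.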
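Review bot: in the embedded hunk at @@ -633,10 +633,8 @@, removing `goto after_server_cert_verification;` means everything from `gnutls_x509_crt_init(&x509_cert);` down to `gnutls_x509_crt_deinit(x509_cert);` now also runs on the "server certificate verification SKIPPED" path, and none of that code is visible in this diff. The hunk offsets (633 to 766) indicate a sizeable block, so please confirm that each check inside it is gated on its own option and does not depend on having been jumped over, since that is what makes the name check independent of the peer verification setting. The label removal at @@ -766,8 +764,6 @@ is consistent with the goto removal. A short header comment in the patch file naming the upstream change it was taken from would also help; the commit message says "vendor fix" but the patch itself carries no reference.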