author | bdrewery <bdrewery@FreeBSD.org> | 2014-03-05 06:46:55 +0800 |
---|---|---|
committer | bdrewery <bdrewery@FreeBSD.org> | 2014-03-05 06:46:55 +0800 |
commit | 6b8d972658a94f3d4f20cb005d728ac55d789992 (patch) | |
tree | 158f1fd7dc5582a6c1bc59f1bfd77a168a21a1c7 /security/gnutls | |
parent | 259847f9df0d667aa92d036b1ad18aab80ce10d1 (diff) | |
download | freebsd-ports-gnome-6b8d972658a94f3d4f20cb005d728ac55d789992.tar.gz freebsd-ports-gnome-6b8d972658a94f3d4f20cb005d728ac55d789992.tar.zst freebsd-ports-gnome-6b8d972658a94f3d4f20cb005d728ac55d789992.zip |
- Add fixes for:
CVE-2014-0092 - Certificate verification issue
CVE-2014-1959 - Certificate verification issue
All users are recommended to upgrade ASAP.
Security: f645aa90-a3e8-11e3-a422-3c970e169bc2
Diffstat (limited to 'security/gnutls')
-rw-r--r-- | security/gnutls/Makefile | 2 | ||||
-rw-r--r-- | security/gnutls/files/patch-lib__x509__verify.c | 103 |
2 files changed, 104 insertions, 1 deletions
diff --git a/security/gnutls/Makefile b/security/gnutls/Makefile
index 09dcb61e7f0c..df799a47ae57 100644
--- a/security/gnutls/Makefile
+++ b/security/gnutls/Makefile
@@ -3,7 +3,7 @@
 PORTNAME= gnutls
 PORTVERSION= 2.12.23
-PORTREVISION= 3
+PORTREVISION= 4
 CATEGORIES= security net
 MASTER_SITES= \
 ftp://ftp.gnutls.org/gcrypt/gnutls/v${PORTVERSION:C/.[0-9]+$//}/ \
diff --git a/security/gnutls/files/patch-lib__x509__verify.c b/security/gnutls/files/patch-lib__x509__verify.c
new file mode 100644
index 000000000000..a092094cd9eb
--- /dev/null
+++ b/security/gnutls/files/patch-lib__x509__verify.c
@@ -0,0 +1,103 @@
+CVE-2014-0092
+CVE-2014-1959
+
+--- ./lib/x509/verify.c.orig 2012-05-24 11:19:05.000000000 -0500
++++ ./lib/x509/verify.c 2014-03-04 16:43:13.053087407 -0600
+@@ -141,7 +141,7 @@
+ if (result < 0)
+ {
+ gnutls_assert ();
+- goto cleanup;
++ goto fail;
+ }
+
+ result =
+@@ -150,7 +150,7 @@
+ if (result < 0)
+ {
+ gnutls_assert ();
+- goto cleanup;
++ goto fail;
+ }
+
+ result =
+@@ -158,7 +158,7 @@
+ if (result < 0)
+ {
+ gnutls_assert ();
+- goto cleanup;
++ goto fail;
+ }
+
+ result =
+@@ -166,7 +166,7 @@
+ if (result < 0)
+ {
+ gnutls_assert ();
+- goto cleanup;
++ goto fail;
+ }
+
+ /* If the subject certificate is the same as the issuer
+@@ -206,6 +206,7 @@
+ else
+ gnutls_assert ();
+
++fail:
+ result = 0;
+
+ cleanup:
+@@ -330,7 +331,7 @@
+ gnutls_datum_t cert_signed_data = { NULL, 0 };
+ gnutls_datum_t cert_signature = { NULL, 0 };
+ gnutls_x509_crt_t issuer = NULL;
+- int issuer_version, result;
++ int issuer_version, result = 0;
+
+ if (output)
+ *output = 0;
+@@ -363,7 +364,7 @@
+ if (issuer_version < 0)
+ {
+ gnutls_assert ();
+- return issuer_version;
++ return 0;
+ }
+
+ if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
+@@ -385,6 +386,7 @@
+ if (result < 0)
+ {
+ gnutls_assert ();
++ result = 0;
+ goto cleanup;
+ }
+
+@@ -393,6 +395,7 @@
+ if (result < 0)
+ {
+ gnutls_assert ();
++ result = 0;
+ goto cleanup;
+ }
+
+@@ -410,6 +413,7 @@
+ else if (result < 0)
+ {
+ gnutls_assert();
++ result = 0;
+ goto cleanup;
+ }
+
+@@ -644,8 +648,10 @@
+ /* note that here we disable this V1 CA flag. So that no version 1
+ * certificates can exist in a supplied chain.
+ */
+- if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
++ if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) {
+ flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
++ flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
++ }
+ if ((ret =
+ _gnutls_verify_certificate2 (certificate_list[i - 1],
+ &certificate_list[i], 1, flags, |
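Review bot: The `result = 0;` inserted before each `goto cleanup;` in the `@@ -385`, `@@ -393` and `@@ -410` hunks, together with the `return 0;` that replaces `return issuer_version;`, deliberately discard negative error codes, but nothing in the patch records why, so a later reader of the 2.12.23 tree will see errors being swallowed and may be tempted to "fix" it back. The pattern only makes sense if `_gnutls_verify_certificate2` is contracted to return a boolean (1 = verified, 0 = not verified) and its callers treat any nonzero value as success; the callers are not on this page, so confirm that against them, and then pin the contract with a comment at the new `int issuer_version, result = 0;` line such as `/* Return value is boolean (1 = verified, 0 = not): a negative error code must never escape, or callers would read it as success. */`. The new `fail:` label in the first patched function deserves the same treatment, e.g. `/* any failure above means "not a CA", never an error value */`. Both enclosing functions start and end outside the hunk.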