authorjase <jase@FreeBSD.org>2013-10-02 07:47:13 +0800
committerjase <jase@FreeBSD.org>2013-10-02 07:47:13 +0800
commit23a88078203d96e3cf657decd430994fea751d67 (patch)
treeedc36d74bc3a94bc3b33407eaf2f3049d56584eb /security
parent25c64e61ab34da666b14f9c094e8946a32d36add (diff)
- Update to 1.2.9
- Add vuxml entry - Prevent install target from copying patch backup files Changes: https://raw.github.com/polarssl/polarssl/60ad84f43f46b0d3673eaca8b9847d7e01b83c5e/ChangeLog Security: ccefac3e-2aed-11e3-af10-000c29789cb5 Security: CVE-2013-5915
Diffstat (limited to 'security')
-rw-r--r--security/polarssl/Makefile5
-rw-r--r--security/polarssl/distinfo4
-rw-r--r--security/vuxml/vuln.xml40
3 files changed, 44 insertions, 5 deletions
diff --git a/security/polarssl/Makefile b/security/polarssl/Makefile
index e552e8c6cf1b..6bce2820491b 100644
--- a/security/polarssl/Makefile
+++ b/security/polarssl/Makefile
@@ -1,9 +1,8 @@
# $FreeBSD$
PORTNAME= polarssl
-PORTVERSION= 1.2.8
+PORTVERSION= 1.2.9
DISTVERSIONSUFFIX= -gpl
-PORTREVISION= 1
CATEGORIES= security devel
MASTER_SITES= http://polarssl.org/download/
EXTRACT_SUFX= .tgz
@@ -32,7 +31,7 @@ BINFILES= aescrypt2 benchmark dh_client dh_genprime dh_server hello \
# cmake install is broken, so we do it by hand
do-install:
- @${TAR} -C ${WRKSRC}/include -cf - polarssl | ${TAR} -C ${STAGEDIR}${PREFIX}/include -xf -
+ @cd ${WRKSRC}/include && ${COPYTREE_SHARE} ${PORTNAME} ${STAGEDIR}${PREFIX}/include "! -name *.orig"
${INSTALL_DATA} ${WRKSRC}/library/libpolarssl.a ${STAGEDIR}${PREFIX}/lib/
${INSTALL_DATA} ${WRKSRC}/library/libpolarssl.so ${STAGEDIR}${PREFIX}/lib/libpolarssl.so.0
cd ${STAGEDIR}${PREFIX}/lib/ && ${LN} -sf libpolarssl.so.0 libpolarssl.so
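Review bot: The new `COPYTREE_SHARE` line in `do-install` carries a filter, `"! -name *.orig"`, that the comment above the target ("cmake install is broken, so we do it by hand") does not explain. A one-line comment such as `# skip *.orig backups left in include/ by the patch phase` would record why the plain tar copy was replaced. The `*.orig` pattern sits unescaped inside the macro argument, so it presumably relies on no `*.orig` file lying directly in `${WRKSRC}/include`, the working directory after the `cd`. That is worth confirming against how `COPYTREE_SHARE` expands its third argument, which is not visible in this hunk.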
diff --git a/security/polarssl/distinfo b/security/polarssl/distinfo
index 7603965abf58..37151da4148e 100644
--- a/security/polarssl/distinfo
+++ b/security/polarssl/distinfo
@@ -1,2 +1,2 @@
-SHA256 (polarssl-1.2.8-gpl.tgz) = 23cf931e322ab397d26c89b7e805cf2229df46c5196f4f67ebfc0e285848637b
-SIZE (polarssl-1.2.8-gpl.tgz) = 998609
+SHA256 (polarssl-1.2.9-gpl.tgz) = d125a6e7eb6eb3e5110035df1469099c5463837b1ef734e60771095dafc0ef56
+SIZE (polarssl-1.2.9-gpl.tgz) = 999668
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 4cdc07af35f3..868a759d9da5 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -51,6 +51,46 @@ Note: Please add new entries to the beginning of this file.
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="ccefac3e-2aed-11e3-af10-000c29789cb5">
+ <topic>polarssl -- Timing attack against protected RSA-CRT implementation</topic>
+ <affects>
+ <package>
+ <name>polarssl</name>
+ <range><lt>1.2.9</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>PolarSSL Project reports:</p>
+ <blockquote cite="https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-05">
+ <p>The researchers Cyril Arnaud and Pierre-Alain Fouque
+ investigated the PolarSSL RSA implementation and discovered
+ a bias in the implementation of the Montgomery multiplication
+ that we used. For which they then show that it can be used to
+ mount an attack on the RSA key. Although their test attack is
+ done on a local system, there seems to be enough indication
+ that this can properly be performed from a remote system as
+ well.</p>
+ <p>All versions prior to PolarSSL 1.2.9 and 1.3.0 are affected
+ if a third party can send arbitrary handshake messages to your
+ server.</p>
+ <p>If correctly executed, this attack reveals the entire private
+ RSA key after a large number of attack messages (&gt; 600.000 on
+ a local machine) are sent to show the timing differences.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2013-5915</cvename>
+ <url>https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-05</url>
+ <url>https://polarssl.org/tech-updates/releases/polarssl-1.2.9-released</url>
+ </references>
+ <dates>
+ <discovery>2013-10-01</discovery>
+ <entry>2013-10-02</entry>
+ </dates>
+ </vuln>
+
<vuln vid="e5414d0c-2ade-11e3-821d-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>