From 6b8d972658a94f3d4f20cb005d728ac55d789992 Mon Sep 17 00:00:00 2001 From: bdrewery Date: Tue, 4 Mar 2014 22:46:55 +0000 Subject: - Add fixes for: CVE-2014-0092 - Certificate verification issue CVE-2014-1959 - Certificate verification issue All users are recommended to upgrade ASAP. Security: f645aa90-a3e8-11e3-a422-3c970e169bc2 --- security/gnutls/Makefile | 2 +- security/gnutls/files/patch-lib__x509__verify.c | 103 ++++++++++++++++++++++++ 2 files changed, 104 insertions(+), 1 deletion(-) create mode 100644 security/gnutls/files/patch-lib__x509__verify.c (limited to 'security/gnutls') diff --git a/security/gnutls/Makefile b/security/gnutls/Makefile index 09dcb61e7f0c..df799a47ae57 100644 --- a/security/gnutls/Makefile +++ b/security/gnutls/Makefile @@ -3,7 +3,7 @@ PORTNAME= gnutls PORTVERSION= 2.12.23 -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= security net MASTER_SITES= \ ftp://ftp.gnutls.org/gcrypt/gnutls/v${PORTVERSION:C/.[0-9]+$//}/ \ diff --git a/security/gnutls/files/patch-lib__x509__verify.c b/security/gnutls/files/patch-lib__x509__verify.c new file mode 100644 index 000000000000..a092094cd9eb --- /dev/null +++ b/security/gnutls/files/patch-lib__x509__verify.c @@ -0,0 +1,103 @@ +CVE-2014-0092 +CVE-2014-1959 + +--- ./lib/x509/verify.c.orig 2012-05-24 11:19:05.000000000 -0500 ++++ ./lib/x509/verify.c 2014-03-04 16:43:13.053087407 -0600 +@@ -141,7 +141,7 @@ + if (result < 0) + { + gnutls_assert (); +- goto cleanup; ++ goto fail; + } + + result = +@@ -150,7 +150,7 @@ + if (result < 0) + { + gnutls_assert (); +- goto cleanup; ++ goto fail; + } + + result = +@@ -158,7 +158,7 @@ + if (result < 0) + { + gnutls_assert (); +- goto cleanup; ++ goto fail; + } + + result = +@@ -166,7 +166,7 @@ + if (result < 0) + { + gnutls_assert (); +- goto cleanup; ++ goto fail; + } + + /* If the subject certificate is the same as the issuer +@@ -206,6 +206,7 @@ + else + gnutls_assert (); + ++fail: + result = 0; + + cleanup: +@@ -330,7 +331,7 @@ + gnutls_datum_t cert_signed_data = { NULL, 0 }; + gnutls_datum_t cert_signature = { NULL, 0 }; + gnutls_x509_crt_t issuer = NULL; +- int issuer_version, result; ++ int issuer_version, result = 0; + + if (output) + *output = 0; +@@ -363,7 +364,7 @@ + if (issuer_version < 0) + { + gnutls_assert (); +- return issuer_version; ++ return 0; + } + + if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) && +@@ -385,6 +386,7 @@ + if (result < 0) + { + gnutls_assert (); ++ result = 0; + goto cleanup; + } + +@@ -393,6 +395,7 @@ + if (result < 0) + { + gnutls_assert (); ++ result = 0; + goto cleanup; + } + +@@ -410,6 +413,7 @@ + else if (result < 0) + { + gnutls_assert(); ++ result = 0; + goto cleanup; + } + +@@ -644,8 +648,10 @@ + /* note that here we disable this V1 CA flag. So that no version 1 + * certificates can exist in a supplied chain. + */ +- if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) ++ if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) { + flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); ++ flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT; ++ } + if ((ret = + _gnutls_verify_certificate2 (certificate_list[i - 1], + &certificate_list[i], 1, flags, -- cgit