authorDaniel Black <dragonheart@gentoo.org>2009-04-30 12:23:45 +0000
committerDaniel Black <dragonheart@gentoo.org>2009-04-30 12:23:45 +0000
commitb3aabb27c018db0daa2a5ff54d0cc224cfe08bfe (patch)
treec68972f87278ec23e99e3a157d7816da697c73a1 /net-libs/gnutls
parentUse thirdpartymirrors defined mirrors for repoman to stfu. (diff)
fix for security bug #267774
(Portage version: 2.2_rc31/cvs/Linux x86_64)
Diffstat (limited to 'net-libs/gnutls')
-rw-r--r--net-libs/gnutls/ChangeLog9
-rw-r--r--net-libs/gnutls/files/CVE-2009-1415.patch19
-rw-r--r--net-libs/gnutls/files/CVE-2009-1416.patch13
-rw-r--r--net-libs/gnutls/files/CVE-2009-1417.patch90
-rw-r--r--net-libs/gnutls/gnutls-2.6.5-r1.ebuild92
5 files changed, 222 insertions, 1 deletions
diff --git a/net-libs/gnutls/ChangeLog b/net-libs/gnutls/ChangeLog
index db276390abb6..772d5e14b73c 100644
--- a/net-libs/gnutls/ChangeLog
+++ b/net-libs/gnutls/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for net-libs/gnutls
# Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-libs/gnutls/ChangeLog,v 1.187 2009/04/26 18:48:50 arfrever Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-libs/gnutls/ChangeLog,v 1.188 2009/04/30 12:23:45 dragonheart Exp $
+
+*gnutls-2.6.5-r1 (30 Apr 2009)
+
+ 30 Apr 2009; Daniel Black <dragonheart@gentoo.org>
+ +files/CVE-2009-1415.patch, +files/CVE-2009-1416.patch,
+ +files/CVE-2009-1417.patch, +gnutls-2.6.5-r1.ebuild:
+ fix for security bug #267774
*gnutls-2.7.7 (26 Apr 2009)
diff --git a/net-libs/gnutls/files/CVE-2009-1415.patch b/net-libs/gnutls/files/CVE-2009-1415.patch
new file mode 100644
index 000000000000..552775c59bfe
--- /dev/null
+++ b/net-libs/gnutls/files/CVE-2009-1415.patch
@@ -0,0 +1,19 @@
+--- pk-libgcrypt.c- 2009-04-23 10:59:06.000000000 +0200
++++ pk-libgcrypt.c 2009-04-23 18:32:17.000000000 +0200
+@@ -418,7 +418,7 @@
+ const gnutls_datum_t * signature,
+ const gnutls_pk_params_st * pk_params)
+ {
+- gcry_sexp_t s_sig, s_hash, s_pkey;
++ gcry_sexp_t s_sig = NULL, s_hash = NULL, s_pkey = NULL;
+ int rc = -1, ret;
+ bigint_t hash;
+ bigint_t tmp[2] = { NULL, NULL };
+@@ -511,6 +511,7 @@
+ gcry_sexp_release (s_sig);
+ gcry_sexp_release (s_hash);
+ gcry_sexp_release (s_pkey);
++ s_hash = s_pkey = s_sig = NULL;
+
+ if (rc != 0)
+ {
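Review bot: None of the three new patch files states which upstream gnutls change it backports, so a later maintainer auditing these CVE fixes has only the filename to go on; the same applies to CVE-2009-1416.patch and CVE-2009-1417.patch. Text before the first `---` header is ignored by patch, so a description can be added at the top of each file without changing what is applied, e.g. `Backport of the upstream fix for CVE-2009-1415 (Gentoo bug #267774); upstream reference: <UPSTREAM-REF-PLACEHOLDER>`. For this file the `---`/`+++` headers name a bare `pk-libgcrypt.c` with no directory component, which is why the ebuild has to apply it from inside `lib`; that constraint is worth recording in the same header. The function whose locals are nulled here starts and ends outside the quoted hunks.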
diff --git a/net-libs/gnutls/files/CVE-2009-1416.patch b/net-libs/gnutls/files/CVE-2009-1416.patch
new file mode 100644
index 000000000000..ebc540592820
--- /dev/null
+++ b/net-libs/gnutls/files/CVE-2009-1416.patch
@@ -0,0 +1,13 @@
+diff --git a/lib/gnutls_pk.c b/lib/gnutls_pk.c
+index 1015c3a..a08349b 100644
+--- a/lib/gnutls_pk.c
++++ b/lib/gnutls_pk.c
+@@ -529,7 +529,7 @@ _generate_params (int algo, bigint_t * resarr, unsigned int *resarr_len,
+ int ret;
+ unsigned int i;
+
+- ret = _gnutls_pk_ops.generate (GNUTLS_PK_RSA, bits, &params);
++ ret = _gnutls_pk_ops.generate (algo, bits, &params);
+
+ if (ret < 0)
+ {
diff --git a/net-libs/gnutls/files/CVE-2009-1417.patch b/net-libs/gnutls/files/CVE-2009-1417.patch
new file mode 100644
index 000000000000..859c4a632a5c
--- /dev/null
+++ b/net-libs/gnutls/files/CVE-2009-1417.patch
@@ -0,0 +1,90 @@
+Index: gnutls-2.6.5/includes/gnutls/gnutls.h.in
+===================================================================
+--- gnutls-2.6.5.orig/includes/gnutls/gnutls.h.in
++++ gnutls-2.6.5/includes/gnutls/gnutls.h.in
+@@ -251,7 +251,13 @@ extern "C"
+ */
+ GNUTLS_CERT_SIGNER_NOT_FOUND = 64,
+ GNUTLS_CERT_SIGNER_NOT_CA = 128,
+- GNUTLS_CERT_INSECURE_ALGORITHM = 256
++ GNUTLS_CERT_INSECURE_ALGORITHM = 256,
++
++ /* Time verification.
++ */
++ GNUTLS_CERT_NOT_ACTIVATED = 512,
++ GNUTLS_CERT_EXPIRED = 1024
++
+ } gnutls_certificate_status_t;
+
+ typedef enum
+Index: gnutls-2.6.5/includes/gnutls/x509.h
+===================================================================
+--- gnutls-2.6.5.orig/includes/gnutls/x509.h
++++ gnutls-2.6.5/includes/gnutls/x509.h
+@@ -481,7 +481,13 @@ extern "C"
+
+ /* Allow certificates to be signed using the broken MD5 algorithm.
+ */
+- GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32
++ GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
++
++ /* Disable checking of activation and expiration validity
++ * periods of certificate chains. Don't set this unless you
++ * understand the security implications.
++ */
++ GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64
+ } gnutls_certificate_verify_flags;
+
+ int gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert,
+Index: gnutls-2.6.5/lib/x509/verify.c
+===================================================================
+--- gnutls-2.6.5.orig/lib/x509/verify.c
++++ gnutls-2.6.5/lib/x509/verify.c
+@@ -493,6 +493,32 @@ _gnutls_x509_verify_certificate (const g
+ }
+ #endif
+
++ /* Check activation/expiration times
++ */
++ if (!(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS))
++ {
++ time_t t, now = time (0);
++
++ for (i = 0; i < clist_size; i++)
++ {
++ t = gnutls_x509_crt_get_activation_time (certificate_list[i]);
++ if (t == (time_t) -1 || now < t)
++ {
++ status |= GNUTLS_CERT_NOT_ACTIVATED;
++ status |= GNUTLS_CERT_INVALID;
++ return status;
++ }
++
++ t = gnutls_x509_crt_get_expiration_time (certificate_list[i]);
++ if (t == (time_t) -1 || now > t)
++ {
++ status |= GNUTLS_CERT_EXPIRED;
++ status |= GNUTLS_CERT_INVALID;
++ return status;
++ }
++ }
++ }
++
+ /* Verify the certificate path (chain)
+ */
+ for (i = clist_size - 1; i > 0; i--)
+Index: gnutls-2.6.5/src/common.c
+===================================================================
+--- gnutls-2.6.5.orig/src/common.c
++++ gnutls-2.6.5/src/common.c
+@@ -427,6 +427,10 @@ print_cert_vrfy (gnutls_session_t sessio
+ {
+ if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
+ printf ("- Peer's certificate issuer is unknown\n");
++ if (status & GNUTLS_CERT_NOT_ACTIVATED)
++ printf ("- Peer's certificate chain uses not yet valid certificate\n");
++ if (status & GNUTLS_CERT_EXPIRED)
++ printf ("- Peer's certificate chain uses expired certificate\n");
+ if (status & GNUTLS_CERT_INVALID)
+ printf ("- Peer's certificate is NOT trusted\n");
+ else
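Review bot: The new time check in `_gnutls_x509_verify_certificate` returns on the first failing certificate, before the chain-path verification loop that follows, so the status it returns carries the time flag plus GNUTLS_CERT_INVALID and nothing about signers; `print_cert_vrfy` in common.c will then print only the not-yet-valid/expired line for a chain that would also fail the later checks. If that is intended, a comment at each `return status;` such as `/* Report the first time failure only; the remaining checks are skipped */` would stop a reader from expecting a complete flag set. It is also worth documenting that the branch fails closed: `t == (time_t) -1` covers an unparsable validity field, and a failed `time (0)` leaves `now == -1`, which still satisfies `now < t` for any real activation date, so the chain is rejected rather than accepted. The enclosing function starts and ends outside the hunk.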
diff --git a/net-libs/gnutls/gnutls-2.6.5-r1.ebuild b/net-libs/gnutls/gnutls-2.6.5-r1.ebuild
new file mode 100644
index 000000000000..8f641d1a5b04
--- /dev/null
+++ b/net-libs/gnutls/gnutls-2.6.5-r1.ebuild
@@ -0,0 +1,92 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-libs/gnutls/gnutls-2.6.5-r1.ebuild,v 1.1 2009/04/30 12:23:45 dragonheart Exp $
+
+EAPI="2"
+inherit autotools eutils libtool
+
+DESCRIPTION="A TLS 1.0 and SSL 3.0 implementation for the GNU project"
+HOMEPAGE="http://www.gnutls.org/"
+
+MINOR_VERSION="${PV#*.}"
+MINOR_VERSION="${MINOR_VERSION%.*}"
+if [[ $((MINOR_VERSION % 2)) == 0 ]] ; then
+ #SRC_URI="ftp://ftp.gnu.org/pub/gnu/${PN}/${P}.tar.bz2"
+ SRC_URI="mirror://gnu/${PN}/${P}.tar.bz2"
+else
+ SRC_URI="ftp://alpha.gnu.org/gnu/${PN}/${P}.tar.bz2"
+fi
+unset MINOR_VERSION
+
+# GPL-3 for the gnutls-extras library and LGPL for the gnutls library.
+LICENSE="LGPL-2.1 GPL-3"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~sparc-fbsd ~x86 ~x86-fbsd"
+IUSE="bindist +cxx doc guile lzo nls zlib"
+
+RDEPEND="dev-libs/libgpg-error
+ >=dev-libs/libgcrypt-1.4.0
+ >=dev-libs/libtasn1-0.3.4
+ nls? ( virtual/libintl )
+ guile? ( dev-scheme/guile[networking] )
+ zlib? ( >=sys-libs/zlib-1.1 )
+ !bindist? ( lzo? ( >=dev-libs/lzo-2 ) )"
+DEPEND="${RDEPEND}
+ sys-devel/libtool
+ doc? ( dev-util/gtk-doc )
+ nls? ( sys-devel/gettext )"
+
+pkg_setup() {
+ if use lzo && use bindist; then
+ ewarn "lzo support was disabled for binary distribution of gnutls"
+ ewarn "due to licensing issues. See Bug 202381 for details."
+ epause 5
+ fi
+}
+
+src_prepare() {
+ local dir
+ for dir in m4 lib/m4 libextra/m4 ; do
+ rm -f ${dir}/lt* ${dir}/libtool.m4
+ done
+ find . -name ltmain.sh -exec rm {} \;
+
+ # the below patch is in 2.7.* as per
+ # https://savannah.gnu.org/support/?106542
+ epatch "${FILESDIR}"/gnutls-2.6.0-cxx-configure.in.patch
+ epatch "${FILESDIR}"/gnutls-2.6.0-openpgp-selftest.patch
+
+ pushd lib
+ epatch "${FILESDIR}"/CVE-2009-1415.patch
+ epatch "${FILESDIR}"/CVE-2009-1416.patch
+ popd
+ epatch "${FILESDIR}"/CVE-2009-1417.patch
+
+ eautoreconf
+
+ elibtoolize # for sane .so versioning on FreeBSD
+}
+
+src_configure() {
+ local myconf
+ use bindist && myconf="--without-lzo" || myconf="$(use_with lzo)"
+ econf \
+ $(use_enable cxx) \
+ $(use_enable doc gtk-doc) \
+ $(use_enable guile) \
+ $(use_enable nls) \
+ $(use_with zlib) \
+ ${myconf}
+}
+
+src_install() {
+ emake DESTDIR="${D}" install || die "emake install failed"
+
+ dodoc AUTHORS ChangeLog NEWS README THANKS doc/TODO
+
+ if use doc ; then
+ dodoc doc/README.autoconf doc/tex/gnutls.ps
+ docinto examples
+ dodoc doc/examples/*.c
+ fi
+}
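Review bot: `pushd lib` and `popd` around the two CVE patches in `src_prepare` are unchecked and write their output into the build log; if the directory change failed, the patches would be attempted from the source root and only epatch's own failure, if it occurs, would stop the build. The conventional form is `pushd lib >/dev/null || die` and `popd >/dev/null || die`, which makes the intent explicit and fails at the right spot.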