From 8d6fc2fa39331e8b856fd6d3c7e24b727636a8a8 Mon Sep 17 00:00:00 2001
From: Paweł Hajdan
Date: Sun, 13 Oct 2013 19:58:24 +0000
Subject: Version bump for security bug #472302 .

(Portage version: 2.2.1/cvs/Linux i686, signed Manifest commit with key 30427902)
---
 net-libs/libsrtp/ChangeLog | 8 ++-
 net-libs/libsrtp/files/libsrtp-CVE-2013-2139.diff | 46 +++++++++++++
 net-libs/libsrtp/libsrtp-1.4.4_p20121108-r1.ebuild | 77 ++++++++++++++++++++++
 3 files changed, 130 insertions(+), 1 deletion(-)
 create mode 100644 net-libs/libsrtp/files/libsrtp-CVE-2013-2139.diff
 create mode 100644 net-libs/libsrtp/libsrtp-1.4.4_p20121108-r1.ebuild

diff --git a/net-libs/libsrtp/ChangeLog b/net-libs/libsrtp/ChangeLog
index 63605afd3c7c..fea51ab75dc9 100644
--- a/net-libs/libsrtp/ChangeLog
+++ b/net-libs/libsrtp/ChangeLog
@@ -1,6 +1,12 @@
 # ChangeLog for net-libs/libsrtp
 # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-libs/libsrtp/ChangeLog,v 1.29 2013/10/01 15:30:04 chithanh Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-libs/libsrtp/ChangeLog,v 1.30 2013/10/13 19:58:24 phajdan.jr Exp $
+
+*libsrtp-1.4.4_p20121108-r1 (13 Oct 2013)
+
+ 13 Oct 2013; Pawel Hajdan jr
+ +libsrtp-1.4.4_p20121108-r1.ebuild, +files/libsrtp-CVE-2013-2139.diff:
+ Version bump for security bug #472302 .
 
 01 Oct 2013; Chí-Thanh Christopher Nguyễn metadata.xml:
 Add chainsaw to maintainers.
diff --git a/net-libs/libsrtp/files/libsrtp-CVE-2013-2139.diff b/net-libs/libsrtp/files/libsrtp-CVE-2013-2139.diff
new file mode 100644
index 000000000000..dcafe177638b
--- /dev/null
+++ b/net-libs/libsrtp/files/libsrtp-CVE-2013-2139.diff
@@ -0,0 +1,46 @@
+diff --git a/srtp/srtp.c b/srtp/srtp.c
+index 839c1ee..7fd19e6 100644
+--- a/srtp/srtp.c
++++ b/srtp/srtp.c
+@@ -2063,23 +2063,18 @@ static inline int base_key_length(const cipher_type_t *cipher, int key_length)
+ switch(profile) {
+ case srtp_profile_aes128_cm_sha1_80:
+ crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+- crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+ break;
+ case srtp_profile_aes128_cm_sha1_32:
+ crypto_policy_set_aes_cm_128_hmac_sha1_32(policy);
+- crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+ break;
+ case srtp_profile_null_sha1_80:
+ crypto_policy_set_null_cipher_hmac_sha1_80(policy);
+- crypto_policy_set_null_cipher_hmac_sha1_80(policy);
+ break;
+ case srtp_profile_aes256_cm_sha1_80:
+ crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
+- crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
+ break;
+ case srtp_profile_aes256_cm_sha1_32:
+ crypto_policy_set_aes_cm_256_hmac_sha1_32(policy);
+- crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
+ break;
+ /* the following profiles are not (yet) supported */
+ case srtp_profile_null_sha1_32:
+@@ -2100,6 +2095,8 @@ static inline int base_key_length(const cipher_type_t *cipher, int key_length)
+ crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+ break;
+ case srtp_profile_aes128_cm_sha1_32:
++ /* We do not honor the 32-bit auth tag request since
++ * this is not compliant with RFC 3711 */
+ crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+ break;
+ case srtp_profile_null_sha1_80:
+@@ -2109,6 +2106,8 @@ static inline int base_key_length(const cipher_type_t *cipher, int key_length)
+ crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
+ break;
+ case srtp_profile_aes256_cm_sha1_32:
++ /* We do not honor the 32-bit auth tag request since
++ * this is not compliant with RFC 3711 */
+ crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
+ break;
+ /* the following profiles are not (yet) supported */
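Review bot: The new patch file has no provenance header — it begins straight at `+diff --git a/srtp/srtp.c`, so nothing under `files/` records which upstream commit it was taken from, that it closes Gentoo bug #472302, or why the duplicated `crypto_policy_set_*_hmac_sha1_80(policy)` calls that followed the `_32` setters in the first hunk are removed. Lines before the first `diff` line are ignored at apply time, so add a header along the lines of `CVE-2013-2139, Gentoo bug #472302: a stray second crypto_policy_set_*_hmac_sha1_80() call overwrote the 32-bit-tag policy just selected for the *_sha1_32 profiles; backported from upstream <commit id / URL>` with the real reference filled in so the backport can be checked against upstream. The `@@` context naming `base_key_length` is only git's nearest-function heuristic and the switch's enclosing function starts before and ends after the hunk, so the header should also name the function actually being fixed (presumably one of the crypto_policy_set_from_profile_* helpers — verify against the tarball). Since the second and third hunks deliberately keep the `_80` mapping for the `*_sha1_32` profiles and only add a comment, a one-line note that only the first function now honours the 32-bit request would stop the next maintainer from reading this as an incomplete fix.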
diff --git a/net-libs/libsrtp/libsrtp-1.4.4_p20121108-r1.ebuild b/net-libs/libsrtp/libsrtp-1.4.4_p20121108-r1.ebuild
new file mode 100644
index 000000000000..e1555c957555
--- /dev/null
+++ b/net-libs/libsrtp/libsrtp-1.4.4_p20121108-r1.ebuild
@@ -0,0 +1,77 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-libs/libsrtp/libsrtp-1.4.4_p20121108-r1.ebuild,v 1.1 2013/10/13 19:58:24 phajdan.jr Exp $
+
+EAPI="4"
+
+inherit base multilib
+
+MY_PN="srtp"
+MY_P="${MY_PN}-${PV}"
+
+DESCRIPTION="Open-source implementation of the Secure Real-time Transport Protocol (SRTP)"
+HOMEPAGE="http://srtp.sourceforge.net/srtp.html"
+SRC_URI="http://dev.gentoo.org/~phajdan.jr/${MY_P}.tar.gz"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 -sparc ~x86 ~x86-fbsd ~ppc-macos ~x64-macos ~x86-macos"
+IUSE="aesicm console debug doc static-libs syslog"
+PATCHES=(
+ "${FILESDIR}/${P}-shared.patch"
+ "${FILESDIR}/${PN}-CVE-2013-2139.diff"
+ )
+
+S=${WORKDIR}/${MY_PN}
+
+src_configure() {
+ # stdout: default error output for messages in debug
+ # kernel-linux: breaks the build
+ # gdoi: disabled by upstream and breaks the build
+ econf \
+ --enable-stdout \
+ --disable-kernel-linux \
+ --disable-gdoi \
+ $(use_enable aesicm generic-aesicm) \
+ $(use_enable console) \
+ $(use_enable debug) \
+ $(use_enable syslog)
+}
+
+src_compile() {
+ if use static-libs; then
+ emake ${PN}.a || die "Failed to build static library"
+ fi
+ emake ${PN}$(get_libname) || die "Failed to build dynamic library"
+}
+
+src_test() {
+ # getopt returns an int, not a char
+ sed -i -e "s/char q/int q/" \
+ test/rdbx_driver.c test/srtp_driver.c test/dtls_srtp_driver.c \
+ || die "fixing getopt errors failed"
+
+ # test/rtpw_test.sh is assuming . is in $PATH
+ sed -i -e "s:\$RTPW :./\$RTPW :" test/rtpw_test.sh \
+ || die "patching test/rtpw_test.sh failed"
+
+ # test/rtpw.c is using /usr/share/dict/words assuming it exists
+ # using test/rtpw.c guaratees the file exists in any case
+ sed -i -e "s:/usr/share/dict/words:rtpw.c:" test/rtpw.c \
+ || die "patching test/rtpw.c failed"
+
+ emake test || die "building test failed"
+ emake -j1 runtest || die "tests failed"
+}
+
+src_install() {
+ emake DESTDIR="${D}" install || die "emake install failed"
+
+ dodoc CHANGES README TODO || die "dodoc failed"
+
+ if use doc; then
+ # libsrtp.pdf can also be generated with doxygen
+ # but it would be a waste of time as an up-to-date version is built
+ dodoc doc/*.txt doc/${PN}.pdf || die "dodoc failed"
+ fi
+}
-- cgit v1.2.3-65-gdbad
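Review bot: `SRC_URI` fetches the tarball from a developer home directory (`http://dev.gentoo.org/~phajdan.jr/${MY_P}.tar.gz`) over plain HTTP, and nothing in the ebuild says which upstream revision that `_p20121108` snapshot corresponds to, so the Manifest digest is the only thing tying this build to upstream. Add a comment above it such as `# Developer-hosted snapshot of upstream srtp (the _p20121108 suffix suggests a 2012-11-08 checkout, commit <id>); there is no upstream signature, integrity rests on the Manifest only.` with the real commit filled in so a future re-roll can be verified. The CVE patch is applied only because `inherit base` runs its src_prepare over `PATCHES`, which is easy to lose if someone later defines src_prepare; a `# applied by base_src_prepare` note next to the array, or an explicit `src_prepare() { base_src_prepare; }`, makes that dependency visible. As a style point, in EAPI 4 helpers such as `emake` and `dodoc` die on failure by themselves, so the `|| die "..."` suffixes on every call in src_compile, src_test and src_install are redundant (only the `sed` invocations need them).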