- fix chain verification issue CVE-2008-4989 (#470079)

- separate out the MinGW-specific patch from the others

diff --git a/gnutls/gnutls-1.4.1-cve-2008-4989.patch b/gnutls/gnutls-1.4.1-cve-2008-4989.patch
new file mode 100644 (file)
index 0000000..c7f5bc7
--- /dev/null
+++ b/gnutls/gnutls-1.4.1-cve-2008-4989.patch
@@ -0,0 +1,39 @@
+diff -up gnutls-1.4.1/lib/x509/verify.c.chain-verify gnutls-1.4.1/lib/x509/verify.c
+--- gnutls-1.4.1/lib/x509/verify.c.chain-verify        2008-11-11 10:55:19.000000000 +0100
++++ gnutls-1.4.1/lib/x509/verify.c     2008-11-11 10:58:54.000000000 +0100
+@@ -379,6 +379,17 @@ _gnutls_x509_verify_certificate (const g
+   int i = 0, ret;
+   unsigned int status = 0, output;
+ 
++  /* Check if the last certificate in the path is self signed.
++   * In that case ignore it (a certificate is trusted only if it
++   * leads to a trusted party by us, not the server's).
++   */
++  if (clist_size > 1 &&
++      gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
++                                  certificate_list[clist_size - 1]) > 0)
++    {
++      clist_size--;
++    }
++
+   /* Verify the last certificate in the certificate path
+    * against the trusted CA certificate list.
+    *
+@@ -417,17 +428,6 @@ _gnutls_x509_verify_certificate (const g
+     }
+ #endif
+ 
+-  /* Check if the last certificate in the path is self signed.
+-   * In that case ignore it (a certificate is trusted only if it
+-   * leads to a trusted party by us, not the server's).
+-   */
+-  if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
+-                                  certificate_list[clist_size - 1]) > 0
+-      && clist_size > 0)
+-    {
+-      clist_size--;
+-    }
+-
+   /* Verify the certificate path (chain) 
+    */
+   for (i = clist_size - 1; i > 0; i--)

diff --git a/gnutls/mingw32-gnutls.spec b/gnutls/mingw32-gnutls.spec
index caee05e..1d8d6a7 100644 (file)
--- a/gnutls/mingw32-gnutls.spec
+++ b/gnutls/mingw32-gnutls.spec
@@ -6,7 +6,7 @@
 
 Name:           mingw32-gnutls
 Version:        2.4.2
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        MinGW Windows GnuTLS TLS/SSL encryption library
 
 License:        GPLv3+ and LGPLv2+
@@ -19,8 +19,11 @@ BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildArch:      noarch
 
-Patch0:         gnutls-certtool-build.patch
 Patch1:         gnutls-2.4.0-nosrp.patch
+Patch5:         gnutls-1.4.1-cve-2008-4989.patch
+
+# MinGW-specific patches.
+Patch1000:      gnutls-certtool-build.patch
 
 BuildRequires:  mingw32-filesystem >= 25
 BuildRequires:  mingw32-gcc
@@ -38,8 +41,11 @@ MinGW Windows GnuTLS TLS/SSL encryption library.
 
 %prep
 %setup -q -n gnutls-%{version}
-%patch0 -p1
-%patch1 -p1
+
+%patch1 -p1 -b .nosrp
+%patch5 -p1 -b .chain-verify
+
+%patch1000 -p1 -b .mingw32
 
 for i in auth_srp_rsa.c auth_srp_sb64.c auth_srp_passwd.c auth_srp.c gnutls_srp.c ext_srp.c; do
     touch lib/$i
@@ -102,6 +108,10 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Thu Nov 13 2008 Richard W.M. Jones <rjones@redhat.com> - 2.4.2-3
+- fix chain verification issue CVE-2008-4989 (#470079)
+- separate out the MinGW-specific patch from the others
+
 * Wed Sep 24 2008 Richard W.M. Jones <rjones@redhat.com> - 2.4.2-2
 - Rename mingw -> mingw32.