From ce0b5eb9d9e9fbdbf8a62e1cb2f9a85699b86c8a Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Thu, 1 Jan 1970 00:00:00 +0000 Subject: [PATCH] - fix chain verification issue CVE-2008-4989 (#470079) - separate out the MinGW-specific patch from the others --- gnutls/gnutls-1.4.1-cve-2008-4989.patch | 39 +++++++++++++++++++++++++++++++++ gnutls/mingw32-gnutls.spec | 18 +++++++++++---- 2 files changed, 53 insertions(+), 4 deletions(-) create mode 100644 gnutls/gnutls-1.4.1-cve-2008-4989.patch diff --git a/gnutls/gnutls-1.4.1-cve-2008-4989.patch b/gnutls/gnutls-1.4.1-cve-2008-4989.patch new file mode 100644 index 0000000..c7f5bc7 --- /dev/null +++ b/gnutls/gnutls-1.4.1-cve-2008-4989.patch @@ -0,0 +1,39 @@ +diff -up gnutls-1.4.1/lib/x509/verify.c.chain-verify gnutls-1.4.1/lib/x509/verify.c +--- gnutls-1.4.1/lib/x509/verify.c.chain-verify 2008-11-11 10:55:19.000000000 +0100 ++++ gnutls-1.4.1/lib/x509/verify.c 2008-11-11 10:58:54.000000000 +0100 +@@ -379,6 +379,17 @@ _gnutls_x509_verify_certificate (const g + int i = 0, ret; + unsigned int status = 0, output; + ++ /* Check if the last certificate in the path is self signed. ++ * In that case ignore it (a certificate is trusted only if it ++ * leads to a trusted party by us, not the server's). ++ */ ++ if (clist_size > 1 && ++ gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], ++ certificate_list[clist_size - 1]) > 0) ++ { ++ clist_size--; ++ } ++ + /* Verify the last certificate in the certificate path + * against the trusted CA certificate list. + * +@@ -417,17 +428,6 @@ _gnutls_x509_verify_certificate (const g + } + #endif + +- /* Check if the last certificate in the path is self signed. +- * In that case ignore it (a certificate is trusted only if it +- * leads to a trusted party by us, not the server's). +- */ +- if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], +- certificate_list[clist_size - 1]) > 0 +- && clist_size > 0) +- { +- clist_size--; +- } +- + /* Verify the certificate path (chain) + */ + for (i = clist_size - 1; i > 0; i--) diff --git a/gnutls/mingw32-gnutls.spec b/gnutls/mingw32-gnutls.spec index caee05e..1d8d6a7 100644 --- a/gnutls/mingw32-gnutls.spec +++ b/gnutls/mingw32-gnutls.spec @@ -6,7 +6,7 @@ Name: mingw32-gnutls Version: 2.4.2 -Release: 2%{?dist} +Release: 3%{?dist} Summary: MinGW Windows GnuTLS TLS/SSL encryption library License: GPLv3+ and LGPLv2+ @@ -19,8 +19,11 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildArch: noarch -Patch0: gnutls-certtool-build.patch Patch1: gnutls-2.4.0-nosrp.patch +Patch5: gnutls-1.4.1-cve-2008-4989.patch + +# MinGW-specific patches. +Patch1000: gnutls-certtool-build.patch BuildRequires: mingw32-filesystem >= 25 BuildRequires: mingw32-gcc @@ -38,8 +41,11 @@ MinGW Windows GnuTLS TLS/SSL encryption library. %prep %setup -q -n gnutls-%{version} -%patch0 -p1 -%patch1 -p1 + +%patch1 -p1 -b .nosrp +%patch5 -p1 -b .chain-verify + +%patch1000 -p1 -b .mingw32 for i in auth_srp_rsa.c auth_srp_sb64.c auth_srp_passwd.c auth_srp.c gnutls_srp.c ext_srp.c; do touch lib/$i @@ -102,6 +108,10 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Thu Nov 13 2008 Richard W.M. Jones - 2.4.2-3 +- fix chain verification issue CVE-2008-4989 (#470079) +- separate out the MinGW-specific patch from the others + * Wed Sep 24 2008 Richard W.M. Jones - 2.4.2-2 - Rename mingw -> mingw32. -- 1.8.3.1