
From: "Daniel Black (dragonheart)" <dragonheart@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in net-libs/gnutls/files: CVE-2009-1417.patch CVE-2009-1416.patch CVE-2009-1415.patch
Date: Thu, 30 Apr 2009 12:23:51
Message-Id: E1LzVIm-0002Bn-Rl@stork.gentoo.org
1 dragonheart 09/04/30 12:23:44
2
3 Added: CVE-2009-1417.patch CVE-2009-1416.patch
4 CVE-2009-1415.patch
5 Log:
6 fix for security bug #267774
7 (Portage version: 2.2_rc31/cvs/Linux x86_64)
8
9 Revision Changes Path
10 1.1 net-libs/gnutls/files/CVE-2009-1417.patch
11
12 file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-libs/gnutls/files/CVE-2009-1417.patch?rev=1.1&view=markup
13 plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-libs/gnutls/files/CVE-2009-1417.patch?rev=1.1&content-type=text/plain
14
15 Index: CVE-2009-1417.patch
16 ===================================================================
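--- a/gnutls-2.6.5/includes/gnutls/gnutls.h.in
+++ b/gnutls-2.6.5/includes/gnutls/gnutls.h.in
@@ -251,7 +251,13 @@ extern "C"
 */
 GNUTLS_CERT_SIGNER_NOT_FOUND = 64,
 GNUTLS_CERT_SIGNER_NOT_CA = 128,
-GNUTLS_CERT_INSECURE_ALGORITHM = 256
+GNUTLS_CERT_INSECURE_ALGORITHM = 256,
+
+/* Time verification.
+*/
+GNUTLS_CERT_NOT_ACTIVATED = 512,
+GNUTLS_CERT_EXPIRED = 1024
+
 } gnutls_certificate_status_t;
 
 typedef enum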
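Review bot: The only documentation on the two new status bits is `/* Time verification. */`, which does not tell an API user when they are set or how they combine with the existing bits; the lib/x509/verify.c hunk in this same patch sets each of them together with GNUTLS_CERT_INVALID and returns at the first certificate that fails, so a caller never sees both at once and the remaining chain checks are skipped. Suggest `/* Time verification: set together with GNUTLS_CERT_INVALID when a certificate in the chain is not yet valid (NOT_ACTIVATED) or has expired (EXPIRED); never set when GNUTLS_VERIFY_DISABLE_TIME_CHECKS is given. */`. The enum is cut off at the top of the hunk.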
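--- a/gnutls-2.6.5/includes/gnutls/x509.h
+++ b/gnutls-2.6.5/includes/gnutls/x509.h
@@ -481,7 +481,13 @@ extern "C"
 
 /* Allow certificates to be signed using the broken MD5 algorithm.
 */
-GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32
+GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
+
+/* Disable checking of activation and expiration validity
+* periods of certificate chains. Don't set this unless you
+* understand the security implications.
+*/
+GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64
 } gnutls_certificate_verify_flags;
 
 int gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert,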
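--- a/gnutls-2.6.5/lib/x509/verify.c
+++ b/gnutls-2.6.5/lib/x509/verify.c
@@ -493,6 +493,32 @@ _gnutls_x509_verify_certificate (const g
 }
 #endif
 
+/* Check activation/expiration times
+*/
+if (!(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS))
+{
+time_t t, now = time (0);
+
+for (i = 0; i < clist_size; i++)
+{
+t = gnutls_x509_crt_get_activation_time (certificate_list[i]);
+if (t == (time_t) -1 || now < t)
+{
+status |= GNUTLS_CERT_NOT_ACTIVATED;
+status |= GNUTLS_CERT_INVALID;
+return status;
+}
+
+t = gnutls_x509_crt_get_expiration_time (certificate_list[i]);
+if (t == (time_t) -1 || now > t)
+{
+status |= GNUTLS_CERT_EXPIRED;
+status |= GNUTLS_CERT_INVALID;
+return status;
+}
+}
+}
+
 /* Verify the certificate path (chain)
 */
 for (i = clist_size - 1; i > 0; i--)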
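Review bot: The `t == (time_t) -1` branches deliberately fail closed when a validity field cannot be read, but nothing in the hunk says so, and the same comparison silently covers a failed `time (0)` (a `now` of -1 is below any readable activation time, so the chain is reported NOT_ACTIVATED rather than the check being skipped); both deserve a comment such as `/* (time_t) -1 means the field could not be read: treat as invalid rather than skipping the check */` above the first `if`. Note also that the `return status` on the first time failure happens before the path/signature loop that follows it, so a caller gets only the time-related bits for such a chain and learns nothing about the rest of it; that is acceptable for a fail-closed check but worth stating in the same comment. `_gnutls_x509_verify_certificate` starts and ends outside the hunk.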
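--- a/gnutls-2.6.5/src/common.c
+++ b/gnutls-2.6.5/src/common.c
@@ -427,6 +427,10 @@ print_cert_vrfy (gnutls_session_t sessio
 {
 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
 printf ("- Peer's certificate issuer is unknown\n");
+if (status & GNUTLS_CERT_NOT_ACTIVATED)
+printf ("- Peer's certificate chain uses not yet valid certificate\n");
+if (status & GNUTLS_CERT_EXPIRED)
+printf ("- Peer's certificate chain uses expired certificate\n");
 if (status & GNUTLS_CERT_INVALID)
 printf ("- Peer's certificate is NOT trusted\n");
 else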
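Review bot: The new message `"- Peer's certificate chain uses not yet valid certificate\n"` reads awkwardly next to its neighbours; `"- Peer's certificate chain uses a not-yet-valid certificate\n"` and `"- Peer's certificate chain uses an expired certificate\n"` match the tone of the existing lines. These are the strings a user sees when a handshake is refused, so they should state plainly which check failed. print_cert_vrfy continues outside the hunk.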
107
108
109
110 1.1 net-libs/gnutls/files/CVE-2009-1416.patch
111
112 file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-libs/gnutls/files/CVE-2009-1416.patch?rev=1.1&view=markup
113 plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-libs/gnutls/files/CVE-2009-1416.patch?rev=1.1&content-type=text/plain
114
115 Index: CVE-2009-1416.patch
116 ===================================================================
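--- a/lib/gnutls_pk.c
+++ b/lib/gnutls_pk.c
@@ -529,7 +529,7 @@ _generate_params (int algo, bigint_t * resarr, unsigned int *resarr_len,
 int ret;
 unsigned int i;
 
-ret = _gnutls_pk_ops.generate (GNUTLS_PK_RSA, bits, &params);
+ret = _gnutls_pk_ops.generate (algo, bits, &params);
 
 if (ret < 0)
 {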
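Review bot: The corrected `generate (algo, ...)` call carries no hint that the previous hard-coded GNUTLS_PK_RSA was the defect, so a later cleanup could reintroduce it; add `/* CVE-2009-1416: generate parameters for the algorithm the caller asked for, never unconditionally RSA. */` above the call. The hunk does not show where `algo` is validated before it reaches generate(); if `_gnutls_pk_ops.generate` does not itself reject unknown algorithms, `_generate_params` would be the place for that check, but that cannot be told from here. The rest of `_generate_params` is outside the hunk.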
130
131
132
133 1.1 net-libs/gnutls/files/CVE-2009-1415.patch
134
135 file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-libs/gnutls/files/CVE-2009-1415.patch?rev=1.1&view=markup
136 plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-libs/gnutls/files/CVE-2009-1415.patch?rev=1.1&content-type=text/plain
137
138 Index: CVE-2009-1415.patch
139 ===================================================================
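--- a/pk-libgcrypt.c
+++ b/pk-libgcrypt.c
@@ -418,7 +418,7 @@
 const gnutls_datum_t * signature,
 const gnutls_pk_params_st * pk_params)
 {
-gcry_sexp_t s_sig, s_hash, s_pkey;
+gcry_sexp_t s_sig = NULL, s_hash = NULL, s_pkey = NULL;
 int rc = -1, ret;
 bigint_t hash;
 bigint_t tmp[2] = { NULL, NULL };
@@ -511,6 +511,7 @@
 gcry_sexp_release (s_sig);
 gcry_sexp_release (s_hash);
 gcry_sexp_release (s_pkey);
+s_hash = s_pkey = s_sig = NULL;
 
 if (rc != 0)
 {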
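Review bot: `bigint_t hash;` on the line after the corrected declaration is still left uninitialized while `tmp` and the three sexp handles now start as NULL; if the function's error path releases `hash` the same way it releases the handles, a failure before `hash` is assigned would free an indeterminate pointer — the cleanup code is outside both hunks, so this needs confirming against the rest of the function. The second hunk's `s_hash = s_pkey = s_sig = NULL;` after the three releases is presumably there so the `rc != 0` branch cannot release them a second time; a one-line comment such as `/* cleared so the error path below does not release them again */` would make that intent explicit for the next reader. The enclosing function starts before the first hunk and ends after the second.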