dragonheart 09/04/30 12:23:44 |
|
Added: CVE-2009-1417.patch CVE-2009-1416.patch |
CVE-2009-1415.patch |
Log: |
fix for security bug #267774 |
(Portage version: 2.2_rc31/cvs/Linux x86_64) |
|
Revision Changes Path |
1.1 net-libs/gnutls/files/CVE-2009-1417.patch |
|
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-libs/gnutls/files/CVE-2009-1417.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-libs/gnutls/files/CVE-2009-1417.patch?rev=1.1&content-type=text/plain |
|
Index: CVE-2009-1417.patch |
16 |
=================================================================== |
17 |
Index: gnutls-2.6.5/includes/gnutls/gnutls.h.in |
18 |
=================================================================== |
19 |
--- gnutls-2.6.5.orig/includes/gnutls/gnutls.h.in |
20 |
+++ gnutls-2.6.5/includes/gnutls/gnutls.h.in |
21 |
@@ -251,7 +251,13 @@ extern "C" |
22 |
*/ |
23 |
GNUTLS_CERT_SIGNER_NOT_FOUND = 64, |
24 |
GNUTLS_CERT_SIGNER_NOT_CA = 128, |
25 |
- GNUTLS_CERT_INSECURE_ALGORITHM = 256 |
26 |
+ GNUTLS_CERT_INSECURE_ALGORITHM = 256, |
27 |
+ |
28 |
+ /* Time verification. |
29 |
+ */ |
30 |
+ GNUTLS_CERT_NOT_ACTIVATED = 512, |
31 |
+ GNUTLS_CERT_EXPIRED = 1024 |
32 |
+ |
33 |
} gnutls_certificate_status_t; |
34 |
|
35 |
typedef enum |
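Review bot: The new GNUTLS_CERT_NOT_ACTIVATED and GNUTLS_CERT_EXPIRED values carry only the comment `Time verification.`, which does not tell an API consumer how they relate to GNUTLS_CERT_INVALID. In the accompanying verify.c change each of them is set together with GNUTLS_CERT_INVALID, so a caller that only tests GNUTLS_CERT_INVALID still rejects the chain; say so here, e.g. `/* Time verification. Either bit is always reported together with GNUTLS_CERT_INVALID. */`. It would also help to note that neither bit is ever set when the verifier is called with GNUTLS_VERIFY_DISABLE_TIME_CHECKS.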
36 |
Index: gnutls-2.6.5/includes/gnutls/x509.h |
37 |
=================================================================== |
38 |
--- gnutls-2.6.5.orig/includes/gnutls/x509.h |
39 |
+++ gnutls-2.6.5/includes/gnutls/x509.h |
40 |
@@ -481,7 +481,13 @@ extern "C" |
41 |
|
42 |
/* Allow certificates to be signed using the broken MD5 algorithm. |
43 |
*/ |
44 |
- GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32 |
45 |
+ GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32, |
46 |
+ |
47 |
+ /* Disable checking of activation and expiration validity |
48 |
+ * periods of certificate chains. Don't set this unless you |
49 |
+ * understand the security implications. |
50 |
+ */ |
51 |
+ GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64 |
52 |
} gnutls_certificate_verify_flags; |
53 |
|
54 |
int gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert, |
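Review bot: The warning on GNUTLS_VERIFY_DISABLE_TIME_CHECKS says not to set it without understanding the implications, but does not state what the implication is. With the flag set, the verifier (see the verify.c hunk in this commit) never reports GNUTLS_CERT_NOT_ACTIVATED or GNUTLS_CERT_EXPIRED, so the application becomes solely responsible for validity-period checks; add a sentence such as `* When set, the application must check the validity period itself.` so that intent is explicit to callers.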
55 |
Index: gnutls-2.6.5/lib/x509/verify.c |
56 |
=================================================================== |
57 |
--- gnutls-2.6.5.orig/lib/x509/verify.c |
58 |
+++ gnutls-2.6.5/lib/x509/verify.c |
59 |
@@ -493,6 +493,32 @@ _gnutls_x509_verify_certificate (const g |
60 |
} |
61 |
#endif |
62 |
|
63 |
+ /* Check activation/expiration times |
64 |
+ */ |
65 |
+ if (!(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS)) |
66 |
+ { |
67 |
+ time_t t, now = time (0); |
68 |
+ |
69 |
+ for (i = 0; i < clist_size; i++) |
70 |
+ { |
71 |
+ t = gnutls_x509_crt_get_activation_time (certificate_list[i]); |
72 |
+ if (t == (time_t) -1 || now < t) |
73 |
+ { |
74 |
+ status |= GNUTLS_CERT_NOT_ACTIVATED; |
75 |
+ status |= GNUTLS_CERT_INVALID; |
76 |
+ return status; |
77 |
+ } |
78 |
+ |
79 |
+ t = gnutls_x509_crt_get_expiration_time (certificate_list[i]); |
80 |
+ if (t == (time_t) -1 || now > t) |
81 |
+ { |
82 |
+ status |= GNUTLS_CERT_EXPIRED; |
83 |
+ status |= GNUTLS_CERT_INVALID; |
84 |
+ return status; |
85 |
+ } |
86 |
+ } |
87 |
+ } |
88 |
+ |
89 |
/* Verify the certificate path (chain) |
90 |
*/ |
91 |
for (i = clist_size - 1; i > 0; i--) |
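Review bot: The two `return status;` statements inside the new time-check loop make the function fail fast, so once a certificate in the chain is outside its validity period the caller never learns whether the chain would also have failed the issuer/signature checks that follow (the chain walk beginning at `for (i = clist_size - 1; i > 0; i--)`). That is fail-closed and acceptable, but it should be deliberate and documented; I would put `/* Fail fast: no further status bits are reported once a time check fails. */` above the loop. Note also that the loop covers only `certificate_list`; if trust anchors are meant to be time-checked as well, this hunk does not do it. Treating a `(time_t) -1` result from the two getters as a failure is the right fail-closed choice, and an unparseable validity field now rejects the chain rather than passing silently. _gnutls_x509_verify_certificate begins and ends outside the hunk, so whether later code ORs into `status` or overwrites it cannot be confirmed here.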
92 |
Index: gnutls-2.6.5/src/common.c |
93 |
=================================================================== |
94 |
--- gnutls-2.6.5.orig/src/common.c |
95 |
+++ gnutls-2.6.5/src/common.c |
96 |
@@ -427,6 +427,10 @@ print_cert_vrfy (gnutls_session_t sessio |
97 |
{ |
98 |
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) |
99 |
printf ("- Peer's certificate issuer is unknown\n"); |
100 |
+ if (status & GNUTLS_CERT_NOT_ACTIVATED) |
101 |
+ printf ("- Peer's certificate chain uses not yet valid certificate\n"); |
102 |
+ if (status & GNUTLS_CERT_EXPIRED) |
103 |
+ printf ("- Peer's certificate chain uses expired certificate\n"); |
104 |
if (status & GNUTLS_CERT_INVALID) |
105 |
printf ("- Peer's certificate is NOT trusted\n"); |
106 |
else |
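Review bot: The two new messages read awkwardly: `uses not yet valid certificate` and `uses expired certificate` drop the article. Suggest `- Peer's certificate chain contains a not-yet-valid certificate\n` and `- Peer's certificate chain contains an expired certificate\n`. Because the verifier in this commit returns at the first certificate that fails a time check, the message cannot identify which certificate it was, so "chain contains" is as precise as the status bits allow. print_cert_vrfy starts before the hunk.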
|
|
|
1.1 net-libs/gnutls/files/CVE-2009-1416.patch |
|
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-libs/gnutls/files/CVE-2009-1416.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-libs/gnutls/files/CVE-2009-1416.patch?rev=1.1&content-type=text/plain |
|
Index: CVE-2009-1416.patch |
116 |
=================================================================== |
117 |
diff --git a/lib/gnutls_pk.c b/lib/gnutls_pk.c |
118 |
index 1015c3a..a08349b 100644 |
119 |
--- a/lib/gnutls_pk.c |
120 |
+++ b/lib/gnutls_pk.c |
121 |
@@ -529,7 +529,7 @@ _generate_params (int algo, bigint_t * resarr, unsigned int *resarr_len, |
122 |
int ret; |
123 |
unsigned int i; |
124 |
|
125 |
- ret = _gnutls_pk_ops.generate (GNUTLS_PK_RSA, bits, ¶ms); |
126 |
+ ret = _gnutls_pk_ops.generate (algo, bits, ¶ms); |
127 |
|
128 |
if (ret < 0) |
129 |
{ |
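Review bot: With the generator now keyed on `algo`, the `bits` argument is still forwarded unchanged whatever the algorithm, and nothing in the hunk checks that the requested size is valid for that algorithm or that `algo` is one the backend understands. If that validation does not already exist in the callers or elsewhere in _generate_params — the function's start and end lie outside the hunk — a guard before the `_gnutls_pk_ops.generate (algo, bits, &params)` call that rejects unsupported `algo` values would make the dispatch explicit instead of relying on the backend. At minimum, a comment such as `/* algo selects the key type; bits must be a size valid for that algorithm. */` should record the contract, since the previous hard-coded GNUTLS_PK_RSA hid that this function is algorithm-generic.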
|
|
|
1.1 net-libs/gnutls/files/CVE-2009-1415.patch |
|
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-libs/gnutls/files/CVE-2009-1415.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-libs/gnutls/files/CVE-2009-1415.patch?rev=1.1&content-type=text/plain |
|
Index: CVE-2009-1415.patch |
139 |
=================================================================== |
140 |
--- pk-libgcrypt.c- 2009-04-23 10:59:06.000000000 +0200 |
141 |
+++ pk-libgcrypt.c 2009-04-23 18:32:17.000000000 +0200 |
142 |
@@ -418,7 +418,7 @@ |
143 |
const gnutls_datum_t * signature, |
144 |
const gnutls_pk_params_st * pk_params) |
145 |
{ |
146 |
- gcry_sexp_t s_sig, s_hash, s_pkey; |
147 |
+ gcry_sexp_t s_sig = NULL, s_hash = NULL, s_pkey = NULL; |
148 |
int rc = -1, ret; |
149 |
bigint_t hash; |
150 |
bigint_t tmp[2] = { NULL, NULL }; |
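Review bot: The three gcry_sexp_t locals are now NULL-initialized, but `bigint_t hash;` two lines below is still declared without an initializer while `tmp[2]` next to it is zeroed. If the cleanup path of this function releases `hash` the way it releases `tmp` and the s-expressions, an error exit taken before `hash` is assigned would free an indeterminate pointer — the same class of defect this patch addresses. Initialize it as `bigint_t hash = NULL;` unless the cleanup path provably never touches it; the function body continues past the hunk, so that cannot be confirmed from here.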
151 |
@@ -511,6 +511,7 @@ |
152 |
gcry_sexp_release (s_sig); |
153 |
gcry_sexp_release (s_hash); |
154 |
gcry_sexp_release (s_pkey); |
155 |
+ s_hash = s_pkey = s_sig = NULL; |
156 |
|
157 |
if (rc != 0) |
158 |
{ |
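Review bot: The added `s_hash = s_pkey = s_sig = NULL;` is what makes a later release of the same handles harmless, but nothing says so, and a future cleanup could remove it as redundant. Add `/* Cleared so the error path below can release them again without a double free. */` above the line. This relies on gcry_sexp_release accepting NULL, which libgcrypt documents; the `if (rc != 0)` branch and the rest of the function are outside the hunk, so where that second release happens is not visible here.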