[Gpg4win-commits] [git] Gpg4win - branch, master, updated. gpg4win-2.2.1-17-gb45aa3e

by Andre Heinecke cvs at cvs.gnupg.org
Mon Aug 4 16:53:36 CEST 2014


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GnuPG for Windows".

The branch, master has been updated
       via  b45aa3eaa3fa433bc3368ea2ebdf26cff4d19a92 (commit)
      from  2752c0630ffea239eb898ae6ed440aaf0d740eb2 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit b45aa3eaa3fa433bc3368ea2ebdf26cff4d19a92
Author: Andre Heinecke <aheinecke at intevation.de>
Date:   Mon Aug 4 16:51:28 2014 +0200

    Update gnutls to 2.12.13 with patches
    
        * packages/packages.current (gnutls) Switch download server
        and update version.
        * patches/gnutls-2.12.23/02-cve-2013-2116.patch,
          patches/gnutls-2.12.23/03-cve-2014-1959.patch,
          patches/gnutls-2.12.23/04-cve-2014-0092.patch,
          patches/gnutls-2.12.23/05-cve-2014-3466.patch: New. Taken
          from gnutls26_2.12.23-12ubuntu2.1

diff --git a/packages/packages.current b/packages/packages.current
index ad45f79..e9645a5 100644
--- a/packages/packages.current
+++ b/packages/packages.current
@@ -50,9 +50,12 @@ chk  08fd5dfdd3d88154cf06cb0759a732790c47b4f7
 file libtasn1/libtasn1-2.14.tar.gz
 chk  22f9e0b15f870c8e03ac9cc1ead969d4d84eb931
 
+
+server ftp://ftp.gnutls.org/gcrypt
 # checked: 2014-06-20 ah
-file gnutls/gnutls-2.12.21.tar.bz2
-chk  a02bef78c7e35217d84d36d9b3135de70b46be09
+# verified with key 1F42 4189 05D8 206A A754  CCDC 29EE 58B9 9686 5171
+file gnutls/v2.12/gnutls-2.12.23.tar.bz2
+chk 3c0ba2153560abfb08d88dcb016cd6b72e465db5
 
 
 #
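Review bot: The added `chk 3c0ba2153560abfb08d88dcb016cd6b72e465db5` line has one space after the keyword where the neighbouring entries use two (`chk  22f9e0b1…`); I would match them so whatever parses this list sees a uniform format. The new `server ftp://ftp.gnutls.org/gcrypt` line means the tarball arrives over an unauthenticated transport, so at build time the 40-hex digest (presumably SHA-1) is the only integrity check, and the fingerprint comment records a manual signature verification that is not repeated automatically. The unchanged `# checked: 2014-06-20 ah` comment predates this commit (2014-08-04) and should be refreshed if the check was redone for the new tarball. The commit title says 2.12.13 while this entry and the patch directory say 2.12.23, which matters to anyone searching the history by version.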
diff --git a/patches/gnutls-2.12.21/01-openssl-wincrypt.patch b/patches/gnutls-2.12.23/01-openssl-wincrypt.patch
similarity index 100%
rename from patches/gnutls-2.12.21/01-openssl-wincrypt.patch
rename to patches/gnutls-2.12.23/01-openssl-wincrypt.patch
diff --git a/patches/gnutls-2.12.23/02-cve-2013-2116.patch b/patches/gnutls-2.12.23/02-cve-2013-2116.patch
new file mode 100755
index 0000000..432f2ac
--- /dev/null
+++ b/patches/gnutls-2.12.23/02-cve-2013-2116.patch
@@ -0,0 +1,28 @@
+#! /bin/sh
+patch -p1 -l -f $* < $0
+exit $?
+
+From 5164d5a1d57cd0372a5dd074382ca960ca18b27d Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at gnutls.org>
+Date: Thu, 23 May 2013 09:54:37 +0200
+Subject: [PATCH 3/3] re-applied sanity check patch
+
+---
+ lib/gnutls_cipher.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
+index 2835121..71f5a98 100644
+--- a/lib/gnutls_cipher.c
++++ b/lib/gnutls_cipher.c
+@@ -561,6 +561,8 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
+           return GNUTLS_E_DECRYPTION_FAILED;
+         }
+       pad = ciphertext.data[ciphertext.size - 1];   /* pad */
++      if (pad+1 > ciphertext.size-hash_size)
++        pad_failed = GNUTLS_E_DECRYPTION_FAILED;
+
+       /* Check the pading bytes (TLS 1.x).
+        * Note that we access all 256 bytes of ciphertext for padding check
+--
+1.7.10.4
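Review bot: The wrapper line `patch -p1 -l -f $* < $0` leaves both expansions unquoted, so arguments containing whitespace are re-split and, depending on the shell, a script path containing a space can break the redirection; `patch -p1 -l -f "$@" < "$0"` avoids both. The same three-line header opens 03-cve-2014-1959.patch, 04-cve-2014-0092.patch and 05-cve-2014-3466.patch. Since these files carry security fixes, note also that `-l` relaxes whitespace matching and `-f` suppresses prompts, and patch still exits 0 when a hunk lands with an offset or fuzz. Checking the build log for offset/fuzz messages, or adding `-F0` if the project's other patches tolerate it, would make a misplaced fix visible.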
diff --git a/patches/gnutls-2.12.23/03-cve-2014-1959.patch b/patches/gnutls-2.12.23/03-cve-2014-1959.patch
new file mode 100755
index 0000000..cb2e6e2
--- /dev/null
+++ b/patches/gnutls-2.12.23/03-cve-2014-1959.patch
@@ -0,0 +1,39 @@
+#! /bin/sh
+patch -p1 -l -f $* < $0
+exit $?
+
+From b1abfe3d182d68539900092eb42fc62cf1bb7e7c Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at redhat.com>
+Date: Wed, 12 Feb 2014 16:11:58 +0100
+Subject: [PATCH] Fix bug that prevented the rejection of v1 intermediate CA
+ certificates.
+
+Reported by Suman Jana.
+
+
+Description: fix rejection of v1 intermediate CA
+ Fix bug that prevented the rejection of v1 intermediate CA
+ certificates.
+ Reported by Suman Jana.
+ This is b1abfe3d182d68539900092eb42fc62cf1bb7e7c from upstream git,
+ unfuzzed for 2.12.x by Andreas Metzler.
+Author: Nikos Mavrogiannopoulos <nmav at redhat.com>
+Origin: upstream
+Bug: http://www.gnutls.org/security.html#GNUTLS-SA-2014-1
+Forwarded: not-needed
+Last-Update: 2014-02-15
+
+--- gnutls26-2.12.23.orig/lib/x509/verify.c
++++ gnutls26-2.12.23/lib/x509/verify.c
+@@ -644,8 +644,10 @@ _gnutls_x509_verify_certificate (const g
+       /* note that here we disable this V1 CA flag. So that no version 1
+        * certificates can exist in a supplied chain.
+        */
+-      if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
++      if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) {
+         flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
++	flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
++      }
+       if ((ret =
+            _gnutls_verify_certificate2 (certificate_list[i - 1],
+                                         &certificate_list[i], 1, flags,
diff --git a/patches/gnutls-2.12.23/04-cve-2014-0092.patch b/patches/gnutls-2.12.23/04-cve-2014-0092.patch
new file mode 100755
index 0000000..e0bd8ee
--- /dev/null
+++ b/patches/gnutls-2.12.23/04-cve-2014-0092.patch
@@ -0,0 +1,105 @@
+#! /bin/sh
+patch -p1 -l -f $* < $0
+exit $?
+
+From 6aa26f78150ccbdf0aec1878a41c17c41d358a3b Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at gnutls.org>
+Date: Thu, 27 Feb 2014 19:42:26 +0100
+Subject: [PATCH] corrected return codes
+
+---
+ lib/x509/verify.c |   16 ++++++++++------
+ 1 files changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/lib/x509/verify.c b/lib/x509/verify.c
+index c9a6b0d..eef85a8 100644
+--- a/lib/x509/verify.c
++++ b/lib/x509/verify.c
+@@ -141,7 +141,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+   if (result < 0)
+     {
+       gnutls_assert ();
+-      goto cleanup;
++      goto fail;
+     }
+
+   result =
+@@ -150,7 +150,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+   if (result < 0)
+     {
+       gnutls_assert ();
+-      goto cleanup;
++      goto fail;
+     }
+
+   result =
+@@ -158,7 +158,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+   if (result < 0)
+     {
+       gnutls_assert ();
+-      goto cleanup;
++      goto fail;
+     }
+
+   result =
+@@ -166,7 +166,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+   if (result < 0)
+     {
+       gnutls_assert ();
+-      goto cleanup;
++      goto fail;
+     }
+
+   /* If the subject certificate is the same as the issuer
+@@ -206,6 +206,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+   else
+     gnutls_assert ();
+
++fail:
+   result = 0;
+
+ cleanup:
+@@ -330,7 +331,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+   gnutls_datum_t cert_signed_data = { NULL, 0 };
+   gnutls_datum_t cert_signature = { NULL, 0 };
+   gnutls_x509_crt_t issuer = NULL;
+-  int issuer_version, result;
++  int issuer_version, result = 0;
+
+   if (output)
+     *output = 0;
+@@ -363,7 +364,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+   if (issuer_version < 0)
+     {
+       gnutls_assert ();
+-      return issuer_version;
++      return 0;
+     }
+
+   if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
+@@ -385,6 +386,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+   if (result < 0)
+     {
+       gnutls_assert ();
++      result = 0;
+       goto cleanup;
+     }
+
+@@ -393,6 +395,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+   if (result < 0)
+     {
+       gnutls_assert ();
++      result = 0;
+       goto cleanup;
+     }
+
+@@ -410,6 +413,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+   else if (result < 0)
+     {
+       gnutls_assert();
++      result = 0;
+       goto cleanup;
+     }
+
+--
+1.7.1
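Review bot: Nothing in the patched code explains why every error path now yields 0, although that is the substance of the fix: the `fail:` label in check_if_ca, and the `return 0;` plus three `result = 0;` assignments in _gnutls_verify_certificate2, all turn negative error codes into "not verified". Judging from the call visible in 03-cve-2014-1959.patch (`if ((ret = _gnutls_verify_certificate2 (…`), callers appear to use the result as a true/false answer, so a negative value would presumably be read as success. A comment at `fail:` such as `/* errors must map to 0 (not trusted); callers treat non-zero as success */` would keep a later cleanup from reintroducing negative returns. Both function bodies extend beyond the quoted hunks, so the remaining return paths cannot be checked from here.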
diff --git a/patches/gnutls-2.12.23/05-cve-2014-3466.patch b/patches/gnutls-2.12.23/05-cve-2014-3466.patch
new file mode 100755
index 0000000..58af165
--- /dev/null
+++ b/patches/gnutls-2.12.23/05-cve-2014-3466.patch
@@ -0,0 +1,29 @@
+#! /bin/sh
+patch -p1 -l -f $* < $0
+exit $?
+
+From 89238044ade02c4d80e334ab74056ef28599663d Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at gnutls.org>
+Date: Fri, 23 May 2014 19:53:03 +0200
+Subject: [PATCH] Prevent memory corruption due to server hello parsing.
+
+Issue discovered by Joonas Kuorilehto of Codenomicon.
+---
+ lib/gnutls_handshake.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
+index e4a63e4..e652528 100644
+--- a/lib/gnutls_handshake.c
++++ b/lib/gnutls_handshake.c
+@@ -1797,7 +1797,7 @@ _gnutls_read_server_hello (gnutls_session_t session,
+   DECR_LEN (len, 1);
+   session_id_len = data[pos++];
+
+-  if (len < session_id_len)
++  if (len < session_id_len || session_id_len > TLS_MAX_SESSION_ID_SIZE)
+     {
+       gnutls_assert ();
+       return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
+--
+1.7.1
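Review bot: The new bound `session_id_len > TLS_MAX_SESSION_ID_SIZE` carries no comment saying what it protects, and the older `len < session_id_len` test beside it only compares against the remaining packet length. Given the patch subject ("Prevent memory corruption due to server hello parsing"), the session ID is presumably copied into a fixed-size buffer further down in _gnutls_read_server_hello, outside this hunk. I would add a line such as `/* session_id_len comes from the peer; it must fit the TLS_MAX_SESSION_ID_SIZE buffer it is copied into */` above the condition so the check is not later dropped as redundant.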

-----------------------------------------------------------------------

Summary of changes:
 packages/packages.current                          |    7 +-
 .../01-openssl-wincrypt.patch                      |    0
 patches/gnutls-2.12.23/02-cve-2013-2116.patch      |   28 ++++++
 patches/gnutls-2.12.23/03-cve-2014-1959.patch      |   39 ++++++++
 patches/gnutls-2.12.23/04-cve-2014-0092.patch      |  105 ++++++++++++++++++++
 patches/gnutls-2.12.23/05-cve-2014-3466.patch      |   29 ++++++
 6 files changed, 206 insertions(+), 2 deletions(-)
 rename patches/{gnutls-2.12.21 => gnutls-2.12.23}/01-openssl-wincrypt.patch (100%)
 create mode 100755 patches/gnutls-2.12.23/02-cve-2013-2116.patch
 create mode 100755 patches/gnutls-2.12.23/03-cve-2014-1959.patch
 create mode 100755 patches/gnutls-2.12.23/04-cve-2014-0092.patch
 create mode 100755 patches/gnutls-2.12.23/05-cve-2014-3466.patch


hooks/post-receive
-- 
GnuPG for Windows
http://git.gnupg.org


