commit:     821ac429221b9978e64463adad7cd03dbfff6965
Author:     Alon Bar-Lev <alonbl <AT> gentoo <DOT> org>
AuthorDate: Thu Sep 22 22:00:08 2016 +0000
Commit:     Alon Bar-Lev <alonbl <AT> gentoo <DOT> org>
CommitDate: Fri Sep 23 06:52:56 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=821ac429

net-libs/gnutls: fix CVE-2016-7444

Thanks:  behemothchess
Bug: 594738
Package-Manager: portage-2.2.28

 net-libs/gnutls/Manifest                           |   2 -
 .../gnutls/files/gnutls-3.3.24-CVE-2016-7444.patch |  28 ++++
 net-libs/gnutls/gnutls-3.3.24-r1.ebuild            | 178 +++++++++++++++++++++
 3 files changed, 206 insertions(+), 2 deletions(-)

diff --git a/net-libs/gnutls/Manifest b/net-libs/gnutls/Manifest
index 6c8ad16..2185e4e 100644
--- a/net-libs/gnutls/Manifest
+++ b/net-libs/gnutls/Manifest
@@ -1,7 +1,5 @@
 DIST gnutls-3.3.17.1.tar.xz 6339588 SHA256 
b40f158030a92f450a07b20300a3996710ca19800848d9f6fd62493170c5bbb4 SHA512 
9f2945abe1251db176fa227f2c90be46dba831af97647f04b960c71a50fc597776be31080733f9417f2242c4c6ae92fa897bf02d5f2ba40863e94df245c03319
 WHIRLPOOL 
8a04e56a5f47ddaad106081a613ead85a107b013d3e894074745e9439e0a7797b7f528aab5db7e3ac808f1c5c361c4717d7f0cb3abc943a6f912e5b6981db320
 DIST gnutls-3.3.23.tar.xz 6304332 SHA256 
f53453857e369d66d665c40389201c0b9dacb7ccda560fd21b20b798687a4239 SHA512 
5c2e93ddbff3ca2fc5f8fca8eeaef363bf8fe0f5dce2f4a9448e3235c930baa09d59a456a019283a451d19e0497d3ae645786080aa31febc7f1bcd71c6de1e09
 WHIRLPOOL 
fa082db1933eefc7e061dc7f7e6584d03920f40584865e2983250097db9acea0e6d0c075e8207a2e5b96e37ae77db2b91bcf21e97cc7dfdec0744904de4b5866
 DIST gnutls-3.3.24.tar.xz 6294532 SHA256 
5b65fe2a91c8dfa32bedc78acffcb152e5426cd3349e2afc43cccc9bdaf18aa5 SHA512 
1fbb2e15ade14db15d7acc9ff559ecfc39517fd99e6c784583a7a4f8786daf8053f35f41e39cde0eeb5a1dfd3193ad908b52f62f945fbd43c147dc87e55f192f
 WHIRLPOOL 
0725b35af9bbb4a7ee8f430af95e078066fb455328dd0ee71cca6633d093fe0433c7d869ebf0fabf8983679a32ff8451a2b631aec672810eb7bc55a3de28cc7d
-DIST gnutls-3.4.14.tar.xz 6673148 SHA256 
35deddf2779b76ac11057de38bf380b8066c05de21b94263ad5b6dfa75dfbb23 SHA512 
d75f6b4dea2dc742cd7f60ee0ee540d41b69991aaa937ca0138cfdf4a1e0dfaaa3863464303bfa5799e14ee02de252f71c59a7a9e57b96ff8af653e419edfd4e
 WHIRLPOOL 
1869b831521f4ef5dde5a6694fdf6239793b404478a9b7e97ec2b4af2f1a4326fa5b65521a74d664113a84d2ff1b660269fcf1f3ca1db361fddfab2af3c191dd
 DIST gnutls-3.4.15.tar.xz 6676480 SHA256 
eb2a013905f5f2a0cbf7bcc1d20c85a50065063ee87bd33b496c4e19815e3498 SHA512 
03157f2da22890ecd080ad58144a9aabe933382c0b7e969b7b194a0248bb5e6e25207078c0a92755650d0004970eb1c0cf0140dbdbf2e615808f9978e965a5e5
 WHIRLPOOL 
a5f866e44421b6ecb492587f9eee09373fbda0644cc71468995fd2756b620c254c2cd69c07e8db30df415810d1090daf5ea5d50b33f2fda02c0758a7d4ee04e8
-DIST gnutls-3.5.3.tar.xz 6895068 SHA256 
92c4bc999a10a1b95299ebefaeea8333f19d8a98d957a35b5eae74881bdb1fef SHA512 
d53d8067628ce49e5bb0dbbd76761a27f585b0a38356c0d8524db6cf96542f54a7f8a87c5772335c1ca1ceec1e111e11c54636bb24ca2ac014c367b96c9e3969
 WHIRLPOOL 
fc0b7a744c6c08a48c43a2e95781ec7139600b45b12f8352db01824468f301ab56f2adfec6f7a4806247fe33eadaa234ad541a27c75d8689c2817a0f5967aa05
 DIST gnutls-3.5.4.tar.xz 6930620 SHA256 
4e38014332e0f70c5d19b0eca8d85025ccd0d8be85894c0aaa498b42f6b9a8eb SHA512 
175aab43b6349a62530938333910feb26ea5d923e151a9942fd5a6989f87193b18862e69bbbdb6308f889585d428d689d8fd3a6e8149f9fd1ac2882802ea6a9f
 WHIRLPOOL 
6625adb815a69ba24e19b7966884f36577e8035272884d3d3b38c813ddd73e211ec3d2180c4e9160ad8459acab0ee72a36b328eae27357d6d1eb6476a06db75a

diff --git a/net-libs/gnutls/files/gnutls-3.3.24-CVE-2016-7444.patch 
b/net-libs/gnutls/files/gnutls-3.3.24-CVE-2016-7444.patch
new file mode 100644
index 00000000..82ab36f
--- /dev/null
+++ b/net-libs/gnutls/files/gnutls-3.3.24-CVE-2016-7444.patch
@@ -0,0 +1,28 @@
+From 964632f37dfdfb914ebc5e49db4fa29af35b1de9 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <n...@gnutls.org>
+Date: Sat, 27 Aug 2016 17:00:22 +0200
+Subject: [PATCH] ocsp: corrected the comparison of the serial size in OCSP 
response
+
+Previously the OCSP certificate check wouldn't verify the serial length
+and could succeed in cases it shouldn't.
+
+Reported by Stefan Buehler.
+---
+ lib/x509/ocsp.c | 1 +
+ 1 file changed, 1 insertion(+), 0 deletions(-)
+
+diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
+index 92db9b6..8181f2e 100644
+--- a/lib/x509/ocsp.c
++++ b/lib/x509/ocsp.c
+@@ -1318,6 +1318,7 @@ gnutls_ocsp_resp_check_crt(gnutls_ocsp_resp_t resp,
+               gnutls_assert();
+               goto cleanup;
+       }
++      cserial.size = t;
+ 
+       if (rserial.size != cserial.size
+           || memcmp(cserial.data, rserial.data, rserial.size) != 0) {
+--
+libgit2 0.24.0
+
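Review bot: The added `cserial.size = t;` makes the length comparison on the following line meaningful only if `t` is the number of serial bytes actually produced by the extraction call that precedes the hunk; that call, the declaration of `t`, and the start of `gnutls_ocsp_resp_check_crt` are all outside the hunk, so a backport reviewer should confirm in the 3.3.24 tree that `t` is the output length and not the buffer capacity that was passed in. The `gnutls_assert(); goto cleanup;` visible just above suggests the failure path of that call is already handled, so on success `t` should be valid. A comment on the new line would make the intent durable: `/* use the real serial length so the size check below cannot be bypassed (CVE-2016-7444) */`. The patch file keeps the upstream commit id `964632f3…` in its header, which is what lets this backport be verified against upstream gnutls.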

diff --git a/net-libs/gnutls/gnutls-3.3.24-r1.ebuild 
b/net-libs/gnutls/gnutls-3.3.24-r1.ebuild
new file mode 100644
index 00000000..4b00e29
--- /dev/null
+++ b/net-libs/gnutls/gnutls-3.3.24-r1.ebuild
@@ -0,0 +1,178 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+
+inherit autotools libtool eutils multilib-minimal versionator
+
+DESCRIPTION="A TLS 1.2 and SSL 3.0 implementation for the GNU project"
+HOMEPAGE="http://www.gnutls.org/";
+SRC_URI="mirror://gnupg/gnutls/v$(get_version_component_range 1-2)/${P}.tar.xz"
+
+# LGPL-3 for libgnutls library and GPL-3 for libgnutls-extra library.
+# soon to be relicensed as LGPL-2.1 unless heartbeat extension enabled.
+LICENSE="GPL-3 LGPL-3"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 
~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x86-interix ~amd64-linux 
~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris 
~x86-solaris"
+IUSE_LINGUAS=" en cs de fi fr it ms nl pl sv uk vi zh_CN"
+IUSE="+cxx +crywrap dane doc examples guile nls +openssl pkcs11 static-libs 
test zlib ${IUSE_LINGUAS// / linguas_}"
+# heartbeat support is not disabled until re-licensing happens fullyf
+
+# NOTICE: sys-devel/autogen is required at runtime as we
+# use system libopts
+RDEPEND=">=dev-libs/libtasn1-4.3[${MULTILIB_USEDEP}]
+       >=dev-libs/nettle-2.7:=[gmp,${MULTILIB_USEDEP}]
+       >=dev-libs/gmp-5.1.3-r1[${MULTILIB_USEDEP}]
+       sys-devel/autogen
+       crywrap? ( net-dns/libidn )
+       dane? ( >=net-dns/unbound-1.4.20[${MULTILIB_USEDEP}] )
+       guile? ( >=dev-scheme/guile-1.8:*[networking] )
+       nls? ( >=virtual/libintl-0-r1[${MULTILIB_USEDEP}] )
+       pkcs11? ( >=app-crypt/p11-kit-0.20.7[${MULTILIB_USEDEP}] )
+       zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )
+       abi_x86_32? (
+               !<=app-emulation/emul-linux-x86-baselibs-20140508
+               !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+       )"
+DEPEND="${RDEPEND}
+       >=sys-devel/automake-1.11.6
+       >=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
+       doc? (
+               sys-apps/texinfo
+               dev-util/gtk-doc
+       )
+       nls? ( sys-devel/gettext )
+       test? ( app-misc/datefudge )"
+
+DOCS=( AUTHORS ChangeLog NEWS README THANKS doc/TODO )
+
+PATCHES=(
+       
"${FILESDIR}/${PN}-3.3.19-build-allow-installing-man-1-even-with-disable-doc.patch"
+       "${FILESDIR}/${P}-CVE-2016-7444.patch"
+)
+
+pkg_setup() {
+       # bug#520818
+       export TZ=UTC
+}
+
+src_prepare() {
+       default
+
+       sed -i \
+               -e 's/imagesdir = $(infodir)/imagesdir = $(htmldir)/' \
+               doc/Makefile.am || die
+
+       # force regeneration of autogen-ed files
+       local file
+       for file in $(grep -l AutoGen-ed src/*.c) ; do
+               rm src/$(basename ${file} .c).{c,h} || die
+       done
+
+       # force regeneration of makeinfo files
+       # have no idea why on some system these files are not
+       # accepted as-is, see bug#520818
+       for file in $(grep -l "produced by makeinfo" doc/*.info) ; do
+               rm "${file}" || die
+       done
+
+       eautoreconf
+
+       # Use sane .so versioning on FreeBSD.
+       elibtoolize
+
+       # bug 497472
+       use cxx || epunt_cxx
+}
+
+multilib_src_configure() {
+       LINGUAS="${LINGUAS//en/en@boldquot en@quot}"
+
+       # TPM needs to be tested before being enabled
+       # hardware-accell is disabled on OSX because the asm files force
+       #   GNU-stack (as doesn't support that) and when that's removed ld
+       #   complains about duplicate symbols
+       ECONF_SOURCE=${S} \
+       econf \
+               --disable-valgrind-tests \
+               --without-included-libtasn1 \
+               --enable-heartbeat-support \
+               $(use_enable cxx) \
+               $(use_enable dane libdane) \
+               $(multilib_native_enable manpages) \
+               $(multilib_native_use_enable doc) \
+               $(multilib_native_use_enable doc gtk-doc) \
+               $(multilib_native_use_enable guile) \
+               $(multilib_native_use_enable crywrap) \
+               $(use_enable nls) \
+               $(use_enable openssl openssl-compatibility) \
+               $(use_enable static-libs static) \
+               $(use_with pkcs11 p11-kit) \
+               $(use_with zlib) \
+               --without-tpm \
+               --with-unbound-root-key-file=/etc/dnssec/root-anchors.txt \
+               $([[ ${CHOST} == *-darwin* ]] && echo 
--disable-hardware-acceleration)
+
+       if multilib_is_native_abi; then
+               ln -s "${S}"/doc/reference/html doc/reference/html || die
+       fi
+}
+
+multilib_src_compile() {
+       if multilib_is_native_abi; then
+               default
+
+               # symlink certtool for use in other ABIs
+               if use test; then
+                       ln -s "${BUILD_DIR}"/src "${T}"/native-tools || die
+               fi
+       else
+               emake -C gl
+               emake -C lib
+               emake -C extra
+               use dane && emake -C libdane
+       fi
+}
+
+multilib_src_test() {
+       if multilib_is_native_abi; then
+               # parallel testing often fails
+               emake -j1 check
+       else
+               # use native ABI tools
+               ln -s "${T}"/native-tools/{certtool,gnutls-{serv,cli}} \
+                       "${BUILD_DIR}"/src/ || die
+
+               emake -C gl -j1 check
+               emake -C tests -j1 check
+       fi
+}
+
+multilib_src_install() {
+       if multilib_is_native_abi; then
+               emake DESTDIR="${D}" install
+       else
+               emake -C lib DESTDIR="${D}" install
+               emake -C extra DESTDIR="${D}" install
+               use dane && emake -C libdane DESTDIR="${D}" install
+       fi
+}
+
+multilib_src_install_all() {
+       einstalldocs
+       prune_libtool_files --all
+
+       dodoc doc/certtool.cfg
+
+       if use doc; then
+               dohtml doc/gnutls.html
+       else
+               rm -fr "${ED}/usr/share/doc/${PF}/html"
+       fi
+
+       if use examples; then
+               docinto examples
+               dodoc doc/examples/*.c
+       fi
+}
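Review bot: The fix lands in a revision whose `KEYWORDS` line carries only `~arch` keywords, while gnutls-3.3.17.1 is still in the Manifest and is presumably the stable version; if so, stable users remain on a release the upstream patch description says is affected until this revision is stabilized or the patch is also applied there, which is worth confirming against bug 594738. `rm -fr "${ED}/usr/share/doc/${PF}/html"` in multilib_src_install_all is the one command in the file without `|| die`; the ebuild otherwise dies on every failure, so `rm -fr "${ED}/usr/share/doc/${PF}/html" || die` keeps it consistent. The comment `# heartbeat support is not disabled until re-licensing happens fullyf` has a stray trailing `f` and should read `fully`. A one-line comment next to the CVE entry in `PATCHES`, e.g. `# upstream 964632f3: OCSP serial length check, bug 594738`, would let a later maintainer see at a glance when the backport can be dropped.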
