OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=17

2008-11-28 14:06:02 +00:00 · 2008-11-28 14:06:02 +00:00 · ee9a90bd7b
commit ee9a90bd7b
parent d3034dc228
3 changed files with 53 additions and 2 deletions
--- a/CVE-2008-4989.patch
+++ b/CVE-2008-4989.patch
@ -0,0 +1,40 @@
+Index: gnutls/lib/x509/verify.c	
+===================================================================
+--- gnutls/lib/x509/verify.c	2008-11-10 10:58:33.000000000 +0100
+++ gnutls/lib/x509/verify.c	2008-11-10 10:58:41.000000000 +0100
+@@ -374,6 +374,17 @@
+   int i = 0, ret;
+   unsigned int status = 0, output;
+
+  /* Check if the last certificate in the path is self signed.
+   * In that case ignore it (a certificate is trusted only if it
+   * leads to a trusted party by us, not the server's).
+   */
+  if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
+				    certificate_list[clist_size - 1]) > 0
+      && clist_size > 0)
+    {
+      clist_size--;
+    }
+
+   /* Verify the last certificate in the certificate path
+    * against the trusted CA certificate list.
+    *
+@@ -412,17 +423,6 @@
+     }
+ #endif
+
+-  /* Check if the last certificate in the path is self signed.
+-   * In that case ignore it (a certificate is trusted only if it
+-   * leads to a trusted party by us, not the server's).
+-   */
+-  if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
+-				    certificate_list[clist_size - 1]) > 0
+-      && clist_size > 0)
+-    {
+-      clist_size--;
+-    }
+-
+   /* Verify the certificate path (chain) 
+    */
+   for (i = clist_size - 1; i > 0; i--)
--- a/gnutls.changes
+++ b/gnutls.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Nov 28 06:53:37 CET 2008 - jshi@suse.de
+
+- fix security bug [bnc#441856]
+  CVE-2008-4989
+
 -------------------------------------------------------------------
 Thu Oct 30 12:34:56 CET 2008 - olh@suse.de

--- a/gnutls.spec
+++ b/gnutls.spec
@ -21,12 +21,13 @@
 Name:           gnutls
 BuildRequires:  gcc-c++ libgcrypt-devel libopencdk-devel
 Version:        2.4.1
-Release:        22
+Release:        23
 License:        GPL v3 or later; LGPL v2.1 or later
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Url:            http://www.gnutls.org/
 Source0:        %name-%version.tar.bz2
 Patch1:         gnutls-2.4.1-disable_cxx.patch
+Patch2:         CVE-2008-4989.patch
 Summary:        The GNU Transport Layer Security Library
 Group:          Productivity/Networking/Security
 AutoReqProv:    on
@ -144,6 +145,7 @@ Authors:
 %prep
 %setup -q
 %patch1 -p1
+%patch2 -p1

 %build
 autoreconf -fi
@ -230,6 +232,9 @@ rm -rf %buildroot
 %_libdir/pkgconfig/gnutls-extra.pc

 %changelog
+* Fri Nov 28 2008 jshi@suse.de
+- fix security bug [bnc#441856]
+  CVE-2008-4989
 * Thu Oct 30 2008 olh@suse.de
 - obsolete old -XXbit packages (bnc#437293)
 * Sat Aug 02 2008 meissner@suse.de
@ -465,7 +470,7 @@ rm -rf %buildroot
 - Update to version 1.2.3 (fixes gnutls DOS Bug #83481)
 - Include defines.h before gnutls.h, to pull in config.h, to make
  sure memmem.h prototype memmem properly
-* Sun Jan 30 2005 hvogel@suse.de
+* Sat Jan 29 2005 hvogel@suse.de
 - Update to version 1.2.0
 * Wed Jan 19 2005 hvogel@suse.de
 - update to version 1.1.23