From ee9a90bd7bc07dfc1b8de5ef86d5b0267898ab372b3100113b40c185ebf68fd6 Mon Sep 17 00:00:00 2001 From: OBS User unknown Date: Fri, 28 Nov 2008 14:06:02 +0000 Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=17 --- CVE-2008-4989.patch | 40 ++++++++++++++++++++++++++++++++++++++++ gnutls.changes | 6 ++++++ gnutls.spec | 9 +++++++-- 3 files changed, 53 insertions(+), 2 deletions(-) create mode 100644 CVE-2008-4989.patch diff --git a/CVE-2008-4989.patch b/CVE-2008-4989.patch new file mode 100644 index 0000000..2f0d2b4 --- /dev/null +++ b/CVE-2008-4989.patch @@ -0,0 +1,40 @@ +Index: gnutls/lib/x509/verify.c +=================================================================== +--- gnutls/lib/x509/verify.c 2008-11-10 10:58:33.000000000 +0100 ++++ gnutls/lib/x509/verify.c 2008-11-10 10:58:41.000000000 +0100 +@@ -374,6 +374,17 @@ + int i = 0, ret; + unsigned int status = 0, output; + ++ /* Check if the last certificate in the path is self signed. ++ * In that case ignore it (a certificate is trusted only if it ++ * leads to a trusted party by us, not the server's). ++ */ ++ if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], ++ certificate_list[clist_size - 1]) > 0 ++ && clist_size > 0) ++ { ++ clist_size--; ++ } ++ + /* Verify the last certificate in the certificate path + * against the trusted CA certificate list. + * +@@ -412,17 +423,6 @@ + } + #endif + +- /* Check if the last certificate in the path is self signed. +- * In that case ignore it (a certificate is trusted only if it +- * leads to a trusted party by us, not the server's). +- */ +- if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], +- certificate_list[clist_size - 1]) > 0 +- && clist_size > 0) +- { +- clist_size--; +- } +- + /* Verify the certificate path (chain) + */ + for (i = clist_size - 1; i > 0; i--) diff --git a/gnutls.changes b/gnutls.changes index abb5beb..50a935d 100644 --- a/gnutls.changes +++ b/gnutls.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri Nov 28 06:53:37 CET 2008 - jshi@suse.de + +- fix security bug [bnc#441856] + CVE-2008-4989 + ------------------------------------------------------------------- Thu Oct 30 12:34:56 CET 2008 - olh@suse.de diff --git a/gnutls.spec b/gnutls.spec index 8c4ffdd..2efbc24 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -21,12 +21,13 @@ Name: gnutls BuildRequires: gcc-c++ libgcrypt-devel libopencdk-devel Version: 2.4.1 -Release: 22 +Release: 23 License: GPL v3 or later; LGPL v2.1 or later BuildRoot: %{_tmppath}/%{name}-%{version}-build Url: http://www.gnutls.org/ Source0: %name-%version.tar.bz2 Patch1: gnutls-2.4.1-disable_cxx.patch +Patch2: CVE-2008-4989.patch Summary: The GNU Transport Layer Security Library Group: Productivity/Networking/Security AutoReqProv: on @@ -144,6 +145,7 @@ Authors: %prep %setup -q %patch1 -p1 +%patch2 -p1 %build autoreconf -fi @@ -230,6 +232,9 @@ rm -rf %buildroot %_libdir/pkgconfig/gnutls-extra.pc %changelog +* Fri Nov 28 2008 jshi@suse.de +- fix security bug [bnc#441856] + CVE-2008-4989 * Thu Oct 30 2008 olh@suse.de - obsolete old -XXbit packages (bnc#437293) * Sat Aug 02 2008 meissner@suse.de @@ -465,7 +470,7 @@ rm -rf %buildroot - Update to version 1.2.3 (fixes gnutls DOS Bug #83481) - Include defines.h before gnutls.h, to pull in config.h, to make sure memmem.h prototype memmem properly -* Sun Jan 30 2005 hvogel@suse.de +* Sat Jan 29 2005 hvogel@suse.de - Update to version 1.2.0 * Wed Jan 19 2005 hvogel@suse.de - update to version 1.1.23