[OE-core] [PATCH 2/3] gnutls: Fixed bug that prevented the rejection of v1 intermediate CA certificates.
Paul Eggleton
paul.eggleton at linux.intel.com
Wed Mar 5 11:25:24 UTC 2014
From: Karl Hiramoto <karl at hiramoto.org>
This patch is for the OE-Core master branch - it comes from upstream:
>From 467478d8ff08a3cb4be3034ff04c9d08a0ceba3e
From: Nikos Mavrogiannopoulos <nmav at redhat.com>
Date: Wed, 12 Feb 2014 16:41:33 +0100
For more info see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1959
http://www.gnutls.org/security.html#GNUTLS-SA-2014-1
https://www.gitorious.org/gnutls/gnutls/commit/467478d8ff08a3cb4be3034ff04c9d08a0ceba3e
Signed-off-by: Karl Hiramoto <karl at hiramoto.org>
Signed-off-by: Paul Eggleton <paul.eggleton at linux.intel.com>
---
...14-1959-rejection-of-v1-intermediate-cert.patch | 33 ++++++++++++++++++++++
meta/recipes-support/gnutls/gnutls_2.12.23.bb | 3 +-
2 files changed, 35 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2014-1959-rejection-of-v1-intermediate-cert.patch
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2014-1959-rejection-of-v1-intermediate-cert.patch b/meta/recipes-support/gnutls/gnutls/CVE-2014-1959-rejection-of-v1-intermediate-cert.patch
new file mode 100644
index 0000000..6567257
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2014-1959-rejection-of-v1-intermediate-cert.patch
@@ -0,0 +1,33 @@
+From 467478d8ff08a3cb4be3034ff04c9d08a0ceba3e Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at redhat.com>
+Date: Wed, 12 Feb 2014 16:41:33 +0100
+Subject: [PATCH 1/5] Fixed bug that prevented the rejection of v1 intermediate
+ CA certificates.
+
+Upstream-Status: Backport
+
+Signed-off-by: Karl Hiramoto <karl at hiramoto.org>
+
+---
+ lib/x509/verify.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/x509/verify.c b/lib/x509/verify.c
+index 2efcebf..c9a6b0d 100644
+--- a/lib/x509/verify.c
++++ b/lib/x509/verify.c
+@@ -645,7 +645,10 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
+ * certificates can exist in a supplied chain.
+ */
+ if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
+- flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
++ {
++ flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
++ flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
++ }
+ if ((ret =
+ _gnutls_verify_certificate2 (certificate_list[i - 1],
+ &certificate_list[i], 1, flags,
+--
+1.8.3.2
+
diff --git a/meta/recipes-support/gnutls/gnutls_2.12.23.bb b/meta/recipes-support/gnutls/gnutls_2.12.23.bb
index e26b154..04605dd 100644
--- a/meta/recipes-support/gnutls/gnutls_2.12.23.bb
+++ b/meta/recipes-support/gnutls/gnutls_2.12.23.bb
@@ -6,7 +6,8 @@ SRC_URI += "file://gnutls-openssl.patch \
file://correct_rpl_gettimeofday_signature.patch \
file://configure-fix.patch \
file://avoid_AM_PROG_MKDIR_P_warning_error_with_automake_1.12.patch \
- file://CVE-2014-0092-corrected-return-codes.patch \
+ file://CVE-2014-1959-rejection-of-v1-intermediate-cert.patch \
+ file://CVE-2014-0092-corrected-return-codes.patch \
${@['', 'file://fix-gettext-version.patch'][bb.data.inherits_class('native', d) or (not ((d.getVar("INCOMPATIBLE_LICENSE", True) or "").find("GPLv3") != -1))]} \
"
--
1.8.5.3
More information about the Openembedded-core
mailing list