author | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-10-19 08:51:59 +0000 |
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-10-19 08:55:11 +0000 |
commit | f1160ab71f617ea35209d64df0f4aa4d304dcc64 (patch) | |
tree | 9ce64d9ab6df5f70889df833580b84b127f9e30c | |
parent | ed53a1ae749810a4b9e824c133217ef97d65cdff (diff) |
main/gnutls: security fix (CVE-2016-7444). Fixes #6233
-rw-r--r-- | main/gnutls/APKBUILD | 17 | ||||
-rw-r--r-- | main/gnutls/CVE-2016-7444.patch | 28 |
2 files changed, 40 insertions, 5 deletions
diff --git a/main/gnutls/APKBUILD b/main/gnutls/APKBUILD
index 72fb6459d39..4d2766694db 100644
--- a/main/gnutls/APKBUILD
+++ b/main/gnutls/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=gnutls
 pkgver=3.3.18
-pkgrel=0
+pkgrel=1
 pkgdesc="A TLS protocol implementation"
 url="http://www.gnutls.org/"
 arch="all"
@@ -13,10 +13,14 @@ makedepends="$depends_dev texinfo"
 install=
 subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev $pkgname-utils $pkgname-c++:xx"
 source="ftp://ftp.gnutls.org/gcrypt/gnutls/v${pkgver%.*}/$pkgname-$pkgver.tar.xz
+ CVE-2016-7444.patch
 "
 
-_builddir="$srcdir/$pkgname-$pkgver"
+# secfixes:
+# 3.3.18-r1:
+# - CVE-2016-7444
 
+_builddir="$srcdir/$pkgname-$pkgver"
 prepare() {
 cd "$_builddir"
 for i in $source; do
@@ -62,6 +66,9 @@ xx() {
 mv "$pkgdir"/usr/lib/lib*xx.so.* "$subpkgdir"/usr/lib/
 }
 
-md5sums="dbd5c7d3d925d42b821aab6a917113dd gnutls-3.3.18.tar.xz"
-sha256sums="7a87e7f486d1ada10007356917a412cde6c6114dac018e3569e3aa09e9f29395 gnutls-3.3.18.tar.xz"
-sha512sums="e7c972458ad0af401121c705ebe86aafa46c02743d963b1b67ca09192c746a9193c73d28501b6c046435259b40ac0f8d201860cd6cf6240a7783b6c01b64286c gnutls-3.3.18.tar.xz"
+md5sums="dbd5c7d3d925d42b821aab6a917113dd gnutls-3.3.18.tar.xz
+e411086bcb837aa76053a4684ceb5df3 CVE-2016-7444.patch"
+sha256sums="7a87e7f486d1ada10007356917a412cde6c6114dac018e3569e3aa09e9f29395 gnutls-3.3.18.tar.xz
+6c4f45bef3a07fa7e1796481412316c71551dca7b2894217f2849cc97f06571f CVE-2016-7444.patch"
+sha512sums="e7c972458ad0af401121c705ebe86aafa46c02743d963b1b67ca09192c746a9193c73d28501b6c046435259b40ac0f8d201860cd6cf6240a7783b6c01b64286c gnutls-3.3.18.tar.xz
+a8bab56c0b9b31bd29a3b4d4f1948cc58b090a6d10a468d906b16796645bf8dcec2112683c9f9b4c07a08b89342728a624dbd16bd95c041b91e450a2319f29e7 CVE-2016-7444.patch"
diff --git a/main/gnutls/CVE-2016-7444.patch b/main/gnutls/CVE-2016-7444.patch
new file mode 100644
index 00000000000..82ab36f6ada
--- /dev/null
+++ b/main/gnutls/CVE-2016-7444.patch
@@ -0,0 +1,28 @@
+From 964632f37dfdfb914ebc5e49db4fa29af35b1de9 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Sat, 27 Aug 2016 17:00:22 +0200
+Subject: [PATCH] ocsp: corrected the comparison of the serial size in OCSP response
+
+Previously the OCSP certificate check wouldn't verify the serial length
+and could succeed in cases it shouldn't.
+
+Reported by Stefan Buehler.
+---
+ lib/x509/ocsp.c | 1 +
+ 1 file changed, 1 insertion(+), 0 deletions(-)
+
+diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
+index 92db9b6..8181f2e 100644
+--- a/lib/x509/ocsp.c
++++ b/lib/x509/ocsp.c
+@@ -1318,6 +1318,7 @@ gnutls_ocsp_resp_check_crt(gnutls_ocsp_resp_t resp,
+ gnutls_assert();
+ goto cleanup;
+ }
++ cserial.size = t;
+ 
+ if (rserial.size != cserial.size
+ || memcmp(cserial.data, rserial.data, rserial.size) != 0) {
+-- 
+libgit2 0.24.0
+
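Review bot: The added `cserial.size = t;` only makes the size comparison meaningful if `t` holds the serial length actually written by the getter called just above this hunk rather than the capacity it may have been initialised to; that call and the declaration of `t` are outside the hunk, so it cannot be confirmed here and is worth checking against the upstream commit 964632f3 the patch header cites. The `memcmp` on the following line is bounded by `rserial.size`, which is safe only because the `rserial.size != cserial.size` test short-circuits first in the same `||` expression — a comment such as `/* sizes are equal here, so rserial.size bounds both buffers */` above the `if` would make that dependency explicit to the next reader. gnutls_ocsp_resp_check_crt starts and ends outside the hunk. Since this is a vendored upstream patch, any such change belongs upstream rather than in the APKBUILD's copy.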