Fix CVE-2014-3466, CVE-2014-3467, CVE-2014-3468, CVE-2014-3469 of 2.12 series

Package-Manager: portage-2.2.8-r1/cvs/Linux x86_64 Manifest-Sign-Key: 0xBF20DC51
author: Alon Bar-Lev <alonbl@gentoo.org> 2014-06-07 18:18:54 +0000
committer: Alon Bar-Lev <alonbl@gentoo.org> 2014-06-07 18:18:54 +0000
commit: b284211da58d37a7ccc7689b4800bfa459a7c3b3 (patch)
tree: 3e484871d5ba8b58870f96e7c14cdaf5cea42bb1 /net-libs/gnutls
parent: Version bump. (diff)
download: historical-b284211da58d37a7ccc7689b4800bfa459a7c3b3.tar.gz
historical-b284211da58d37a7ccc7689b4800bfa459a7c3b3.tar.bz2
historical-b284211da58d37a7ccc7689b4800bfa459a7c3b3.zip
7 files changed, 664 insertions, 5 deletions
diff --git a/net-libs/gnutls/ChangeLog b/net-libs/gnutls/ChangeLog
index 82bcc2316c62..b4fcfe823e74 100644
--- a/net-libs/gnutls/ChangeLog
+++ b/net-libs/gnutls/ChangeLog
@@ -1,6 +1,15 @@
 # ChangeLog for net-libs/gnutls
 # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-libs/gnutls/ChangeLog,v 1.494 2014/06/07 17:48:35 alonbl Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-libs/gnutls/ChangeLog,v 1.495 2014/06/07 18:18:46 alonbl Exp $
+
+*gnutls-2.12.23-r6 (07 Jun 2014)
+
+  07 Jun 2014; Alon Bar-Lev <alonbl@gentoo.org>
+  +files/gnutls-2.12.23-CVE-2014-3466.patch,
+  +files/gnutls-2.12.23-CVE-2014-3467.patch,
+  +files/gnutls-2.12.23-CVE-2014-3468.patch,
+  +files/gnutls-2.12.23-CVE-2014-3469.patch, +gnutls-2.12.23-r6.ebuild:
+  Fix CVE-2014-3466, CVE-2014-3467, CVE-2014-3468, CVE-2014-3469 of 2.12 series
 
   07 Jun 2014; Alon Bar-Lev <alonbl@gentoo.org>
   -files/gnutls-2.12.20-glibc-2.16.patch, -files/gnutls-3.3.1-guile.patch,
diff --git a/net-libs/gnutls/Manifest b/net-libs/gnutls/Manifest
index 7c12f831c6b1..7267089344fe 100644
--- a/net-libs/gnutls/Manifest
+++ b/net-libs/gnutls/Manifest
@@ -7,6 +7,10 @@ AUX gnutls-2.12.20-libadd.patch 988 SHA256 b1f73ec17feb72817f39f109ec2e4dc69ea8d
 AUX gnutls-2.12.23-CVE-2013-2116.patch 855 SHA256 473663119e3c0c91677becc2982f6bddcbe44000f9530515ad2051982c8a7e57 SHA512 463add69c9db348e1e7b93ba2e7bff3ce62abc96731485955e36e6855e3e2a1fb53f082238cada537487285e15d94296cf3fd3d408a013c307ff195685896fc5 WHIRLPOOL 10576ef2591f8bf47148a37bc5690abca474691edab802cf46967b8695c838d1e477a5731f677c8951b0652981ba338c42e14479e33e8dfccfa7952ab56f04a9
 AUX gnutls-2.12.23-CVE-2014-0092.patch 2480 SHA256 c57b3a64541236028de71be567db27346c4fb0933f4fd71c8dc139ec88a96db5 SHA512 064abde218509e79ce4df03de1db1dbd4a1fd93fae0cf7c9efaa62cc6ca2dce4cb8576fcfcbc55b1e1712e4167a02567659a122b443b824e896e49237032e9b7 WHIRLPOOL 758a3378c0b53164e7d60416661f0530e33fc3344e77339f58d51e39dc721fa411a5bd80dbfe95be22f4389cf0779d75a27b9be5c4da577036c5f10702b874ed
 AUX gnutls-2.12.23-CVE-2014-1959.patch 584 SHA256 f1e6290cb19e517ba460ef359914c83afcbf5f884dd9556d0be52a6dde96f465 SHA512 827dd50c54a79e78c6d6f28856f548d9d7c766577a0613eadf95b0c8b5fc44545335f1dde5adfba7d019b842d16c2131bb780dc0228dd5b25ba45774b06f3188 WHIRLPOOL 86269f8d4e5dd5d7de3ad60cefe7df2227c6c49e474217f8e6d487e893db93d5447bef9261b74e388d461ff23d79068cdf512aa441f0aff19a256e2b6fbf9d4a
+AUX gnutls-2.12.23-CVE-2014-3466.patch 8508 SHA256 4ab0199e09ea9f4c8ab832a741a8015056beb9613eed51aba24118ab1dba253c SHA512 22cf2f302aabf3668b7b7df290b58b20a3e5ec33a72e49a1b5285297cb8ad7aae8706cdabcdea0f0a168944bbaecd1ce7a4bc6763dc670db8b18b6c4e68e9e09 WHIRLPOOL 41345df93de568a284abdb38df7128cf14ba7adad4efc6265d5e17977ceba7e7e3dffb8a9629b202bcd21ba96e02e42985dab1e07b7a808c614c76fb06a0c132
+AUX gnutls-2.12.23-CVE-2014-3467.patch 1479 SHA256 bff11a3580df0a20e4ec4a4793f629664c27a30f76db3e31a42f7dc51c9dab7c SHA512 366c8065fbb383e85e169e4c58d3053d95d4e90183e95150a746e50c9abcfc62c51141473dd2b2941abf49aec69fc1242ad7d0aef470fb52ad3d5a37870c5244 WHIRLPOOL a864389561e1bb2270734aa5014e4a7b5f9f27876d15ad55821be44807167e20252485adf13bd8c5ab2addd382fc83d0594081808a346187a47f9f5f59a23ea0
+AUX gnutls-2.12.23-CVE-2014-3468.patch 1252 SHA256 33d7d2037322a6d8e38eaaa45b844794455a0f3bb98f14d0138402d2355615a9 SHA512 16f94c430ff6e5b538ed5b88c732807de1cd11abd749cbaea16037cb8e6b0627c08507a13c758d96a609eec8bee6c01fdddd2366ed95348bbb35c4e23d89f5aa WHIRLPOOL 6963ad0bd48c3cb78f40f50fd38428e63718a89bb810387844686c539f70c22c426ffcd8ede37b6a8c9ab9aa85616a0f6cf0832dc326842dd703109dba05d40a
+AUX gnutls-2.12.23-CVE-2014-3469.patch 3461 SHA256 cc055dafc2bdfd1e0d0a6026fc0bfe32412a6fb2b5ddaba125f7688bebddba9a SHA512 8ff13f6b029f4a00428e993507924a0331e77f7f964cb96807193ac9a1064f785c79e881216e73b3a23c134298820f892f59177bed56aad29dfee7ac1fda84a8 WHIRLPOOL 8a3b1238d9633527f50775c6b254d3b3e5be984f043b6888db732d00000e095f61d3739e343481fada3d67b9cb6e7b8bccc7a900b890f2505408beaa2c7b0607
 AUX gnutls-2.12.23-gdoc-perl-5.18.patch 4878 SHA256 a55a56b8faead4e7c369945d356190b59f16e57429fa20221f201b88e92dbef6 SHA512 2480cb3e9625eb6518958c8f4caa208957fc5a9e7c3ef84fa6345640ca7e65cba2f8043f8b6a05aceb80750748502e66dd6f5c55ebcbc750c54955baaad4d31b WHIRLPOOL 5ff3a01efb80fc8dee9ed77436afa70aa39e33fcecb8a9742fa431047e66055cffc4a07657a28485d3e2c75a5ea9bd7ebd1f72b9bed1ad7caaa468997c600d54
 AUX gnutls-2.12.23-gl-tests-getaddrinfo-skip-if-no-network.patch 1146 SHA256 0644a00f75987f8a8906ec536b4b29967c24ae22ece8dfee074af3f85be566b5 SHA512 ea3062f90ace33a6229fe10f9a1fb492e84905dce0231309d2c105386c45a151d99c140c66158435ebe4781defc5a536775f4d68b3552208885636e5ed4b7223 WHIRLPOOL ee131aa7709e717cf5e893d5073dbc7eeec569e2a6e48094534dcf8f0d3d17b8a4f75da0a2c91ed2d70e37ef4429d7759dffce4948fd508dcbc0e081a8d98aa0
 AUX gnutls-2.12.23-hppa.patch 1165 SHA256 68958ca9d05f6ffe89064488847d5e2ca615344abf7c9060f73f525a593716f0 SHA512 040507b973788dc2ca4aab19d69f45011e6509354e38ec875ab6fdec3f1c3be40272ea99cd53a5adfc8b52b30e29d86af80891d57b50068a4b3f2cc20246ac70 WHIRLPOOL c4d17452c22e81fdcbd6e14aaaf8294a90a67438ebcadcaab096a6d2f115643c2ce36cc503d186d2d2483366b890add3e9101c26998878817f7baed8589a8514
@@ -15,14 +19,15 @@ DIST gnutls-3.2.15.tar.xz 5140200 SHA256 30bdc7b34b220258f714602cdf0afa1abf0883b
 DIST gnutls-3.3.4.tar.xz 5326368 SHA256 04a53b2bbb936b02cdc62f68144f9706e256cc85cc530b81266a24d80b824357 SHA512 601ce227b5a529d60e19543347f78aaca81fb4051ab73d560a57d5b3f4f20fcbb52bbcecf3da2780f55c303c510b365a027b1758674e5d86fc2b9d2b06fac431 WHIRLPOOL 5dfaecaf6c5e769a8e6ac85d603c98b27b760b9c90dcb4ded0484b060d85e71c54ba31279b0d0fa185cf965e3baff315663ea81922f34b0557e70818d6bcaad1
 EBUILD gnutls-2.12.23-r4.ebuild 3368 SHA256 75eb7867b4de6c6714ee56a28a4e14fe35810b88d738a5b3c6742e283e90ef08 SHA512 8c88242faf9c6a5e6f2ff488717ee9e41451a99d06bfe1982aea2394a7c46de571f56ebc57b8a1228a2635102b0da9bc9931a6ce4557173fe21bc61cd0af873f WHIRLPOOL 26f423e8dd5fae2cb328363a6cf871e9a1feecef15ae33bb33da10c42cdac407b0406e37790f9c30f2f1035fd2cde78b439f390214254bb9b6f9b9259d728242
 EBUILD gnutls-2.12.23-r5.ebuild 3427 SHA256 e0f2f2342fad36c098229b66e2029bf16cdf2e38ab8c83ff48237d7c561c524f SHA512 f803599ea6c01a7afef1becb082865b13ae6662c32b82225b195102f9813df7f5f89edd5cf3571cfd89796bb3237570bb345bed79ecf940d21fd479b313f68d6 WHIRLPOOL fec1ffd875507bdf0d738ae2683e9d495b7e59078255dd9e19bf41fd47a6c813f2cdc2dd41b0b66a744113fd80c87067cb95391ac9efcd6c09e911f99ce8ab1e
+EBUILD gnutls-2.12.23-r6.ebuild 3579 SHA256 fed271ddff8c2f9743adc793b8fe7f4bbc7b566c51ddcf8e487d6802641ace59 SHA512 d11c5b9e7d36bc7247e1f8705e9b825df1cad2d2087cc45cda9da4bd657955afb2277e617d1f81a6fdbf714b236dbdd65e75eaf70cbd170a4de705606cc06726 WHIRLPOOL faf6ba6b0532c5b685763d66bc32ed961cf412e086a68cd7803c8829660405cba465c7721cf8a33798c2bcf8b1490246d763a4c13baf31d263d1d0fae2dc816b
 EBUILD gnutls-3.2.15.ebuild 3476 SHA256 6a2df9a17f4f3036ff7e87386994f784435201eb1ba46b28d4f11daa246cc1f3 SHA512 25716af0714f85f50a4d0b051303f9ddacb2f6c599c7aa78e5b648ec02637e39ba5cd44a49dd1f097585c01f2134ae983f3fd7486e2f9b7a6755af15baa8e86d WHIRLPOOL 3ca668518a4db0d12e4acb36af9da5885599e93200557f3fa3ebdbb31e4b0b8216e3ca71be03f90b19fb5c24238298e74b24e56d1a618195f4b7aa6128607dea
 EBUILD gnutls-3.3.4.ebuild 4363 SHA256 dad100b9922e53d0b56a1873164b5a731771a0ba90d6cc7ad57449786af23413 SHA512 d493cede7b1df50e75515a1231ac686a6173e5ddeec261a09204923711212766cb0a91a559c6174a4246425ef2984796b60fb8f72c96c9a4aa511fa7df311d78 WHIRLPOOL da7fa3e54f4e40fc7798ff1997b296e448c0caa3332187137d39703942d1e33a0d9f4b1cdc0d7a915f21f75d016749b910077c1cc2154364d9bf2716f8ebcc1a
-MISC ChangeLog 73643 SHA256 9d4c9830b4b264a8b01e2ecb046aa84518012d8d8a9186ca0d4db79a24ec1315 SHA512 56f4157cd69453f51cfab916d1645d75fee05af293a84c6ddd47c9bbd975a00911f51c15613ce850eb3994dd456907746f98518c756fecea081a0af06ca9f2aa WHIRLPOOL 8b17069077d3241243f32ab3ca2773263b2534d2ea7cc48663b26586a2c1e1a92172900e67a965dd71589acdac7f32c591f6e5f013dc63bd162d8d0302f6b7a6
+MISC ChangeLog 74013 SHA256 3e6b2ed56c78702c8c414a25608b8fc1e79f3dbde4175682a46e578f9b3f2ed7 SHA512 66a5c87b5433234c1a3e01a22d7b47b53bb49d7fcbebb8f4c9f80660ec8fc3d543fdf56ed12afdc1f9d8c8f4ae098828f7a79e5741d69514e3cdd95fffec1847 WHIRLPOOL 86a700b03163ea73b78c08be32d12e74cccde353558bb069fe5880f9e78d396135dd84e28336289b0aea72b5df7f62eea8f516cc06f9135825cee253c1d42179
 MISC metadata.xml 875 SHA256 a0a8b100321cd3bfc4458cdd37570fafbe7270bce36b15ec8f17ece2232a5906 SHA512 1cd6b55fc3fe2460a6fad153190a95bb97a3baf7c2ae153a4548be9922f4775518acb9dd858f98191f3972dced8e8ccc1da9309871ffbf4ccdc7bc394d343bd2 WHIRLPOOL 4fd8f09f0f43c80ee037785de47b67bb9ae8a6e7928008290beec977a64ca8744c7d15b96eec0dbcc142e1dc753eab850b72f4182330ae25c6f29001ccb06637
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
-iF4EAREIAAYFAlOTUHcACgkQXYk9GL8g3FHKwAD+M/TOMCAWxmKWJTZHsCyhcFoT
-xxIi43gcXhFX05K9IIQA+wQ/xO53douRAwklG6t9ieplXVRPRVtYtF2uOHWCVl9y
-=2Dzt
+iF4EAREIAAYFAlOTV4kACgkQXYk9GL8g3FGE5gD/WvCJTjLnMmScQZVHX2niYvck
+rM6NeAC4Jsm3C+p5wxgA/0tz45LjH7gogRm/3OsLCrzhbswH06LxdheGKYQaIE51
+=MPHH
 -----END PGP SIGNATURE-----
diff --git a/net-libs/gnutls/files/gnutls-2.12.23-CVE-2014-3466.patch b/net-libs/gnutls/files/gnutls-2.12.23-CVE-2014-3466.patch
new file mode 100644
index 000000000000..9e32296e86de
--- /dev/null
+++ b/net-libs/gnutls/files/gnutls-2.12.23-CVE-2014-3466.patch
@@ -0,0 +1,311 @@
+From e47d30e272a0b3977db8dae09327acad45b931d8 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@zoho.com>
+Date: Sun, 1 Jun 2014
+Subject: CVE-2014-3466
+
+This is a backport adaptation for use with GnuTLS 2.12.23.
+
+Relevant upstream commit(s):
+-------------------------
+https://gitorious.org/gnutls/gnutls/commit/688ea6428a432c
+https://gitorious.org/gnutls/gnutls/commit/a7be326f0e33cf
+
+---
+ lib/gnutls_handshake.c  |    2 
+ tests/Makefile.am       |    2 
+ tests/long-session-id.c |  268 ++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 270 insertions(+), 2 deletions(-)
+
+--- a/lib/gnutls_handshake.c
++++ b/lib/gnutls_handshake.c
+@@ -1797,7 +1797,7 @@ _gnutls_read_server_hello (gnutls_sessio
+   DECR_LEN (len, 1);
+   session_id_len = data[pos++];
+ 
+-  if (len < session_id_len)
++  if (len < session_id_len || session_id_len > TLS_MAX_SESSION_ID_SIZE)
+     {
+       gnutls_assert ();
+       return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -64,7 +64,7 @@ ctests = simple gc set_pkcs12_cred certd
+ 	crq_key_id x509sign-verify cve-2009-1415 cve-2009-1416		\
+ 	crq_apis init_roundtrip pkcs12_s2k_pem dn2 mini-eagain		\
+ 	nul-in-x509-names x509_altname pkcs12_encode mini-x509		\
+-	mini-x509-rehandshake rng-fork x509cert gendh
++	mini-x509-rehandshake rng-fork x509cert gendh long-session-id
+ 
+ if ENABLE_OPENSSL
+ ctests +=  openssl
+--- /dev/null
++++ b/tests/long-session-id.c
+@@ -0,0 +1,268 @@
++/*
++ * Copyright (C) 2012 Free Software Foundation, Inc.
++ *
++ * Author: Nikos Mavrogiannopoulos
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GnuTLS; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
++ */
++
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
++#include <stdio.h>
++#include <stdlib.h>
++
++#if defined(_WIN32)
++
++int main()
++{
++	exit(77);
++}
++
++#else
++
++#include <string.h>
++#include <sys/types.h>
++#include <netinet/in.h>
++#include <sys/socket.h>
++#include <sys/wait.h>
++#include <arpa/inet.h>
++#include <unistd.h>
++#include <gnutls/gnutls.h>
++#include <signal.h>
++
++static int debug = 0;
++static void terminate(int);
++
++/* This program tests the robustness of record
++ * decoding.
++ */
++
++static void client_log_func(int level, const char *str)
++{
++	fprintf(stderr, "client|<%d>| %s", level, str);
++}
++
++static unsigned char server_cert_pem[] =
++    "-----BEGIN CERTIFICATE-----\n"
++    "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n"
++    "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n"
++    "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n"
++    "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n"
++    "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n"
++    "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n"
++    "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n"
++    "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n"
++    "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n"
++    "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n"
++    "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n"
++    "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n"
++    "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n";
++
++const gnutls_datum_t server_cert = { server_cert_pem,
++	sizeof(server_cert_pem)
++};
++
++static unsigned char server_key_pem[] =
++    "-----BEGIN RSA PRIVATE KEY-----\n"
++    "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n"
++    "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n"
++    "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n"
++    "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n"
++    "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n"
++    "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n"
++    "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n"
++    "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n"
++    "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n"
++    "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n"
++    "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n"
++    "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n"
++    "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n"
++    "-----END RSA PRIVATE KEY-----\n";
++
++const gnutls_datum_t server_key = { server_key_pem,
++	sizeof(server_key_pem)
++};
++
++
++/* A very basic TLS client, with anonymous authentication.
++ */
++
++static void client(int fd, const char *prio)
++{
++	int ret;
++	gnutls_anon_client_credentials_t anoncred;
++	gnutls_certificate_credentials_t x509_cred;
++	gnutls_session_t session;
++	/* Need to enable anonymous KX specifically. */
++
++	gnutls_global_init();
++
++	if (debug) {
++		gnutls_global_set_log_function(client_log_func);
++		gnutls_global_set_log_level(7);
++	}
++
++	gnutls_anon_allocate_client_credentials(&anoncred);
++	gnutls_certificate_allocate_credentials(&x509_cred);
++
++	/* Initialize TLS session
++	 */
++	gnutls_init(&session, GNUTLS_CLIENT);
++
++	/* Use default priorities */
++	gnutls_priority_set_direct(session, prio, NULL);
++
++	/* put the anonymous credentials to the current session
++	 */
++	gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
++	gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
++
++	gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) fd);
++
++	/* Perform the TLS handshake
++	 */
++	do {
++		ret = gnutls_handshake(session);
++	}
++	while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
++
++	if (ret < 0) {
++		fprintf(stderr, "client: Handshake failed (expected)\n");
++		gnutls_perror(ret);
++		exit(0);
++	} else {
++		if (debug)
++			fprintf(stderr, "client: Handshake was completed\n");
++	}
++
++	close(fd);
++
++	gnutls_deinit(session);
++
++	gnutls_anon_free_client_credentials(anoncred);
++	gnutls_certificate_free_credentials(x509_cred);
++
++	gnutls_global_deinit();
++}
++
++
++/* These are global */
++pid_t child;
++
++static void terminate(int ret)
++{
++	kill(child, SIGTERM);
++	exit(ret);
++}
++
++static void server(int fd, const char *prio)
++{
++	int ret;
++	uint8_t id[255];
++	uint8_t buffer[] = "\x16\x03\x00\x01\x25"
++		"\x02\x00\x01\x21"
++		"\x03\x00"/*Server Version */
++		/*Random*/"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00"
++		/*SessionID*/"\xfe";
++
++	ret = read(fd, id, sizeof(id));
++	if (ret < 0) {
++		abort();
++	}
++
++	ret = write(fd, buffer, sizeof(buffer));
++	if (ret < 0) {
++		return;
++	}
++
++	memset(id, 0xff, sizeof(id));
++	ret = write(fd, id, sizeof(id));
++	if (ret < 0) {
++		return;
++	}
++
++	memset(id, 0xff, sizeof(id));
++	ret = write(fd, id, sizeof(id));
++	if (ret < 0) {
++		return;
++	}
++	sleep(3);
++
++	return;
++}
++
++static void start(const char *prio)
++{
++	int fd[2];
++	int ret;
++
++	ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
++	if (ret < 0) {
++		perror("socketpair");
++		exit(1);
++	}
++
++	child = fork();
++	if (child < 0) {
++		perror("fork");
++		exit(1);
++	}
++
++	if (child) {
++		/* parent */
++		close(fd[1]);
++		server(fd[0], prio);
++		kill(child, SIGTERM);
++	} else {
++		close(fd[0]);
++		client(fd[1], prio);
++		exit(0);
++	}
++}
++
++static void ch_handler(int sig)
++{
++	int status, ret = 0;
++	wait(&status);
++	if (WEXITSTATUS(status) != 0 ||
++	    (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV)) {
++		if (WIFSIGNALED(status)) {
++			fprintf(stderr, "Child died with sigsegv\n");
++			ret = 1;
++		} else {
++			fprintf(stderr, "Child died with status %d\n",
++			     WEXITSTATUS(status));
++		}
++		terminate(ret);
++	}
++	return;
++}
++
++int main(int argc, char **argv)
++{
++	signal(SIGCHLD, ch_handler);
++
++	if (argc > 1)
++		debug = 1;
++
++	start("NORMAL");
++	return 0;
++}
++
++#endif				/* _WIN32 */
diff --git a/net-libs/gnutls/files/gnutls-2.12.23-CVE-2014-3467.patch b/net-libs/gnutls/files/gnutls-2.12.23-CVE-2014-3467.patch
new file mode 100644
index 000000000000..e52965e2b824
--- /dev/null
+++ b/net-libs/gnutls/files/gnutls-2.12.23-CVE-2014-3467.patch
@@ -0,0 +1,45 @@
+From d4ff19de527cd3eb444c560639324cda35bc838e Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@zoho.com>
+Date: Sun, 1 Jun 2014
+Subject: CVE-2014-3467
+
+This is a backport adaptation for use with GnuTLS 2.12.23.
+
+Relevant upstream commit(s):
+-------------------------
+http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=ff3b5c68cc32e3
+http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=51612fca32dda4
+
+---
+ lib/minitasn1/decoding.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/lib/minitasn1/decoding.c
++++ b/lib/minitasn1/decoding.c
+@@ -149,7 +149,7 @@ asn1_get_tag_der (const unsigned char *d
+       /* Long form */
+       punt = 1;
+       ris = 0;
+-      while (punt <= der_len && der[punt] & 128)
++      while (punt < der_len && der[punt] & 128)
+ 	{
+ 	  last = ris;
+ 
+@@ -259,7 +259,7 @@ _asn1_get_time_der (const unsigned char
+   if (der_len <= 0 || str == NULL)
+     return ASN1_DER_ERROR;
+   str_len = asn1_get_length_der (der, der_len, &len_len);
+-  if (str_len < 0 || str_size < str_len)
++  if (str_len <= 0 || str_size < str_len)
+     return ASN1_DER_ERROR;
+   memcpy (str, der + len_len, str_len);
+   str[str_len] = 0;
+@@ -285,7 +285,7 @@ _asn1_get_objectid_der (const unsigned c
+     return ASN1_GENERIC_ERROR;
+   len = asn1_get_length_der (der, der_len, &len_len);
+ 
+-  if (len < 0 || len > der_len || len_len > der_len)
++  if (len <= 0 || len > der_len || len_len > der_len)
+     return ASN1_DER_ERROR;
+ 
+   val1 = der[len_len] / 40;
diff --git a/net-libs/gnutls/files/gnutls-2.12.23-CVE-2014-3468.patch b/net-libs/gnutls/files/gnutls-2.12.23-CVE-2014-3468.patch
new file mode 100644
index 000000000000..bd324094c293
--- /dev/null
+++ b/net-libs/gnutls/files/gnutls-2.12.23-CVE-2014-3468.patch
@@ -0,0 +1,45 @@
+From 24ed1d41707f873f3b7a22159e4bb3942f319fac Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@zoho.com>
+Date: Sun, 1 Jun 2014
+Subject: CVE-2014-3468
+
+This is a backport adaptation for use with GnuTLS 2.12.23.
+
+Relevant upstream commit(s):
+-------------------------
+http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=1c3ccb3e040bf1
+
+---
+ lib/minitasn1/decoding.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/lib/minitasn1/decoding.c
++++ b/lib/minitasn1/decoding.c
+@@ -226,7 +226,7 @@ asn1_get_octet_der (const unsigned char
+ 		    int *ret_len, unsigned char *str, int str_size,
+ 		    int *str_len)
+ {
+-  int len_len;
++  int len_len = 0;
+ 
+   if (der_len <= 0)
+     return ASN1_GENERIC_ERROR;
+@@ -347,7 +347,7 @@ asn1_get_bit_der (const unsigned char *d
+ 		  int *ret_len, unsigned char *str, int str_size,
+ 		  int *bit_len)
+ {
+-  int len_len, len_byte;
++  int len_len = 0, len_byte;
+ 
+   if (der_len <= 0)
+     return ASN1_GENERIC_ERROR;
+@@ -358,6 +358,9 @@ asn1_get_bit_der (const unsigned char *d
+   *ret_len = len_byte + len_len + 1;
+   *bit_len = len_byte * 8 - der[len_len];
+ 
++  if (*bit_len <= 0)
++    return ASN1_DER_ERROR;
++
+   if (str_size >= len_byte)
+     memcpy (str, der + len_len + 1, len_byte);
+   else
diff --git a/net-libs/gnutls/files/gnutls-2.12.23-CVE-2014-3469.patch b/net-libs/gnutls/files/gnutls-2.12.23-CVE-2014-3469.patch
new file mode 100644
index 000000000000..a99b433b3c92
--- /dev/null
+++ b/net-libs/gnutls/files/gnutls-2.12.23-CVE-2014-3469.patch
@@ -0,0 +1,122 @@
+From 7f5a6256231e278aa7d00b6851c22fb457537262 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@zoho.com>
+Date: Sun, 1 Jun 2014
+Subject: CVE-2014-3469
+
+This is a backport adaptation for use with GnuTLS 2.12.23.
+
+Relevant upstream commit(s):
+-------------------------
+http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=a8b3e14f84174e
+http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=3d6a02f19ff15a
+http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=53958290ab731c
+
+---
+ lib/minitasn1/decoding.c |   11 ++++++++---
+ lib/minitasn1/element.c  |   27 ++++++++++++++++++---------
+ 2 files changed, 26 insertions(+), 12 deletions(-)
+
+--- a/lib/minitasn1/decoding.c
++++ b/lib/minitasn1/decoding.c
+@@ -231,7 +231,6 @@ asn1_get_octet_der (const unsigned char
+   if (der_len <= 0)
+     return ASN1_GENERIC_ERROR;
+ 
+-  /* if(str==NULL) return ASN1_SUCCESS; */
+   *str_len = asn1_get_length_der (der, der_len, &len_len);
+ 
+   if (*str_len < 0)
+@@ -239,7 +238,10 @@ asn1_get_octet_der (const unsigned char
+ 
+   *ret_len = *str_len + len_len;
+   if (str_size >= *str_len)
+-    memcpy (str, der + len_len, *str_len);
++    {
++      if (*str_len > 0 && str != NULL)
++        memcpy (str, der + len_len, *str_len);
++    }
+   else
+     {
+       return ASN1_MEM_ERROR;
+@@ -362,7 +364,10 @@ asn1_get_bit_der (const unsigned char *d
+     return ASN1_DER_ERROR;
+ 
+   if (str_size >= len_byte)
+-    memcpy (str, der + len_len + 1, len_byte);
++    {
++      if (len_byte > 0 && str)
++        memcpy (str, der + len_len + 1, len_byte);
++    }
+   else
+     {
+       return ASN1_MEM_ERROR;
+--- a/lib/minitasn1/element.c
++++ b/lib/minitasn1/element.c
+@@ -112,8 +112,11 @@ _asn1_convert_integer (const unsigned ch
+     /* VALUE_OUT is too short to contain the value conversion */
+     return ASN1_MEM_ERROR;
+ 
+-  for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++)
+-    value_out[k2 - k] = val[k2];
++  if (value_out != NULL) 
++    {
++      for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++)
++        value_out[k2 - k] = val[k2];
++    }
+ 
+ #if 0
+   printf ("_asn1_convert_integer: valueIn=%s, lenOut=%d", value, *len);
+@@ -611,7 +614,8 @@ asn1_write_value (asn1_node node_root, c
+ 	if (ptr_size < data_size) { \
+ 		return ASN1_MEM_ERROR; \
+ 	} else { \
+-		memcpy( ptr, data, data_size); \
++		if (ptr && data_size > 0) \
++		  memcpy( ptr, data, data_size); \
+ 	}
+ 
+ #define PUT_STR_VALUE( ptr, ptr_size, data) \
+@@ -620,16 +624,19 @@ asn1_write_value (asn1_node node_root, c
+ 		return ASN1_MEM_ERROR; \
+ 	} else { \
+ 		/* this strcpy is checked */ \
+-		_asn1_strcpy(ptr, data); \
++		if (ptr) { \
++		  _asn1_strcpy(ptr, data); \
++		} \
+ 	}
+ 
+ #define ADD_STR_VALUE( ptr, ptr_size, data) \
+-	*len = (int) _asn1_strlen(data) + 1; \
+-	if (ptr_size < (int) _asn1_strlen(ptr)+(*len)) { \
++	*len += _asn1_strlen(data); \
++	if (ptr_size < (int) *len) { \
++		(*len)++; \
+ 		return ASN1_MEM_ERROR; \
+ 	} else { \
+ 		/* this strcat is checked */ \
+-		_asn1_strcat(ptr, data); \
++		if (ptr) _asn1_strcat (ptr, data); \
+ 	}
+ 
+ /**
+@@ -786,7 +793,9 @@ asn1_read_value (asn1_node root, const c
+     case TYPE_OBJECT_ID:
+       if (node->type & CONST_ASSIGN)
+ 	{
+-	  value[0] = 0;
++	  *len = 0;
++	  if (value)
++	  	value[0] = 0;
+ 	  p = node->down;
+ 	  while (p)
+ 	    {
+@@ -800,7 +809,7 @@ asn1_read_value (asn1_node root, const c
+ 		}
+ 	      p = p->right;
+ 	    }
+-	  *len = _asn1_strlen (value) + 1;
++	  (*len)++;
+ 	}
+       else if ((node->type & CONST_DEFAULT) && (node->value == NULL))
+ 	{
diff --git a/net-libs/gnutls/gnutls-2.12.23-r6.ebuild b/net-libs/gnutls/gnutls-2.12.23-r6.ebuild
new file mode 100644
index 000000000000..fed52aa5a14b
--- /dev/null
+++ b/net-libs/gnutls/gnutls-2.12.23-r6.ebuild
@@ -0,0 +1,122 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-libs/gnutls/gnutls-2.12.23-r6.ebuild,v 1.1 2014/06/07 18:18:46 alonbl Exp $
+
+EAPI=5
+
+inherit autotools libtool eutils versionator
+
+DESCRIPTION="A TLS 1.2 and SSL 3.0 implementation for the GNU project"
+HOMEPAGE="http://www.gnutls.org/"
+SRC_URI="ftp://ftp.gnutls.org/gcrypt/gnutls/v$(get_version_component_range 1-2)/${P}.tar.bz2"
+
+# LGPL-2.1 for libgnutls library and GPL-3 for libgnutls-extra library.
+LICENSE="GPL-3 LGPL-2.1"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-interix ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x86-solaris"
+IUSE="bindist +cxx doc examples guile lzo +nettle nls pkcs11 static-libs test zlib"
+
+RDEPEND=">=dev-libs/libtasn1-0.3.4
+	<dev-libs/libtasn1-3
+	guile? ( >=dev-scheme/guile-1.8[networking] )
+	nettle? ( >=dev-libs/nettle-2.1[gmp] )
+	!nettle? ( >=dev-libs/libgcrypt-1.4.0:0 )
+	nls? ( virtual/libintl )
+	pkcs11? ( >=app-crypt/p11-kit-0.11 )
+	zlib? ( >=sys-libs/zlib-1.2.3.1 )
+	!bindist? ( lzo? ( >=dev-libs/lzo-2 ) )"
+DEPEND="${RDEPEND}
+	virtual/pkgconfig
+	sys-devel/libtool
+	doc? ( dev-util/gtk-doc )
+	nls? ( sys-devel/gettext )
+	test? ( app-misc/datefudge )"
+
+DOCS=( AUTHORS ChangeLog NEWS README THANKS doc/TODO )
+
+pkg_setup() {
+	if use lzo && use bindist; then
+		ewarn "lzo support is disabled for binary distribution of GnuTLS due to licensing issues."
+	fi
+}
+
+src_prepare() {
+	# tests/suite directory is not distributed
+	sed -i -e 's|AC_CONFIG_FILES(\[tests/suite/Makefile\])|:|' \
+		configure.ac || die
+
+	sed -i -e 's/imagesdir = $(infodir)/imagesdir = $(htmldir)/' \
+		doc/Makefile.am || die
+
+	for dir in . lib libextra; do
+		sed -i -e '/^AM_INIT_AUTOMAKE/s/-Werror//' "${dir}/configure.ac" || die
+	done
+
+	epatch "${FILESDIR}"/${PN}-2.12.20-AF_UNIX.patch
+	epatch "${FILESDIR}"/${PN}-2.12.20-libadd.patch
+	epatch "${FILESDIR}"/${PN}-2.12.20-guile-parallelmake.patch
+	epatch "${FILESDIR}"/${P}-hppa.patch
+	epatch "${FILESDIR}"/${P}-gl-tests-getaddrinfo-skip-if-no-network.patch
+	epatch "${FILESDIR}"/${P}-gdoc-perl-5.18.patch
+	epatch "${FILESDIR}"/${P}-CVE-2013-2116.patch
+	epatch "${FILESDIR}"/${P}-CVE-2014-0092.patch
+	epatch "${FILESDIR}"/${P}-CVE-2014-1959.patch
+	epatch "${FILESDIR}"/${P}-CVE-2014-3466.patch
+	epatch "${FILESDIR}"/${P}-CVE-2014-3467.patch
+	epatch "${FILESDIR}"/${P}-CVE-2014-3468.patch
+	epatch "${FILESDIR}"/${P}-CVE-2014-3469.patch
+
+	# support user patches
+	epatch_user
+
+	eautoreconf
+
+	# Use sane .so versioning on FreeBSD.
+	elibtoolize
+}
+
+src_configure() {
+	local myconf
+	use bindist && myconf="--without-lzo" || myconf="$(use_with lzo)"
+	[[ "${VALGRIND_TESTS}" != "1" ]] && myconf+=" --disable-valgrind-tests"
+
+	econf \
+		--htmldir="${EPREFIX}"/usr/share/doc/${PF}/html \
+		$(use_enable cxx) \
+		$(use_enable doc gtk-doc) \
+		$(use_enable doc gtk-doc-pdf) \
+		$(use_enable guile) \
+		$(use_with !nettle libgcrypt) \
+		$(use_enable nls) \
+		$(use_with pkcs11 p11-kit) \
+		$(use_enable static-libs static) \
+		$(use_with zlib) \
+		${myconf}
+}
+
+src_test() {
+	if has_version dev-util/valgrind && [[ ${VALGRIND_TESTS} != 1 ]]; then
+		elog
+		elog "You can set VALGRIND_TESTS=\"1\" to enable Valgrind tests."
+		elog
+	fi
+
+	# parallel testing often fails
+	emake -j1 check
+}
+
+src_install() {
+	default
+
+	prune_libtool_files
+
+	if use doc; then
+		dodoc doc/gnutls.{pdf,ps}
+		dohtml doc/gnutls.html
+	fi
+
+	if use examples; then
+		docinto examples
+		dodoc doc/examples/*.c
+	fi
+}
author	Alon Bar-Lev <alonbl@gentoo.org>	2014-06-07 18:18:54 +0000
committer	Alon Bar-Lev <alonbl@gentoo.org>	2014-06-07 18:18:54 +0000
commit	b284211da58d37a7ccc7689b4800bfa459a7c3b3 (patch)
tree	3e484871d5ba8b58870f96e7c14cdaf5cea42bb1 /net-libs/gnutls
parent	Version bump. (diff)
download	historical-b284211da58d37a7ccc7689b4800bfa459a7c3b3.tar.gz historical-b284211da58d37a7ccc7689b4800bfa459a7c3b3.tar.bz2 historical-b284211da58d37a7ccc7689b4800bfa459a7c3b3.zip