[mingw32-gnutls/f15] Use system libtasn1, apply security patches from native package
mooninite
mooninite at fedoraproject.org
Thu Mar 29 22:18:07 UTC 2012
commit 1132ef105ff24cf9779ab421eac900bf02ad7394
Author: Michael Cronenworth <mike at cchtml.com>
Date: Thu Mar 29 17:17:39 2012 -0500
Use system libtasn1, apply security patches from native package
gnutls-2.10.4-rpath.patch | 102 ++++++++++++++++++++++++++++++++++++++
gnutls-2.8.5-cve-2011-4128.patch | 19 +++++++
gnutls-2.8.5-cve-2012-1573.patch | 23 +++++++++
mingw32-gnutls.spec | 21 ++++++--
4 files changed, 159 insertions(+), 6 deletions(-)
---
diff --git a/gnutls-2.10.4-rpath.patch b/gnutls-2.10.4-rpath.patch
new file mode 100644
index 0000000..beaa957
--- /dev/null
+++ b/gnutls-2.10.4-rpath.patch
@@ -0,0 +1,102 @@
+diff -up gnutls-2.10.4/build-aux/config.rpath gnutls-2.10.4/build-aux/config
+diff -up gnutls-2.10.4/configure.rpath gnutls-2.10.4/configure
+--- gnutls-2.10.4/configure.rpath 2010-12-06 14:53:28.000000000 +0100
++++ gnutls-2.10.4/configure 2010-12-08 21:29:22.000000000 +0100
+@@ -15112,7 +15112,7 @@ shlibpath_var=
+ shlibpath_overrides_runpath=unknown
+ version_type=none
+ dynamic_linker="$host_os ld.so"
+-sys_lib_dlsearch_path_spec="/lib /usr/lib"
++sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64"
+ need_lib_prefix=unknown
+ hardcode_into_libs=no
+
+@@ -15510,7 +15510,7 @@ fi
+ # Append ld.so.conf contents to the search path
+ if test -f /etc/ld.so.conf; then
+ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
+- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
++ sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64 $lt_ld_extra"
+ fi
+
+ # We used to test for /lib/ld.so.1 and disable shared libraries on
+@@ -18777,7 +18777,7 @@ shlibpath_var=
+ shlibpath_overrides_runpath=unknown
+ version_type=none
+ dynamic_linker="$host_os ld.so"
+-sys_lib_dlsearch_path_spec="/lib /usr/lib"
++sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64"
+ need_lib_prefix=unknown
+ hardcode_into_libs=no
+
+@@ -19173,7 +19173,7 @@ fi
+ # Append ld.so.conf contents to the search path
+ if test -f /etc/ld.so.conf; then
+ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
+- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
++ sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64 $lt_ld_extra"
+ fi
+
+ # We used to test for /lib/ld.so.1 and disable shared libraries on
+diff -up gnutls-2.10.4/lib/build-aux/config.rpath gnutls-2.10.4/lib/build-aux/config
+diff -up gnutls-2.10.4/lib/configure.rpath gnutls-2.10.4/lib/configure
+--- gnutls-2.10.4/lib/configure.rpath 2010-12-06 14:53:11.000000000 +0100
++++ gnutls-2.10.4/lib/configure 2010-12-08 21:30:09.000000000 +0100
+@@ -10839,7 +10839,7 @@ shlibpath_var=
+ shlibpath_overrides_runpath=unknown
+ version_type=none
+ dynamic_linker="$host_os ld.so"
+-sys_lib_dlsearch_path_spec="/lib /usr/lib"
++sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64"
+ need_lib_prefix=unknown
+ hardcode_into_libs=no
+
+@@ -11237,7 +11237,7 @@ fi
+ # Append ld.so.conf contents to the search path
+ if test -f /etc/ld.so.conf; then
+ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
+- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
++ sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64 $lt_ld_extra"
+ fi
+
+ # We used to test for /lib/ld.so.1 and disable shared libraries on
+@@ -25790,7 +25790,7 @@ shlibpath_var=
+ shlibpath_overrides_runpath=unknown
+ version_type=none
+ dynamic_linker="$host_os ld.so"
+-sys_lib_dlsearch_path_spec="/lib /usr/lib"
++sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64"
+ need_lib_prefix=unknown
+ hardcode_into_libs=no
+
+@@ -26186,7 +26186,7 @@ fi
+ # Append ld.so.conf contents to the search path
+ if test -f /etc/ld.so.conf; then
+ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
+- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
++ sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64 $lt_ld_extra"
+ fi
+
+ # We used to test for /lib/ld.so.1 and disable shared libraries on
+diff -up gnutls-2.10.4/libextra/build-aux/config.rpath gnutls-2.10.4/libextra/build-aux/config
+diff -up gnutls-2.10.4/libextra/configure.rpath gnutls-2.10.4/libextra/configure
+--- gnutls-2.10.4/libextra/configure.rpath 2010-12-06 14:53:20.000000000 +0100
++++ gnutls-2.10.4/libextra/configure 2010-12-08 21:30:27.000000000 +0100
+@@ -10013,7 +10013,7 @@ shlibpath_var=
+ shlibpath_overrides_runpath=unknown
+ version_type=none
+ dynamic_linker="$host_os ld.so"
+-sys_lib_dlsearch_path_spec="/lib /usr/lib"
++sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64"
+ need_lib_prefix=unknown
+ hardcode_into_libs=no
+
+@@ -10411,7 +10411,7 @@ fi
+ # Append ld.so.conf contents to the search path
+ if test -f /etc/ld.so.conf; then
+ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
+- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
++ sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64 $lt_ld_extra"
+ fi
+
+ # We used to test for /lib/ld.so.1 and disable shared libraries on
diff --git a/gnutls-2.8.5-cve-2011-4128.patch b/gnutls-2.8.5-cve-2011-4128.patch
new file mode 100644
index 0000000..10f6b9e
--- /dev/null
+++ b/gnutls-2.8.5-cve-2011-4128.patch
@@ -0,0 +1,19 @@
+diff -up gnutls-2.8.5/lib/gnutls_session.c.data-size gnutls-2.8.5/lib/gnutls_session.c
+--- gnutls-2.8.5/lib/gnutls_session.c.data-size 2009-06-02 20:59:32.000000000 +0200
++++ gnutls-2.8.5/lib/gnutls_session.c 2012-03-21 16:17:49.499603724 +0100
+@@ -64,13 +64,14 @@ gnutls_session_get_data (gnutls_session_
+ gnutls_assert ();
+ return ret;
+ }
+- *session_data_size = psession.size;
+
+ if (psession.size > *session_data_size)
+ {
++ *session_data_size = psession.size;
+ ret = GNUTLS_E_SHORT_MEMORY_BUFFER;
+ goto error;
+ }
++ *session_data_size = psession.size;
+
+ if (session_data != NULL)
+ memcpy (session_data, psession.data, psession.size);
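Review bot: The reordering in `gnutls_session_get_data` is only correct because `*session_data_size` is read as the caller's buffer capacity before it is overwritten, and nothing in the patched code says so. A comment above the comparison, such as `/* *session_data_size is in/out: capacity on entry, required or written size on return */`, would keep a later cleanup from hoisting the assignment back above the check. The function starts and ends outside the hunk, so whether `session_data_size` itself is checked for NULL is not visible here.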
diff --git a/gnutls-2.8.5-cve-2012-1573.patch b/gnutls-2.8.5-cve-2012-1573.patch
new file mode 100644
index 0000000..c956f09
--- /dev/null
+++ b/gnutls-2.8.5-cve-2012-1573.patch
@@ -0,0 +1,23 @@
+diff -up gnutls-2.8.5/lib/gnutls_cipher.c.packet gnutls-2.8.5/lib/gnutls_cipher.c
+--- gnutls-2.8.5/lib/gnutls_cipher.c.packet 2009-11-02 11:30:39.000000000 +0100
++++ gnutls-2.8.5/lib/gnutls_cipher.c 2012-03-21 15:48:27.101189738 +0100
+@@ -501,14 +501,13 @@ _gnutls_ciphertext2compressed (gnutls_se
+ {
+ ciphertext.size -= blocksize;
+ ciphertext.data += blocksize;
+-
+- if (ciphertext.size == 0)
+- {
+- gnutls_assert ();
+- return GNUTLS_E_DECRYPTION_FAILED;
+- }
+ }
+
++ if (ciphertext.size < hash_size)
++ {
++ gnutls_assert ();
++ return GNUTLS_E_DECRYPTION_FAILED;
++ }
+ pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */
+
+ if ((int) pad > (int) ciphertext.size - hash_size)
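Review bot: The new guard `if (ciphertext.size < hash_size)` protects the read of `ciphertext.data[ciphertext.size - 1]` on the next line only when `hash_size` is non-zero. The removed `ciphertext.size == 0` test covered the empty case explicitly, and a record left empty after the IV is stripped would pass the new test if `hash_size` could ever be 0 on this path. Keeping both conditions costs nothing: `if (ciphertext.size == 0 || ciphertext.size < hash_size)`. The declarations of `hash_size` and `ciphertext.size` are outside the hunk, so it is also worth confirming that the comparison is not affected by mixed signedness. `_gnutls_ciphertext2compressed` begins and continues outside the hunk.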
diff --git a/mingw32-gnutls.spec b/mingw32-gnutls.spec
index b0d9a33..7c8976f 100644
--- a/mingw32-gnutls.spec
+++ b/mingw32-gnutls.spec
@@ -7,7 +7,7 @@
Name: mingw32-gnutls
Version: 2.10.5
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: MinGW GnuTLS TLS/SSL encryption library
License: GPLv3+ and LGPLv2+
@@ -21,11 +21,14 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
-Patch2: gnutls-2.8.6-link-libgcrypt.patch
+Patch1: gnutls-2.10.4-rpath.patch
+Patch2: gnutls-2.8.6-link-libgcrypt.patch
# Remove nonexisting references from texinfo file
-Patch3: gnutls-2.10.1-nosrp.patch
+Patch3: gnutls-2.10.1-nosrp.patch
# Backport from upstream git
-Patch4: gnutls-2.10.1-handshake-errors.patch
+Patch4: gnutls-2.10.1-handshake-errors.patch
+Patch6: gnutls-2.8.5-cve-2012-1573.patch
+Patch7: gnutls-2.8.5-cve-2011-4128.patch
BuildRequires: mingw32-filesystem >= 40
BuildRequires: mingw32-gcc
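Review bot: `Patch6` and `Patch7` are declared without the provenance comment that `Patch3` and `Patch4` carry, and their file names say 2.8.5 while the package `Version` is 2.10.5. A line above them such as `# Security fixes carried from the native gnutls package: CVE-2012-1573, CVE-2011-4128` would tell a later rebase which patches must stay until the packaged upstream release contains the fixes. The numbering also skips `Patch5`; if that is deliberate, to mirror the native spec, the same comment is the place to say so.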
@@ -34,6 +37,7 @@ BuildRequires: mingw32-binutils
BuildRequires: mingw32-dlfcn
BuildRequires: mingw32-libgpg-error
BuildRequires: mingw32-libgcrypt >= 1.2.2
+BuildRequires: mingw32-libtasn1
BuildRequires: mingw32-gettext
BuildRequires: mingw32-iconv
BuildRequires: mingw32-readline
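Review bot: `BuildRequires: mingw32-libtasn1` is unversioned, while the commit also drops `--with-included-libtasn1` from the configure call. From this release on, the ASN.1 parsing behind certificate handling therefore comes from whatever `mingw32-libtasn1` the buildroot provides. Neighbouring entries pin a floor (`mingw32-libgcrypt >= 1.2.2`, `mingw32-filesystem >= 40`), and the same is worth doing here with the first build that has the security fixes the native libtasn1 package carries, e.g. `BuildRequires: mingw32-libtasn1 >= <first-fixed-version>` (placeholder; the version is not on this page). Otherwise a rebuild against an older libtasn1 succeeds silently.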
@@ -62,10 +66,12 @@ for MinGW.
%prep
%setup -q -n gnutls-%{version}
-
+%patch1 -p1 -b .rpath
%patch2 -p1 -b .link
%patch3 -p1 -b .nosrp
%patch4 -p1 -b .errors
+%patch6 -p1 -b .packet
+%patch7 -p1 -b .data-size
for i in auth_srp_rsa.c auth_srp_sb64.c auth_srp_passwd.c auth_srp.c gnutls_srp.c ext_srp.c; do
touch lib/$i
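Review bot: `%patch1` edits the generated scripts `configure`, `lib/configure` and `libextra/configure`, and the header of the following hunk suggests that `autoreconf` still runs later in `%prep`. If that run regenerates those scripts, the `sys_lib_dlsearch_path_spec` change is silently lost, although the build log shows the patch as applied. Either apply the rpath patch after `autoreconf`, or add a comment above `%patch1` saying why it is expected to survive. It is also worth confirming that this native-package patch, which adds `/lib64 /usr/lib64`, has any effect in a MinGW cross build. The `for` loop at the end of this hunk continues outside it.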
@@ -81,7 +87,6 @@ autoreconf
%build
PATH="%{_mingw32_bindir}:$PATH" \
%{_mingw32_configure} \
- --with-included-libtasn1 \
--disable-srp-authentication \
--disable-static
# %{?_smp_mflags} doesn't build correctly.
@@ -135,6 +140,10 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Thu Mar 29 2012 Michael Cronenworth <mike at cchtml.com> - 2.10.5-2
+- Use system libtasn1
+- Apply security patches from native package
+
* Thu Apr 28 2011 Kalev Lember <kalev at smartlink.ee> - 2.10.5-1
- Update to 2.10.5