[mingw-gnutls/f17] Update to 2.12.20.
mooninite
mooninite at fedoraproject.org
Fri Feb 8 02:40:37 UTC 2013
commit 9f14523a94aaa3f5578c3a0d7e110aac961ea247
Author: Michael Cronenworth <mike at cchtml.com>
Date: Thu Feb 7 20:40:19 2013 -0600
Update to 2.12.20.
.gitignore | 1 +
gnutls-2.12.14-leak.patch | 56 ----------
gnutls-2.12.20-build.patch | 24 ++++
gnutls-2.12.20-cli-debug-manpage.patch | 15 +++
gnutls-2.12.20-fips-algorithms.patch | 189 ++++++++++++++++++++++++++++++++
gnutls-CVE-2013-1619-patch1.patch | 163 +++++++++++++++++++++++++++
gnutls-CVE-2013-1619-patch2.patch | 98 ++++++++++++++++
mingw-gnutls.spec | 24 ++++-
sources | 2 +-
9 files changed, 512 insertions(+), 60 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 6fd753d..26fff5b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@ gnutls-2.6.4-nosrp.tar.bz2
/gnutls-2.12.12-nosrp.tar.bz2
/gnutls-2.12.14-nosrp.tar.bz2
/gnutls-2.12.17-nosrp.tar.xz
+/gnutls-2.12.20-nosrp.tar.xz
diff --git a/gnutls-2.12.20-build.patch b/gnutls-2.12.20-build.patch
new file mode 100644
index 0000000..6c20588
--- /dev/null
+++ b/gnutls-2.12.20-build.patch
@@ -0,0 +1,24 @@
+diff -up gnutls-2.12.20/gl/stdio.in.h.build gnutls-2.12.20/gl/stdio.in.h
+--- gnutls-2.12.20/gl/stdio.in.h.build 2012-03-01 16:47:48.000000000 +0100
++++ gnutls-2.12.20/gl/stdio.in.h 2012-06-18 16:50:51.307755234 +0200
+@@ -698,7 +698,7 @@ _GL_WARN_ON_USE (getline, "getline is un
+ # endif
+ #endif
+
+-#if @GNULIB_GETS@
++#if 0
+ # if @REPLACE_STDIO_READ_FUNCS@ && @GNULIB_STDIO_H_NONBLOCKING@
+ # if !(defined __cplusplus && defined GNULIB_NAMESPACE)
+ # undef gets
+diff -up gnutls-2.12.20/lib/gl/stdio.in.h.build gnutls-2.12.20/lib/gl/stdio.in.h
+--- gnutls-2.12.20/lib/gl/stdio.in.h.build 2012-03-01 16:53:13.000000000 +0100
++++ gnutls-2.12.20/lib/gl/stdio.in.h 2012-06-18 16:50:22.846115787 +0200
+@@ -698,7 +698,7 @@ _GL_WARN_ON_USE (getline, "getline is un
+ # endif
+ #endif
+
+-#if @GNULIB_GETS@
++#if 0
+ # if @REPLACE_STDIO_READ_FUNCS@ && @GNULIB_STDIO_H_NONBLOCKING@
+ # if !(defined __cplusplus && defined GNULIB_NAMESPACE)
+ # undef gets
diff --git a/gnutls-2.12.20-cli-debug-manpage.patch b/gnutls-2.12.20-cli-debug-manpage.patch
new file mode 100644
index 0000000..3e40365
--- /dev/null
+++ b/gnutls-2.12.20-cli-debug-manpage.patch
@@ -0,0 +1,15 @@
+diff -up gnutls-2.12.20/doc/manpages/gnutls-cli-debug.1.cli-debug gnutls-2.12.20/doc/manpages/gnutls-cli-debug.1
+--- gnutls-2.12.20/doc/manpages/gnutls-cli-debug.1.cli-debug 2011-04-08 02:30:44.000000000 +0200
++++ gnutls-2.12.20/doc/manpages/gnutls-cli-debug.1 2012-08-08 14:23:24.397745283 +0200
+@@ -17,8 +17,10 @@ Enable debugging.
+ The port to connect to.
+ .IP "\-h, \-\-help"
+ Prints a short reminder of the command line options.
+-.IP "\-v, \-\-verbose"
++.IP "\-V, \-\-verbose"
+ Even more verbose output.
++.IP "\-v, \-\-version"
++Prints the program's version number.
+ .SH "SEE ALSO"
+ .BR gnutls\-cli (1),
+ .BR gnutls\-serv (1)
diff --git a/gnutls-2.12.20-fips-algorithms.patch b/gnutls-2.12.20-fips-algorithms.patch
new file mode 100644
index 0000000..f714bd4
--- /dev/null
+++ b/gnutls-2.12.20-fips-algorithms.patch
@@ -0,0 +1,189 @@
+diff -up gnutls-2.12.20/lib/gcrypt/init.c.fips gnutls-2.12.20/lib/gcrypt/init.c
+--- gnutls-2.12.20/lib/gcrypt/init.c.fips 2012-01-06 20:06:23.000000000 +0100
++++ gnutls-2.12.20/lib/gcrypt/init.c 2012-11-01 11:00:34.954835974 +0100
+@@ -43,6 +43,8 @@ static struct gcry_thread_cbs gct = {
+ .recvmsg = NULL,
+ };
+
++int gnutls_gcrypt_fips;
++
+ int
+ gnutls_crypto_init (void)
+ {
+@@ -72,6 +74,8 @@ gnutls_crypto_init (void)
+ return GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY;
+ }
+
++ gnutls_gcrypt_fips = gcry_fips_mode_active();
++
+ /* for gcrypt in order to be able to allocate memory */
+ gcry_control (GCRYCTL_DISABLE_SECMEM, NULL, 0);
+
+diff -up gnutls-2.12.20/lib/gnutls_priority.c.fips gnutls-2.12.20/lib/gnutls_priority.c
+--- gnutls-2.12.20/lib/gnutls_priority.c.fips 2012-01-06 20:06:23.000000000 +0100
++++ gnutls-2.12.20/lib/gnutls_priority.c 2012-11-01 11:02:52.505807199 +0100
+@@ -30,6 +30,7 @@
+ #include "gnutls_algorithms.h"
+ #include "gnutls_errors.h"
+ #include <gnutls_num.h>
++#include <gcrypt.h>
+
+ static void
+ break_comma_list (char *etag,
+@@ -223,6 +224,13 @@ static const int protocol_priority[] = {
+ 0
+ };
+
++static const int protocol_priority_fips[] = {
++ GNUTLS_TLS1_2,
++ GNUTLS_TLS1_1,
++ GNUTLS_TLS1_0,
++ 0
++};
++
+ static const int kx_priority_performance[] = {
+ GNUTLS_KX_RSA,
+ GNUTLS_KX_DHE_RSA,
+@@ -269,6 +277,13 @@ static const int cipher_priority_perform
+ 0
+ };
+
++static const int cipher_priority_performance_fips[] = {
++ GNUTLS_CIPHER_AES_128_CBC,
++ GNUTLS_CIPHER_3DES_CBC,
++ GNUTLS_CIPHER_AES_256_CBC,
++ 0
++};
++
+ static const int cipher_priority_normal[] = {
+ GNUTLS_CIPHER_AES_128_CBC,
+ #ifdef ENABLE_CAMELLIA
+@@ -284,6 +299,13 @@ static const int cipher_priority_normal[
+ 0
+ };
+
++static const int cipher_priority_normal_fips[] = {
++ GNUTLS_CIPHER_AES_128_CBC,
++ GNUTLS_CIPHER_AES_256_CBC,
++ GNUTLS_CIPHER_3DES_CBC,
++ 0
++};
++
+ static const int cipher_priority_secure128[] = {
+ GNUTLS_CIPHER_AES_128_CBC,
+ #ifdef ENABLE_CAMELLIA
+@@ -295,6 +317,11 @@ static const int cipher_priority_secure1
+ 0
+ };
+
++static const int cipher_priority_secure128_fips[] = {
++ GNUTLS_CIPHER_AES_128_CBC,
++ GNUTLS_CIPHER_3DES_CBC,
++ 0
++};
+
+ static const int cipher_priority_secure256[] = {
+ GNUTLS_CIPHER_AES_256_CBC,
+@@ -311,6 +338,13 @@ static const int cipher_priority_secure2
+ 0
+ };
+
++static const int cipher_priority_secure256_fips[] = {
++ GNUTLS_CIPHER_AES_256_CBC,
++ GNUTLS_CIPHER_AES_128_CBC,
++ GNUTLS_CIPHER_3DES_CBC,
++ 0
++};
++
+ /* The same as cipher_priority_security_normal + arcfour-40. */
+ static const int cipher_priority_export[] = {
+ GNUTLS_CIPHER_AES_128_CBC,
+@@ -362,6 +396,12 @@ static const int mac_priority_normal[] =
+ 0
+ };
+
++static const int mac_priority_normal_fips[] = {
++ GNUTLS_MAC_SHA1,
++ GNUTLS_MAC_SHA256,
++ 0
++};
++
+
+ static const int mac_priority_secure[] = {
+ GNUTLS_MAC_SHA256,
+@@ -462,6 +502,8 @@ gnutls_priority_set (gnutls_session_t se
+
+ #define MAX_ELEMENTS 48
+
++extern int gnutls_gcrypt_fips;
++
+ /**
+ * gnutls_priority_init:
+ * @priority_cache: is a #gnutls_prioritity_t structure.
+@@ -561,7 +603,7 @@ gnutls_priority_init (gnutls_priority_t
+ */
+ if (strcasecmp (broken_list[0], "NONE") != 0)
+ {
+- _set_priority (&(*priority_cache)->protocol, protocol_priority);
++ _set_priority (&(*priority_cache)->protocol, gnutls_gcrypt_fips?protocol_priority_fips:protocol_priority);
+ _set_priority (&(*priority_cache)->compression, comp_priority);
+ _set_priority (&(*priority_cache)->cert_type, cert_type_priority_default);
+ _set_priority (&(*priority_cache)->sign_algo, sign_priority_default);
+@@ -577,17 +619,17 @@ gnutls_priority_init (gnutls_priority_t
+ if (strcasecmp (broken_list[i], "PERFORMANCE") == 0)
+ {
+ _set_priority (&(*priority_cache)->cipher,
+- cipher_priority_performance);
++ gnutls_gcrypt_fips?cipher_priority_performance_fips:cipher_priority_performance);
+ _set_priority (&(*priority_cache)->kx, kx_priority_performance);
+- _set_priority (&(*priority_cache)->mac, mac_priority_normal);
++ _set_priority (&(*priority_cache)->mac, gnutls_gcrypt_fips?mac_priority_normal_fips:mac_priority_normal);
+ _set_priority (&(*priority_cache)->sign_algo,
+ sign_priority_default);
+ }
+ else if (strcasecmp (broken_list[i], "NORMAL") == 0)
+ {
+- _set_priority (&(*priority_cache)->cipher, cipher_priority_normal);
++ _set_priority (&(*priority_cache)->cipher, gnutls_gcrypt_fips?cipher_priority_normal_fips:cipher_priority_normal);
+ _set_priority (&(*priority_cache)->kx, kx_priority_secure);
+- _set_priority (&(*priority_cache)->mac, mac_priority_normal);
++ _set_priority (&(*priority_cache)->mac, gnutls_gcrypt_fips?mac_priority_normal_fips:mac_priority_normal);
+ _set_priority (&(*priority_cache)->sign_algo,
+ sign_priority_default);
+ }
+@@ -595,7 +637,7 @@ gnutls_priority_init (gnutls_priority_t
+ || strcasecmp (broken_list[i], "SECURE") == 0)
+ {
+ _set_priority (&(*priority_cache)->cipher,
+- cipher_priority_secure256);
++ gnutls_gcrypt_fips?cipher_priority_secure256_fips:cipher_priority_secure256);
+ _set_priority (&(*priority_cache)->kx, kx_priority_secure);
+ _set_priority (&(*priority_cache)->mac, mac_priority_secure);
+ _set_priority (&(*priority_cache)->sign_algo,
+@@ -604,7 +646,7 @@ gnutls_priority_init (gnutls_priority_t
+ else if (strcasecmp (broken_list[i], "SECURE128") == 0)
+ {
+ _set_priority (&(*priority_cache)->cipher,
+- cipher_priority_secure128);
++ gnutls_gcrypt_fips?cipher_priority_secure128_fips:cipher_priority_secure128);
+ _set_priority (&(*priority_cache)->kx, kx_priority_secure);
+ _set_priority (&(*priority_cache)->mac, mac_priority_secure);
+ _set_priority (&(*priority_cache)->sign_algo,
+@@ -646,7 +688,7 @@ gnutls_priority_init (gnutls_priority_t
+ if (strncasecmp (&broken_list[i][1], "VERS-TLS-ALL", 12) == 0)
+ {
+ bulk_fn (&(*priority_cache)->protocol,
+- protocol_priority);
++ gnutls_gcrypt_fips?protocol_priority_fips:protocol_priority);
+ }
+ else
+ {
+@@ -718,7 +760,7 @@ gnutls_priority_init (gnutls_priority_t
+ else if (strncasecmp (&broken_list[i][1], "CIPHER-ALL", 7) == 0)
+ {
+ bulk_fn (&(*priority_cache)->cipher,
+- cipher_priority_normal);
++ gnutls_gcrypt_fips?cipher_priority_normal_fips:cipher_priority_normal);
+ }
+ else
+ goto error;
diff --git a/gnutls-CVE-2013-1619-patch1.patch b/gnutls-CVE-2013-1619-patch1.patch
new file mode 100644
index 0000000..7e0c827
--- /dev/null
+++ b/gnutls-CVE-2013-1619-patch1.patch
@@ -0,0 +1,163 @@
+From 458c67cf98740e7b12404f6c30e0d5317d56fd30 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at gnutls.org>
+Date: Mon, 4 Feb 2013 03:08:04 +0100
+Subject: [PATCH] Fixes to avoid a timing attack in TLS CBC record parsing.
+
+---
+ lib/gnutls_cipher.c | 76 ++++++++++++++++++++++++++++++------------------
+ lib/gnutls_hash_int.h | 21 +++++++++++++
+ 2 files changed, 68 insertions(+), 29 deletions(-)
+
+diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
+index 9a5d128..7ac815d 100644
+--- a/lib/gnutls_cipher.c
++++ b/lib/gnutls_cipher.c
+@@ -1,6 +1,6 @@
+ /*
+- * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2008, 2009, 2010
+- * Free Software Foundation, Inc.
++ * Copyright (C) 2000-2013 Free Software Foundation, Inc.
++ * Copyright (C) 2013 Nikos Mavrogiannopoulos
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+@@ -448,6 +448,36 @@ _gnutls_compressed2ciphertext (gnutls_session_t session,
+ return length;
+ }
+
++static void dummy_wait(record_parameters_st * params, gnutls_datum_t* plaintext,
++ unsigned pad_failed, unsigned int pad, unsigned total)
++{
++ /* this hack is only needed on CBC ciphers */
++ if (_gnutls_cipher_is_block (params->cipher_algorithm) == CIPHER_BLOCK)
++ {
++ unsigned len;
++
++ /* force an additional hash compression function evaluation to prevent timing
++ * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad.
++ */
++ if (pad_failed == 0 && pad > 0)
++ {
++ len = _gnutls_get_hash_block_len(params->mac_algorithm);
++ if (len > 0)
++ {
++ /* This is really specific to the current hash functions.
++ * It should be removed once a protocol fix is in place.
++ */
++ if ((pad+total) % len > len-9 && total % len <= len-9)
++ {
++ if (len < plaintext->size)
++ _gnutls_auth_cipher_add_auth (¶ms->read.cipher_state, plaintext->data, len);
++ else
++ _gnutls_auth_cipher_add_auth (¶ms->read.cipher_state, plaintext->data, plaintext->size);
++ }
++ }
++ }
++ }
++}
+
+ /* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size.
+ * Returns the actual compressed packet size.
+@@ -518,23 +548,11 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
+ gnutls_assert ();
+ return GNUTLS_E_DECRYPTION_FAILED;
+ }
+- pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */
+-
+- if ((int) pad > (int) ciphertext.size - hash_size)
+- {
+- gnutls_assert ();
+- _gnutls_record_log
+- ("REC[%p]: Short record length %d > %d - %d (under attack?)\n",
+- session, pad, ciphertext.size, hash_size);
+- /* We do not fail here. We check below for the
+- * the pad_failed. If zero means success.
+- */
+- pad_failed = GNUTLS_E_DECRYPTION_FAILED;
+- }
+-
+- length = ciphertext.size - hash_size - pad;
++ pad = ciphertext.data[ciphertext.size - 1]; /* pad */
+
+ /* Check the pading bytes (TLS 1.x)
++ * Note that we access all 256 bytes of ciphertext for padding check
++ * because there is a timing channel in that memory access (in certain CPUs).
+ */
+ if (_gnutls_version_has_variable_padding (ver) && pad_failed == 0)
+ for (i = 2; i < pad; i++)
+@@ -543,6 +561,11 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
+ ciphertext.data[ciphertext.size - 1])
+ pad_failed = GNUTLS_E_DECRYPTION_FAILED;
+ }
++
++ if (pad_failed)
++ pad = 0;
++ length = ciphertext.size - hash_size - pad;
++
+ break;
+ default:
+ gnutls_assert ();
+@@ -581,24 +604,19 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
+ mac_deinit (&td, MAC, ver);
+ }
+
+- /* This one was introduced to avoid a timing attack against the TLS
+- * 1.0 protocol.
+- */
+- if (pad_failed != 0)
+- {
+- gnutls_assert ();
+- return pad_failed;
+- }
+-
+ /* HMAC was not the same.
+ */
+- if (memcmp (MAC, &ciphertext.data[length], hash_size) != 0)
++ if (memcmp (MAC, &ciphertext.data[length], hash_size) != 0 || pad_failed != 0)
+ {
++ gnutls_datum_t compressed = {compress_data, compress_size};
++ /* HMAC was not the same. */
++ dummy_wait(params, &compressed, pad_failed, pad, length+preamble_size);
++
+ gnutls_assert ();
+ return GNUTLS_E_DECRYPTION_FAILED;
+ }
+
+- /* copy the decrypted stuff to compress_data.
++ /* copy the decrypted stuff to compressed_data.
+ */
+ if (compress_size < length)
+ {
+diff --git a/lib/gnutls_hash_int.h b/lib/gnutls_hash_int.h
+index ca6bba0..f4ebd03 100644
+--- a/lib/gnutls_hash_int.h
++++ b/lib/gnutls_hash_int.h
+@@ -97,4 +97,25 @@ void _gnutls_mac_deinit_ssl3_handshake (digest_hd_st * handle, void *digest,
+
+ int _gnutls_hash_copy (digest_hd_st * dst_handle, digest_hd_st * src_handle);
+
++/* We shouldn't need to know that, but a work-around in decoding
++ * TLS record padding requires that.
++ */
++inline static size_t
++_gnutls_get_hash_block_len (gnutls_digest_algorithm_t algo)
++{
++ switch (algo)
++ {
++ case GNUTLS_DIG_MD5:
++ case GNUTLS_DIG_SHA1:
++ case GNUTLS_DIG_RMD160:
++ case GNUTLS_DIG_SHA256:
++ case GNUTLS_DIG_SHA384:
++ case GNUTLS_DIG_SHA512:
++ case GNUTLS_DIG_SHA224:
++ return 64;
++ default:
++ return 0;
++ }
++}
++
+ #endif /* GNUTLS_HASH_INT_H */
+--
+1.7.1
+
diff --git a/gnutls-CVE-2013-1619-patch2.patch b/gnutls-CVE-2013-1619-patch2.patch
new file mode 100644
index 0000000..1cf8daa
--- /dev/null
+++ b/gnutls-CVE-2013-1619-patch2.patch
@@ -0,0 +1,98 @@
+From 93b7fcfa3297a9123630704668b2946f602b910e Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at gnutls.org>
+Date: Mon, 4 Feb 2013 09:39:42 +0100
+Subject: [PATCH] corrected fix
+
+---
+ lib/gnutls_cipher.c | 29 ++++++++++++++++++++---------
+ 1 files changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
+index 7ac815d..2835121 100644
+--- a/lib/gnutls_cipher.c
++++ b/lib/gnutls_cipher.c
+@@ -449,12 +449,22 @@ _gnutls_compressed2ciphertext (gnutls_session_t session,
+ }
+
+ static void dummy_wait(record_parameters_st * params, gnutls_datum_t* plaintext,
+- unsigned pad_failed, unsigned int pad, unsigned total)
++ unsigned pad_failed, unsigned int pad, unsigned total, int ver)
+ {
+ /* this hack is only needed on CBC ciphers */
+ if (_gnutls_cipher_is_block (params->cipher_algorithm) == CIPHER_BLOCK)
+ {
++ uint8_t MAC[MAX_HASH_SIZE];
+ unsigned len;
++ digest_hd_st td;
++ int ret;
++
++ ret = mac_init (&td, params->mac_algorithm,
++ params->read.mac_secret.data,
++ params->read.mac_secret.size, ver);
++
++ if (ret < 0)
++ return;
+
+ /* force an additional hash compression function evaluation to prevent timing
+ * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad.
+@@ -470,12 +480,14 @@ static void dummy_wait(record_parameters_st * params, gnutls_datum_t* plaintext,
+ if ((pad+total) % len > len-9 && total % len <= len-9)
+ {
+ if (len < plaintext->size)
+- _gnutls_auth_cipher_add_auth (¶ms->read.cipher_state, plaintext->data, len);
++ mac_hash (&td, plaintext->data, len, ver);
+ else
+- _gnutls_auth_cipher_add_auth (¶ms->read.cipher_state, plaintext->data, plaintext->size);
++ mac_hash (&td, plaintext->data, plaintext->size, ver);
+ }
+ }
+ }
++
++ mac_deinit (&td, MAC, ver);
+ }
+ }
+
+@@ -491,12 +503,12 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
+ {
+ uint8_t MAC[MAX_HASH_SIZE];
+ uint16_t c_length;
+- uint8_t pad;
++ unsigned int pad = 0;
+ int length;
+ uint16_t blocksize;
+ int ret, i, pad_failed = 0;
+ opaque preamble[PREAMBLE_SIZE];
+- int preamble_size;
++ int preamble_size = 0;
+ int ver = gnutls_protocol_get_version (session);
+ int hash_size = _gnutls_hash_get_algo_len (params->mac_algorithm);
+
+@@ -558,14 +570,13 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
+ if (_gnutls_version_has_variable_padding (ver) && pad_failed == 0)
+ for (i = 2; i < pad; i++)
+ {
+- if (ciphertext.data[ciphertext.size - i] !=
+- ciphertext.data[ciphertext.size - 1])
++ if (ciphertext.data[ciphertext.size - i] != pad)
+ pad_failed = GNUTLS_E_DECRYPTION_FAILED;
+ }
+
+ if (pad_failed)
+ pad = 0;
+- length = ciphertext.size - hash_size - pad;
++ length = ciphertext.size - hash_size - pad - 1;
+
+ break;
+ default:
+@@ -610,7 +621,7 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
+ {
+ gnutls_datum_t compressed = {compress_data, compress_size};
+ /* HMAC was not the same. */
+- dummy_wait(params, &compressed, pad_failed, pad, length+preamble_size);
++ dummy_wait(params, &compressed, pad_failed, pad, length+preamble_size, ver);
+
+ gnutls_assert ();
+ return GNUTLS_E_DECRYPTION_FAILED;
+--
+1.7.1
+
diff --git a/mingw-gnutls.spec b/mingw-gnutls.spec
index dddcc68..cfa0b65 100644
--- a/mingw-gnutls.spec
+++ b/mingw-gnutls.spec
@@ -4,7 +4,7 @@
%global mingw_build_win64 1
Name: mingw-gnutls
-Version: 2.12.17
+Version: 2.12.20
Release: 1%{?dist}
Summary: MinGW GnuTLS TLS/SSL encryption library
@@ -24,7 +24,16 @@ Patch2: gnutls-2.8.6-link-libgcrypt.patch
Patch3: gnutls-2.12.2-nosrp.patch
# Skip tests that are expected to fail on libgcrypt build
Patch4: gnutls-2.12.7-dsa-skiptests.patch
-Patch5: gnutls-2.12.14-leak.patch
+# Make it build with recent glibc that removed gets
+Patch5: gnutls-2.12.20-build.patch
+# Fix the gnutls-cli-debug manpage
+Patch6: gnutls-2.12.20-cli-debug-manpage.patch
+# Use only FIPS approved ciphers in the FIPS mode
+Patch7: gnutls-2.12.20-fips-algorithms.patch
+
+# CVE patches
+Patch900: gnutls-CVE-2013-1619-patch1.patch
+Patch901: gnutls-CVE-2013-1619-patch2.patch
# MinGW-specific patches.
Patch1001: gnutls-mingw-compile-fix.patch
@@ -100,7 +109,12 @@ for MinGW.
%patch2 -p1 -b .link
%patch3 -p1 -b .nosrp
%patch4 -p1 -b .dsa-skiptests
-%patch5 -p1 -b .leak
+%patch5 -p1 -b .build
+%patch6 -p1 -b .cli-debug
+%patch7 -p1 -b .fips
+
+%patch900 -p1 -b .cve-2013-1619-1
+%patch901 -p1 -b .cve-2013-1619-2
%patch1001 -p0 -b .mingw_compile
@@ -189,6 +203,10 @@ rm -rf $RPM_BUILD_ROOT%{mingw64_mandir}
%changelog
+* Thu Feb 07 2013 Michael Cronenworth <mike at cchtml.com> - 2.12.20-1
+- Update to 2.12.20
+- Apply patches for CVE-2013-1619
+
* Thu Mar 29 2012 Michael Cronenworth <mike at cchtml.com> - 2.12.17-1
- New upstream version.
- Use system libtasn1.
diff --git a/sources b/sources
index a663029..bca8ce5 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-c4815ceca3e799fc16cbef3f743d3fed gnutls-2.12.17-nosrp.tar.xz
+5051728a2cf76d2335a9854f521db98b gnutls-2.12.20-nosrp.tar.xz
More information about the scm-commits
mailing list