[gnutls/f20] Fixed certificate verification issue CVE-2014-1959 (#1065239)
Nikos Mavrogiannopoulos
nmav at fedoraproject.org
Fri Feb 14 07:48:03 UTC 2014
commit 04f2e8d7a13431d17b187678db0665b170aea0e3
Author: Nikos Mavrogiannopoulos <nmav at redhat.com>
Date: Fri Feb 14 08:46:37 2014 +0100
Fixed certificate verification issue CVE-2014-1959 (#1065239)
gnutls-3.1.20-v1-fix.patch | 16 ++++++++++++++++
gnutls.spec | 7 ++++++-
2 files changed, 22 insertions(+), 1 deletions(-)
---
diff --git a/gnutls-3.1.20-v1-fix.patch b/gnutls-3.1.20-v1-fix.patch
new file mode 100644
index 0000000..5964af5
--- /dev/null
+++ b/gnutls-3.1.20-v1-fix.patch
@@ -0,0 +1,16 @@
+diff --git a/lib/x509/verify.c b/lib/x509/verify.c
+index cb8289e..86a901e 100644
+--- a/lib/x509/verify.c
++++ b/lib/x509/verify.c
+@@ -674,7 +674,10 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
+ * certificates can exist in a supplied chain.
+ */
+ if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
+- flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
++ {
++ flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
++ flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
++ }
+ if ((ret =
+ _gnutls_verify_certificate2 (certificate_list[i - 1],
+ &certificate_list[i], 1, flags,
diff --git a/gnutls.spec b/gnutls.spec
index 2ad945e..c22d75b 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -3,7 +3,7 @@
Summary: A TLS protocol implementation
Name: gnutls
Version: 3.1.20
-Release: 1%{?dist}
+Release: 2%{?dist}
# The libraries are LGPLv2.1+, utilities are GPLv3+, however
# the bundled gnulib is LGPLv3+
License: GPLv3+ and LGPLv2+ and LGPLv3+
@@ -37,6 +37,7 @@ Patch8: gnutls-3.1.11-nosrp.patch
# Use random port in some tests to avoid conflicts during simultaneous builds on the same machine
Patch9: gnutls-3.1.10-tests-rndport.patch
Patch10: gnutls-3.1.18-suiteb.patch
+Patch11: gnutls-3.1.20-v1-fix.patch
# Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
Provides: bundled(gnulib) = 20130424
@@ -146,6 +147,7 @@ This package contains Guile bindings for the library.
%patch8 -p1 -b .nosrp
%patch9 -p1 -b .rndport
%patch10 -p1 -b .suiteb
+%patch11 -p1 -b .v1-fix
%{SOURCE2} -e
@@ -279,6 +281,9 @@ fi
%endif
%changelog
+* Thu Feb 13 2014 Nikos Mavrogiannopoulos <nmav at redhat.com> 3.1.20-2
+- Fix CVE-2014-1959 (#1065239)
+
* Mon Feb 03 2014 Nikos Mavrogiannopoulos <nmav at redhat.com> 3.1.20-1
- new upstream release
- Fixed issue with gnutls.info not being available