[arch-commits] Commit in gnutls/trunk (GNUTLS-SA-2008-1.patch PKGBUILD)
Jan de Groot
jgc at archlinux.org
Sun Aug 3 15:53:03 UTC 2008
Date: Sunday, August 3, 2008 @ 11:53:03
Author: jgc
Revision: 7632
upgpkg: gnutls 2.4.1-1
Modified:
gnutls/trunk/PKGBUILD
Deleted:
gnutls/trunk/GNUTLS-SA-2008-1.patch
------------------------+
GNUTLS-SA-2008-1.patch | 153 -----------------------------------------------
PKGBUILD | 17 ++---
2 files changed, 8 insertions(+), 162 deletions(-)
Deleted: GNUTLS-SA-2008-1.patch
===================================================================
--- GNUTLS-SA-2008-1.patch 2008-08-03 15:52:39 UTC (rev 7631)
+++ GNUTLS-SA-2008-1.patch 2008-08-03 15:53:03 UTC (rev 7632)
@@ -1,153 +0,0 @@
-From: Simon Josefsson <simon at josefsson.org>
-Date: Mon, 19 May 2008 08:34:08 +0000 (+0200)
-Subject: Fix GNUTLS-SA-2008-1 security vulnerabilities.
-X-Git-Tag: gnutls_2_2_4~4
-X-Git-Url: http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff_plain;h=a05a837a1c2225931c282ed9ba38d557ee8ad8b2
-
-Fix GNUTLS-SA-2008-1 security vulnerabilities.
-See http://www.gnu.org/software/gnutls/security.html for updates.
----
-
-diff --git a/lib/ext_server_name.c b/lib/ext_server_name.c
-index 4e76515..bfcee9d 100644
---- a/lib/ext_server_name.c
-+++ b/lib/ext_server_name.c
-@@ -74,10 +74,27 @@ _gnutls_server_name_recv_params (gnutls_session_t session,
- len = _gnutls_read_uint16 (p);
- p += 2;
-
-- DECR_LENGTH_RET (data_size, len, 0);
-- server_names++;
-+ if (len > 0)
-+ {
-+ DECR_LENGTH_RET (data_size, len, 0);
-+ server_names++;
-+ p += len;
-+ }
-+ else
-+ _gnutls_handshake_log
-+ ("HSK[%x]: Received zero size server name (under attack?)\n",
-+ session);
-
-- p += len;
-+ }
-+
-+ /* we cannot accept more server names.
-+ */
-+ if (server_names > MAX_SERVER_NAME_EXTENSIONS)
-+ {
-+ _gnutls_handshake_log
-+ ("HSK[%x]: Too many server names received (under attack?)\n",
-+ session);
-+ server_names = MAX_SERVER_NAME_EXTENSIONS;
- }
-
- session->security_parameters.extensions.server_names_size =
-@@ -85,10 +102,6 @@ _gnutls_server_name_recv_params (gnutls_session_t session,
- if (server_names == 0)
- return 0; /* no names found */
-
-- /* we cannot accept more server names.
-- */
-- if (server_names > MAX_SERVER_NAME_EXTENSIONS)
-- server_names = MAX_SERVER_NAME_EXTENSIONS;
-
- p = data + 2;
- for (i = 0; i < server_names; i++)
-diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
-index e930c1d..f071710 100644
---- a/lib/gnutls_cipher.c
-+++ b/lib/gnutls_cipher.c
-@@ -453,6 +453,14 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
- return GNUTLS_E_INTERNAL_ERROR;
- }
-
-+ if (ciphertext.size < (unsigned) blocksize + hash_size)
-+ {
-+ _gnutls_record_log
-+ ("REC[%x]: Short record length %d < %d + %d (under attack?)\n",
-+ session, ciphertext.size, blocksize, hash_size);
-+ gnutls_assert ();
-+ return GNUTLS_E_DECRYPTION_FAILED;
-+ }
-
- /* actual decryption (inplace)
- */
-@@ -504,9 +512,7 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
-
- pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */
-
-- length = ciphertext.size - hash_size - pad;
--
-- if (pad > ciphertext.size - hash_size)
-+ if ((int)pad > (int)ciphertext.size - hash_size)
- {
- gnutls_assert ();
- /* We do not fail here. We check below for the
-@@ -515,6 +521,8 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
- pad_failed = GNUTLS_E_DECRYPTION_FAILED;
- }
-
-+ length = ciphertext.size - hash_size - pad;
-+
- /* Check the pading bytes (TLS 1.x)
- */
- if (ver >= GNUTLS_TLS1 && pad_failed == 0)
-diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
-index 2737edf..cec3283 100644
---- a/lib/gnutls_handshake.c
-+++ b/lib/gnutls_handshake.c
-@@ -1001,6 +1001,14 @@ _gnutls_recv_handshake_header (gnutls_session_t session,
-
- *recv_type = session->internals.handshake_header_buffer.recv_type;
-
-+ if (*recv_type != type)
-+ {
-+ gnutls_assert ();
-+ _gnutls_handshake_log
-+ ("HSK[%x]: Handshake type mismatch (under attack?)\n", session);
-+ return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
-+ }
-+
- return session->internals.handshake_header_buffer.packet_length;
- }
-
-From: Simon Josefsson <simon at josefsson.org>
-Date: Mon, 19 May 2008 19:44:43 +0000 (+0200)
-Subject: Fix broken debug check for GNUTLS-SA-2008-1.
-X-Git-Tag: gnutls_2_2_5~4
-X-Git-Url: http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff_plain;h=d1417aadd49dcb549b7ad503e6bb315a8cbc280a
-
-Fix broken debug check for GNUTLS-SA-2008-1.
----
-
-diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
-index f071710..e16ad1f 100644
---- a/lib/gnutls_cipher.c
-+++ b/lib/gnutls_cipher.c
-@@ -453,15 +453,6 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
- return GNUTLS_E_INTERNAL_ERROR;
- }
-
-- if (ciphertext.size < (unsigned) blocksize + hash_size)
-- {
-- _gnutls_record_log
-- ("REC[%x]: Short record length %d < %d + %d (under attack?)\n",
-- session, ciphertext.size, blocksize, hash_size);
-- gnutls_assert ();
-- return GNUTLS_E_DECRYPTION_FAILED;
-- }
--
- /* actual decryption (inplace)
- */
- switch (_gnutls_cipher_is_block
-@@ -515,6 +506,9 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
- if ((int)pad > (int)ciphertext.size - hash_size)
- {
- gnutls_assert ();
-+ _gnutls_record_log
-+ ("REC[%x]: Short record length %d > %d - %d (under attack?)\n",
-+ session, pad, ciphertext.size, hash_size);
- /* We do not fail here. We check below for the
- * the pad_failed. If zero means success.
- */
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2008-08-03 15:52:39 UTC (rev 7631)
+++ PKGBUILD 2008-08-03 15:53:03 UTC (rev 7632)
@@ -1,23 +1,22 @@
# $Id$
# Maintainer: Jan de Groot <jgc at archlinux.org>
+# Notice:
+# When building a new major version, build, install, build again.
+#
pkgname=gnutls
-pkgver=2.0.4
-pkgrel=2
+pkgver=2.4.1
+pkgrel=1
pkgdesc="A library which provides a secure layer over a reliable transport layer"
arch=(i686 x86_64)
-license=('GPL' 'LGPL')
+license=('GPL3' 'LGPL')
url="http://www.gnu.org/software/gnutls/"
options=('libtool')
-depends=('gcc-libs' 'opencdk>=0.6.6' 'libtasn1>=1.1' 'lzo2' 'readline')
-source=(ftp://ftp.gnutls.org/pub/gnutls/${pkgname}-${pkgver}.tar.bz2
- GNUTLS-SA-2008-1.patch)
-md5sums=('0d3c959ff2b3b71f840038c3441ba1f9'
- '7b2dea9266c30f670e60730f776f5f68')
+depends=('gcc-libs' 'libtasn1>=1.4' 'readline' 'zlib' 'libgcrypt>=1.4')
+source=(ftp://ftp.gnutls.org/pub/gnutls/${pkgname}-${pkgver}.tar.bz2)
build() {
cd ${startdir}/src/${pkgname}-${pkgver}
- patch -Np1 -i ${startdir}/src/GNUTLS-SA-2008-1.patch || return 1
./configure --prefix=/usr --with-zlib --disable-guile || return 1
make || return 1
make DESTDIR=${startdir}/pkg install || return 1
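Review bot: The rewritten `source=` line no longer has a matching `md5sums=` array — the old two-entry `md5sums=(...)` is removed along with the patch and nothing replaces it, so makepkg now fetches the 2.4.1 tarball over plain FTP with no integrity check at all. A checksum line for the new tarball should be added next to `source=`, e.g. `md5sums=('<md5 of gnutls-2.4.1.tar.bz2>')`, computed from a copy that was first verified against the upstream signature rather than from whatever the mirror happened to serve. Dropping GNUTLS-SA-2008-1.patch looks consistent with the upgrade, since the deleted patch's own headers tag the fix at gnutls_2_2_4, which is below 2.4.1, though that is worth confirming against the upstream release notes rather than assumed. The `build()` function continues past the visible end of the hunk.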