diff options
| author | Karl Hiramoto <karl@hiramoto.org> | 2014-03-05 11:25:24 +0000 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-03-05 15:50:22 +0000 |
| commit | f75c7fbf65d247f7e6065bf67553314a3812ae0d (patch) | |
| tree | 93cfa3cd62c61e11f838a74bae4a7657ddf913b3 /meta/recipes-support/gnutls/gnutls | |
| parent | 4988a8cda5e617579ac858232dd6749a11f6f28b (diff) | |
| download | poky-f75c7fbf65d247f7e6065bf67553314a3812ae0d.tar.gz | |
gnutls: Fixed bug that prevented the rejection of v1 intermediate CA certificates.
This patch is for the OE-Core master branch - it comes from upstream:
>From 467478d8ff08a3cb4be3034ff04c9d08a0ceba3e
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Wed, 12 Feb 2014 16:41:33 +0100
For more info see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1959
http://www.gnutls.org/security.html#GNUTLS-SA-2014-1
https://www.gitorious.org/gnutls/gnutls/commit/467478d8ff08a3cb4be3034ff04c9d08a0ceba3e
(From OE-Core rev: ea623966b9c48a640cac5c5a5415decca2329249)
Signed-off-by: Karl Hiramoto <karl@hiramoto.org>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-support/gnutls/gnutls')
| -rw-r--r-- | meta/recipes-support/gnutls/gnutls/CVE-2014-1959-rejection-of-v1-intermediate-cert.patch | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2014-1959-rejection-of-v1-intermediate-cert.patch b/meta/recipes-support/gnutls/gnutls/CVE-2014-1959-rejection-of-v1-intermediate-cert.patch new file mode 100644 index 0000000000..6567257a83 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2014-1959-rejection-of-v1-intermediate-cert.patch | |||
| @@ -0,0 +1,33 @@ | |||
| 1 | From 467478d8ff08a3cb4be3034ff04c9d08a0ceba3e Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Nikos Mavrogiannopoulos <nmav@redhat.com> | ||
| 3 | Date: Wed, 12 Feb 2014 16:41:33 +0100 | ||
| 4 | Subject: [PATCH 1/5] Fixed bug that prevented the rejection of v1 intermediate | ||
| 5 | CA certificates. | ||
| 6 | |||
| 7 | Upstream-Status: Backport | ||
| 8 | |||
| 9 | Signed-off-by: Karl Hiramoto <karl@hiramoto.org> | ||
| 10 | |||
| 11 | --- | ||
| 12 | lib/x509/verify.c | 5 ++++- | ||
| 13 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
| 14 | |||
| 15 | diff --git a/lib/x509/verify.c b/lib/x509/verify.c | ||
| 16 | index 2efcebf..c9a6b0d 100644 | ||
| 17 | --- a/lib/x509/verify.c | ||
| 18 | +++ b/lib/x509/verify.c | ||
| 19 | @@ -645,7 +645,10 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list, | ||
| 20 | * certificates can exist in a supplied chain. | ||
| 21 | */ | ||
| 22 | if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) | ||
| 23 | - flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); | ||
| 24 | + { | ||
| 25 | + flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); | ||
| 26 | + flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT; | ||
| 27 | + } | ||
| 28 | if ((ret = | ||
| 29 | _gnutls_verify_certificate2 (certificate_list[i - 1], | ||
| 30 | &certificate_list[i], 1, flags, | ||
| 31 | -- | ||
| 32 | 1.8.3.2 | ||
| 33 | |||