1 files changed, 33 insertions, 0 deletions
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2014-1959-rejection-of-v1-intermediate-cert.patch b/meta/recipes-support/gnutls/gnutls/CVE-2014-1959-rejection-of-v1-intermediate-cert.patch
new file mode 100644
index 0000000000..6567257a83
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2014-1959-rejection-of-v1-intermediate-cert.patch
@@ -0,0 +1,33 @@
+From 467478d8ff08a3cb4be3034ff04c9d08a0ceba3e Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Wed, 12 Feb 2014 16:41:33 +0100
+Subject: [PATCH 1/5] Fixed bug that prevented the rejection of v1 intermediate
+ CA certificates.
+Upstream-Status: Backport
+Signed-off-by: Karl Hiramoto <karl@hiramoto.org>
+---
+ lib/x509/verify.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/lib/x509/verify.c b/lib/x509/verify.c
+index 2efcebf..c9a6b0d 100644
+--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
+@@ -645,7 +645,10 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
+        * certificates can exist in a supplied chain.
+        */
+       if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
+-        flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
+        {
+          flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
+          flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
+        }
+       if ((ret =
+            _gnutls_verify_certificate2 (certificate_list[i - 1],
+                                         &certificate_list[i], 1, flags,
+-- 
+1.8.3.2

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2014-1959-rejection-of-v1-intermediate-cert.patch b/meta/recipes-support/gnutls/gnutls/CVE-2014-1959-rejection-of-v1-intermediate-cert.patch new file mode 100644 index 0000000000..6567257a83 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2014-1959-rejection-of-v1-intermediate-cert.patch
@@ -0,0 +1,33 @@
	1	From 467478d8ff08a3cb4be3034ff04c9d08a0ceba3e Mon Sep 17 00:00:00 2001
	2	From: Nikos Mavrogiannopoulos <nmav@redhat.com>
	3	Date: Wed, 12 Feb 2014 16:41:33 +0100
	4	Subject: [PATCH 1/5] Fixed bug that prevented the rejection of v1 intermediate
	5	CA certificates.
	6
	7	Upstream-Status: Backport
	8
	9	Signed-off-by: Karl Hiramoto <karl@hiramoto.org>
	10
	11	---
	12	lib/x509/verify.c \| 5 ++++-
	13	1 file changed, 4 insertions(+), 1 deletion(-)
	14
	15	diff --git a/lib/x509/verify.c b/lib/x509/verify.c
	16	index 2efcebf..c9a6b0d 100644
	17	--- a/lib/x509/verify.c
	18	+++ b/lib/x509/verify.c
	19	@@ -645,7 +645,10 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
	20	* certificates can exist in a supplied chain.
	21	*/
	22	if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
	23	- flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
	24	+ {
	25	+ flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
	26	+ flags \|= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
	27	+ }
	28	if ((ret =
	29	_gnutls_verify_certificate2 (certificate_list[i - 1],
	30	&certificate_list[i], 1, flags,
	31	--
	32	1.8.3.2
	33