Diffstat (limited to 'meta/recipes-support/gnutls')
9 files changed, 331 insertions, 0 deletions
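--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls.inc
@@ -0,0 +1,49 @@
+SUMMARY = "GNU Transport Layer Security Library"
+HOMEPAGE = "http://www.gnu.org/software/gnutls/"
+BUGTRACKER = "https://savannah.gnu.org/support/?group=gnutls"
+DEPENDS = "zlib nettle"
+
+LICENSE = "GPLv3+ & LGPLv2.1+"
+LICENSE_${PN} = "LGPLv2.1+"
+LICENSE_${PN}-xx = "LGPLv2.1+"
+LICENSE_${PN}-bin = "GPLv3+"
+LICENSE_${PN}-openssl = "GPLv3+"
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \
+file://COPYING.LESSER;md5=a6f89e2100d9b6cdffcea4f398e37343"
+
+
+SHRT_VER = "${@d.getVar('PV',1).split('.')[0]}.${@d.getVar('PV',1).split('.')[1]}"
+
+SRC_URI = "ftp://ftp.gnutls.org/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz"
+
+inherit autotools-brokensep texinfo binconfig pkgconfig gettext lib_package
+
+EXTRA_OECONF="--disable-rpath \
+--with-included-libtasn1 \
+--enable-local-libopts \
+--with-libpthread-prefix=${STAGING_DIR_HOST}${prefix} \
+--with-libz-prefix=${STAGING_DIR_HOST}${prefix} \
+--disable-guile \
+--disable-crywrap \
+--without-p11-kit \
+"
+
+do_configure_prepend() {
+for dir in . lib; do
+rm -f ${dir}/aclocal.m4 ${dir}/m4/libtool.m4 ${dir}/m4/lt*.m4
+done
+}
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[tpm] = "--with-tpm, --without-tpm, trousers"
+
+PACKAGES =+ "${PN}-openssl ${PN}-xx"
+
+FILES_${PN}-dev += "${bindir}/gnutls-cli-debug"
+FILES_${PN}-openssl = "${libdir}/libgnutls-openssl.so.*"
+FILES_${PN}-xx = "${libdir}/libgnutlsxx.so.*"
+
+LDFLAGS_append_libc-uclibc += " -pthread"
+
+BBCLASSEXTEND = "native nativesdk"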
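Review bot: `--with-included-libtasn1` in EXTRA_OECONF, together with `DEPENDS = "zlib nettle"`, means gnutls is built against the ASN.1 copy shipped inside its own tarball, so the libtasn1-CVE-2015-3622.patch that this commit adds to libtasn1_4.0.bb does not reach the code gnutls actually links. Whether the bundled copy contains the affected `_asn1_extract_der_octet` path is not visible here and needs checking. If it does, either build against the patched recipe (`DEPENDS = "zlib nettle libtasn1"` and drop the `--with-included-libtasn1` line) or carry the same fix against the bundled sources.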
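--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch
@@ -0,0 +1,65 @@
+From 053ae65403216acdb0a4e78b25ad66ee9f444f02 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Sat, 28 Mar 2015 22:41:03 +0100
+Subject: [PATCH] Better fix for the double free in dist point parsing
+
+Fixes CVE-2015-3308
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+lib/x509/x509_ext.c | 10 ++++++----
+1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
+index 2e69ed0..f974b02 100644
+--- a/lib/x509/x509_ext.c
++++ b/lib/x509/x509_ext.c
+@@ -2287,7 +2287,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+int len, ret;
+uint8_t reasons[2];
+unsigned i, type, rflags, j;
+- gnutls_datum_t san;
++ gnutls_datum_t san = {NULL, 0};
+
+result = asn1_create_element
+(_gnutls_get_pkix(), "PKIX1.CRLDistributionPoints", &c2);
+@@ -2310,9 +2310,6 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+
+i = 0;
+do {
+- san.data = NULL;
+- san.size = 0;
+-
+snprintf(name, sizeof(name), "?%u.reasons", (unsigned)i + 1);
+
+len = sizeof(reasons);
+@@ -2337,6 +2334,9 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+
+j = 0;
+do {
++ san.data = NULL;
++ san.size = 0;
++
+ret =
+_gnutls_parse_general_name2(c2, name, j, &san,
+&type, 0);
+@@ -2351,6 +2351,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+ret = crl_dist_points_set(cdp, type, &san, rflags);
+if (ret < 0)
+break;
++ san.data = NULL; /* it is now in cdp */
+
+j++;
+} while (ret >= 0);
+@@ -2360,6 +2361,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+
+if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+gnutls_assert();
++ gnutls_free(san.data);
+goto cleanup;
+}
+
+--
+1.9.1
+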
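Review bot: The `gnutls_free(san.data);` re-added on the error path is only safe while `san.data` is either NULL or a buffer this function still owns, and the hunks establish that only for the success path (`san.data = NULL; /* it is now in cdp */`). After a failing `_gnutls_parse_general_name2()` or `crl_dist_points_set()` the state of `san.data` depends on those callees, whose bodies are outside the patch; it is worth confirming that neither frees nor stores the buffer before returning an error. A comment at the free, e.g. `/* san.data is NULL unless the buffer was never handed to cdp */`, would record the invariant. The function body starts and ends outside the hunks shown.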
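--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/correct_rpl_gettimeofday_signature.patch
@@ -0,0 +1,67 @@
+From ae3370788ed3447bba16969d9eb1bf1b9631e1b7 Mon Sep 17 00:00:00 2001
+From: Valentin Popa <valentin.popa@intel.com>
+Date: Fri, 25 Apr 2014 13:58:55 +0300
+Subject: [PATCH] Correct rpl_gettimeofday signature
+
+Currently we fail on uclibc like below
+
+| In file included from /home/kraj/work/angstrom/sources/openembedded-core/build/tmp-uclibc/sysroots/qemuarm/usr/include/sys/procfs.h:32:0,
+| from /home/kraj/work/angstrom/sources/openembedded-core/build/tmp-uclibc/sysroots/qemuarm/usr/include/sys/ucontext.h:26,
+| from /home/kraj/work/angstrom/sources/openembedded-core/build/tmp-uclibc/sysroots/qemuarm/usr/include/signal.h:392,
+| from ../../gl/signal.h:52,
+| from ../../gl/sys/select.h:58,
+| from /home/kraj/work/angstrom/sources/openembedded-core/build/tmp-uclibc/sysroots/qemuarm/usr/include/sys/types.h:220,
+| from ../../gl/sys/types.h:28,
+| from ../../lib/includes/gnutls/gnutls.h:46,
+| from ex-cxx.cpp:3:
+| ../../gl/sys/time.h:396:66: error: conflicting declaration 'void* restrict'
+| ../../gl/sys/time.h:396:50: error: 'restrict' has a previous declaration as 'timeval* restrict'
+| make[4]: *** [ex-cxx.o] Error 1
+| make[4]: *** Waiting for unfinished jobs....
+
+GCC detects that we call 'restrict' as param name in function
+signatures and complains since both params are called 'restrict'
+therefore we use __restrict to denote the C99 keywork
+
+This only happens of uclibc since this code is not excercised with
+eglibc otherwise we will have same issue there too
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+Upstream-Status: Pending
+---
+gl/sys_time.in.h | 8 ++++----
+1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/gl/sys_time.in.h b/gl/sys_time.in.h
+index 84a17c9..6ceadc3 100644
+--- a/gl/sys_time.in.h
++++ b/gl/sys_time.in.h
+@@ -93,20 +93,20 @@ struct timeval
+# define gettimeofday rpl_gettimeofday
+# endif
+_GL_FUNCDECL_RPL (gettimeofday, int,
+- (struct timeval *restrict, void *restrict)
++ (struct timeval *__restrict, void *__restrict)
+_GL_ARG_NONNULL ((1)));
+_GL_CXXALIAS_RPL (gettimeofday, int,
+- (struct timeval *restrict, void *restrict));
++ (struct timeval *__restrict, void *__restrict));
+# else
+# if !@HAVE_GETTIMEOFDAY@
+_GL_FUNCDECL_SYS (gettimeofday, int,
+- (struct timeval *restrict, void *restrict)
++ (struct timeval *__restrict, void *__restrict)
+_GL_ARG_NONNULL ((1)));
+# endif
+/* Need to cast, because on glibc systems, by default, the second argument is
+struct timezone *. */
+_GL_CXXALIAS_SYS_CAST (gettimeofday, int,
+- (struct timeval *restrict, void *restrict));
++ (struct timeval *__restrict, void *__restrict));
+# endif
+_GL_CXXALIASWARN (gettimeofday);
+#elif defined GNULIB_POSIXCHECK
+--
+1.9.1
+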
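--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch
@@ -0,0 +1,33 @@
+From d6972be33264ecc49a86cd0958209cd7363af1e9 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Mon, 23 Mar 2015 22:55:29 +0100
+Subject: [PATCH] eliminated double-free in the parsing of dist points
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reported by Robert Święcki.
+
+Fixes CVE-2015-3308
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+lib/x509/x509_ext.c | 1 -
+1 file changed, 1 deletion(-)
+
+diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
+index c8d5867..6f09438 100644
+--- a/lib/x509/x509_ext.c
++++ b/lib/x509/x509_ext.c
+@@ -2360,7 +2360,6 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+
+if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+gnutls_assert();
+- gnutls_free(san.data);
+goto cleanup;
+}
+
+--
+1.9.1
+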
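--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls_3.3.5.bb
@@ -0,0 +1,9 @@
+require gnutls.inc
+
+SRC_URI += "file://correct_rpl_gettimeofday_signature.patch \
+file://eliminated-double-free-CVE-2015-3308.patch \
+file://better-fix-for-double-free-CVE-2015-3308.patch \
+"
+
+SRC_URI[md5sum] = "1f396dcf3c14ea67de7243821006d1a2"
+SRC_URI[sha256sum] = "48f34ae032692c498e782e9f1369506572be40ecf7f3f3604b0b00bad1b10477"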
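Review bot: The two CVE-2015-3308 entries in `SRC_URI` are order-dependent and nothing in the recipe says so: eliminated-double-free-CVE-2015-3308.patch removes `gnutls_free(san.data);`, and better-fix-for-double-free-CVE-2015-3308.patch expects that line to be gone before it adds it back alongside the `san.data = NULL` reset. Applied alone, the first patch appears to trade the double free for a leak on that error path (inferred from the hunk; the rest of the function is not shown). A comment above the entries such as `# CVE-2015-3308: apply both, in this order` would keep a later reorder or partial revert from reintroducing the bug.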
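--- /dev/null
+++ b/meta/recipes-support/gnutls/libtasn1/dont-depend-on-help2man.patch
@@ -0,0 +1,14 @@
+Upstream-Status: Inappropriate
+
+Signed-off-by: Marko Lindqvist <cazfi74@gmail.com>
+diff -Nurd libtasn1-2.14/doc/Makefile.am libtasn1-2.14/doc/Makefile.am
+--- libtasn1-2.14/doc/Makefile.am 2012-09-24 15:08:42.000000000 +0300
++++ libtasn1-2.14/doc/Makefile.am 2013-01-03 07:35:26.702763403 +0200
+@@ -31,7 +31,7 @@
+AM_MAKEINFOHTMLFLAGS = $(AM_MAKEINFOFLAGS) \
+--no-split --number-sections --css-include=texinfo.css
+
+-dist_man_MANS = $(gdoc_MANS) asn1Parser.1 asn1Coding.1 asn1Decoding.1
++dist_man_MANS = $(gdoc_MANS)
+
+HELP2MAN_OPTS = --info-page libtasn1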
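--- /dev/null
+++ b/meta/recipes-support/gnutls/libtasn1/libtasn1-CVE-2015-3622.patch
@@ -0,0 +1,44 @@
+From f979435823a02f842c41d49cd41cc81f25b5d677 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Mon, 20 Apr 2015 14:56:27 +0200
+Subject: [PATCH] _asn1_extract_der_octet: prevent past of boundary access
+
+Fixes CVE-2015-3622.
+Upstream-Status: Backport
+
+Reported by Hanno Böck.
+---
+lib/decoding.c | 3 ++-
+1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/lib/decoding.c b/lib/decoding.c
+index 7fbd931..42ddc6b 100644
+--- a/lib/decoding.c
++++ b/lib/decoding.c
+@@ -732,6 +732,7 @@ _asn1_extract_der_octet (asn1_node node, const unsigned char *der,
+return ASN1_DER_ERROR;
+
+counter = len3 + 1;
++ DECR_LEN(der_len, len3);
+
+if (len2 == -1)
+counter_end = der_len - 2;
+@@ -740,6 +741,7 @@ _asn1_extract_der_octet (asn1_node node, const unsigned char *der,
+
+while (counter < counter_end)
+{
++ DECR_LEN(der_len, 1);
+len2 = asn1_get_length_der (der + counter, der_len, &len3);
+
+if (IS_ERR(len2, flags))
+@@ -764,7 +766,6 @@ _asn1_extract_der_octet (asn1_node node, const unsigned char *der,
+len2 = 0;
+}
+
+- DECR_LEN(der_len, 1);
+counter += len2 + len3 + 1;
+}
+
+--
+1.7.2.5
+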
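Review bot: The header of this backport has `Upstream-Status: Backport` but no `Signed-off-by:` line for the person who brought it into the layer, unlike the two gnutls CVE-2015-3308 patches in the same commit; adding one keeps the provenance of a security fix traceable. On the code itself, the bounds fix rests entirely on `DECR_LEN`, which is defined outside the hunks. The patch is effective only if that macro leaves the function with an error when `der_len` would go negative, which should be confirmed against the 4.0 sources the recipe fetches. `_asn1_extract_der_octet` starts and ends outside the hunks shown.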
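--- /dev/null
+++ b/meta/recipes-support/gnutls/libtasn1/libtasn1_fix_for_automake_1.12.patch
@@ -0,0 +1,28 @@
+Upstream-Status: Pending
+
+This patch avoids following issues with automake 1.12:
+
+| automake: warnings are treated as errors
+| /srv/home/nitin/builds/build-gcc47/tmp/sysroots/x86_64-linux/usr/share/automake-1.12/am/ltlibrary.am: warning: 'libtasn1.la': linking libtool libraries using a non-POSIX
+| /srv/home/nitin/builds/build-gcc47/tmp/sysroots/x86_64-linux/usr/share/automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
+
+Signed-Off-By: Nitin A Kamble <nitin.a.kamble@intel.com>
+2012/05/02
+
+
+Index: libtasn1-2.11/configure.ac
+===================================================================
+--- libtasn1-2.11.orig/configure.ac
++++ libtasn1-2.11/configure.ac
+@@ -38,6 +38,11 @@ lgl_EARLY
+AC_PROG_YACC
+AC_PROG_LN_S
+
++# automake 1.12 seems to require this, but automake 1.11 doesn't recognize it
++m4_pattern_allow([AM_PROG_AR])
++AM_PROG_AR
++
++
+dnl Checks for programs.
+AC_PROG_INSTALL
+AM_MISSING_PROG(HELP2MAN, help2man, $missing_dir)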
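--- /dev/null
+++ b/meta/recipes-support/gnutls/libtasn1_4.0.bb
@@ -0,0 +1,22 @@
+SUMMARY = "Library for ASN.1 and DER manipulation"
+HOMEPAGE = "http://www.gnu.org/software/libtasn1/"
+
+LICENSE = "GPLv3+ & LGPLv2.1+"
+LICENSE_${PN}-bin = "GPLv3+"
+LICENSE_${PN} = "LGPLv2.1+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \
+file://COPYING.LIB;md5=4fbd65380cdd255951079008b364516c \
+file://README;endline=8;md5=c3803a3e8ca5ab5eb1e5912faa405351"
+
+SRC_URI = "${GNU_MIRROR}/libtasn1/libtasn1-${PV}.tar.gz \
+file://libtasn1_fix_for_automake_1.12.patch \
+file://dont-depend-on-help2man.patch \
+file://libtasn1-CVE-2015-3622.patch \
+"
+
+SRC_URI[md5sum] = "d3d2d9bce3b6668b9827a9df52635be1"
+SRC_URI[sha256sum] = "41d044f7644bdd1c4f8a5c15ac1885ca1fcbf32f5f6dd4760a19278b979857fe"
+
+inherit autotools texinfo binconfig lib_package
+
+BBCLASSEXTEND = "native"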