Index: trunk/server/common/patches/gnutls-2.12.x-cve-2014-0092.patch =================================================================== --- trunk/server/common/patches/gnutls-2.12.x-cve-2014-0092.patch (revision 2507) +++ trunk/server/common/patches/gnutls-2.12.x-cve-2014-0092.patch (revision 2507) @@ -0,0 +1,93 @@ +diff --git a/lib/x509/verify.c b/lib/x509/verify.c +index 2efcebf..e9c704d 100644 +--- a/lib/x509/verify.c ++++ b/lib/x509/verify.c +@@ -141,7 +141,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer, + if (result < 0) + { + gnutls_assert (); +- goto cleanup; ++ goto fail; + } + + result = +@@ -150,7 +150,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer, + if (result < 0) + { + gnutls_assert (); +- goto cleanup; ++ goto fail; + } + + result = +@@ -158,7 +158,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer, + if (result < 0) + { + gnutls_assert (); +- goto cleanup; ++ goto fail; + } + + result = +@@ -166,7 +166,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer, + if (result < 0) + { + gnutls_assert (); +- goto cleanup; ++ goto fail; + } + + /* If the subject certificate is the same as the issuer +@@ -206,6 +206,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer, + else + gnutls_assert (); + ++fail: + result = 0; + + cleanup: +@@ -330,7 +331,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert, + gnutls_datum_t cert_signed_data = { NULL, 0 }; + gnutls_datum_t cert_signature = { NULL, 0 }; + gnutls_x509_crt_t issuer = NULL; +- int issuer_version, result; ++ int issuer_version, result = 0; + + if (output) + *output = 0; +@@ -363,7 +364,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert, + if (issuer_version < 0) + { + gnutls_assert (); +- return issuer_version; ++ return 0; + } + + if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) && +@@ -385,6 +386,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert, + if (result < 0) + { + gnutls_assert (); ++ result = 0; + goto cleanup; + } + +@@ -393,6 +395,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert, + if (result < 0) + { + gnutls_assert (); ++ result = 0; + goto cleanup; + } + +@@ -410,6 +413,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert, + else if (result < 0) + { + gnutls_assert(); ++ result = 0; + goto cleanup; + } + +-- +1.7.11.7 + Index: trunk/server/fedora/Makefile =================================================================== --- trunk/server/fedora/Makefile (revision 2506) +++ trunk/server/fedora/Makefile (revision 2507) @@ -19,5 +19,5 @@ # See /COPYRIGHT in this repository for more information. -upstream_yum = krb5 krb5.i686 httpd openssh rubygems +upstream_yum = krb5 krb5.i686 httpd openssh rubygems gnutls hackage = cgi-3001.1.8.2 unix-handle-0.0.0 upstream_hackage = ghc-cgi ghc-unix-handle Index: trunk/server/fedora/specs/gnutls.spec.patch =================================================================== --- trunk/server/fedora/specs/gnutls.spec.patch (revision 2507) +++ trunk/server/fedora/specs/gnutls.spec.patch (revision 2507) @@ -0,0 +1,28 @@ +--- gnutls.spec.orig 2014-03-08 16:13:24.922925743 -0500 ++++ gnutls.spec 2014-03-08 16:14:50.464231133 -0500 +@@ -1,7 +1,7 @@ + Summary: A TLS protocol implementation + Name: gnutls + Version: 2.12.23 +-Release: 2%{?dist} ++Release: 2%{?dist}.scripts.%{scriptsversion} + # The libgnutls library is LGPLv2+, utilities and remaining libraries are GPLv3+ + License: GPLv3+ and LGPLv2+ + Group: System Environment/Libraries +@@ -26,6 +26,8 @@ + # Use only FIPS approved ciphers in the FIPS mode + Patch7: gnutls-2.12.21-fips-algorithms.patch + Patch8: gnutls-2.12.23-cve-2013-2116.patch ++# Patch GNUTLS-SA-2014-2 ++Patch9: gnutls-2.12.x-cve-2014-0092.patch + + BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + Requires: libgcrypt >= 1.2.2 +@@ -99,6 +101,7 @@ + %patch6 -p1 -b .cli-debug + %patch7 -p1 -b .fips + %patch8 -p1 -b .overread ++%patch9 -p1 -b .cve-2014-0092 + + for i in auth_srp_rsa.c auth_srp_sb64.c auth_srp_passwd.c auth_srp.c gnutls_srp.c ext_srp.c; do + touch lib/$i