Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 189707 Details for
Bug 267774
<net-libs/gnutls-2.6.5-r1: Multiple vulnerabilities (CVE-2009-{1415,1416,1417})
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
fixed CVE-2009-1417.patch patch
CVE-2009-1417.patch (text/plain), 2.91 KB, created by
Daniel Black (RETIRED)
on 2009-04-28 13:33:53 UTC
(
hide
)
Description:
fixed CVE-2009-1417.patch patch
Filename:
MIME Type:
Creator:
Daniel Black (RETIRED)
Created:
2009-04-28 13:33:53 UTC
Size:
2.91 KB
patch
obsolete
>Index: gnutls-2.6.5/includes/gnutls/gnutls.h.in >=================================================================== >--- gnutls-2.6.5.orig/includes/gnutls/gnutls.h.in >+++ gnutls-2.6.5/includes/gnutls/gnutls.h.in >@@ -251,7 +251,13 @@ extern "C" > */ > GNUTLS_CERT_SIGNER_NOT_FOUND = 64, > GNUTLS_CERT_SIGNER_NOT_CA = 128, >- GNUTLS_CERT_INSECURE_ALGORITHM = 256 >+ GNUTLS_CERT_INSECURE_ALGORITHM = 256, >+ >+ /* Time verification. >+ */ >+ GNUTLS_CERT_NOT_ACTIVATED = 512, >+ GNUTLS_CERT_EXPIRED = 1024 >+ > } gnutls_certificate_status_t; > > typedef enum >Index: gnutls-2.6.5/includes/gnutls/x509.h >=================================================================== >--- gnutls-2.6.5.orig/includes/gnutls/x509.h >+++ gnutls-2.6.5/includes/gnutls/x509.h >@@ -481,7 +481,13 @@ extern "C" > > /* Allow certificates to be signed using the broken MD5 algorithm. > */ >- GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32 >+ GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32, >+ >+ /* Disable checking of activation and expiration validity >+ * periods of certificate chains. Don't set this unless you >+ * understand the security implications. >+ */ >+ GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64 > } gnutls_certificate_verify_flags; > > int gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert, >Index: gnutls-2.6.5/lib/x509/verify.c >=================================================================== >--- gnutls-2.6.5.orig/lib/x509/verify.c >+++ gnutls-2.6.5/lib/x509/verify.c >@@ -493,6 +493,32 @@ _gnutls_x509_verify_certificate (const g > } > #endif > >+ /* Check activation/expiration times >+ */ >+ if (!(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS)) >+ { >+ time_t t, now = time (0); >+ >+ for (i = 0; i < clist_size; i++) >+ { >+ t = gnutls_x509_crt_get_activation_time (certificate_list[i]); >+ if (t == (time_t) -1 || now < t) >+ { >+ status |= GNUTLS_CERT_NOT_ACTIVATED; >+ status |= GNUTLS_CERT_INVALID; >+ return status; >+ } >+ >+ t = gnutls_x509_crt_get_expiration_time (certificate_list[i]); >+ if (t == (time_t) -1 || now > t) >+ { >+ status |= GNUTLS_CERT_EXPIRED; >+ status |= GNUTLS_CERT_INVALID; >+ return status; >+ } >+ } >+ } >+ > /* Verify the certificate path (chain) > */ > for (i = clist_size - 1; i > 0; i--) >Index: gnutls-2.6.5/src/common.c >=================================================================== >--- gnutls-2.6.5.orig/src/common.c >+++ gnutls-2.6.5/src/common.c >@@ -427,6 +427,10 @@ print_cert_vrfy (gnutls_session_t sessio > { > if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) > printf ("- Peer's certificate issuer is unknown\n"); >+ if (status & GNUTLS_CERT_NOT_ACTIVATED) >+ printf ("- Peer's certificate chain uses not yet valid certificate\n"); >+ if (status & GNUTLS_CERT_EXPIRED) >+ printf ("- Peer's certificate chain uses expired certificate\n"); > if (status & GNUTLS_CERT_INVALID) > printf ("- Peer's certificate is NOT trusted\n"); > else
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=189707">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 267774
:
189700
|
189702
|
189704
| 189707 |
189720
|
189787
