2012-04-17 Jeff Cai <[email protected]>
Fix bug 7159409 and 7159444
RTI 361795 Gnutls security fixes
* base-specs/gnutls.spec:
* patches/gnutls-02-cve-2012-1573.diff:
* patches/gnutls-03-cve-2011-4128.diff:
* specs/SUNWgnutls.spec:
--- a/ChangeLog Tue Apr 17 05:32:48 2012 +0000
+++ b/ChangeLog Tue Apr 17 05:40:52 2012 +0000
@@ -1,3 +1,13 @@
+2012-04-17 Jeff Cai <[email protected]>
+
+ Fix bug 7159409 and 7159444
+ RTI 361795 Gnutls security fixes
+
+ * base-specs/gnutls.spec:
+ * patches/gnutls-02-cve-2012-1573.diff:
+ * patches/gnutls-03-cve-2011-4128.diff:
+ * specs/SUNWgnutls.spec:
+
2012-04-17 Brian Cameron <[email protected]>
* specs/SUNWgnome-media.spec, base-specs/gst.spec,
--- a/base-specs/gnutls.spec Tue Apr 17 05:32:48 2012 +0000
+++ b/base-specs/gnutls.spec Tue Apr 17 05:40:52 2012 +0000
@@ -1,5 +1,5 @@
#
-# License 2009 Sun Microsystems Inc.
+#Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
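Review bot: The replacement header line is written as `#Copyright` with no space after the `#`, unlike the other comment lines in this header and unlike the matching change in specs/SUNWgnutls.spec, which uses `# Copyright (c) 2004, 2012, ...`. Suggest `# Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.` so the two spec files stay consistent.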
@@ -27,6 +27,10 @@
# date:2009-05-31 owner:jefftsai type:branding
Patch1: gnutls-01-not-build-example.diff
+# date:2012-04-06 owner:jefftsai type:bug bugster:7159444
+Patch2: gnutls-02-cve-2012-1573.diff
+# date:2012-04-06 owner:jefftsai type:bug bugster:7159416
+Patch3: gnutls-03-cve-2011-4128.diff
%define glib2_version 2.0
%define libgcrypt_version 1.1.12
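Review bot: The `bugster:7159416` tag on the Patch3 comment matches neither bug number given in the ChangeLog entry and commit message, which name 7159409 and 7159444. One of them looks like a typo; please confirm which bug tracks the CVE-2011-4128 fix and make the spec comment and the ChangeLog agree, since these ids are what people will search for when auditing whether the fix shipped.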
@@ -61,6 +65,8 @@
%prep
%setup -q -n %{name}-%{version}
%patch1 -p1
+%patch2 -p1
+%patch3 -p1
%build
%ifos linux
@@ -117,6 +123,8 @@
%{_includedir}/*
%changelog
+* Fri Apr 06 2012 - [email protected]
+- Add patch -02-cve-2012-1573 and -03-cve-2011-4128
* Tue Mar 17 2010 - [email protected]
- Bump to 2.8.6
* Thu Nov 05 2009 - [email protected]
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/gnutls-02-cve-2012-1573.diff Tue Apr 17 05:40:52 2012 +0000
@@ -0,0 +1,20 @@
+--- gnutls-2.8.6/lib/gnutls_cipher.c.orig Mon Nov 2 18:30:39 2009
++++ gnutls-2.8.6/lib/gnutls_cipher.c Fri Apr 6 11:09:15 2012
+@@ -502,12 +502,12 @@
+ ciphertext.size -= blocksize;
+ ciphertext.data += blocksize;
+
+- if (ciphertext.size == 0)
+- {
+- gnutls_assert ();
+- return GNUTLS_E_DECRYPTION_FAILED;
+- }
+ }
++ if (ciphertext.size > hash_size)
++ {
++ gnutls_assert ();
++ return GNUTLS_E_DECRYPTION_FAILED;
++ }
+
+ pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */
+
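Review bot: The new length check `if (ciphertext.size > hash_size)` looks inverted. As written it returns GNUTLS_E_DECRYPTION_FAILED whenever the remaining ciphertext is longer than the MAC and lets shorter input through, and because the old `ciphertext.size == 0` check is removed in the same hunk, a zero-length remainder now reaches `pad = ciphertext.data[ciphertext.size - 1] + 1`, which indexes before the start of the buffer. That read needs a lower bound on the size, so the condition should reject `ciphertext.size < hash_size`; please check the comparison against the upstream fix for CVE-2012-1573 and add a test with a record that is exactly one block long.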
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/gnutls-03-cve-2011-4128.diff Tue Apr 17 05:40:52 2012 +0000
@@ -0,0 +1,18 @@
+--- gnutls-2.8.6/lib/gnutls_session.c.orig Fri Apr 6 11:19:30 2012
++++ gnutls-2.8.6/lib/gnutls_session.c Fri Apr 6 11:19:51 2012
+@@ -64,7 +64,6 @@
+ gnutls_assert ();
+ return ret;
+ }
+- *session_data_size = psession.size;
+
+ if (psession.size > *session_data_size)
+ {
+@@ -71,6 +70,7 @@
+ ret = GNUTLS_E_SHORT_MEMORY_BUFFER;
+ goto error;
+ }
++ *session_data_size = psession.size;
+
+ if (session_data != NULL)
+ memcpy (session_data, psession.data, psession.size);
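Review bot: With `*session_data_size = psession.size;` moved below the size check, the GNUTLS_E_SHORT_MEMORY_BUFFER path no longer writes the required size back to the caller. A caller that passes a buffer that is too small, or a zero size to query the length, gets the error but cannot learn how much to allocate. Consider also setting `*session_data_size = psession.size;` inside the `if (psession.size > *session_data_size)` block before `goto error`, which keeps the `memcpy` bounded by the caller's original size while still reporting the needed length.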
--- a/specs/SUNWgnutls.spec Tue Apr 17 05:32:48 2012 +0000
+++ b/specs/SUNWgnutls.spec Tue Apr 17 05:40:52 2012 +0000
@@ -3,7 +3,7 @@
#
# includes module(s): gnutls
#
-# Copyright (c) 2004 Sun Microsystems, Inc.
+# Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
@@ -29,12 +29,10 @@
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%include default-depend.inc
%include desktop-incorporation.inc
-Requires: SUNWzlibr
-Requires: SUNWlibgcrypt
-Requires: SUNWzlib
-Requires: SUNWlibC
-BuildRequires: SUNWlibtasn1
-BuildRequires: SUNWlibtasn1-devel
+Requires: library/zlib
+Requires: system/library/security/libgcrypt
+Requires: system/library/c++-runtime
+BuildRequires: library/libtasn1
Source1: %{name}-manpages-0.1.tar.gz
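Review bot: This Requires/BuildRequires rewrite is a packaging change unrelated to the two CVE patches, and the ChangeLog entry lists specs/SUNWgnutls.spec without describing it. It also collapses `SUNWlibtasn1` and `SUNWlibtasn1-devel` into a single `BuildRequires: library/libtasn1`; please confirm that package delivers the headers needed at build time, and either record the SVR4-to-IPS rename in the ChangeLog or split it into its own commit so the security fix can be backported on its own.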
@@ -151,6 +149,8 @@
%attr (-, root, other) %{_datadir}/locale
%changelog
+* Fri Apr 06 2012 - [email protected]
+- Change SVR4 package name to IPS
* Set Sep 26 2009 - [email protected]
- Remove %{_data_dir}/man/man1 from %files section.
* Fir Aug 20 2009 - [email protected]