--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/gnutls/patches/03-cve-2011-4128.patch Fri Mar 20 22:56:27 2015 -0700
@@ -0,0 +1,29 @@
+Source:
+http://www.gnutls.org/security.html
+Info:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4128
+Buffer overflow in the gnutls_session_get_data function in lib/gnutls_session.c
+in GnuTLS 2.12.x before 2.12.14 and 3.x before 3.0.7, when used on a client
+that performs nonstandard session resumption, allows remote TLS servers to
+cause a denial of service (application crash) via a large SessionTicket.
+Status:
+Need to determine if this patch has been sent upstream.
+
+--- gnutls-2.8.6/lib/gnutls_session.c.orig Fri Apr 6 11:19:30 2012
++++ gnutls-2.8.6/lib/gnutls_session.c Fri Apr 6 11:19:51 2012
+@@ -64,7 +64,6 @@
+ gnutls_assert ();
+ return ret;
+ }
+- *session_data_size = psession.size;
+
+ if (psession.size > *session_data_size)
+ {
+@@ -71,6 +70,7 @@
+ ret = GNUTLS_E_SHORT_MEMORY_BUFFER;
+ goto error;
+ }
++ *session_data_size = psession.size;
+
+ if (session_data != NULL)
+ memcpy (session_data, psession.data, psession.size);