# HG changeset patch # User Craig Mohrman # Date 1431366242 25200 # Node ID 279415c50b970ebc514ff40cf2513c7f885c0c73 # Parent 17ea514d2fe08d2f3ae19e673a9933d12af56339 20761309 problem in UTILITY/GIT diff -r 17ea514d2fe0 -r 279415c50b97 components/git/Makefile --- a/components/git/Makefile Mon May 11 05:48:43 2015 -0700 +++ b/components/git/Makefile Mon May 11 10:44:02 2015 -0700 @@ -18,7 +18,7 @@ # # CDDL HEADER END # -# Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved. # include ../../make-rules/shared-macros.mk @@ -55,6 +55,10 @@ COMPONENT_INSTALL_ENV+= PERL_LIB=$(shell $(PERL) -MConfig -e 'print "$$Config{installvendorarch}"') COMPONENT_INSTALL_ARGS+= INSTALL="$(INSTALL)" +# get rid of terminal escape codes in test output +COMPONENT_TEST_ENV = TERM=dumb +# many failures; keep going; later versions of git are much cleaner +COMPONENT_TEST_ARGS += -k -i COMPONENT_TEST_TARGETS = test # This runs configure but configure doesn't generate a Makefile. @@ -65,6 +69,8 @@ COMPONENT_PRE_CONFIGURE_ACTION = \ ($(CLONEY) $(SOURCE_DIR) $(@D)) +ASLR_MODE = $(ASLR_ENABLE) + build: $(BUILD_32) install: $(INSTALL_32) $(BUILD_DIR)/.manpages diff -r 17ea514d2fe0 -r 279415c50b97 components/git/patches/imap-send.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/git/patches/imap-send.patch Mon May 11 10:44:02 2015 -0700 
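Review bot: `COMPONENT_TEST_ARGS += -k -i` in the second Makefile hunk makes the test run ignore every failing recipe, so a regression in the certificate-hostname check that imap-send.patch adds in this same changeset would presumably not fail `test`. Assuming these flags reach make unchanged, `-k` alone still runs every test and keeps a non-zero exit status. If the existing failures are known, a comment naming them or a comparison against a recorded results file would keep new failures visible. `COMPONENT_TEST_ENV = TERM=dumb` assigns with `=`, which would discard any value the included make rules set earlier, if there is one; `COMPONENT_TEST_ENV += TERM=dumb` avoids that.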
@@ -0,0 +1,120 @@
+This patch fixes CVE-2013-0308.
+It was created from a diff between the version 1.8.1.4 of this file
+from the community and the current one. The only changes to this file
+are for addressing this CVE.
+Here is the community diff:
+https://github.com/gitster/git/commit/0ee7198f457c8ea031b09b528cfd88f0f0e630d8
+
+--- git-1.7.9.2/imap-send.c_orig 2012-02-22 18:04:18.000000000 -0800
++++ git-1.7.9.2/imap-send.c 2015-03-25 12:23:29.465800340 -0700
+@@ -31,6 +31,7 @@
+ #else
+ #include
+ #include
++#include
+ #endif
+
+ struct store_conf {
+@@ -266,12 +267,64 @@
+ }
+ }
+
++#ifdef NO_OPENSSL
+ static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int verify)
+ {
+-#ifdef NO_OPENSSL
+ fprintf(stderr, "SSL requested but SSL support not compiled in\n");
+ return -1;
++}
++
+ #else
++
++static int host_matches(const char *host, const char *pattern)
++{
++ if (pattern[0] == '*' && pattern[1] == '.') {
++ pattern += 2;
++ if (!(host = strchr(host, '.')))
++ return 0;
++ host++;
++ }
++
++ return *host && *pattern && !strcasecmp(host, pattern);
++}
++
++static int verify_hostname(X509 *cert, const char *hostname)
++{
++ int len;
++ X509_NAME *subj;
++ char cname[1000];
++ int i, found;
++ STACK_OF(GENERAL_NAME) *subj_alt_names;
++
++ /* try the DNS subjectAltNames */
++ found = 0;
++ if ((subj_alt_names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL))) {
++ int num_subj_alt_names = sk_GENERAL_NAME_num(subj_alt_names);
++ for (i = 0; !found && i < num_subj_alt_names; i++) {
++ GENERAL_NAME *subj_alt_name = sk_GENERAL_NAME_value(subj_alt_names, i);
++ if (subj_alt_name->type == GEN_DNS &&
++ strlen((const char *)subj_alt_name->d.ia5->data) == (size_t)subj_alt_name->d.ia5->length &&
++ host_matches(hostname, (const char *)(subj_alt_name->d.ia5->data)))
++ found = 1;
++ }
++ sk_GENERAL_NAME_pop_free(subj_alt_names, GENERAL_NAME_free);
++ }
++ if (found)
++ return 0;
++
++ /* try the common name */
++ if (!(subj = X509_get_subject_name(cert)))
++ return error("cannot get certificate subject");
++ if ((len = X509_NAME_get_text_by_NID(subj, NID_commonName, cname, sizeof(cname))) < 0)
++ return error("cannot get certificate common name");
++ if (strlen(cname) == (size_t)len && host_matches(hostname, cname))
++ return 0;
++ return error("certificate owner '%s' does not match hostname '%s'",
++ cname, hostname);
++}
++
++static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int verify)
++{
+ #if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
+ const SSL_METHOD *meth;
+ #else
+@@ -279,6 +332,7 @@
+ #endif
+ SSL_CTX *ctx;
+ int ret;
++ X509 *cert;
+
+ SSL_library_init();
+ SSL_load_error_strings();
+@@ -322,9 +376,18 @@
+ return -1;
+ }
+
++ if (verify) {
++ /* make sure the hostname matches that of the certificate */
++ cert = SSL_get_peer_certificate(sock->ssl);
++ if (!cert)
++ return error("unable to get peer certificate.");
++ if (verify_hostname(cert, server.host) < 0)
++ return -1;
++ }
++
+ return 0;
+-#endif
+ }
++#endif
+
+ static int socket_read(struct imap_socket *sock, char *buf, int len)
+ {
+@@ -1022,7 +1085,7 @@
+
+ ret = socket_write(&ctx->imap->buf.sock, response, strlen(response));
+ if (ret != strlen(response))
+- return error("IMAP error: sending response failed\n");
++ return error("IMAP error: sending response failed");
+
+ free(response);
+
diff -r 17ea514d2fe0 -r 279415c50b97 components/git/patches/t_Makefile.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/git/patches/t_Makefile.patch Mon May 11 10:44:02 2015 -0700
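Review bot: verify_hostname() falls through to the commonName comparison whenever no DNS subjectAltName matched, even when the certificate does carry DNS subjectAltNames. RFC 6125 expects the CN to be consulted only when no DNS SAN is present, so a flag set on any `GEN_DNS` entry should make the function return the mismatch error before the `/* try the common name */` block. In the `if (verify)` block added to ssl_socket_connect(), the X509 returned by `SSL_get_peer_certificate()` holds a reference that is never released on either path; `ret = verify_hostname(cert, server.host); X509_free(cert); if (ret < 0) return -1;` would fix that, assuming `ret` is free for reuse at that point. host_matches() also accepts a wildcard whose remainder is a single label (a pattern like `*.com` matches any host directly under it), which may be wider than intended. ssl_socket_connect() begins and ends outside the nested hunks, so cleanup on its earlier error paths cannot be checked from here.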
@@ -0,0 +1,14 @@
+The ordering to the tests was non-deterministic without sorting the list.
+This will be fed back to the community.
+
+--- git-1.7.9.2/t/Makefile_orig 2015-03-26 14:29:33.733092028 -0700
++++ git-1.7.9.2/t/Makefile 2015-03-26 14:29:53.247281197 -0700
+@@ -17,7 +17,7 @@
+ # Shell quote;
+ SHELL_PATH_SQ = $(subst ','\'',$(SHELL_PATH))
+
+-T = $(wildcard t[0-9][0-9][0-9][0-9]-*.sh)
++T = $(sort $(wildcard t[0-9][0-9][0-9][0-9]-*.sh))
+ TSVN = $(wildcard t91[0-9][0-9]-*.sh)
+ TGITWEB = $(wildcard t95[0-9][0-9]-*.sh)
+