20761309 problem in UTILITY/GIT s11-update
authorCraig Mohrman <craig.mohrman@oracle.com>
Mon, 04 May 2015 19:10:05 -0700
branchs11-update
changeset 4244 37525cfe930c
parent 4242 9f0a469595a0
child 4249 bb2990b48dfc
20761309 problem in UTILITY/GIT
components/git/Makefile
components/git/patches/imap-send.patch
components/git/patches/t_Makefile.patch
--- a/components/git/Makefile	Thu Jul 31 01:53:13 2014 -0700
+++ b/components/git/Makefile	Mon May 04 19:10:05 2015 -0700
@@ -57,10 +57,19 @@
 CONFIGURE_OPTIONS  +=	--with-python=$(PYTHON.$(PYTHON_VERSION))
 CONFIGURE_OPTIONS  +=	CFLAGS="$(CFLAGS)"
 
+# Build fails if environment variable PROFILE is set.
+COMPONENT_BUILD_ENV+=	PROFILE=
+COMPONENT_INSTALL_ENV+=	PROFILE=
+COMPONENT_TEST_ENV+=	PROFILE=
+
 COMPONENT_BUILD_ENV+=	NO_PERL_MAKEMAKER=1
 COMPONENT_INSTALL_ENV+=	PERL_LIB=$(shell $(PERL) -MConfig -e 'print "$$Config{installvendorarch}"')
 COMPONENT_INSTALL_ARGS+=	INSTALL="$(INSTALL)"
 
+# get rid of terminal escape codes in test output
+COMPONENT_TEST_ENV = TERM=dumb
+# many failures; keep going; later versions of git are much cleaner
+COMPONENT_TEST_ARGS += -k -i
 COMPONENT_TEST_TARGETS = test
 
 # This runs configure but configure doesn't generate a Makefile.
@@ -71,6 +80,8 @@
 COMPONENT_PRE_CONFIGURE_ACTION = \
 	($(CLONEY) $(SOURCE_DIR) $(@D))
 
+ASLR_MODE = $(ASLR_ENABLE)
+
 build:		$(BUILD_32)
 
 install:	$(INSTALL_32) $(BUILD_DIR)/.manpages
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/git/patches/imap-send.patch	Mon May 04 19:10:05 2015 -0700
@@ -0,0 +1,120 @@
+This patch fixes CVE-2013-0308.
+It was created from a diff between the version 1.8.1.4 of this file
+from the community and the current one.  The only changes to this file
+are for addressing this CVE.
+Here is the community diff:
+https://github.com/gitster/git/commit/0ee7198f457c8ea031b09b528cfd88f0f0e630d8
+
+--- git-1.7.9.2/imap-send.c_orig	2012-02-22 18:04:18.000000000 -0800
++++ git-1.7.9.2/imap-send.c	2015-03-25 12:23:29.465800340 -0700
[email protected]@ -31,6 +31,7 @@
+ #else
+ #include <openssl/evp.h>
+ #include <openssl/hmac.h>
++#include <openssl/x509v3.h>
+ #endif
+ 
+ struct store_conf {
[email protected]@ -266,12 +267,64 @@
+ 	}
+ }
+ 
++#ifdef NO_OPENSSL
+ static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int verify)
+ {
+-#ifdef NO_OPENSSL
+ 	fprintf(stderr, "SSL requested but SSL support not compiled in\n");
+ 	return -1;
++}
++
+ #else
++
++static int host_matches(const char *host, const char *pattern)
++{
++	if (pattern[0] == '*' && pattern[1] == '.') {
++		pattern += 2;
++		if (!(host = strchr(host, '.')))
++			return 0;
++		host++;
++	}
++
++	return *host && *pattern && !strcasecmp(host, pattern);
++}
++
++static int verify_hostname(X509 *cert, const char *hostname)
++{
++	int len;
++	X509_NAME *subj;
++	char cname[1000];
++	int i, found;
++	STACK_OF(GENERAL_NAME) *subj_alt_names;
++
++	/* try the DNS subjectAltNames */
++	found = 0;
++	if ((subj_alt_names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL))) {
++		int num_subj_alt_names = sk_GENERAL_NAME_num(subj_alt_names);
++		for (i = 0; !found && i < num_subj_alt_names; i++) {
++			GENERAL_NAME *subj_alt_name = sk_GENERAL_NAME_value(subj_alt_names, i);
++			if (subj_alt_name->type == GEN_DNS &&
++			    strlen((const char *)subj_alt_name->d.ia5->data) == (size_t)subj_alt_name->d.ia5->length &&
++			    host_matches(hostname, (const char *)(subj_alt_name->d.ia5->data)))
++				found = 1;
++		}
++		sk_GENERAL_NAME_pop_free(subj_alt_names, GENERAL_NAME_free);
++	}
++	if (found)
++		return 0;
++
++	/* try the common name */
++	if (!(subj = X509_get_subject_name(cert)))
++		return error("cannot get certificate subject");
++	if ((len = X509_NAME_get_text_by_NID(subj, NID_commonName, cname, sizeof(cname))) < 0)
++		return error("cannot get certificate common name");
++	if (strlen(cname) == (size_t)len && host_matches(hostname, cname))
++		return 0;
++	return error("certificate owner '%s' does not match hostname '%s'",
++		     cname, hostname);
++}
++
++static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int verify)
++{
+ #if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
+ 	const SSL_METHOD *meth;
+ #else
[email protected]@ -279,6 +332,7 @@
+ #endif
+ 	SSL_CTX *ctx;
+ 	int ret;
++	X509 *cert;
+ 
+ 	SSL_library_init();
+ 	SSL_load_error_strings();
[email protected]@ -322,9 +376,18 @@
+ 		return -1;
+ 	}
+ 
++	if (verify) {
++		/* make sure the hostname matches that of the certificate */
++		cert = SSL_get_peer_certificate(sock->ssl);
++		if (!cert)
++			return error("unable to get peer certificate.");
++		if (verify_hostname(cert, server.host) < 0)
++			return -1;
++	}
++
+ 	return 0;
+-#endif
+ }
++#endif
+ 
+ static int socket_read(struct imap_socket *sock, char *buf, int len)
+ {
[email protected]@ -1022,7 +1085,7 @@
+ 
+ 	ret = socket_write(&ctx->imap->buf.sock, response, strlen(response));
+ 	if (ret != strlen(response))
+-		return error("IMAP error: sending response failed\n");
++		return error("IMAP error: sending response failed");
+ 
+ 	free(response);
+ 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/git/patches/t_Makefile.patch	Mon May 04 19:10:05 2015 -0700
@@ -0,0 +1,14 @@
+The ordering to the tests was non-deterministic without sorting the list.
+This will be fed back to the community.
+
+--- git-1.7.9.2/t/Makefile_orig	2015-03-26 14:29:33.733092028 -0700
++++ git-1.7.9.2/t/Makefile	2015-03-26 14:29:53.247281197 -0700
[email protected]@ -17,7 +17,7 @@
+ # Shell quote;
+ SHELL_PATH_SQ = $(subst ','\'',$(SHELL_PATH))
+ 
+-T = $(wildcard t[0-9][0-9][0-9][0-9]-*.sh)
++T = $(sort $(wildcard t[0-9][0-9][0-9][0-9]-*.sh))
+ TSVN = $(wildcard t91[0-9][0-9]-*.sh)
+ TGITWEB = $(wildcard t95[0-9][0-9]-*.sh)
+