Date: Wed, 18 Dec 2013 23:04:24 +0000 (UTC) From: Xin LI <delphij@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r336860 - in head: ftp/curl ftp/curl/files security/vuxml Message-ID: <201312182304.rBIN4ObQ015628@svn.freebsd.org>
Author: delphij Date: Wed Dec 18 23:04:24 2013 New Revision: 336860 URL: http://svnweb.freebsd.org/changeset/ports/336860 Log: Apply vendor fix for CVE-2013-6422, cURL libcurl cert name check ignore with GnuTLS. Document the vulnerability fix in vuxml while I'm here. Added: head/ftp/curl/files/patch-CVE-2013-6422 (contents, props changed) Modified: head/ftp/curl/Makefile head/security/vuxml/vuln.xml Modified: head/ftp/curl/Makefile ============================================================================== --- head/ftp/curl/Makefile Wed Dec 18 20:20:49 2013 (r336859) +++ head/ftp/curl/Makefile Wed Dec 18 23:04:24 2013 (r336860) @@ -3,7 +3,7 @@ PORTNAME= curl PORTVERSION= 7.33.0 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= ftp www MASTER_SITES= http://curl.haxx.se/download/ \ LOCAL/sunpoet Added: head/ftp/curl/files/patch-CVE-2013-6422 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/ftp/curl/files/patch-CVE-2013-6422 Wed Dec 18 23:04:24 2013 (r336860) 
@@ -0,0 +1,32 @@ +--- ./lib/gtls.c.orig 2013-10-12 15:05:06.000000000 -0700 ++++ ./lib/gtls.c 2013-12-18 15:00:22.000000000 -0800 +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al. ++ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -633,10 +633,8 @@ + else + infof(data, "\t server certificate verification OK\n"); + } +- else { ++ else + infof(data, "\t server certificate verification SKIPPED\n"); +- goto after_server_cert_verification; +- } + + /* initialize an X.509 certificate structure. */ + gnutls_x509_crt_init(&x509_cert); +@@ -766,8 +764,6 @@ + + gnutls_x509_crt_deinit(x509_cert); + +-after_server_cert_verification: +- + /* compression algorithm (if any) */ + ptr = gnutls_compression_get_name(gnutls_compression_get(session)); + /* the *_get_name() says "NULL" if GNUTLS_COMP_NULL is returned */ Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Wed Dec 18 20:20:49 2013 (r336859) +++ head/security/vuxml/vuln.xml Wed Dec 18 23:04:24 2013 (r336860) 
@@ -51,6 +51,49 @@ Note: Please add new entries to the beg --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="4e1f4abc-6837-11e3-9cda-3c970e169bc2"> + <topic>cURL library -- cert name check ignore with GnuTLS</topic> + <affects> + <package> + <name>curl</name> + <range><ge>7.21.4</ge><lt>7.33.0_2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>cURL project reports:</p> + <blockquote cite="http://curl.haxx.se/docs/adv_20131217.html"> + <p>libcurl is vulnerable to a case of missing out the checking + of the certificate CN or SAN name field when the digital + signature verification is turned off.</p> + <p>libcurl offers two separate and independent options for + verifying a server's TLS certificate. CURLOPT_SSL_VERIFYPEER + and CURLOPT_SSL_VERIFYHOST. The first one tells libcurl to + verify the trust chain using a CA cert bundle, while the + second tells libcurl to make sure that the name fields in + the server certificate meets the criteria. Both options are + enabled by default.</p> + <p>This flaw had the effect that when an application disabled + CURLOPT_SSL_VERIFYPEER, libcurl mistakenly also skipped the + CURLOPT_SSL_VERIFYHOST check. Applications can disable + CURLOPT_SSL_VERIFYPEER and still achieve security by doing + the check on its own using other means.</p> + <p>The curl command line tool is not affected by this problem + as it either enables both options or disables both at the + same time.</p> + </blockquote> + </body> + </description> + <references> + <url>http://curl.haxx.se/docs/adv_20131217.html</url> + <cvename>CVE-2013-6422</cvename> + </references> + <dates> + <discovery>2013-12-17</discovery> + <entry>2013-12-18</entry> + </dates> + </vuln> + <vuln vid="2e5715f8-67f7-11e3-9811-b499baab0cbe"> <topic>gnupg -- RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis attack</topic> <affects>
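Review bot: the copyright-year-only change in the first hunk of files/patch-CVE-2013-6422 (`- * Copyright (C) 1998 - 2012` to `+ * Copyright (C) 1998 - 2013`) is not needed for the fix; it is harmless, but it adds a hunk that can fail to apply on the next PORTVERSION update. Consider dropping it from the ports patch, or keep it only if the patch is meant to mirror the upstream commit verbatim.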
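Review bot: in the `@@ -633,10 +633,8 @@` hunk of lib/gtls.c, removing `goto after_server_cert_verification;` from the "server certificate verification SKIPPED" branch is the actual fix: with the jump gone, execution falls through to `gnutls_x509_crt_init(&x509_cert);` and the certificate name check that follows, so CURLOPT_SSL_VERIFYHOST now runs even when CURLOPT_SSL_VERIFYPEER is disabled, which is exactly the behaviour the advisory describes. Collapsing `else {` to a brace-less `else` is correct only because a single `infof(...)` statement remains in that branch; when rebasing this patch, re-check that nothing else lives in that block, since a brace-less `else` would silently leave any other statement outside the conditional.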
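Review bot: the `after_server_cert_verification:` label removed in the `@@ -766,8 +764,6 @@` hunk has no remaining references once the goto is gone, so dropping it avoids an unused-label warning. These two gtls.c hunks must always be applied together: the -633 hunk alone leaves a dangling label, and the -766 hunk alone leaves a goto to an undefined label and fails to compile.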
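Review bot: in the vuln.xml hunk, the upper bound `<lt>7.33.0_2</lt>` matches the PORTREVISION bump from 1 to 2 in the Makefile hunk, so a port built from r336860 is correctly reported as fixed, and the entry is placed at the top of the file as the `Note: Please add new entries to the beg` comment requires. One documentation point: only the `<topic>` mentions GnuTLS; the `<description>` body never states that only libcurl built against the GnuTLS backend is affected. A short sentence outside the quoted `<blockquote>` would make that explicit for users of the port's other TLS backends. The blockquote text itself should stay verbatim as quoted from the advisory.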