From owner-svn-ports-all@FreeBSD.ORG Thu Dec 19 13:48:56 2013
Delivered-To: svn-ports-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id E14554C0; Thu, 19 Dec 2013 13:48:56 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id C157E1235; Thu, 19 Dec 2013 13:48:56 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id rBJDmuZx040155; Thu, 19 Dec 2013 13:48:56 GMT (envelope-from bapt@svn.freebsd.org)
Received: (from bapt@localhost) by svn.freebsd.org (8.14.7/8.14.7/Submit) id rBJDmu8l040152; Thu, 19 Dec 2013 13:48:56 GMT (envelope-from bapt@svn.freebsd.org)
Message-Id: <201312191348.rBJDmu8l040152@svn.freebsd.org>
From: Baptiste Daroussin
Date: Thu, 19 Dec 2013 13:48:56 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject: svn commit: r336905 - in branches/2014Q1: ftp/curl ftp/curl/files security/vuxml
X-SVN-Group: ports-branches
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-all@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SVN commit messages for the ports tree
X-List-Received-Date: Thu, 19 Dec 2013 13:48:57 -0000

Author: bapt
Date: Thu Dec 19 13:48:55 2013
New Revision: 336905
URL: http://svnweb.freebsd.org/changeset/ports/336905

Log:
  MFH: r336860

  Apply vendor fix for CVE-2013-6422, cURL libcurl cert name check ignore with GnuTLS.
  Document the vulnerability fix in vuxml while I'm here.

Added:
  branches/2014Q1/ftp/curl/files/patch-CVE-2013-6422
     - copied unchanged from r336860, head/ftp/curl/files/patch-CVE-2013-6422
Modified:
  branches/2014Q1/ftp/curl/Makefile
  branches/2014Q1/security/vuxml/vuln.xml
Directory Properties:
  branches/2014Q1/   (props changed)

Modified: branches/2014Q1/ftp/curl/Makefile ============================================================================== --- branches/2014Q1/ftp/curl/Makefile Thu Dec 19 13:45:58 2013 (r336904) +++ branches/2014Q1/ftp/curl/Makefile Thu Dec 19 13:48:55 2013 (r336905) @@ -3,7 +3,7 @@ PORTNAME= curl PORTVERSION= 7.33.0 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= ftp www MASTER_SITES= http://curl.haxx.se/download/ \ LOCAL/sunpoet Copied: branches/2014Q1/ftp/curl/files/patch-CVE-2013-6422 (from r336860, head/ftp/curl/files/patch-CVE-2013-6422) ==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2014Q1/ftp/curl/files/patch-CVE-2013-6422 Thu Dec 19 13:48:55 2013 (r336905, copy of r336860, head/ftp/curl/files/patch-CVE-2013-6422) @@ -0,0 +1,32 @@ +--- ./lib/gtls.c.orig 2013-10-12 15:05:06.000000000 -0700 ++++ ./lib/gtls.c 2013-12-18 15:00:22.000000000 -0800 +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2012, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2013, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -633,10 +633,8 @@ + else + infof(data, "\t server certificate verification OK\n"); + } +- else { ++ else + infof(data, "\t server certificate verification SKIPPED\n"); +- goto after_server_cert_verification; +- } + + /* initialize an X.509 certificate structure. */ + gnutls_x509_crt_init(&x509_cert); +@@ -766,8 +764,6 @@ + + gnutls_x509_crt_deinit(x509_cert); + +-after_server_cert_verification: +- + /* compression algorithm (if any) */ + ptr = gnutls_compression_get_name(gnutls_compression_get(session)); + /* the *_get_name() says "NULL" if GNUTLS_COMP_NULL is returned */

Modified: branches/2014Q1/security/vuxml/vuln.xml ============================================================================== --- branches/2014Q1/security/vuxml/vuln.xml Thu Dec 19 13:45:58 2013 (r336904) +++ branches/2014Q1/security/vuxml/vuln.xml Thu Dec 19 13:48:55 2013 (r336905) @@ -51,6 +51,49 @@ Note: Please add new entries to the beg -->

New vuxml entry (XML markup lost in extraction; rendered as text):

Topic: cURL library -- cert name check ignore with GnuTLS
Affected package: curl, versions >= 7.21.4 and < 7.33.0_2

Description: cURL project reports:

    libcurl is vulnerable to a case of missing out the checking of the certificate CN or SAN name field when the digital signature verification is turned off.

    libcurl offers two separate and independent options for verifying a server's TLS certificate: CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST. The first one tells libcurl to verify the trust chain using a CA cert bundle, while the second tells libcurl to make sure that the name fields in the server certificate meet the criteria. Both options are enabled by default.

    This flaw had the effect that when an application disabled CURLOPT_SSL_VERIFYPEER, libcurl mistakenly also skipped the CURLOPT_SSL_VERIFYHOST check. Applications can disable CURLOPT_SSL_VERIFYPEER and still achieve security by doing the check on their own using other means.

    The curl command line tool is not affected by this problem as it either enables both options or disables both at the same time.

References:
  http://curl.haxx.se/docs/adv_20131217.html
  CVE-2013-6422

Dates:
  Discovery: 2013-12-17
  Entry: 2013-12-18

Unchanged context (the existing next entry): gnupg -- RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis attack
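Review bot: in the lib/gtls.c hunk @@ -633,10 +633,8 @@ the removed `goto after_server_cert_verification;` is the whole bug: when peer verification was turned off it jumped past the block that starts at `gnutls_x509_crt_init(&x509_cert);`, which is where the CN/SAN comparison lives, so CURLOPT_SSL_VERIFYHOST was silently skipped along with CURLOPT_SSL_VERIFYPEER. Dropping the goto makes both branches fall through into that block, which is the right fix. Two things to confirm that the hunk does not show: the name comparison below line 633 must still be guarded by the verifyhost setting (log only when it is 0, fail only when it is on), and that block is now reached on connections where the chain was never validated, so it must cope with a peer that presents no certificate list rather than assume one exists.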
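Review bot: in the lib/gtls.c hunk @@ -766,8 +764,6 @@ removing the `after_server_cert_verification:` label is required rather than cosmetic: with the goto gone the label would be unreferenced, and a build with -Wunused-label and -Werror would fail on it. No behaviour change here; the `gnutls_x509_crt_deinit(x509_cert);` just above now also runs on the formerly skipped path, which is correct because that path now calls gnutls_x509_crt_init() too.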
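Review bot: in the vuln.xml hunk the affected range (collapsed by extraction into 7.21.47.33.0_2) is a lower bound of 7.21.4 and an upper bound below 7.33.0_2; the upper bound has to match the PORTVERSION/PORTREVISION in the Makefile hunk, 7.33.0 with PORTREVISION bumped to 2, and it does. One documentation gap: the description quotes the advisory but never says that only the GnuTLS backend is affected, even though the patch touches lib/gtls.c alone and the topic says "with GnuTLS"; stating that explicitly in the entry would let users of an OpenSSL-built curl triage it quickly.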
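The CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST split that the vuxml entry quotes from the advisory, and the control-flow slip the gtls.c patch removes, modeled as an added example in C. This is not libcurl's or the port's code: the hostname matcher, `verify_server_cert()` and its `buggy` flag that reproduces the pre-fix flow are this example's own, and the certificate names and hostname in `demo()` are constructed.

```c
/* Added example, not libcurl code: models the two independent libcurl
 * verification switches and the control-flow slip fixed by patch-CVE-2013-6422,
 * with a stand-alone CN/SAN hostname matcher over constructed inputs. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum verify_result { VERIFY_OK = 0, VERIFY_CHAIN_FAILED, VERIFY_HOST_MISMATCH };

/* Case-insensitive string equality (DNS names compare case-insensitively). */
static bool str_ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* True when the host is a dotted-decimal IPv4 literal; wildcards never
 * match IP literals. */
static bool looks_like_ipv4(const char *h)
{
    for (; *h; h++)
        if (!isdigit((unsigned char)*h) && *h != '.')
            return false;
    return true;
}

/* Match one certificate name (subject CN or dNSName SAN) against a hostname.
 * Hypothetical matcher in the RFC 6125 shape: the comparison is
 * case-insensitive, a wildcard is accepted only as the whole leftmost label,
 * it never spans a dot, and the pattern needs at least two dots so "*.com"
 * cannot match every .com host. */
bool cert_hostcheck(const char *pattern, const char *hostname)
{
    if (!pattern || !hostname || !*pattern || !*hostname)
        return false;
    if (strncmp(pattern, "*.", 2) != 0)
        return str_ieq(pattern, hostname);          /* plain name */

    const char *suffix = pattern + 1;               /* "*.example.com" -> ".example.com" */
    if (strchr(suffix + 1, '.') == NULL)            /* reject "*.com" */
        return false;
    if (looks_like_ipv4(hostname))
        return false;
    const char *host_dot = strchr(hostname, '.');
    if (host_dot == NULL || host_dot == hostname)   /* need a non-empty first label */
        return false;
    return str_ieq(suffix, host_dot);               /* wildcard covers exactly one label */
}

/* Does any of the certificate's names cover the hostname? */
bool cert_covers_host(const char *const *names, size_t n, const char *hostname)
{
    for (size_t i = 0; i < n; i++)
        if (cert_hostcheck(names[i], hostname))
            return true;
    return false;
}

struct tls_opts {
    bool verifypeer;  /* CURLOPT_SSL_VERIFYPEER: validate the trust chain */
    bool verifyhost;  /* CURLOPT_SSL_VERIFYHOST: compare CN/SAN with the host */
};

/* chain_ok stands in for the backend's chain verification verdict. With
 * buggy=true the function reproduces the pre-fix flow in gtls.c: skipping
 * peer verification jumped straight past the name check. */
enum verify_result verify_server_cert(struct tls_opts o, bool chain_ok,
                                      const char *const *names, size_t n,
                                      const char *hostname, bool buggy)
{
    if (o.verifypeer) {
        if (!chain_ok)
            return VERIFY_CHAIN_FAILED;
    } else if (buggy) {
        return VERIFY_OK;  /* the removed 'goto after_server_cert_verification' */
    }
    /* The name check is independent of chain verification: it runs whenever
     * VERIFYHOST is on, including when VERIFYPEER is off. */
    if (o.verifyhost && !cert_covers_host(names, n, hostname))
        return VERIFY_HOST_MISMATCH;
    return VERIFY_OK;
}

/* Constructed scenario: the application turned VERIFYPEER off (say it pins a
 * self-signed certificate by fingerprint and checks that itself) but left
 * VERIFYHOST on, and the peer presents a certificate issued for another name. */
static enum verify_result demo(bool buggy)
{
    static const char *const names[] = { "*.attacker.example", "attacker.example" };
    struct tls_opts o = { .verifypeer = false, .verifyhost = true };
    return verify_server_cert(o, false, names, 2, "www.bank.example", buggy);
}

enum verify_result demo_before_fix(void) { return demo(true); }   /* VERIFY_OK: name check skipped */
enum verify_result demo_after_fix(void)  { return demo(false); }  /* VERIFY_HOST_MISMATCH */

int main(void)
{
    printf("before fix: %d (0 = accepted)\n", demo_before_fix());
    printf("after fix:  %d (2 = host mismatch)\n", demo_after_fix());
    return 0;
}
```

The point the two demo calls make is the one in the advisory text: with the goto in place a connection whose certificate names do not cover the host is accepted as soon as VERIFYPEER is off, while the fixed flow still rejects it because VERIFYHOST is evaluated on its own. The curl command line tool avoids the bad combination by setting both options together; libcurl applications that only relax VERIFYPEER need the name check to stay independent.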