Date: Tue, 13 Aug 2013 09:25:16 +0200 From: Matthias Andree <mandree@FreeBSD.org> To: FreeBSD-gnats-submit@freebsd.org Cc: jase@FreeBSD.org, portmgr@FreeBSD.org Subject: ports/181252: [PATCH] security/polarssl: Security update to 1.2.8, to fix CVE-2013-4623 Message-ID: <E1V98yi-0001Ha-1o@apollo.emma.line.org> Resent-Message-ID: <201308130730.r7D7U0U3042218@freefall.freebsd.org>
>Number: 181252 >Category: ports >Synopsis: [PATCH] security/polarssl: Security update to 1.2.8, to fix CVE-2013-4623 >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Tue Aug 13 07:30:00 UTC 2013 >Closed-Date: >Last-Modified: >Originator: Matthias Andree >Release: FreeBSD 9.1-RELEASE-p5 amd64 >Organization: >Environment: System: FreeBSD apollo.emma.line.org 9.1-RELEASE-p5 FreeBSD 9.1-RELEASE-p5 #0: Sat Jul 27 01:14:23 UTC 2013 >Description: Requesting portmgr@ authorization so that jase@ or I can merge this back onto the 9.2 ports branch. Update to new version 1.2.8, which includes a security fix for CVE-2013-4623, see https://polarssl.org/security - the vulnerability is already listed in portaudit. Announcement: https://polarssl.org/tech-updates/releases/polarssl-1.2.8-released Security advisory: https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-03 Adds two include files to pkg-plist. Note that the fetchwrapper hack is also needed for previous versions, which are otherwise unfetchable these days due to a download splash screen. In the long term, we may need something similar to the script in bsd.port.mk. Port maintainer (jase@FreeBSD.org) is cc'd. Generated with FreeBSD Port Tools 0.99_8 (mode: change, diff: ports) >How-To-Repeat: >Fix: --- polarssl-1.2.8.patch begins here --- diff -ruN /usr/ports/security/polarssl/Makefile ./Makefile --- /usr/ports/security/polarssl/Makefile 2013-05-11 18:55:07.000000000 +0200 +++ ./Makefile 2013-08-13 09:18:16.000000000 +0200 
@@ -1,7 +1,7 @@
-# $FreeBSD: security/polarssl/Makefile 317893 2013-05-11 16:55:07Z jase $
+# $FreeBSD: head/security/polarssl/Makefile 317893 2013-05-11 16:55:07Z jase $
 PORTNAME= polarssl
-PORTVERSION= 1.2.7
+PORTVERSION= 1.2.8
 DISTVERSIONSUFFIX= -gpl
 CATEGORIES= security devel
 MASTER_SITES= http://polarssl.org/download/
@@ -12,7 +12,10 @@
 LICENSE= GPLv2
-FETCH_ARGS= -pRr
+# bypass the HTML "now downloading..." splash site, code below
+# .include <bsd.port.pre.mk>
+URL_SUFFIX= ?do=yes
+FETCH_ARGS= -pRro ${DISTFILES}
 ALL_TARGET= no_test
 USE_GMAKE= yes
@@ -48,6 +51,9 @@
 .include <bsd.port.pre.mk>
+FETCH_CMD:= ${SHELL} ${FILESDIR}/fetchwrapper.sh \
+ ${URL_SUFFIX} ${FETCH_BINARY} ${FETCH_ARGS}
+
 .if ${ARCH} == "powerpc"
 BROKEN= Does not compile on powerpc
 .endif
diff -ruN /usr/ports/security/polarssl/distinfo ./distinfo
--- /usr/ports/security/polarssl/distinfo 2013-05-11 18:55:07.000000000 +0200
+++ ./distinfo 2013-08-13 09:17:34.000000000 +0200
@@ -1,2 +1,2 @@
-SHA256 (polarssl-1.2.7-gpl.tgz) = d64c2d1247f93cdeb884bd3706dfddffc636634bbf81d3772af750d5b5191328
-SIZE (polarssl-1.2.7-gpl.tgz) = 977888
+SHA256 (polarssl-1.2.8-gpl.tgz) = 23cf931e322ab397d26c89b7e805cf2229df46c5196f4f67ebfc0e285848637b
+SIZE (polarssl-1.2.8-gpl.tgz) = 998609
diff -ruN /usr/ports/security/polarssl/files/fetchwrapper.sh ./files/fetchwrapper.sh
--- /usr/ports/security/polarssl/files/fetchwrapper.sh 1970-01-01 01:00:00.000000000 +0100
+++ ./files/fetchwrapper.sh 2013-08-13 09:10:20.000000000 +0200
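Review bot: `FETCH_ARGS= -pRro ${DISTFILES}` in the second Makefile hunk hands the whole DISTFILES list to `-o` as one argument, so the fetch works only while the port has exactly one distfile; any later addition to DISTFILES would likely break fetching in a way that is not obvious from this line. Since `-o` is there only to keep the `?do=yes` query out of the saved filename, that assumption belongs next to it, e.g. `# -o: strip the URL_SUFFIX query from the saved name; assumes a single distfile`. The added comment line `# .include <bsd.port.pre.mk>` reads like a leftover note rather than a description; `# FETCH_CMD is wrapped after bsd.port.pre.mk below` would say what is meant.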
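Review bot: `${URL_SUFFIX}` is passed to fetchwrapper.sh unquoted in the third Makefile hunk, while the wrapper identifies the suffix purely by position (`suffix="$1"`), so an empty or overridden URL_SUFFIX would make the wrapper take `${FETCH_BINARY}` as the suffix and try to exec the first fetch option instead; the `?` in `?do=yes` is also a shell glob character on that command line. Quoting it, `'${URL_SUFFIX}'`, keeps the positional contract intact in both cases. The `:=` assignment freezes FETCH_CMD at this point, which is presumably why it sits after `.include <bsd.port.pre.mk>`; a one-line comment stating that FETCH_BINARY and FETCH_ARGS must be final here would save the next maintainer from moving it.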
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+# $FreeBSD$
+
+# This script tacks the first argument onto each URL found in the list,
+# discards and then executes the list.
+
+# URL matching is simplistic, a URL is what matches *tp://* (so file:///
+# is not matched).
+
+# For instance, calling:
+# fetchwrapper.sh '?do=yes' /usr/bin/fetch -pPr http://example.org/file
+# will execute:
+# /usr/bin/fetch -pPr http://example.org/file?do=yes
+
+# The intention is to work around download splash screens on web servers.
+
+# (C) Copyright 2013 by Matthias Andree.
+# Licensed under the 2-clause BSD license.
+
+if [ $# -lt 3 ] ; then
+ echo >&2 "Usage: $0 URLsuffix fetch-command [options] URL [post-options]"
+ exit 1
+fi
+
+patcharray() {
+ # based on Rich Felker's "Working with arrays",
+ # http://www.etalabs.net/sh_tricks.html
+ for i do
+ case "$i" in *tp://*) j=$suffix ;; *) j= ;; esac
+ printf %s%s\\n "$i" "$j" | sed -e "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/"
+ done
+ echo " "
+}
+
+suffix="$1" ; shift
+args=$(patcharray "$@")
+eval "set -- $args"
+
+set -x
+exec "$@"
diff -ruN /usr/ports/security/polarssl/pkg-plist ./pkg-plist
--- /usr/ports/security/polarssl/pkg-plist 2012-11-26 20:49:22.000000000 +0100
+++ ./pkg-plist 2013-08-13 09:18:46.000000000 +0200
@@ -50,6 +50,8 @@
 include/polarssl/pem.h
 include/polarssl/pbkdf2.h
 include/polarssl/pkcs11.h
+include/polarssl/pkcs12.h
+include/polarssl/pkcs5.h
 include/polarssl/rsa.h
 include/polarssl/sha1.h
 include/polarssl/sha2.h
--- polarssl-1.2.8.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
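Review bot: patcharray appends the suffix to every argument matching `*tp://*`, not only to the splash-screen site, so if the ports fetch loop also routes fallback mirror URLs (FTP distfile mirrors, outside this diff) through FETCH_CMD they get `?do=yes` as well, and for an FTP URL the query becomes part of the requested path, so the fallback would fail. Limiting the rewrite to the one host that needs it, `*://polarssl.org/*) j=$suffix ;;` in the case inside the `for i do` loop, keeps the mirrors usable. `set -x` before the `exec` traces the complete fetch command line to stderr on every run; if that is meant as permanent diagnostics a comment saying so would help, otherwise it should go. `i` and `j` are globals since POSIX sh has no `local`, harmless here, but worth a note because `suffix` is also read from the global scope inside the function.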