From owner-freebsd-ports-bugs@FreeBSD.ORG Tue Aug 13 07:30:01 2013
Resent-Date: Tue, 13 Aug 2013 07:30:00 GMT
Resent-Message-Id: <201308130730.r7D7U0U3042218@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Date: Tue, 13 Aug 2013 09:25:16 +0200
From: Matthias Andree
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: ports/181252: [PATCH] security/polarssl: Security update to 1.2.8, to fix CVE-2013-4623
Cc: jase@FreeBSD.org, portmgr@FreeBSD.org

>Number:         181252
>Category:       ports
>Synopsis:       [PATCH] security/polarssl: Security update to 1.2.8, to fix CVE-2013-4623
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 13 07:30:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Matthias Andree
>Release:        FreeBSD 9.1-RELEASE-p5 amd64
>Organization:
>Environment:
System: FreeBSD apollo.emma.line.org 9.1-RELEASE-p5 FreeBSD 9.1-RELEASE-p5 #0: Sat Jul 27 01:14:23 UTC 2013
>Description:
Requesting portmgr@ authorization so that jase@ or I can merge this back onto the 9.2 ports branch.

Update to new version 1.2.8, which includes a security fix for CVE-2013-4623, see https://polarssl.org/security - the vulnerability is already listed in portaudit.

Announcement: https://polarssl.org/tech-updates/releases/polarssl-1.2.8-released
Security advisory: https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-03

Adds two include files to pkg-plist.

Note that the fetchwrapper hack is also needed for previous versions, which are otherwise unfetchable these days due to a download splash screen. In the long term, we may need something similar to the script in bsd.port.mk.

Port maintainer (jase@FreeBSD.org) is cc'd.
Generated with FreeBSD Port Tools 0.99_8 (mode: change, diff: ports) >How-To-Repeat: >Fix: --- polarssl-1.2.8.patch begins here --- diff -ruN /usr/ports/security/polarssl/Makefile ./Makefile --- /usr/ports/security/polarssl/Makefile 2013-05-11 18:55:07.000000000 +0200 +++ ./Makefile 2013-08-13 09:18:16.000000000 +0200 @@ -1,7 +1,7 @@ -# $FreeBSD: security/polarssl/Makefile 317893 2013-05-11 16:55:07Z jase $ +# $FreeBSD: head/security/polarssl/Makefile 317893 2013-05-11 16:55:07Z jase $ PORTNAME= polarssl -PORTVERSION= 1.2.7 +PORTVERSION= 1.2.8 DISTVERSIONSUFFIX= -gpl CATEGORIES= security devel MASTER_SITES= http://polarssl.org/download/ @@ -12,7 +12,10 @@ LICENSE= GPLv2 -FETCH_ARGS= -pRr +# bypass the HTML "now downloading..." splash site, code below +# .include +URL_SUFFIX= ?do=yes +FETCH_ARGS= -pRro ${DISTFILES} ALL_TARGET= no_test USE_GMAKE= yes @@ -48,6 +51,9 @@ .include +FETCH_CMD:= ${SHELL} ${FILESDIR}/fetchwrapper.sh \ + ${URL_SUFFIX} ${FETCH_BINARY} ${FETCH_ARGS} + .if ${ARCH} == "powerpc" BROKEN= Does not compile on powerpc .endif diff -ruN /usr/ports/security/polarssl/distinfo ./distinfo --- /usr/ports/security/polarssl/distinfo 2013-05-11 18:55:07.000000000 +0200 +++ ./distinfo 2013-08-13 09:17:34.000000000 +0200 @@ -1,2 +1,2 @@ -SHA256 (polarssl-1.2.7-gpl.tgz) = d64c2d1247f93cdeb884bd3706dfddffc636634bbf81d3772af750d5b5191328 -SIZE (polarssl-1.2.7-gpl.tgz) = 977888 +SHA256 (polarssl-1.2.8-gpl.tgz) = 23cf931e322ab397d26c89b7e805cf2229df46c5196f4f67ebfc0e285848637b +SIZE (polarssl-1.2.8-gpl.tgz) = 998609 diff -ruN /usr/ports/security/polarssl/files/fetchwrapper.sh ./files/fetchwrapper.sh --- /usr/ports/security/polarssl/files/fetchwrapper.sh 1970-01-01 01:00:00.000000000 +0100 +++ ./files/fetchwrapper.sh 2013-08-13 09:10:20.000000000 +0200 
@@ -0,0 +1,41 @@ +#!/bin/sh + +# $FreeBSD$ + +# This script tacks the first argument onto each URL found in the list, +# discards and then executes the list. + +# URL matching is simplistic, a URL is what matches *tp://* (so file:/// +# is not matched). + +# For instance, calling: +# fetchwrapper.sh '?do=yes' /usr/bin/fetch -pPr http://example.org/file +# will execute: +# /usr/bin/fetch -pPr http://example.org/file?do=yes + +# The intention is to work around download splash screens on web servers. + +# (C) Copyright 2013 by Matthias Andree. +# Licensed under the 2-clause BSD license. + +if [ $# -lt 3 ] ; then + echo >&2 "Usage: $0 URLsuffix fetch-command [options] URL [post-options]" + exit 1 +fi + +patcharray() { + # based on Rich Felker's "Working with arrays", + # http://www.etalabs.net/sh_tricks.html + for i do + case "$i" in *tp://*) j=$suffix ;; *) j= ;; esac + printf %s%s\\n "$i" "$j" | sed -e "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" + done + echo " " +} + +suffix="$1" ; shift +args=$(patcharray "$@") +eval "set -- $args" + +set -x +exec "$@" diff -ruN /usr/ports/security/polarssl/pkg-plist ./pkg-plist --- /usr/ports/security/polarssl/pkg-plist 2012-11-26 20:49:22.000000000 +0100 +++ ./pkg-plist 2013-08-13 09:18:46.000000000 +0200 @@ -50,6 +50,8 @@ include/polarssl/pem.h include/polarssl/pbkdf2.h include/polarssl/pkcs11.h +include/polarssl/pkcs12.h +include/polarssl/pkcs5.h include/polarssl/rsa.h include/polarssl/sha1.h include/polarssl/sha2.h --- polarssl-1.2.8.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
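Review bot: in the first Makefile hunk the `$FreeBSD$` line changes only its path (`security/polarssl/Makefile` to `head/security/polarssl/Makefile`) while revision 317893 and the date stay the same; that is svn keyword expansion from the submitter's checkout, not an intended edit, so drop that `-`/`+` pair from the patch and let the keyword be rewritten on commit. The PORTVERSION bump from 1.2.7 to 1.2.8 is consistent with the distinfo hunk.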
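Review bot: the comment line `+# .include` in the second Makefile hunk is incomplete and does not say what it refers to; since the FETCH_CMD override lives after the `.include` at the end of the file, spell that out, e.g. `# bypass the HTML "now downloading..." splash page, see FETCH_CMD below`. Also, `FETCH_ARGS= -pRro ${DISTFILES}` passes the whole DISTFILES list as the single argument of `-o`, which only works because this port has exactly one distfile; a comment stating that assumption keeps a later addition of a second distfile or a `:group` suffix from breaking the fetch silently.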
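Review bot: `FETCH_CMD:=` after the `.include` in the third Makefile hunk expands `${FETCH_BINARY}` and `${FETCH_ARGS}` immediately, which is what lets the wrapper see the `-o ${DISTFILES}` setting above, but fetchwrapper.sh appends `${URL_SUFFIX}` to every `*tp://*` argument it is given, so every site URL the framework passes gets `?do=yes`, not only polarssl.org; a short comment that the suffix is harmless for other sites (or a check in the wrapper that restricts it to the upstream host) would make that explicit. The new files/fetchwrapper.sh must land in the same commit, since the port no longer fetches without it.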
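Review bot: `set -x` immediately before the `exec` in fetchwrapper.sh is leftover debugging; every fetch will echo the fully expanded command line to stderr, so drop it or gate it behind an environment variable. The header comment "discards and then executes the list" is missing its object; what the code does (`suffix="$1" ; shift`) is discard the suffix argument and execute the remaining list. The usage example shows `fetch -pPr` while the Makefile passes `-pRro ${DISTFILES}`; aligning the example with the real invocation avoids confusion. The patcharray quoting (single-quote escaping plus `1s/^/'/` and `$s/$/' \\/` with the trailing `echo " "` to close the continuation) correctly round-trips arguments containing quotes and newlines through `eval "set -- $args"`, but as the comment already notes the `*tp://*` match is simplistic and will also append the suffix to any non-URL argument that happens to contain that substring.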