svn commit: r329009 - in head/security: polarssl vuxml

Jase Thew jase at FreeBSD.org
Tue Oct 1 23:47:14 UTC 2013


Author: jase
Date: Tue Oct  1 23:47:13 2013
New Revision: 329009
URL: http://svnweb.freebsd.org/changeset/ports/329009

Log:
  - Update to 1.2.9
  - Add vuxml entry
  - Prevent install target from copying patch backup files
  
  Changes:	https://raw.github.com/polarssl/polarssl/60ad84f43f46b0d3673eaca8b9847d7e01b83c5e/ChangeLog
  Security:	ccefac3e-2aed-11e3-af10-000c29789cb5
  Security:	CVE-2013-5915

Modified:
  head/security/polarssl/Makefile
  head/security/polarssl/distinfo
  head/security/vuxml/vuln.xml

Modified: head/security/polarssl/Makefile
==============================================================================
--- head/security/polarssl/Makefile	Tue Oct  1 23:24:09 2013	(r329008)
+++ head/security/polarssl/Makefile	Tue Oct  1 23:47:13 2013	(r329009)
@@ -1,9 +1,8 @@
 # $FreeBSD$
 
 PORTNAME=	polarssl
-PORTVERSION=	1.2.8
+PORTVERSION=	1.2.9
 DISTVERSIONSUFFIX=	-gpl
-PORTREVISION=	1
 CATEGORIES=	security devel
 MASTER_SITES=	http://polarssl.org/download/
 EXTRACT_SUFX=	.tgz
@@ -32,7 +31,7 @@ BINFILES=	aescrypt2 benchmark dh_client 
 
 # cmake install is broken, so we do it by hand
 do-install:
-	@${TAR} -C ${WRKSRC}/include -cf - polarssl | ${TAR} -C ${STAGEDIR}${PREFIX}/include -xf -
+	@cd ${WRKSRC}/include && ${COPYTREE_SHARE} ${PORTNAME} ${STAGEDIR}${PREFIX}/include "! -name *.orig"
 	${INSTALL_DATA} ${WRKSRC}/library/libpolarssl.a ${STAGEDIR}${PREFIX}/lib/
 	${INSTALL_DATA} ${WRKSRC}/library/libpolarssl.so  ${STAGEDIR}${PREFIX}/lib/libpolarssl.so.0
 	cd ${STAGEDIR}${PREFIX}/lib/ && ${LN} -sf libpolarssl.so.0 libpolarssl.so
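Review bot: The `*.orig` pattern on the new `${COPYTREE_SHARE}` line may be open to pathname expansion, assuming the macro expands its third argument unquoted in a shell (its definition is not on this page). The command runs from `${WRKSRC}/include`, so a backup file left directly in that directory would make the glob expand to that one name, and backups under `${PORTNAME}/` would be staged again without any error. The leading `@` also hides the command from the build log, which makes such a regression harder to spot. I would drop the `@` and add a comment above the line such as `# skip patch(1) backup files (*.orig) so they are not installed with the headers`, then confirm that nothing matching `*.orig` lands under `${STAGEDIR}${PREFIX}/include`. The do-install target continues past the end of this hunk.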

Modified: head/security/polarssl/distinfo
==============================================================================
--- head/security/polarssl/distinfo	Tue Oct  1 23:24:09 2013	(r329008)
+++ head/security/polarssl/distinfo	Tue Oct  1 23:47:13 2013	(r329009)
@@ -1,2 +1,2 @@
-SHA256 (polarssl-1.2.8-gpl.tgz) = 23cf931e322ab397d26c89b7e805cf2229df46c5196f4f67ebfc0e285848637b
-SIZE (polarssl-1.2.8-gpl.tgz) = 998609
+SHA256 (polarssl-1.2.9-gpl.tgz) = d125a6e7eb6eb3e5110035df1469099c5463837b1ef734e60771095dafc0ef56
+SIZE (polarssl-1.2.9-gpl.tgz) = 999668

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Tue Oct  1 23:24:09 2013	(r329008)
+++ head/security/vuxml/vuln.xml	Tue Oct  1 23:47:13 2013	(r329009)
@@ -51,6 +51,46 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="ccefac3e-2aed-11e3-af10-000c29789cb5">
+    <topic>polarssl -- Timing attack against protected RSA-CRT implementation</topic>
+    <affects>
+      <package>
+	<name>polarssl</name>
+	<range><lt>1.2.9</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>PolarSSL Project reports:</p>
+	<blockquote cite="https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-05">
+	  <p>The researchers Cyril Arnaud and Pierre-Alain Fouque
+	    investigated the PolarSSL RSA implementation and discovered
+	    a bias in the implementation of the Montgomery multiplication
+	    that we used. For which they then show that it can be used to
+	    mount an attack on the RSA key. Although their test attack is
+	    done on a local system, there seems to be enough indication
+	    that this can properly be performed from a remote system as
+	    well.</p>
+	  <p>All versions prior to PolarSSL 1.2.9 and 1.3.0 are affected
+	    if a third party can send arbitrary handshake messages to your
+	    server.</p>
+	  <p>If correctly executed, this attack reveals the entire private
+	    RSA key after a large number of attack messages (> 600.000 on
+	    a local machine) are sent to show the timing differences.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2013-5915</cvename>
+      <url>https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-05</url>
+      <url>https://polarssl.org/tech-updates/releases/polarssl-1.2.9-released</url>
+    </references>
+    <dates>
+      <discovery>2013-10-01</discovery>
+      <entry>2013-10-02</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="e5414d0c-2ade-11e3-821d-00262d5ed8ee">
     <topic>chromium -- multiple vulnerabilities</topic>
     <affects>
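Review bot: The quoted advisory text in the new entry carries a raw `>` in `(> 600.000 on a local machine)`. That is well-formed XML, but writing it as `(&gt; 600.000` keeps the entry safe for stricter tooling that processes vuln.xml. Separately, the advisory names both 1.2.9 and 1.3.0 as fixed releases while the range is only `<range><lt>1.2.9</lt></range>`. That is correct as long as no 1.3.0 pre-release was ever packaged under this name, which may be worth confirming.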

