svn commit: r336905 - in branches/2014Q1: ftp/curl ftp/curl/files security/vuxml

Baptiste Daroussin bapt at FreeBSD.org
Thu Dec 19 13:48:57 UTC 2013


Author: bapt
Date: Thu Dec 19 13:48:55 2013
New Revision: 336905
URL: http://svnweb.freebsd.org/changeset/ports/336905

Log:
  MFH: r336860
  
  Apply vendor fix for CVE-2013-6422, cURL libcurl cert name check ignore
  with GnuTLS.  Document the vulnerability fix in vuxml while I'm here.

Added:
  branches/2014Q1/ftp/curl/files/patch-CVE-2013-6422
     - copied unchanged from r336860, head/ftp/curl/files/patch-CVE-2013-6422
Modified:
  branches/2014Q1/ftp/curl/Makefile
  branches/2014Q1/security/vuxml/vuln.xml
Directory Properties:
  branches/2014Q1/   (props changed)

Modified: branches/2014Q1/ftp/curl/Makefile
==============================================================================
--- branches/2014Q1/ftp/curl/Makefile	Thu Dec 19 13:45:58 2013	(r336904)
+++ branches/2014Q1/ftp/curl/Makefile	Thu Dec 19 13:48:55 2013	(r336905)
@@ -3,7 +3,7 @@
 
 PORTNAME=	curl
 PORTVERSION=	7.33.0
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	ftp www
 MASTER_SITES=	http://curl.haxx.se/download/ \
 		LOCAL/sunpoet
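Review bot: the PORTREVISION bump from 1 to 2 is required for a files/-only change like this, and it is the value the `<lt>7.33.0_2</lt>` bound in the vuln.xml hunk of this same commit depends on; keep the two in step, since a package built from the bumped Makefile without the patch would be reported as fixed by pkg audit.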

Copied: branches/2014Q1/ftp/curl/files/patch-CVE-2013-6422 (from r336860, head/ftp/curl/files/patch-CVE-2013-6422)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2014Q1/ftp/curl/files/patch-CVE-2013-6422	Thu Dec 19 13:48:55 2013	(r336905, copy of r336860, head/ftp/curl/files/patch-CVE-2013-6422)
@@ -0,0 +1,32 @@
+--- ./lib/gtls.c.orig	2013-10-12 15:05:06.000000000 -0700
++++ ./lib/gtls.c	2013-12-18 15:00:22.000000000 -0800
+@@ -5,7 +5,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel at haxx.se>, et al.
++ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel at haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -633,10 +633,8 @@
+     else
+       infof(data, "\t server certificate verification OK\n");
+   }
+-  else {
++  else
+     infof(data, "\t server certificate verification SKIPPED\n");
+-    goto after_server_cert_verification;
+-  }
+ 
+   /* initialize an X.509 certificate structure. */
+   gnutls_x509_crt_init(&x509_cert);
+@@ -766,8 +764,6 @@
+ 
+   gnutls_x509_crt_deinit(x509_cert);
+ 
+-after_server_cert_verification:
+-
+   /* compression algorithm (if any) */
+   ptr = gnutls_compression_get_name(gnutls_compression_get(session));
+   /* the *_get_name() says "NULL" if GNUTLS_COMP_NULL is returned */
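Review bot: the substantive part of this vendor patch is the removal of `goto after_server_cert_verification;` together with its label, so the `gnutls_x509_crt_init(&x509_cert)` setup and the name-check code that follows the verification block now run even when CURLOPT_SSL_VERIFYPEER is disabled; with the `goto` gone the `else` guards a single `infof(...)` call, so dropping the braces is behaviour-neutral, and the first sub-hunk only updates the copyright year. One thing worth confirming when importing the patch unchanged: the certificate parsing that now runs unconditionally must not rely on state that was only set up inside the verification branch, which this hunk does not show.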

Modified: branches/2014Q1/security/vuxml/vuln.xml
==============================================================================
--- branches/2014Q1/security/vuxml/vuln.xml	Thu Dec 19 13:45:58 2013	(r336904)
+++ branches/2014Q1/security/vuxml/vuln.xml	Thu Dec 19 13:48:55 2013	(r336905)
@@ -51,6 +51,49 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="4e1f4abc-6837-11e3-9cda-3c970e169bc2">
+    <topic>cURL library -- cert name check ignore with GnuTLS</topic>
+    <affects>
+      <package>
+	<name>curl</name>
+	<range><ge>7.21.4</ge><lt>7.33.0_2</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>cURL project reports:</p>
+	<blockquote cite="http://curl.haxx.se/docs/adv_20131217.html">
+	  <p>libcurl is vulnerable to a case of missing out the checking
+	    of the certificate CN or SAN name field when the digital
+	    signature verification is turned off.</p>
+	  <p>libcurl offers two separate and independent options for
+	    verifying a server's TLS certificate. CURLOPT_SSL_VERIFYPEER
+	    and CURLOPT_SSL_VERIFYHOST. The first one tells libcurl to
+	    verify the trust chain using a CA cert bundle, while the
+	    second tells libcurl to make sure that the name fields in
+	    the server certificate meets the criteria. Both options are
+	    enabled by default.</p>
+	  <p>This flaw had the effect that when an application disabled
+	    CURLOPT_SSL_VERIFYPEER, libcurl mistakenly also skipped the
+	    CURLOPT_SSL_VERIFYHOST check. Applications can disable
+	    CURLOPT_SSL_VERIFYPEER and still achieve security by doing
+	    the check on its own using other means.</p>
+	  <p>The curl command line tool is not affected by this problem
+	    as it either enables both options or disables both at the
+	    same time.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>http://curl.haxx.se/docs/adv_20131217.html</url>
+      <cvename>CVE-2013-6422</cvename>
+    </references>
+    <dates>
+      <discovery>2013-12-17</discovery>
+      <entry>2013-12-18</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="2e5715f8-67f7-11e3-9811-b499baab0cbe">
     <topic>gnupg -- RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis attack</topic>
     <affects>
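Review bot: the `<range>` bound `<lt>7.33.0_2</lt>` matches the PORTREVISION=2 bump in the Makefile hunk above, so pkg audit stops flagging the port exactly when the patched package is built. The `<entry>` date 2013-12-18 predates this 2013-12-19 MFH commit, which is consistent with the entry having been added in r336860 on head; no `<modified>` element is needed since the text is carried over unchanged.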

