head	1.1;
access;
symbols
	pkgsrc-2013Q4:1.1.0.2;
locks; strict;
comment	@# @;


1.1
date	2014.02.20.12.31.26;	author tron;	state dead;
branches
	1.1.2.1;
next	;
commitid	m61fYLaZfEUNXPpx;

1.1.2.1
date	2014.02.20.12.31.26;	author tron;	state Exp;
branches;
next	;
commitid	m61fYLaZfEUNXPpx;


desc
@@


1.1
log
@file patch-CVE-2014-1959 was initially added on branch pkgsrc-2013Q4.
@
text
@@


1.1.2.1
log
@Pullup ticket #4331 - requested by drochner
security/gnutls: security patch

Apply patch to fix security vulnerability reported in CVE-2014-1959.
@
text
@a0 26
$NetBSD$

https://www.gitorious.org/gnutls/gnutls/commit/b1abfe3d182d68539900092eb42fc62cf1bb7e7c

--- lib/x509/verify.c.orig	2013-11-10 17:59:14.000000000 +0000
+++ lib/x509/verify.c
@@@@ -167,6 +167,7 @@@@ check_if_ca(gnutls_x509_crt_t cert, gnut
 		result = 1;
 		goto cleanup;
 	}
+
 	/* Handle V1 CAs that do not have a basicConstraint, but accept
 	   these certs only if the appropriate flags are set. */
 	else if ((result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) &&
@@@@ -666,8 +667,10 @@@@ _gnutls_x509_verify_certificate(const gn
 		/* note that here we disable this V1 CA flag. So that no version 1
 		 * certificates can exist in a supplied chain.
 		 */
-		if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
+		if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) {
 			flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
+			flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
+		}
 		if ((ret =
 		     _gnutls_verify_certificate2(certificate_list[i - 1],
 						 &certificate_list[i], 1,
@