summaryrefslogtreecommitdiff
path: root/core
diff options
context:
space:
mode:
Diffstat (limited to 'core')
-rw-r--r--core/bash/PKGBUILD8
-rw-r--r--core/cronie/PKGBUILD3
-rw-r--r--core/libcap/PKGBUILD6
-rw-r--r--core/openssh/PKGBUILD8
-rw-r--r--core/wget/PKGBUILD27
-rw-r--r--core/wget/wget-1.12-subjectAltName.patch216
6 files changed, 250 insertions, 18 deletions
diff --git a/core/bash/PKGBUILD b/core/bash/PKGBUILD
index b02b49641..c8d6c0c36 100644
--- a/core/bash/PKGBUILD
+++ b/core/bash/PKGBUILD
@@ -1,10 +1,10 @@
-# $Id: PKGBUILD 114694 2011-03-15 13:55:01Z allan $
+# $Id: PKGBUILD 123077 2011-05-08 02:14:26Z allan $
# Maintainer: Aaron Griffin <aaron@archlinux.org>
# Maintainer: Allan McRae <allan@archlinux.org>
pkgname=bash
_basever=4.2
-_patchlevel=008 #prepare for some patches
+_patchlevel=010 #prepare for some patches
pkgver=$_basever.$_patchlevel
pkgrel=1
pkgdesc="The GNU Bourne Again shell"
@@ -82,4 +82,6 @@ md5sums=('3fb927c7c33022f1c327f14a81c0d4b0'
'e70e45de33426b38153b390be0dbbcd4'
'ce4e5c484993705b27daa151eca242c2'
'88d1f96db29461767602e2546803bda7'
- '24c574bf6d6a581e300823d9c1276af6')
+ '24c574bf6d6a581e300823d9c1276af6'
+ '4c5835f2fbab36c4292bb334977e5b6d'
+ '0a51602b535ef661ee707be6c8bdb373')
diff --git a/core/cronie/PKGBUILD b/core/cronie/PKGBUILD
index 15d70051a..428c837e3 100644
--- a/core/cronie/PKGBUILD
+++ b/core/cronie/PKGBUILD
@@ -3,12 +3,13 @@
pkgname='cronie'
pkgver=1.4.7
-pkgrel=7
+pkgrel=8
pkgdesc='Daemon that runs specified programs at scheduled times and related tools'
url='https://fedorahosted.org/cronie/'
license=('custom:BSD')
arch=('i686' 'x86_64')
depends=('pam' 'bash' 'run-parts')
+optdepends=('smtp-server: sending cron job output via email')
source=("https://fedorahosted.org/releases/c/r/${pkgname}/${pkgname}-${pkgver}.tar.gz"
'cron.deny'
diff --git a/core/libcap/PKGBUILD b/core/libcap/PKGBUILD
index 4a30e4009..2d91dbbf9 100644
--- a/core/libcap/PKGBUILD
+++ b/core/libcap/PKGBUILD
@@ -1,9 +1,9 @@
-#$Id: PKGBUILD 107283 2011-01-23 06:26:22Z allan $
+#$Id: PKGBUILD 122049 2011-05-02 01:47:02Z allan $
# Maintainer: Allan McRae <allan@archlinux.org>
# Contributor: Hugo Doria <hugo@archlinux.org>
pkgname=libcap
-pkgver=2.20
+pkgver=2.21
pkgrel=1
pkgdesc="POSIX 1003.1e capabilities"
arch=('i686' 'x86_64')
@@ -11,7 +11,7 @@ url="http://www.kernel.org/pub/linux/libs/security/linux-privs/"
license=('GPL')
depends=('glibc' 'attr')
source=(http://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/${pkgname}-${pkgver}.tar.gz)
-md5sums=('8ce6905851ffdde287d00d8269775ade')
+md5sums=('61966ef40f2dee8731b69db895e4548d')
build() {
cd ${srcdir}/${pkgname}-${pkgver}
diff --git a/core/openssh/PKGBUILD b/core/openssh/PKGBUILD
index 68fb3d417..756c5cd60 100644
--- a/core/openssh/PKGBUILD
+++ b/core/openssh/PKGBUILD
@@ -1,22 +1,22 @@
-# $Id: PKGBUILD 122202 2011-05-03 02:17:44Z bisson $
+# $Id: PKGBUILD 123287 2011-05-09 17:39:25Z bisson $
# Maintainer: Gaetan Bisson <bisson@archlinux.org>
# Contributor: Aaron Griffin <aaron@archlinux.org>
# Contributor: judd <jvinet@zeroflux.org>
pkgname=openssh
pkgver=5.8p2
-pkgrel=1
+pkgrel=5
pkgdesc='Free version of the SSH connectivity tools'
arch=('i686' 'x86_64')
license=('custom:BSD')
url='http://www.openssh.org/portable.html'
backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd' 'etc/conf.d/sshd')
-depends=('tcp_wrappers' 'heimdal' 'libedit')
+depends=('tcp_wrappers' 'heimdal' 'openssl' 'libedit')
source=("ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${pkgver}.tar.gz"
'sshd.confd'
'sshd.pam'
'sshd')
-sha1sums=('e610270e0c5484fb291cd81bbcbefbeb5e391a62'
+sha1sums=('64798328d310e4f06c9f01228107520adbc8b3e5'
'ec102deb69cad7d14f406289d2fc11fee6eddbdd'
'660092c57bde28bed82078f74011f95fc51c2293'
'6b7f8ebf0c1cc37137a7d9a53447ac8a0ee6a2b5')
diff --git a/core/wget/PKGBUILD b/core/wget/PKGBUILD
index ca9407c22..6712f4491 100644
--- a/core/wget/PKGBUILD
+++ b/core/wget/PKGBUILD
@@ -1,10 +1,10 @@
-# $Id: PKGBUILD 110655 2011-02-21 09:03:23Z allan $
+# $Id: PKGBUILD 122950 2011-05-07 12:59:07Z allan $
# Maintainer: Allan McRae <allan@archlinux.org>
# Contributor: Judd Vinet <jvinet@zeroflux.org>
pkgname=wget
pkgver=1.12
-pkgrel=5
+pkgrel=7
pkgdesc="A network utility to retrieve files from the Web"
arch=('i686' 'x86_64')
url="http://www.gnu.org/software/wget/wget.html"
@@ -15,15 +15,25 @@ optdepends=('ca-certificates: HTTPS downloads')
backup=('etc/wgetrc')
install=wget.install
source=(ftp://ftp.gnu.org/gnu/${pkgname}/${pkgname}-${pkgver}.tar.gz
- wget-1.12-CVE-2010-2252.patch)
+ wget-1.12-CVE-2010-2252.patch
+ wget-1.12-subjectAltName.patch)
md5sums=('141461b9c04e454dc8933c9d1f2abf83'
- '2c8bc23eff98fd4efc3f96394fc8e61e')
+ '2c8bc23eff98fd4efc3f96394fc8e61e'
+ 'bd589403b7bb4967a6f41b0f43b1c8aa')
build() {
cd "${srcdir}/${pkgname}-${pkgver}"
-
+
# Fix arbitrary file overwrite via 3xx redirect (CVE-2010-2252)
- patch -Np1 -i ../wget-1.12-CVE-2010-2252.patch
+ patch -Np1 -i $srcdir/wget-1.12-CVE-2010-2252.patch
+
+ # https://savannah.gnu.org/bugs/index.php?20421
+ patch -Np0 -i $srcdir/wget-1.12-subjectAltName.patch
+
+ # Note : We do not build with --enable-nls, because there is a bug in wget causing
+ # international domain names to be not properly converted to punycode if
+ # the current locale is a UTF-8 one
+ # See : http://lists.gnu.org/archive/html/bug-wget/2011-02/msg00026.html
./configure -with-ssl --prefix=/usr --sysconfdir=/etc
make
@@ -32,11 +42,14 @@ build() {
package() {
cd "${srcdir}/${pkgname}-${pkgver}"
make DESTDIR="${pkgdir}" install
-
+
cat >> "$pkgdir/etc/wgetrc" <<EOF
# default root certs location
ca_certificate=/etc/ssl/certs/ca-certificates.crt
EOF
+ # remove IRI option from wgetrc as it does not work (see above)
+ sed -i '118,120d' $pkgdir/etc/wgetrc
+
}
diff --git a/core/wget/wget-1.12-subjectAltName.patch b/core/wget/wget-1.12-subjectAltName.patch
new file mode 100644
index 000000000..20f08d216
--- /dev/null
+++ b/core/wget/wget-1.12-subjectAltName.patch
@@ -0,0 +1,216 @@
+=== modified file 'src/openssl.c'
+--- src/openssl.c 2009-09-22 16:16:43 +0000
++++ src/openssl.c 2009-10-24 23:06:44 +0000
+@@ -39,7 +39,7 @@
+ #include <string.h>
+
+ #include <openssl/ssl.h>
+-#include <openssl/x509.h>
++#include <openssl/x509v3.h>
+ #include <openssl/err.h>
+ #include <openssl/rand.h>
+
+@@ -486,9 +486,11 @@
+ ssl_check_certificate (int fd, const char *host)
+ {
+ X509 *cert;
++ GENERAL_NAMES *subjectAltNames;
+ char common_name[256];
+ long vresult;
+ bool success = true;
++ bool alt_name_checked = false;
+
+ /* If the user has specified --no-check-cert, we still want to warn
+ him about problems with the server's certificate. */
+@@ -536,7 +538,8 @@
+ break;
+ case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+ case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+- logprintf (LOG_NOTQUIET, _(" Self-signed certificate encountered.\n"));
++ logprintf (LOG_NOTQUIET,
++ _(" Self-signed certificate encountered.\n"));
+ break;
+ case X509_V_ERR_CERT_NOT_YET_VALID:
+ logprintf (LOG_NOTQUIET, _(" Issued certificate not yet valid.\n"));
+@@ -558,10 +561,6 @@
+ /* Check that HOST matches the common name in the certificate.
+ #### The following remains to be done:
+
+- - It should use dNSName/ipAddress subjectAltName extensions if
+- available; according to rfc2818: "If a subjectAltName extension
+- of type dNSName is present, that MUST be used as the identity."
+-
+ - When matching against common names, it should loop over all
+ common names and choose the most specific one, i.e. the last
+ one, not the first one, which the current code picks.
+@@ -569,50 +568,123 @@
+ - Ensure that ASN1 strings from the certificate are encoded as
+ UTF-8 which can be meaningfully compared to HOST. */
+
+- X509_NAME *xname = X509_get_subject_name(cert);
+- common_name[0] = '\0';
+- X509_NAME_get_text_by_NID (xname, NID_commonName, common_name,
+- sizeof (common_name));
++ subjectAltNames = X509_get_ext_d2i (cert, NID_subject_alt_name, NULL, NULL);
+
+- if (!pattern_match (common_name, host))
++ if (subjectAltNames)
+ {
+- logprintf (LOG_NOTQUIET, _("\
+-%s: certificate common name %s doesn't match requested host name %s.\n"),
+- severity, quote_n (0, common_name), quote_n (1, host));
+- success = false;
++ /* Test subject alternative names */
++
++ /* Do we want to check for dNSNAmes or ipAddresses (see RFC 2818)?
++ * Signal it by host_in_octet_string. */
++ ASN1_OCTET_STRING *host_in_octet_string = NULL;
++ host_in_octet_string = a2i_IPADDRESS (host);
++
++ int numaltnames = sk_GENERAL_NAME_num (subjectAltNames);
++ int i;
++ for (i=0; i < numaltnames; i++)
++ {
++ const GENERAL_NAME *name =
++ sk_GENERAL_NAME_value (subjectAltNames, i);
++ if (name)
++ {
++ if (host_in_octet_string)
++ {
++ if (name->type == GEN_IPADD)
++ {
++ /* Check for ipAddress */
++ /* TODO: Should we convert between IPv4-mapped IPv6
++ * addresses and IPv4 addresses? */
++ alt_name_checked = true;
++ if (!ASN1_STRING_cmp (host_in_octet_string,
++ name->d.iPAddress))
++ break;
++ }
++ }
++ else if (name->type == GEN_DNS)
++ {
++ /* Check for dNSName */
++ alt_name_checked = true;
++ /* dNSName should be IA5String (i.e. ASCII), however who
++ * does trust CA? Convert it into UTF-8 for sure. */
++ unsigned char *name_in_utf8 = NULL;
++ if (0 <= ASN1_STRING_to_UTF8 (&name_in_utf8, name->d.dNSName))
++ {
++ /* Compare and check for NULL attack in ASN1_STRING */
++ if (pattern_match ((char *)name_in_utf8, host) &&
++ (strlen ((char *)name_in_utf8) ==
++ ASN1_STRING_length (name->d.dNSName)))
++ {
++ OPENSSL_free (name_in_utf8);
++ break;
++ }
++ OPENSSL_free (name_in_utf8);
++ }
++ }
++ }
++ }
++ sk_GENERAL_NAME_free (subjectAltNames);
++ if (host_in_octet_string)
++ ASN1_OCTET_STRING_free(host_in_octet_string);
++
++ if (alt_name_checked == true && i >= numaltnames)
++ {
++ logprintf (LOG_NOTQUIET,
++ _("%s: no certificate subject alternative name matches\n"
++ "\trequested host name %s.\n"),
++ severity, quote_n (1, host));
++ success = false;
++ }
+ }
+- else
++
++ if (alt_name_checked == false)
+ {
+- /* We now determine the length of the ASN1 string. If it differs from
+- * common_name's length, then there is a \0 before the string terminates.
+- * This can be an instance of a null-prefix attack.
+- *
+- * https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike
+- * */
+-
+- int i = -1, j;
+- X509_NAME_ENTRY *xentry;
+- ASN1_STRING *sdata;
+-
+- if (xname) {
+- for (;;)
+- {
+- j = X509_NAME_get_index_by_NID (xname, NID_commonName, i);
+- if (j == -1) break;
+- i = j;
++ /* Test commomName */
++ X509_NAME *xname = X509_get_subject_name(cert);
++ common_name[0] = '\0';
++ X509_NAME_get_text_by_NID (xname, NID_commonName, common_name,
++ sizeof (common_name));
++
++ if (!pattern_match (common_name, host))
++ {
++ logprintf (LOG_NOTQUIET, _("\
++ %s: certificate common name %s doesn't match requested host name %s.\n"),
++ severity, quote_n (0, common_name), quote_n (1, host));
++ success = false;
++ }
++ else
++ {
++ /* We now determine the length of the ASN1 string. If it
++ * differs from common_name's length, then there is a \0
++ * before the string terminates. This can be an instance of a
++ * null-prefix attack.
++ *
++ * https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike
++ * */
++
++ int i = -1, j;
++ X509_NAME_ENTRY *xentry;
++ ASN1_STRING *sdata;
++
++ if (xname) {
++ for (;;)
++ {
++ j = X509_NAME_get_index_by_NID (xname, NID_commonName, i);
++ if (j == -1) break;
++ i = j;
++ }
+ }
+- }
+
+- xentry = X509_NAME_get_entry(xname,i);
+- sdata = X509_NAME_ENTRY_get_data(xentry);
+- if (strlen (common_name) != ASN1_STRING_length (sdata))
+- {
+- logprintf (LOG_NOTQUIET, _("\
+-%s: certificate common name is invalid (contains a NUL character).\n\
+-This may be an indication that the host is not who it claims to be\n\
+-(that is, it is not the real %s).\n"),
+- severity, quote (host));
+- success = false;
++ xentry = X509_NAME_get_entry(xname,i);
++ sdata = X509_NAME_ENTRY_get_data(xentry);
++ if (strlen (common_name) != ASN1_STRING_length (sdata))
++ {
++ logprintf (LOG_NOTQUIET, _("\
++ %s: certificate common name is invalid (contains a NUL character).\n\
++ This may be an indication that the host is not who it claims to be\n\
++ (that is, it is not the real %s).\n"),
++ severity, quote (host));
++ success = false;
++ }
+ }
+ }
+
+@@ -631,3 +703,7 @@
+ /* Allow --no-check-cert to disable certificate checking. */
+ return opt.check_cert ? success : true;
+ }
++
++/*
++ * vim: tabstop=2 shiftwidth=2 softtabstop=2
++ */
+