Diffstat (limited to 'core')
-rw-r--r-- | core/bash/PKGBUILD | 8 | ||||
-rw-r--r-- | core/cronie/PKGBUILD | 3 | ||||
-rw-r--r-- | core/libcap/PKGBUILD | 6 | ||||
-rw-r--r-- | core/openssh/PKGBUILD | 8 | ||||
-rw-r--r-- | core/wget/PKGBUILD | 27 | ||||
-rw-r--r-- | core/wget/wget-1.12-subjectAltName.patch | 216 |
6 files changed, 250 insertions, 18 deletions
diff --git a/core/bash/PKGBUILD b/core/bash/PKGBUILD index b02b49641..c8d6c0c36 100644 --- a/core/bash/PKGBUILD +++ b/core/bash/PKGBUILD @@ -1,10 +1,10 @@ -# $Id: PKGBUILD 114694 2011-03-15 13:55:01Z allan $ +# $Id: PKGBUILD 123077 2011-05-08 02:14:26Z allan $ # Maintainer: Aaron Griffin <aaron@archlinux.org> # Maintainer: Allan McRae <allan@archlinux.org> pkgname=bash _basever=4.2 -_patchlevel=008 #prepare for some patches +_patchlevel=010 #prepare for some patches pkgver=$_basever.$_patchlevel pkgrel=1 pkgdesc="The GNU Bourne Again shell" @@ -82,4 +82,6 @@ md5sums=('3fb927c7c33022f1c327f14a81c0d4b0' 'e70e45de33426b38153b390be0dbbcd4' 'ce4e5c484993705b27daa151eca242c2' '88d1f96db29461767602e2546803bda7' - '24c574bf6d6a581e300823d9c1276af6') + '24c574bf6d6a581e300823d9c1276af6' + '4c5835f2fbab36c4292bb334977e5b6d' + '0a51602b535ef661ee707be6c8bdb373') diff --git a/core/cronie/PKGBUILD b/core/cronie/PKGBUILD index 15d70051a..428c837e3 100644 --- a/core/cronie/PKGBUILD +++ b/core/cronie/PKGBUILD @@ -3,12 +3,13 @@ pkgname='cronie' pkgver=1.4.7 -pkgrel=7 +pkgrel=8 pkgdesc='Daemon that runs specified programs at scheduled times and related tools' url='https://fedorahosted.org/cronie/' license=('custom:BSD') arch=('i686' 'x86_64') depends=('pam' 'bash' 'run-parts') +optdepends=('smtp-server: sending cron job output via email') source=("https://fedorahosted.org/releases/c/r/${pkgname}/${pkgname}-${pkgver}.tar.gz" 'cron.deny' diff --git a/core/libcap/PKGBUILD b/core/libcap/PKGBUILD index 4a30e4009..2d91dbbf9 100644 --- a/core/libcap/PKGBUILD +++ b/core/libcap/PKGBUILD @@ -1,9 +1,9 @@ -#$Id: PKGBUILD 107283 2011-01-23 06:26:22Z allan $ +#$Id: PKGBUILD 122049 2011-05-02 01:47:02Z allan $ # Maintainer: Allan McRae <allan@archlinux.org> # Contributor: Hugo Doria <hugo@archlinux.org> pkgname=libcap -pkgver=2.20 +pkgver=2.21 pkgrel=1 pkgdesc="POSIX 1003.1e capabilities" arch=('i686' 'x86_64') 
@@ -11,7 +11,7 @@ url="http://www.kernel.org/pub/linux/libs/security/linux-privs/" license=('GPL') depends=('glibc' 'attr') source=(http://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/${pkgname}-${pkgver}.tar.gz) -md5sums=('8ce6905851ffdde287d00d8269775ade') +md5sums=('61966ef40f2dee8731b69db895e4548d') build() { cd ${srcdir}/${pkgname}-${pkgver} diff --git a/core/openssh/PKGBUILD b/core/openssh/PKGBUILD index 68fb3d417..756c5cd60 100644 --- a/core/openssh/PKGBUILD +++ b/core/openssh/PKGBUILD @@ -1,22 +1,22 @@ -# $Id: PKGBUILD 122202 2011-05-03 02:17:44Z bisson $ +# $Id: PKGBUILD 123287 2011-05-09 17:39:25Z bisson $ # Maintainer: Gaetan Bisson <bisson@archlinux.org> # Contributor: Aaron Griffin <aaron@archlinux.org> # Contributor: judd <jvinet@zeroflux.org> pkgname=openssh pkgver=5.8p2 -pkgrel=1 +pkgrel=5 pkgdesc='Free version of the SSH connectivity tools' arch=('i686' 'x86_64') license=('custom:BSD') url='http://www.openssh.org/portable.html' backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd' 'etc/conf.d/sshd') -depends=('tcp_wrappers' 'heimdal' 'libedit') +depends=('tcp_wrappers' 'heimdal' 'openssl' 'libedit') source=("ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${pkgver}.tar.gz" 'sshd.confd' 'sshd.pam' 'sshd') -sha1sums=('e610270e0c5484fb291cd81bbcbefbeb5e391a62' +sha1sums=('64798328d310e4f06c9f01228107520adbc8b3e5' 'ec102deb69cad7d14f406289d2fc11fee6eddbdd' '660092c57bde28bed82078f74011f95fc51c2293' '6b7f8ebf0c1cc37137a7d9a53447ac8a0ee6a2b5') diff --git a/core/wget/PKGBUILD b/core/wget/PKGBUILD index ca9407c22..6712f4491 100644 --- a/core/wget/PKGBUILD +++ b/core/wget/PKGBUILD 
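Review bot: In the openssh hunk the first `sha1sums` entry changes while `pkgver` stays at 5.8p2, so the tarball at the same URL now hashes differently and nothing in the file says why. The source is fetched over plain `ftp://`, which makes this checksum the only integrity check the build performs. The new value should be confirmed against the upstream-signed release before it is accepted, and the reason recorded next to it, e.g. `# 5.8p2 tarball checksum changed; verified against the upstream signature`.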
@@ -1,10 +1,10 @@ -# $Id: PKGBUILD 110655 2011-02-21 09:03:23Z allan $ +# $Id: PKGBUILD 122950 2011-05-07 12:59:07Z allan $ # Maintainer: Allan McRae <allan@archlinux.org> # Contributor: Judd Vinet <jvinet@zeroflux.org> pkgname=wget pkgver=1.12 -pkgrel=5 +pkgrel=7 pkgdesc="A network utility to retrieve files from the Web" arch=('i686' 'x86_64') url="http://www.gnu.org/software/wget/wget.html" @@ -15,15 +15,25 @@ optdepends=('ca-certificates: HTTPS downloads') backup=('etc/wgetrc') install=wget.install source=(ftp://ftp.gnu.org/gnu/${pkgname}/${pkgname}-${pkgver}.tar.gz - wget-1.12-CVE-2010-2252.patch) + wget-1.12-CVE-2010-2252.patch + wget-1.12-subjectAltName.patch) md5sums=('141461b9c04e454dc8933c9d1f2abf83' - '2c8bc23eff98fd4efc3f96394fc8e61e') + '2c8bc23eff98fd4efc3f96394fc8e61e' + 'bd589403b7bb4967a6f41b0f43b1c8aa') build() { cd "${srcdir}/${pkgname}-${pkgver}" - + # Fix arbitrary file overwrite via 3xx redirect (CVE-2010-2252) - patch -Np1 -i ../wget-1.12-CVE-2010-2252.patch + patch -Np1 -i $srcdir/wget-1.12-CVE-2010-2252.patch + + # https://savannah.gnu.org/bugs/index.php?20421 + patch -Np0 -i $srcdir/wget-1.12-subjectAltName.patch + + # Note : We do not build with --enable-nls, because there is a bug in wget causing + # international domain names to be not properly converted to punycode if + # the current locale is a UTF-8 one + # See : http://lists.gnu.org/archive/html/bug-wget/2011-02/msg00026.html ./configure -with-ssl --prefix=/usr --sysconfdir=/etc make @@ -32,11 +42,14 @@ build() { package() { cd "${srcdir}/${pkgname}-${pkgver}" make DESTDIR="${pkgdir}" install - + cat >> "$pkgdir/etc/wgetrc" <<EOF # default root certs location ca_certificate=/etc/ssl/certs/ca-certificates.crt EOF + # remove IRI option from wgetrc as it does not work (see above) + sed -i '118,120d' $pkgdir/etc/wgetrc + } diff --git a/core/wget/wget-1.12-subjectAltName.patch b/core/wget/wget-1.12-subjectAltName.patch new file mode 100644 index 000000000..20f08d216 --- /dev/null 
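Review bot: The comment added in build() says the package is not built with `--enable-nls`, but the `./configure` line below it passes no NLS or IRI switch at all, so the outcome depends on configure's defaults and on what is installed in the build environment. If the intent is to keep the broken conversion path out of the binary, put the switch on the command line (check the exact name against `./configure --help` for 1.12) and name it in the comment. The two new `patch` calls also use an unquoted `$srcdir`, unlike the `"${srcdir}/..."` form two lines earlier; `patch -Np0 -i "${srcdir}/wget-1.12-subjectAltName.patch"` keeps them consistent. build() ends outside this hunk.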
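Review bot: In package(), `sed -i '118,120d'` deletes by absolute line number, so if upstream's sample wgetrc shifts by even one line in a later release it will silently remove three unrelated lines and leave the IRI option in place. Deleting by content makes the edit fail visibly instead of corrupting the shipped config, e.g. `sed -i '/<pattern matching the IRI option lines>/d' "${pkgdir}/etc/wgetrc"`. The path should be quoted like the `"$pkgdir/etc/wgetrc"` in the `cat >>` line just above.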
+++ b/core/wget/wget-1.12-subjectAltName.patch 
@@ -0,0 +1,216 @@ +=== modified file 'src/openssl.c' +--- src/openssl.c 2009-09-22 16:16:43 +0000 ++++ src/openssl.c 2009-10-24 23:06:44 +0000 +@@ -39,7 +39,7 @@ + #include <string.h> + + #include <openssl/ssl.h> +-#include <openssl/x509.h> ++#include <openssl/x509v3.h> + #include <openssl/err.h> + #include <openssl/rand.h> + +@@ -486,9 +486,11 @@ + ssl_check_certificate (int fd, const char *host) + { + X509 *cert; ++ GENERAL_NAMES *subjectAltNames; + char common_name[256]; + long vresult; + bool success = true; ++ bool alt_name_checked = false; + + /* If the user has specified --no-check-cert, we still want to warn + him about problems with the server's certificate. */ +@@ -536,7 +538,8 @@ + break; + case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: + case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: +- logprintf (LOG_NOTQUIET, _(" Self-signed certificate encountered.\n")); ++ logprintf (LOG_NOTQUIET, ++ _(" Self-signed certificate encountered.\n")); + break; + case X509_V_ERR_CERT_NOT_YET_VALID: + logprintf (LOG_NOTQUIET, _(" Issued certificate not yet valid.\n")); +@@ -558,10 +561,6 @@ + /* Check that HOST matches the common name in the certificate. + #### The following remains to be done: + +- - It should use dNSName/ipAddress subjectAltName extensions if +- available; according to rfc2818: "If a subjectAltName extension +- of type dNSName is present, that MUST be used as the identity." +- + - When matching against common names, it should loop over all + common names and choose the most specific one, i.e. the last + one, not the first one, which the current code picks. +@@ -569,50 +568,123 @@ + - Ensure that ASN1 strings from the certificate are encoded as + UTF-8 which can be meaningfully compared to HOST. 
*/ + +- X509_NAME *xname = X509_get_subject_name(cert); +- common_name[0] = '\0'; +- X509_NAME_get_text_by_NID (xname, NID_commonName, common_name, +- sizeof (common_name)); ++ subjectAltNames = X509_get_ext_d2i (cert, NID_subject_alt_name, NULL, NULL); + +- if (!pattern_match (common_name, host)) ++ if (subjectAltNames) + { +- logprintf (LOG_NOTQUIET, _("\ +-%s: certificate common name %s doesn't match requested host name %s.\n"), +- severity, quote_n (0, common_name), quote_n (1, host)); +- success = false; ++ /* Test subject alternative names */ ++ ++ /* Do we want to check for dNSNAmes or ipAddresses (see RFC 2818)? ++ * Signal it by host_in_octet_string. */ ++ ASN1_OCTET_STRING *host_in_octet_string = NULL; ++ host_in_octet_string = a2i_IPADDRESS (host); ++ ++ int numaltnames = sk_GENERAL_NAME_num (subjectAltNames); ++ int i; ++ for (i=0; i < numaltnames; i++) ++ { ++ const GENERAL_NAME *name = ++ sk_GENERAL_NAME_value (subjectAltNames, i); ++ if (name) ++ { ++ if (host_in_octet_string) ++ { ++ if (name->type == GEN_IPADD) ++ { ++ /* Check for ipAddress */ ++ /* TODO: Should we convert between IPv4-mapped IPv6 ++ * addresses and IPv4 addresses? */ ++ alt_name_checked = true; ++ if (!ASN1_STRING_cmp (host_in_octet_string, ++ name->d.iPAddress)) ++ break; ++ } ++ } ++ else if (name->type == GEN_DNS) ++ { ++ /* Check for dNSName */ ++ alt_name_checked = true; ++ /* dNSName should be IA5String (i.e. ASCII), however who ++ * does trust CA? Convert it into UTF-8 for sure. 
*/ ++ unsigned char *name_in_utf8 = NULL; ++ if (0 <= ASN1_STRING_to_UTF8 (&name_in_utf8, name->d.dNSName)) ++ { ++ /* Compare and check for NULL attack in ASN1_STRING */ ++ if (pattern_match ((char *)name_in_utf8, host) && ++ (strlen ((char *)name_in_utf8) == ++ ASN1_STRING_length (name->d.dNSName))) ++ { ++ OPENSSL_free (name_in_utf8); ++ break; ++ } ++ OPENSSL_free (name_in_utf8); ++ } ++ } ++ } ++ } ++ sk_GENERAL_NAME_free (subjectAltNames); ++ if (host_in_octet_string) ++ ASN1_OCTET_STRING_free(host_in_octet_string); ++ ++ if (alt_name_checked == true && i >= numaltnames) ++ { ++ logprintf (LOG_NOTQUIET, ++ _("%s: no certificate subject alternative name matches\n" ++ "\trequested host name %s.\n"), ++ severity, quote_n (1, host)); ++ success = false; ++ } + } +- else ++ ++ if (alt_name_checked == false) + { +- /* We now determine the length of the ASN1 string. If it differs from +- * common_name's length, then there is a \0 before the string terminates. +- * This can be an instance of a null-prefix attack. +- * +- * https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike +- * */ +- +- int i = -1, j; +- X509_NAME_ENTRY *xentry; +- ASN1_STRING *sdata; +- +- if (xname) { +- for (;;) +- { +- j = X509_NAME_get_index_by_NID (xname, NID_commonName, i); +- if (j == -1) break; +- i = j; ++ /* Test commomName */ ++ X509_NAME *xname = X509_get_subject_name(cert); ++ common_name[0] = '\0'; ++ X509_NAME_get_text_by_NID (xname, NID_commonName, common_name, ++ sizeof (common_name)); ++ ++ if (!pattern_match (common_name, host)) ++ { ++ logprintf (LOG_NOTQUIET, _("\ ++ %s: certificate common name %s doesn't match requested host name %s.\n"), ++ severity, quote_n (0, common_name), quote_n (1, host)); ++ success = false; ++ } ++ else ++ { ++ /* We now determine the length of the ASN1 string. If it ++ * differs from common_name's length, then there is a \0 ++ * before the string terminates. This can be an instance of a ++ * null-prefix attack. 
++ * ++ * https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike ++ * */ ++ ++ int i = -1, j; ++ X509_NAME_ENTRY *xentry; ++ ASN1_STRING *sdata; ++ ++ if (xname) { ++ for (;;) ++ { ++ j = X509_NAME_get_index_by_NID (xname, NID_commonName, i); ++ if (j == -1) break; ++ i = j; ++ } + } +- } + +- xentry = X509_NAME_get_entry(xname,i); +- sdata = X509_NAME_ENTRY_get_data(xentry); +- if (strlen (common_name) != ASN1_STRING_length (sdata)) +- { +- logprintf (LOG_NOTQUIET, _("\ +-%s: certificate common name is invalid (contains a NUL character).\n\ +-This may be an indication that the host is not who it claims to be\n\ +-(that is, it is not the real %s).\n"), +- severity, quote (host)); +- success = false; ++ xentry = X509_NAME_get_entry(xname,i); ++ sdata = X509_NAME_ENTRY_get_data(xentry); ++ if (strlen (common_name) != ASN1_STRING_length (sdata)) ++ { ++ logprintf (LOG_NOTQUIET, _("\ ++ %s: certificate common name is invalid (contains a NUL character).\n\ ++ This may be an indication that the host is not who it claims to be\n\ ++ (that is, it is not the real %s).\n"), ++ severity, quote (host)); ++ success = false; ++ } + } + } + +@@ -631,3 +703,7 @@ + /* Allow --no-check-cert to disable certificate checking. */ + return opt.check_cert ? success : true; + } ++ ++/* ++ * vim: tabstop=2 shiftwidth=2 softtabstop=2 ++ */ + |
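Review bot: `sk_GENERAL_NAME_free (subjectAltNames)` releases only the stack container, so every GENERAL_NAME decoded by `X509_get_ext_d2i` is leaked on each certificate check; `GENERAL_NAMES_free (subjectAltNames);` (or `sk_GENERAL_NAME_pop_free (subjectAltNames, GENERAL_NAME_free);`) frees the entries as well. In the dNSName branch the embedded-NUL test compares `strlen` of the UTF-8 copy with `ASN1_STRING_length` of the undecoded string, and the two agree only for single-byte encodings, so a name in another string type is rejected rather than matched. That fails closed, but comparing against the length returned by `ASN1_STRING_to_UTF8` would make the check say what it means. ssl_check_certificate starts and ends outside the quoted hunks.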