author | Christian Hoffmann <hoffie@gentoo.org> | 2008-11-10 15:00:56 +0000 |
---|---|---|
committer | Christian Hoffmann <hoffie@gentoo.org> | 2008-11-10 15:00:56 +0000 |
commit | f7141865d731e0f099d57d57a65b527dbbbea3ff (patch) | |
tree | 745f633465328c7f91da379aef7d9f9829cfcc05 /net-libs/gnutls/files | |
parent | move to ~mips (diff) | |
revision bump to fix security bug 245850 (CVE-2008-4989), straight to stable on alpha amd64 hppa ia64 sparc x86 as tested on the mentioned bug
(Portage version: 2.2_rc13/cvs/Linux 2.6.27-gentoo x86_64, RepoMan options: --force)
Diffstat (limited to 'net-libs/gnutls/files')
-rw-r--r-- | net-libs/gnutls/files/gnutls-2.2.5-CVE-2008-4989.patch | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/net-libs/gnutls/files/gnutls-2.2.5-CVE-2008-4989.patch b/net-libs/gnutls/files/gnutls-2.2.5-CVE-2008-4989.patch new file mode 100644 index 000000000000..fc4d80f2544c --- /dev/null +++ b/net-libs/gnutls/files/gnutls-2.2.5-CVE-2008-4989.patch @@ -0,0 +1,38 @@ +--- gnutls-2.4.1/lib/x509/verify.c.orig 2008-07-01 06:45:51.000000000 +1000 ++++ gnutls-2.4.1/lib/x509/verify.c 2008-11-07 16:48:08.000000000 +1100 +@@ -376,6 +376,17 @@ + int i = 0, ret; + unsigned int status = 0, output; + ++ /* Check if the last certificate in the path is self signed. ++ * In that case ignore it (a certificate is trusted only if it ++ * leads to a trusted party by us, not the server's). ++ */ ++ if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], ++ certificate_list[clist_size - 1]) > 0 ++ && clist_size > 0) ++ { ++ clist_size--; ++ } ++ + /* Verify the last certificate in the certificate path + * against the trusted CA certificate list. + * +@@ -414,17 +425,6 @@ + } + #endif + +- /* Check if the last certificate in the path is self signed. +- * In that case ignore it (a certificate is trusted only if it +- * leads to a trusted party by us, not the server's). +- */ +- if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], +- certificate_list[clist_size - 1]) > 0 +- && clist_size > 0) +- { +- clist_size--; +- } +- + /* Verify the certificate path (chain) + */ + for (i = clist_size - 1; i > 0; i--) |
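Review bot: In the block added to verify.c, the condition indexes certificate_list[clist_size - 1] before it tests clist_size > 0, so with an empty list the call to gnutls_x509_crt_check_issuer reads certificate_list[-1]; put the clist_size > 0 test first in the && chain so it short-circuits. Moving the block ahead of the step commented "Verify the last certificate in the certificate path against the trusted CA certificate list" also means that step now runs with the decremented clist_size, which is 0 when the list holds only a single self-signed certificate, and the visible context shows no guard for that case; it should be handled explicitly before the trusted-CA check. Separately, the patch file is named gnutls-2.2.5 while its headers reference gnutls-2.4.1/lib/x509/verify.c; a short comment at the top of the patch stating which release it was made against and that it applies to 2.2.5 would help.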