main/gnutls: fix GNUTLS-SA-2020-03-31

bf7ea3dd · Leo · c4fb5bfb · bf7ea3dd · bf7ea3dd
Commit bf7ea3dd authored 4 years ago by Leo
--- a/main/gnutls/APKBUILD
+++ b/main/gnutls/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=gnutls
 pkgver=3.6.8
-pkgrel=0
+pkgrel=1
 pkgdesc="A TLS protocol implementation"
 url="https://www.gnutls.org/"
 arch="all"
@@ -16,9 +16,13 @@ _v=${pkgver%.*}
 case $pkgver in
 *.*.*.*) _v=${_v%.*};;
 esac
-source="https://www.gnupg.org/ftp/gcrypt/gnutls/v${_v}/gnutls-$pkgver.tar.xz"
+source="https://www.gnupg.org/ftp/gcrypt/gnutls/v$_v/gnutls-$pkgver.tar.xz
+	GNUTLS-SA-2020-03-31.patch
+	"

 # secfixes:
+#   3.6.8-r1:
+#     - GNUTLS-SA-2020-03-31
 #   3.6.7-r0:
 #     - CVE-2019-3836
 #     - CVE-2019-3829
@@ -26,7 +30,6 @@ source="https://www.gnupg.org/ftp/gcrypt/gnutls/v${_v}/gnutls-$pkgver.tar.xz"
 #     - CVE-2017-7507

 build() {
-	cd "$builddir"
 	LIBS="-lgmp" ./configure \
 		--build=$CBUILD \
 		--host=$CHOST \
@@ -43,8 +46,6 @@ build() {
 }

 check() {
-	cd "$builddir"
-
 	make check
 }

@@ -65,4 +66,5 @@ xx() {
 	mv "$pkgdir"/usr/lib/lib*xx.so.* "$subpkgdir"/usr/lib/
 }

-sha512sums="71f0899de0ffb2a39b25928042114e2bbfde7fbf2029d9f91f60bf60794916d13f544fc97337e4e3282e7faa17e79a8012b0e08f98805bee543c0ba4e5d5a905  gnutls-3.6.8.tar.xz"
+sha512sums="71f0899de0ffb2a39b25928042114e2bbfde7fbf2029d9f91f60bf60794916d13f544fc97337e4e3282e7faa17e79a8012b0e08f98805bee543c0ba4e5d5a905  gnutls-3.6.8.tar.xz
+abda4eb55aaca6aa841be7fcee9827b7f018d7311177dcaab76b5e3fed8b90baa18a4d7a3876de15a174472716f9c1ebcba3379ec8f4bef5a71f19516b577622  GNUTLS-SA-2020-03-31.patch"
--- a/main/gnutls/GNUTLS-SA-2020-03-31.patch
+++ b/main/gnutls/GNUTLS-SA-2020-03-31.patch
+From c01011c2d8533dbbbe754e49e256c109cb848d0d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Stefan=20B=C3=BChler?= <stbuehler@web.de>
+Date: Fri, 27 Mar 2020 17:17:57 +0100
+Subject: [PATCH] dtls client hello: fix zeroed random (fixes #960)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This broke with bcf4de03 "handshake: treat reply to HRR as a reply to
+hello verify request", which failed to "De Morgan" properly.
+
+Signed-off-by: Stefan BÃ¼hler <stbuehler@web.de>
+---
+ lib/handshake.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/handshake.c b/lib/handshake.c
+index 5739df213e..84a0e52101 100644
+--- a/lib/handshake.c
+++ b/lib/handshake.c
+@@ -2167,7 +2167,7 @@ static int send_client_hello(gnutls_session_t session, int again)
+ 		/* Generate random data
+ 		 */
+ 		if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED) &&
+-		    !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests == 0)) {
+		    !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests != 0)) {
+ 			ret = _gnutls_gen_client_random(session);
+ 			if (ret < 0) {
+ 				gnutls_assert();
+-- 
+2.24.1
+
+