authorFabian Groffen <grobian@gentoo.org>2009-06-18 09:20:37 +0000
committerFabian Groffen <grobian@gentoo.org>2009-06-18 09:20:37 +0000
commit70a250be13d09e3e7fe8381e72942b607b16e39c (patch)
tree1b6aebcfe7001067e665afe7a8ec7b38bdd25120 /mail-client
parentkeyword ~x86-fbsd (diff)
downloadhistorical-70a250be13d09e3e7fe8381e72942b607b16e39c.tar.gz
historical-70a250be13d09e3e7fe8381e72942b607b16e39c.tar.bz2
historical-70a250be13d09e3e7fe8381e72942b607b16e39c.zip
Revision bump for CVE-2009-1390, add related patches
Package-Manager: portage-2.1.6.13/cvs/Linux x86_64
Diffstat (limited to 'mail-client')
-rw-r--r--mail-client/mutt/ChangeLog10
-rw-r--r--mail-client/mutt/Manifest6
-rw-r--r--mail-client/mutt/files/mutt-1.5.19-mutt-gnutls-7d0583e0315d-0b13183e40e0.patch458
-rw-r--r--mail-client/mutt/files/mutt-1.5.19-mutt_ssl-3af7e8af1983-dc9ec900c657.patch178
-rw-r--r--mail-client/mutt/mutt-1.5.19-r1.ebuild (renamed from mail-client/mutt/mutt-1.5.19.ebuild)11
5 files changed, 657 insertions, 6 deletions
diff --git a/mail-client/mutt/ChangeLog b/mail-client/mutt/ChangeLog
index 1503100f8494..74fdb62609a1 100644
--- a/mail-client/mutt/ChangeLog
+++ b/mail-client/mutt/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for mail-client/mutt
# Copyright 2002-2009 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/mail-client/mutt/ChangeLog,v 1.129 2009/06/09 07:18:04 grobian Exp $
+# $Header: /var/cvsroot/gentoo-x86/mail-client/mutt/ChangeLog,v 1.130 2009/06/18 09:20:37 grobian Exp $
+
+*mutt-1.5.19-r1 (18 Jun 2009)
+
+ 18 Jun 2009; Fabian Groffen <grobian@gentoo.org>
+ +files/mutt-1.5.19-mutt-gnutls-7d0583e0315d-0b13183e40e0.patch,
+ +files/mutt-1.5.19-mutt_ssl-3af7e8af1983-dc9ec900c657.patch,
+ -mutt-1.5.19.ebuild, +mutt-1.5.19-r1.ebuild:
+ Revision bump for CVE-2009-1390, add related patches
09 Jun 2009; Fabian Groffen <grobian@gentoo.org>
+files/mutt-1.5.19-libgnutls-test-15c662a95b91.patch, mutt-1.5.19.ebuild:
diff --git a/mail-client/mutt/Manifest b/mail-client/mutt/Manifest
index 93dbea664e50..8a67337b67ac 100644
--- a/mail-client/mutt/Manifest
+++ b/mail-client/mutt/Manifest
@@ -9,6 +9,8 @@ AUX mutt-1.5.13-sasl.patch 2468 RMD160 7c0ee6795f8b7a11059f3802b098735897cf7cf2
AUX mutt-1.5.15-parallel-make.patch 946 RMD160 80c9bfa187c784d650f5850469021f94547c897e SHA1 5b8b9e2d3bc8e36b8a95fc3bc79f5bfe50ec5008 SHA256 d4b6abc9f43989a6c7a22f3fbaafd4ffa524ad516c4cb5b8cfe884985cce74f6
AUX mutt-1.5.16-parallel-make.patch 936 RMD160 f6a216d9ff06ae55d9569e05632b60332cf49ebe SHA1 0a9b98b37987ffa10039424bb6f5849a08dbb168 SHA256 3ecc199b83f6fa747d342694d8ffacf0aedd4590e0d9943c9b6004c31cbdb931
AUX mutt-1.5.19-libgnutls-test-15c662a95b91.patch 9187 RMD160 b5d981c5aeb66f9fc1212c74884bfd91914a97c7 SHA1 76cdfe28610aa68eec2506aeab53324de9dbf57e SHA256 7fe0edbfb2ee862bfef0fd3c53e19cf589a908c52299206db72c1c701e7fb6c8
+AUX mutt-1.5.19-mutt-gnutls-7d0583e0315d-0b13183e40e0.patch 12678 RMD160 4d5e38cbd970a78c6d49b67c91ce41283e00862a SHA1 af2c5e470b49a4f8f04cc188d17ac4dd0b54e831 SHA256 a11797d8eb5566ebafe28d1b70d75bd2d373d0db32ad513d3dfaee2ad7876cf1
+AUX mutt-1.5.19-mutt_ssl-3af7e8af1983-dc9ec900c657.patch 5527 RMD160 67a9d22456971c32f3922fb7d065fbf8ac32edd0 SHA1 e85706063b9bd56d7ed08f0007ce19133a8425e1 SHA256 05e91ddbe4fc70569221d9529f7673c48326bb7cd1f01485ab3c1ebb34db594a
AUX slang.patch 493 RMD160 16dcedee86fe91ecac48ec5be8a6f67798ef7ac0 SHA1 f913e8c717f76186b0edc8856bf02a167d540c70 SHA256 040c8b63b2d805dae800fa9b1826d158b7104641339cee9a404985616b3502c7
DIST mutt-1.5.13-gentoo-patches.tar.bz2 53418 RMD160 67274bef651c1c78d1e6878d8bb17316abf9d30e SHA1 95819031d9b14914c04ebd36e3ee004b564b942c SHA256 b0a8737ab8ec42b5f071eb08356a2572c49f98c73c3bf42396fd481c4650ef1d
DIST mutt-1.5.13.tar.gz 3442681 RMD160 9327b7f928aad78a20c2395629113ac2519bb945 SHA1 6d5b88d33e1727bf0342c31f06d55d7a3d2d4e0a SHA256 e0481690c0caf23b5c88359b2dbac70308f8f138663e8fee482b163562fe8da9
@@ -26,6 +28,6 @@ EBUILD mutt-1.5.13-r2.ebuild 4410 RMD160 35bd57d44d7bd67f35a3e343a5a7090a0897700
EBUILD mutt-1.5.14.ebuild 4477 RMD160 854063ac3471204336557b95f2f0b84db782e1a7 SHA1 48f12bd49d495620870f39e80a295d6c009a609f SHA256 cc27d01f1d3d727b37c9b9dad92fff1afd9600301238d195cbcb69d47244bb29
EBUILD mutt-1.5.15-r2.ebuild 4528 RMD160 2359d39b6d5758d977b1cbfce4c320dc0abb0ed7 SHA1 9a34328905989c05c7ebc5892c0e8151433897b0 SHA256 37c613bcdc54cef3d93b013c6cb792deb2be3ca2de85765a937323bae5041264
EBUILD mutt-1.5.16.ebuild 4989 RMD160 2a9ae3ece8f56692e0077b7b3940e607c79f2a14 SHA1 a79646fbfce1e85ecc2f8aaa4728e3c7303185f0 SHA256 55a70c2bb8f144549e6a12a4ba6bcb8796202d4f7be25fb809fefa2848615368
-EBUILD mutt-1.5.19.ebuild 5724 RMD160 4dfa7234559643c067d8a21d8fd1f1058950ecef SHA1 1dbf5a22c95ba22bc38793ea3fe380e962b2c180 SHA256 718e4650dbb02e7331f55010cea1362537eb91fae7b6ec8cfe68fca6ee12b391
-MISC ChangeLog 28908 RMD160 c6f8ef6ac1f65e1aef482d3cb4b08ef922231113 SHA1 0fb35d16ab457ec15409d47c54858c45e02af79f SHA256 b7d278c9544eb83d2f0cba1146b5ac32056286f8f83e36c19e28c7a9e21b894c
+EBUILD mutt-1.5.19-r1.ebuild 5919 RMD160 607fad884f4c84d09b289f5dca0bf25f7e72ddfe SHA1 14c860c87f5da3d740bfc73baa4cecd108188de7 SHA256 85bbdbdded28b54c5c528c245c925a3dbdf7340fea32b47f82f19e7da7558079
+MISC ChangeLog 29222 RMD160 dd3d31f5dfd22da434cb4b14342a09df6d239660 SHA1 42cf086decd24c08df88e7e66af4149a52a8b9d9 SHA256 b112932a02af51094ffc59768e3e1091d085c03f7337157b785b3480d0919094
MISC metadata.xml 631 RMD160 10c1955ddab3675eaf66cefb8b048f63c3cfdada SHA1 2bf05cda645721d9eec36475e7961459d2986351 SHA256 cb99c48a1a6bacbf5d331b42a1803f6526f4805ed4abc730ce6606a9786bd9a7
diff --git a/mail-client/mutt/files/mutt-1.5.19-mutt-gnutls-7d0583e0315d-0b13183e40e0.patch b/mail-client/mutt/files/mutt-1.5.19-mutt-gnutls-7d0583e0315d-0b13183e40e0.patch
new file mode 100644
index 000000000000..4441d51266a6
--- /dev/null
+++ b/mail-client/mutt/files/mutt-1.5.19-mutt-gnutls-7d0583e0315d-0b13183e40e0.patch
@@ -0,0 +1,458 @@
+http://thread.gmane.org/gmane.comp.security.oss.general/1847
+http://bugs.gentoo.org/show_bug.cgi?id=274488
+
+whitespace-only hunks removed
+
+Index: mutt_ssl_gnutls.c
+===================================================================
+--- mutt_ssl_gnutls.c (revision 5623:7d0583e0315d)
++++ mutt_ssl_gnutls.c (revision 5853:0b13183e40e0)
+@@ -34,4 +34,13 @@
+ #include "mutt_regex.h"
+
++/* certificate error bitmap values */
++#define CERTERR_VALID 0
++#define CERTERR_EXPIRED 1
++#define CERTERR_NOTYETVALID 2
++#define CERTERR_REVOKED 4
++#define CERTERR_NOTTRUSTED 8
++#define CERTERR_HOSTNAME 16
++#define CERTERR_SIGNERNOTCA 32
++
+ typedef struct _tlssockdata
+ {
+@@ -409,5 +418,5 @@
+
+ b64_data.size = fread(b64_data.data, 1, b64_data.size, fd1);
+- fclose(fd1);
++ safe_fclose (&fd1);
+
+ do {
+@@ -505,5 +514,5 @@
+ buf[0] = '\0';
+ tls_fingerprint (GNUTLS_DIG_MD5, buf, sizeof (buf), cert);
+- while ((linestr = mutt_read_line(linestr, &linestrsize, fp, &linenum)) != NULL)
++ while ((linestr = mutt_read_line(linestr, &linestrsize, fp, &linenum, 0)) != NULL)
+ {
+ if(linestr[0] == '#' && linestr[1] == 'H')
+@@ -518,5 +527,5 @@
+ regfree(&preg);
+ FREE(&linestr);
+- fclose(fp);
++ safe_fclose (&fp);
+ return 1;
+ }
+@@ -526,9 +535,113 @@
+
+ regfree(&preg);
+- fclose(fp);
++ safe_fclose (&fp);
+ }
+
+ /* not found a matching name */
+ return 0;
++}
++
++static int tls_check_preauth (const gnutls_datum_t *certdata,
++ gnutls_certificate_status certstat,
++ const char *hostname, int chainidx, int* certerr,
++ int* savedcert)
++{
++ gnutls_x509_crt cert;
++
++ *certerr = CERTERR_VALID;
++ *savedcert = 0;
++
++ if (gnutls_x509_crt_init (&cert) < 0)
++ {
++ mutt_error (_("Error initialising gnutls certificate data"));
++ mutt_sleep (2);
++ return -1;
++ }
++
++ if (gnutls_x509_crt_import (cert, certdata, GNUTLS_X509_FMT_DER) < 0)
++ {
++ mutt_error (_("Error processing certificate data"));
++ mutt_sleep (2);
++ gnutls_x509_crt_deinit (cert);
++ return -1;
++ }
++
++ if (option (OPTSSLVERIFYDATES) != M_NO)
++ {
++ if (gnutls_x509_crt_get_expiration_time (cert) < time(NULL))
++ *certerr |= CERTERR_EXPIRED;
++ if (gnutls_x509_crt_get_activation_time (cert) > time(NULL))
++ *certerr |= CERTERR_NOTYETVALID;
++ }
++
++ if (chainidx == 0 && option (OPTSSLVERIFYHOST) != M_NO
++ && !gnutls_x509_crt_check_hostname (cert, hostname)
++ && !tls_check_stored_hostname (certdata, hostname))
++ *certerr |= CERTERR_HOSTNAME;
++
++ /* see whether certificate is in our cache (certificates file) */
++ if (tls_compare_certificates (certdata))
++ {
++ *savedcert = 1;
++
++ if (chainidx == 0 && certstat & GNUTLS_CERT_INVALID)
++ {
++ /* doesn't matter - have decided is valid because server
++ certificate is in our trusted cache */
++ certstat ^= GNUTLS_CERT_INVALID;
++ }
++
++ if (chainidx == 0 && certstat & GNUTLS_CERT_SIGNER_NOT_FOUND)
++ {
++ /* doesn't matter that we haven't found the signer, since
++ certificate is in our trusted cache */
++ certstat ^= GNUTLS_CERT_SIGNER_NOT_FOUND;
++ }
++
++ if (chainidx <= 1 && certstat & GNUTLS_CERT_SIGNER_NOT_CA)
++ {
++ /* Hmm. Not really sure how to handle this, but let's say
++ that we don't care if the CA certificate hasn't got the
++ correct X.509 basic constraints if server or first signer
++ certificate is in our cache. */
++ certstat ^= GNUTLS_CERT_SIGNER_NOT_CA;
++ }
++ }
++
++ if (certstat & GNUTLS_CERT_REVOKED)
++ {
++ *certerr |= CERTERR_REVOKED;
++ certstat ^= GNUTLS_CERT_REVOKED;
++ }
++
++ if (certstat & GNUTLS_CERT_INVALID)
++ {
++ *certerr |= CERTERR_NOTTRUSTED;
++ certstat ^= GNUTLS_CERT_INVALID;
++ }
++
++ if (certstat & GNUTLS_CERT_SIGNER_NOT_FOUND)
++ {
++ /* NB: already cleared if cert in cache */
++ *certerr |= CERTERR_NOTTRUSTED;
++ certstat ^= GNUTLS_CERT_SIGNER_NOT_FOUND;
++ }
++
++ if (certstat & GNUTLS_CERT_SIGNER_NOT_CA)
++ {
++ /* NB: already cleared if cert in cache */
++ *certerr |= CERTERR_SIGNERNOTCA;
++ certstat ^= GNUTLS_CERT_SIGNER_NOT_CA;
++ }
++
++ gnutls_x509_crt_deinit (cert);
++
++ /* we've been zeroing the interesting bits in certstat -
++ don't return OK if there are any unhandled bits we don't
++ understand */
++ if (*certerr == CERTERR_VALID && certstat == 0)
++ return 0;
++
++ return -1;
+ }
+
+@@ -537,11 +650,6 @@
+ const char* hostname, int idx, int len)
+ {
++ int certerr, savedcert;
+ gnutls_x509_crt cert;
+- int certerr_hostname = 0;
+- int certerr_expired = 0;
+- int certerr_notyetvalid = 0;
+- int certerr_nottrusted = 0;
+- int certerr_revoked = 0;
+- int certerr_signernotca = 0;
+ char buf[SHORT_STRING];
+ char fpbuf[SHORT_STRING];
+@@ -563,4 +671,9 @@
+ int i, row, done, ret;
+
++ if (!tls_check_preauth (certdata, certstat, hostname, idx, &certerr,
++ &savedcert))
++ return 1;
++
++ /* interactive check from user */
+ if (gnutls_x509_crt_init (&cert) < 0)
+ {
+@@ -569,5 +682,5 @@
+ return 0;
+ }
+-
++
+ if (gnutls_x509_crt_import (cert, certdata, GNUTLS_X509_FMT_DER) < 0)
+ {
+@@ -577,82 +690,5 @@
+ return -1;
+ }
+-
+- if (gnutls_x509_crt_get_expiration_time (cert) < time(NULL))
+- certerr_expired = 1;
+- if (gnutls_x509_crt_get_activation_time (cert) > time(NULL))
+- certerr_notyetvalid = 1;
+-
+- if (!idx)
+- {
+- if (!gnutls_x509_crt_check_hostname (cert, hostname) &&
+- !tls_check_stored_hostname (certdata, hostname))
+- certerr_hostname = 1;
+- }
+-
+- /* see whether certificate is in our cache (certificates file) */
+- if (tls_compare_certificates (certdata))
+- {
+- if (certstat & GNUTLS_CERT_INVALID)
+- {
+- /* doesn't matter - have decided is valid because server
+- certificate is in our trusted cache */
+- certstat ^= GNUTLS_CERT_INVALID;
+- }
+-
+- if (certstat & GNUTLS_CERT_SIGNER_NOT_FOUND)
+- {
+- /* doesn't matter that we haven't found the signer, since
+- certificate is in our trusted cache */
+- certstat ^= GNUTLS_CERT_SIGNER_NOT_FOUND;
+- }
+-
+- if (certstat & GNUTLS_CERT_SIGNER_NOT_CA)
+- {
+- /* Hmm. Not really sure how to handle this, but let's say
+- that we don't care if the CA certificate hasn't got the
+- correct X.509 basic constraints if server certificate is
+- in our cache. */
+- certstat ^= GNUTLS_CERT_SIGNER_NOT_CA;
+- }
+- }
+-
+- if (certstat & GNUTLS_CERT_REVOKED)
+- {
+- certerr_revoked = 1;
+- certstat ^= GNUTLS_CERT_REVOKED;
+- }
+-
+- if (certstat & GNUTLS_CERT_INVALID)
+- {
+- certerr_nottrusted = 1;
+- certstat ^= GNUTLS_CERT_INVALID;
+- }
+-
+- if (certstat & GNUTLS_CERT_SIGNER_NOT_FOUND)
+- {
+- /* NB: already cleared if cert in cache */
+- certerr_nottrusted = 1;
+- certstat ^= GNUTLS_CERT_SIGNER_NOT_FOUND;
+- }
+-
+- if (certstat & GNUTLS_CERT_SIGNER_NOT_CA)
+- {
+- /* NB: already cleared if cert in cache */
+- certerr_signernotca = 1;
+- certstat ^= GNUTLS_CERT_SIGNER_NOT_CA;
+- }
+-
+- /* OK if signed by (or is) a trusted certificate */
+- /* we've been zeroing the interesting bits in certstat -
+- don't return OK if there are any unhandled bits we don't
+- understand */
+- if (!(certerr_expired || certerr_notyetvalid ||
+- certerr_hostname || certerr_nottrusted) && certstat == 0)
+- {
+- gnutls_x509_crt_deinit (cert);
+- return 1;
+- }
+-
+- /* interactive check from user */
++
+ menu = mutt_new_menu (-1);
+ menu->max = 25;
+@@ -756,26 +792,26 @@
+ tls_fingerprint (GNUTLS_DIG_MD5, fpbuf, sizeof (fpbuf), certdata);
+ snprintf (menu->dialog[row++], SHORT_STRING, _("MD5 Fingerprint: %s"), fpbuf);
+-
+- if (certerr_notyetvalid)
++
++ if (certerr & CERTERR_NOTYETVALID)
+ {
+ row++;
+ strfcpy (menu->dialog[row], _("WARNING: Server certificate is not yet valid"), SHORT_STRING);
+ }
+- if (certerr_expired)
++ if (certerr & CERTERR_EXPIRED)
+ {
+ row++;
+ strfcpy (menu->dialog[row], _("WARNING: Server certificate has expired"), SHORT_STRING);
+ }
+- if (certerr_revoked)
++ if (certerr & CERTERR_REVOKED)
+ {
+ row++;
+ strfcpy (menu->dialog[row], _("WARNING: Server certificate has been revoked"), SHORT_STRING);
+ }
+- if (certerr_hostname)
++ if (certerr & CERTERR_HOSTNAME)
+ {
+ row++;
+ strfcpy (menu->dialog[row], _("WARNING: Server hostname does not match certificate"), SHORT_STRING);
+ }
+- if (certerr_signernotca)
++ if (certerr & CERTERR_SIGNERNOTCA)
+ {
+ row++;
+@@ -789,5 +825,7 @@
+ /* certificates with bad dates, or that are revoked, must be
+ accepted manually each and every time */
+- if (SslCertFile && !certerr_expired && !certerr_notyetvalid && !certerr_revoked)
++ if (SslCertFile && !savedcert
++ && !(certerr & (CERTERR_EXPIRED | CERTERR_NOTYETVALID
++ | CERTERR_REVOKED)))
+ {
+ menu->prompt = _("(r)eject, accept (o)nce, (a)ccept always");
+@@ -823,10 +861,10 @@
+ {
+ /* save hostname if necessary */
+- if (certerr_hostname)
++ if (certerr & CERTERR_HOSTNAME)
+ {
+ fprintf(fp, "#H %s %s\n", hostname, fpbuf);
+ done = 1;
+ }
+- if (certerr_nottrusted)
++ if (certerr & CERTERR_NOTTRUSTED)
+ {
+ done = 0;
+@@ -842,5 +880,5 @@
+ }
+ }
+- fclose (fp);
++ safe_fclose (&fp);
+ }
+ if (!done)
+@@ -867,4 +905,38 @@
+ }
+
++/* sanity-checking wrapper for gnutls_certificate_verify_peers */
++static gnutls_certificate_status tls_verify_peers (gnutls_session tlsstate)
++{
++ gnutls_certificate_status certstat;
++
++ certstat = gnutls_certificate_verify_peers (tlsstate);
++ if (!certstat)
++ return certstat;
++
++ if (certstat == GNUTLS_E_NO_CERTIFICATE_FOUND)
++ {
++ mutt_error (_("Unable to get certificate from peer"));
++ mutt_sleep (2);
++ return 0;
++ }
++ if (certstat < 0)
++ {
++ mutt_error (_("Certificate verification error (%s)"),
++ gnutls_strerror (certstat));
++ mutt_sleep (2);
++ return 0;
++ }
++
++ /* We only support X.509 certificates (not OpenPGP) at the moment */
++ if (gnutls_certificate_type_get (tlsstate) != GNUTLS_CRT_X509)
++ {
++ mutt_error (_("Certificate is not X.509"));
++ mutt_sleep (2);
++ return 0;
++ }
++
++ return certstat;
++}
++
+ static int tls_check_certificate (CONNECTION* conn)
+ {
+@@ -874,5 +946,5 @@
+ unsigned int cert_list_size = 0;
+ gnutls_certificate_status certstat;
+- int i, rc;
++ int certerr, i, preauthrc, savedcert, rc = 0;
+
+ if (gnutls_auth_get_type (state) != GNUTLS_CRD_CERTIFICATE)
+@@ -883,27 +955,5 @@
+ }
+
+- certstat = gnutls_certificate_verify_peers (state);
+-
+- if (certstat == GNUTLS_E_NO_CERTIFICATE_FOUND)
+- {
+- mutt_error (_("Unable to get certificate from peer"));
+- mutt_sleep (2);
+- return 0;
+- }
+- if (certstat < 0)
+- {
+- mutt_error (_("Certificate verification error (%s)"),
+- gnutls_strerror (certstat));
+- mutt_sleep (2);
+- return 0;
+- }
+-
+- /* We only support X.509 certificates (not OpenPGP) at the moment */
+- if (gnutls_certificate_type_get (state) != GNUTLS_CRT_X509)
+- {
+- mutt_error (_("Certificate is not X.509"));
+- mutt_sleep (2);
+- return 0;
+- }
++ certstat = tls_verify_peers (state);
+
+ cert_list = gnutls_certificate_get_peers (state, &cert_list_size);
+@@ -915,12 +965,41 @@
+ }
+
++ /* tls_verify_peers doesn't check hostname or expiration, so walk
++ * from most specific to least checking these. If we see a saved certificate,
++ * its status short-circuits the remaining checks. */
++ preauthrc = 0;
++ for (i = 0; i < cert_list_size; i++) {
++ rc = tls_check_preauth(&cert_list[i], certstat, conn->account.host, i,
++ &certerr, &savedcert);
++ preauthrc += rc;
++
++ if (savedcert)
++ {
++ if (!preauthrc)
++ return 1;
++ else
++ break;
++ }
++ }
++
++ /* then check interactively, starting from chain root */
+ for (i = cert_list_size - 1; i >= 0; i--)
+ {
+ rc = tls_check_one_certificate (&cert_list[i], certstat, conn->account.host,
+ i, cert_list_size);
+- if (rc)
+- return rc;
+- }
+-
+- return 0;
+-}
++
++ /* add signers to trust set, then reverify */
++ if (i && rc) {
++ rc = gnutls_certificate_set_x509_trust_mem (data->xcred, &cert_list[i],
++ GNUTLS_X509_FMT_DER);
++ if (rc != 1)
++ dprint (1, (debugfile, "error trusting certificate %d: %d\n", i, rc));
++
++ certstat = tls_verify_peers (state);
++ if (!certstat)
++ return 1;
++ }
++ }
++
++ return rc;
++}
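Review bot: In tls_verify_peers the three error paths (no peer certificate, a negative return from gnutls_certificate_verify_peers, a non-X.509 certificate) all `return 0`, which is the same value the function returns when verification succeeds with no status bits set. Before this patch those paths returned 0 from tls_check_certificate itself, which rejected the connection; now the caller only sees certstat == 0, and the re-verify step in tls_check_certificate does `if (!certstat) return 1;`, so a verification error there appears to be accepted. The first call has the same ambiguity, because a certstat of 0 lets tls_check_preauth return success whenever the date and hostname checks pass. Reporting the error separately from the status would keep the cases apart, for example `static int tls_verify_peers (gnutls_session tlsstate, gnutls_certificate_status *certstat)` with the caller doing `if (tls_verify_peers (state, &certstat) != 0) return 0;`.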
diff --git a/mail-client/mutt/files/mutt-1.5.19-mutt_ssl-3af7e8af1983-dc9ec900c657.patch b/mail-client/mutt/files/mutt-1.5.19-mutt_ssl-3af7e8af1983-dc9ec900c657.patch
new file mode 100644
index 000000000000..7022c19a206c
--- /dev/null
+++ b/mail-client/mutt/files/mutt-1.5.19-mutt_ssl-3af7e8af1983-dc9ec900c657.patch
@@ -0,0 +1,178 @@
+http://thread.gmane.org/gmane.comp.security.oss.general/1847
+http://bugs.gentoo.org/show_bug.cgi?id=274488
+
+whitespace-only hunks removed
+
+Index: mutt_ssl.c
+===================================================================
+--- mutt_ssl.c (revision 5622:3af7e8af1983)
++++ mutt_ssl.c (revision 5870:dc9ec900c657)
+@@ -565,17 +565,20 @@
+
+ /* expiration check */
+- if (X509_cmp_current_time (X509_get_notBefore (peercert)) >= 0)
+- {
+- dprint (2, (debugfile, "Server certificate is not yet valid\n"));
+- mutt_error (_("Server certificate is not yet valid"));
+- mutt_sleep (2);
+- return 0;
+- }
+- if (X509_cmp_current_time (X509_get_notAfter (peercert)) <= 0)
+- {
+- dprint (2, (debugfile, "Server certificate has expired"));
+- mutt_error (_("Server certificate has expired"));
+- mutt_sleep (2);
+- return 0;
++ if (option (OPTSSLVERIFYDATES) != M_NO)
++ {
++ if (X509_cmp_current_time (X509_get_notBefore (peercert)) >= 0)
++ {
++ dprint (2, (debugfile, "Server certificate is not yet valid\n"));
++ mutt_error (_("Server certificate is not yet valid"));
++ mutt_sleep (2);
++ return 0;
++ }
++ if (X509_cmp_current_time (X509_get_notAfter (peercert)) <= 0)
++ {
++ dprint (2, (debugfile, "Server certificate has expired"));
++ mutt_error (_("Server certificate has expired"));
++ mutt_sleep (2);
++ return 0;
++ }
+ }
+
+@@ -585,5 +588,5 @@
+ if (!X509_digest (peercert, EVP_sha1(), peermd, &peermdlen))
+ {
+- fclose (fp);
++ safe_fclose (&fp);
+ return 0;
+ }
+@@ -592,10 +595,10 @@
+ {
+ pass = compare_certificates (cert, peercert, peermd, peermdlen) ? 0 : 1;
+-
++
+ if (pass)
+ break;
+ }
+ X509_free (cert);
+- fclose (fp);
++ safe_fclose (&fp);
+
+ return pass;
+@@ -737,6 +740,8 @@
+ }
+
+-/* check whether cert is preauthorized */
+-static int ssl_check_preauth (X509 *cert, CONNECTION *conn)
++/* check whether cert is preauthorized. If host is not null, verify that
++ * it matches the certificate.
++ * Return > 0: authorized, < 0: problems, 0: unknown validity */
++static int ssl_check_preauth (X509 *cert, const char* host)
+ {
+ char buf[SHORT_STRING];
+@@ -750,11 +755,14 @@
+
+ buf[0] = 0;
+- if (!check_host (cert, conn->account.host, buf, sizeof (buf)))
+- {
+- mutt_error (_("Certificate host check failed: %s"), buf);
+- mutt_sleep (2);
+- return -1;
+- }
+- dprint (2, (debugfile, "ssl_check_preauth: hostname check passed\n"));
++ if (host && option (OPTSSLVERIFYHOST) != M_NO)
++ {
++ if (!check_host (cert, host, buf, sizeof (buf)))
++ {
++ mutt_error (_("Certificate host check failed: %s"), buf);
++ mutt_sleep (2);
++ return -1;
++ }
++ dprint (2, (debugfile, "ssl_check_preauth: hostname check passed\n"));
++ }
+
+ if (check_certificate_by_signer (cert))
+@@ -780,42 +788,28 @@
+ X509 *cert;
+
+- if ((preauthrc = ssl_check_preauth (data->cert, conn)) > 0)
++ if ((preauthrc = ssl_check_preauth (data->cert, conn->account.host)) > 0)
+ return preauthrc;
+
+ chain = SSL_get_peer_cert_chain (data->ssl);
+ chain_len = sk_X509_num (chain);
+- if (!chain || (chain_len < 1))
++ /* negative preauthrc means the certificate won't be accepted without
++ * manual override. */
++ if (preauthrc < 0 || !chain || (chain_len <= 1))
+ return interactive_check_cert (data->cert, 0, 0);
+
+- /* check the chain from root to peer */
++ /* check the chain from root to peer. */
+ for (i = chain_len-1; i >= 0; i--)
+ {
+ cert = sk_X509_value (chain, i);
+- if (check_certificate_cache (cert))
+- dprint (2, (debugfile, "ssl chain: already cached: %s\n", cert->name));
+- else if (i /* 0 is the peer */ || !preauthrc)
+- {
+- if (check_certificate_by_signer (cert))
+- {
+- dprint (2, (debugfile, "ssl chain: checked by signer: %s\n", cert->name));
+- ssl_cache_trusted_cert (cert);
++
++ /* if the certificate validates or is manually accepted, then add it to
++ * the trusted set and recheck the peer certificate */
++ if (ssl_check_preauth (cert, NULL)
++ || interactive_check_cert (cert, i, chain_len))
++ {
++ ssl_cache_trusted_cert (cert);
++ if (ssl_check_preauth (data->cert, conn->account.host))
+ return 1;
+- }
+- else if (SslCertFile && check_certificate_by_digest (cert))
+- {
+- dprint (2, (debugfile, "ssl chain: trusted with file: %s\n", cert->name));
+- ssl_cache_trusted_cert (cert);
+- return 1;
+- }
+- else /* allow users to shoot their foot */
+- {
+- dprint (2, (debugfile, "ssl chain: check failed: %s\n", cert->name));
+- if (interactive_check_cert (cert, i, chain_len))
+- return 1;
+- }
+- }
+- else /* highly suspicious because (i==0 && preauthrc < 0) */
+- if (interactive_check_cert (cert, i, chain_len))
+- return 1;
++ }
+ }
+
+@@ -882,6 +876,8 @@
+ len - idx, len);
+ menu->title = title;
+- if (SslCertFile && X509_cmp_current_time (X509_get_notAfter (cert)) >= 0
+- && X509_cmp_current_time (X509_get_notBefore (cert)) < 0)
++ if (SslCertFile
++ && (option (OPTSSLVERIFYDATES) == M_NO
++ || (X509_cmp_current_time (X509_get_notAfter (cert)) >= 0
++ && X509_cmp_current_time (X509_get_notBefore (cert)) < 0)))
+ {
+ menu->prompt = _("(r)eject, accept (o)nce, (a)ccept always");
+@@ -893,5 +889,5 @@
+ menu->keys = _("ro");
+ }
+-
++
+ helpstr[0] = '\0';
+ mutt_make_help (buf, sizeof (buf), _("Exit "), MENU_GENERIC, OP_EXIT);
+@@ -918,5 +914,5 @@
+ if (PEM_write_X509 (fp, cert))
+ done = 1;
+- fclose (fp);
++ safe_fclose (&fp);
+ }
+ if (!done)
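Review bot: The new comment on ssl_check_preauth documents a three-way result (> 0 authorized, < 0 problems, 0 unknown), but the rewritten chain loop tests it for truthiness in `if (ssl_check_preauth (cert, NULL)` and `if (ssl_check_preauth (data->cert, conn->account.host))`, so a negative result would count as authorized and lead to `ssl_cache_trusted_cert (cert)` or `return 1`. The first call in the same function already compares with `> 0`; the loop should do the same, e.g. `if (ssl_check_preauth (data->cert, conn->account.host) > 0)`. Whether a negative value can reach the loop depends on parts of ssl_check_preauth that lie outside these hunks; the visible `preauthrc < 0` guard and the NULL host argument make it look unlikely today, but the explicit comparison keeps it safe if another `return -1` is added later.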
diff --git a/mail-client/mutt/mutt-1.5.19.ebuild b/mail-client/mutt/mutt-1.5.19-r1.ebuild
index 89ecab9f8161..103274e0d8d1 100644
--- a/mail-client/mutt/mutt-1.5.19.ebuild
+++ b/mail-client/mutt/mutt-1.5.19-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2009 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/mail-client/mutt/mutt-1.5.19.ebuild,v 1.6 2009/06/09 07:18:04 grobian Exp $
+# $Header: /var/cvsroot/gentoo-x86/mail-client/mutt/mutt-1.5.19-r1.ebuild,v 1.1 2009/06/18 09:20:37 grobian Exp $
inherit eutils flag-o-matic autotools
@@ -64,14 +64,19 @@ DEPEND="${RDEPEND}
PATCHDIR="${WORKDIR}"/${P}-gentoo-patches${PATCHSET_REV}
src_unpack() {
- unpack ${A//${SIDEBAR_PATCH_N}} && cd "${S}" || die "unpack failed"
+ unpack ${A//${SIDEBAR_PATCH_N}}
+ cd "${S}"
+
+ epatch "${FILESDIR}"/${P}-libgnutls-test-15c662a95b91.patch
+ # CVE-2009-1390 http://thread.gmane.org/gmane.comp.security.oss.general/1847
+ epatch "${FILESDIR}"/${P}-mutt_ssl-3af7e8af1983-dc9ec900c657.patch
+ epatch "${FILESDIR}"/${P}-mutt-gnutls-7d0583e0315d-0b13183e40e0.patch
if ! use vanilla && ! use sidebar ; then
use nntp || rm "${PATCHDIR}"/06-nntp.patch
for p in "${PATCHDIR}"/*.patch ; do
epatch "${p}"
done
- epatch "${FILESDIR}"/${P}-libgnutls-test-15c662a95b91.patch
fi
if use sidebar ; then
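Review bot: `cd "${S}"` in src_unpack has lost its failure check: the old line chained unpack and cd with `|| die "unpack failed"`, while the new lines run both bare, so if the cd fails the epatch calls that follow would presumably run from the previous working directory. I would keep the guard, `cd "${S}" || die "cd to ${S} failed"`. The hunk also moves the libgnutls-test patch out of the `! use vanilla && ! use sidebar` branch, so it and the two CVE-2009-1390 patches now apply for every USE combination; a one-line comment such as `# security fixes: applied regardless of USE=vanilla` would record that this is intentional. src_unpack continues past the end of the hunk.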