From 821ac429221b9978e64463adad7cd03dbfff6965 Mon Sep 17 00:00:00 2001
From: Alon Bar-Lev
Date: Fri, 23 Sep 2016 01:00:08 +0300
Subject: [PATCH] net-libs/gnutls: fix CVE-2016-7444

Thanks: behemothchess
Bug: 594738
Package-Manager: portage-2.2.28
---
 net-libs/gnutls/Manifest | 2 -
 .../files/gnutls-3.3.24-CVE-2016-7444.patch | 28 +++
 net-libs/gnutls/gnutls-3.3.24-r1.ebuild | 178 ++++++++++++++++++
 3 files changed, 206 insertions(+), 2 deletions(-)
 create mode 100644 net-libs/gnutls/files/gnutls-3.3.24-CVE-2016-7444.patch
 create mode 100644 net-libs/gnutls/gnutls-3.3.24-r1.ebuild

diff --git a/net-libs/gnutls/Manifest b/net-libs/gnutls/Manifest
index 6c8ad16c1e642..2185e4e8671ee 100644
--- a/net-libs/gnutls/Manifest
+++ b/net-libs/gnutls/Manifest
@@ -1,7 +1,5 @@
 DIST gnutls-3.3.17.1.tar.xz 6339588 SHA256 b40f158030a92f450a07b20300a3996710ca19800848d9f6fd62493170c5bbb4 SHA512 9f2945abe1251db176fa227f2c90be46dba831af97647f04b960c71a50fc597776be31080733f9417f2242c4c6ae92fa897bf02d5f2ba40863e94df245c03319 WHIRLPOOL 8a04e56a5f47ddaad106081a613ead85a107b013d3e894074745e9439e0a7797b7f528aab5db7e3ac808f1c5c361c4717d7f0cb3abc943a6f912e5b6981db320
 DIST gnutls-3.3.23.tar.xz 6304332 SHA256 f53453857e369d66d665c40389201c0b9dacb7ccda560fd21b20b798687a4239 SHA512 5c2e93ddbff3ca2fc5f8fca8eeaef363bf8fe0f5dce2f4a9448e3235c930baa09d59a456a019283a451d19e0497d3ae645786080aa31febc7f1bcd71c6de1e09 WHIRLPOOL fa082db1933eefc7e061dc7f7e6584d03920f40584865e2983250097db9acea0e6d0c075e8207a2e5b96e37ae77db2b91bcf21e97cc7dfdec0744904de4b5866
 DIST gnutls-3.3.24.tar.xz 6294532 SHA256 5b65fe2a91c8dfa32bedc78acffcb152e5426cd3349e2afc43cccc9bdaf18aa5 SHA512 1fbb2e15ade14db15d7acc9ff559ecfc39517fd99e6c784583a7a4f8786daf8053f35f41e39cde0eeb5a1dfd3193ad908b52f62f945fbd43c147dc87e55f192f WHIRLPOOL 0725b35af9bbb4a7ee8f430af95e078066fb455328dd0ee71cca6633d093fe0433c7d869ebf0fabf8983679a32ff8451a2b631aec672810eb7bc55a3de28cc7d
-DIST gnutls-3.4.14.tar.xz 6673148 SHA256 35deddf2779b76ac11057de38bf380b8066c05de21b94263ad5b6dfa75dfbb23 SHA512 d75f6b4dea2dc742cd7f60ee0ee540d41b69991aaa937ca0138cfdf4a1e0dfaaa3863464303bfa5799e14ee02de252f71c59a7a9e57b96ff8af653e419edfd4e WHIRLPOOL 1869b831521f4ef5dde5a6694fdf6239793b404478a9b7e97ec2b4af2f1a4326fa5b65521a74d664113a84d2ff1b660269fcf1f3ca1db361fddfab2af3c191dd
 DIST gnutls-3.4.15.tar.xz 6676480 SHA256 eb2a013905f5f2a0cbf7bcc1d20c85a50065063ee87bd33b496c4e19815e3498 SHA512 03157f2da22890ecd080ad58144a9aabe933382c0b7e969b7b194a0248bb5e6e25207078c0a92755650d0004970eb1c0cf0140dbdbf2e615808f9978e965a5e5 WHIRLPOOL a5f866e44421b6ecb492587f9eee09373fbda0644cc71468995fd2756b620c254c2cd69c07e8db30df415810d1090daf5ea5d50b33f2fda02c0758a7d4ee04e8
-DIST gnutls-3.5.3.tar.xz 6895068 SHA256 92c4bc999a10a1b95299ebefaeea8333f19d8a98d957a35b5eae74881bdb1fef SHA512 d53d8067628ce49e5bb0dbbd76761a27f585b0a38356c0d8524db6cf96542f54a7f8a87c5772335c1ca1ceec1e111e11c54636bb24ca2ac014c367b96c9e3969 WHIRLPOOL fc0b7a744c6c08a48c43a2e95781ec7139600b45b12f8352db01824468f301ab56f2adfec6f7a4806247fe33eadaa234ad541a27c75d8689c2817a0f5967aa05
 DIST gnutls-3.5.4.tar.xz 6930620 SHA256 4e38014332e0f70c5d19b0eca8d85025ccd0d8be85894c0aaa498b42f6b9a8eb SHA512 175aab43b6349a62530938333910feb26ea5d923e151a9942fd5a6989f87193b18862e69bbbdb6308f889585d428d689d8fd3a6e8149f9fd1ac2882802ea6a9f WHIRLPOOL 6625adb815a69ba24e19b7966884f36577e8035272884d3d3b38c813ddd73e211ec3d2180c4e9160ad8459acab0ee72a36b328eae27357d6d1eb6476a06db75a
diff --git a/net-libs/gnutls/files/gnutls-3.3.24-CVE-2016-7444.patch b/net-libs/gnutls/files/gnutls-3.3.24-CVE-2016-7444.patch
new file mode 100644
index 0000000000000..82ab36f6ada76
--- /dev/null
+++ b/net-libs/gnutls/files/gnutls-3.3.24-CVE-2016-7444.patch
@@ -0,0 +1,28 @@
+From 964632f37dfdfb914ebc5e49db4fa29af35b1de9 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Sat, 27 Aug 2016 17:00:22 +0200
+Subject: [PATCH] ocsp: corrected the comparison of the serial size in OCSP response
+
+Previously the OCSP certificate check wouldn't verify the serial length
+and could succeed in cases it shouldn't.
+
+Reported by Stefan Buehler.
+---
+ lib/x509/ocsp.c | 1 +
+ 1 file changed, 1 insertion(+), 0 deletions(-)
+
+diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
+index 92db9b6..8181f2e 100644
+--- a/lib/x509/ocsp.c
++++ b/lib/x509/ocsp.c
+@@ -1318,6 +1318,7 @@ gnutls_ocsp_resp_check_crt(gnutls_ocsp_resp_t resp,
+ gnutls_assert();
+ goto cleanup;
+ }
++ cserial.size = t;
+
+ if (rserial.size != cserial.size
+ || memcmp(cserial.data, rserial.data, rserial.size) != 0) {
+--
+libgit2 0.24.0
+
diff --git a/net-libs/gnutls/gnutls-3.3.24-r1.ebuild b/net-libs/gnutls/gnutls-3.3.24-r1.ebuild
new file mode 100644
index 0000000000000..4b00e29f0378c
--- /dev/null
+++ b/net-libs/gnutls/gnutls-3.3.24-r1.ebuild 
@@ -0,0 +1,178 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+
+inherit autotools libtool eutils multilib-minimal versionator
+
+DESCRIPTION="A TLS 1.2 and SSL 3.0 implementation for the GNU project"
+HOMEPAGE="http://www.gnutls.org/"
+SRC_URI="mirror://gnupg/gnutls/v$(get_version_component_range 1-2)/${P}.tar.xz"
+
+# LGPL-3 for libgnutls library and GPL-3 for libgnutls-extra library.
+# soon to be relicensed as LGPL-2.1 unless heartbeat extension enabled.
+LICENSE="GPL-3 LGPL-3"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x86-solaris"
+IUSE_LINGUAS=" en cs de fi fr it ms nl pl sv uk vi zh_CN"
+IUSE="+cxx +crywrap dane doc examples guile nls +openssl pkcs11 static-libs test zlib ${IUSE_LINGUAS// / linguas_}"
+# heartbeat support is not disabled until re-licensing happens fullyf
+
+# NOTICE: sys-devel/autogen is required at runtime as we
+# use system libopts
+RDEPEND=">=dev-libs/libtasn1-4.3[${MULTILIB_USEDEP}]
+ >=dev-libs/nettle-2.7:=[gmp,${MULTILIB_USEDEP}]
+ >=dev-libs/gmp-5.1.3-r1[${MULTILIB_USEDEP}]
+ sys-devel/autogen
+ crywrap? ( net-dns/libidn )
+ dane? ( >=net-dns/unbound-1.4.20[${MULTILIB_USEDEP}] )
+ guile? ( >=dev-scheme/guile-1.8:*[networking] )
+ nls? ( >=virtual/libintl-0-r1[${MULTILIB_USEDEP}] )
+ pkcs11? ( >=app-crypt/p11-kit-0.20.7[${MULTILIB_USEDEP}] )
+ zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )
+ abi_x86_32? (
+ !<=app-emulation/emul-linux-x86-baselibs-20140508
+ !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+ )"
+DEPEND="${RDEPEND}
+ >=sys-devel/automake-1.11.6
+ >=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
+ doc? (
+ sys-apps/texinfo
+ dev-util/gtk-doc
+ )
+ nls? ( sys-devel/gettext )
+ test? ( app-misc/datefudge )"
+
+DOCS=( AUTHORS ChangeLog NEWS README THANKS doc/TODO )
+
+PATCHES=(
+ "${FILESDIR}/${PN}-3.3.19-build-allow-installing-man-1-even-with-disable-doc.patch"
+ "${FILESDIR}/${P}-CVE-2016-7444.patch"
+)
+
+pkg_setup() {
+ # bug#520818
+ export TZ=UTC
+}
+
+src_prepare() {
+ default
+
+ sed -i \
+ -e 's/imagesdir = $(infodir)/imagesdir = $(htmldir)/' \
+ doc/Makefile.am || die
+
+ # force regeneration of autogen-ed files
+ local file
+ for file in $(grep -l AutoGen-ed src/*.c) ; do
+ rm src/$(basename ${file} .c).{c,h} || die
+ done
+
+ # force regeneration of makeinfo files
+ # have no idea why on some system these files are not
+ # accepted as-is, see bug#520818
+ for file in $(grep -l "produced by makeinfo" doc/*.info) ; do
+ rm "${file}" || die
+ done
+
+ eautoreconf
+
+ # Use sane .so versioning on FreeBSD.
+ elibtoolize
+
+ # bug 497472
+ use cxx || epunt_cxx
+}
+
+multilib_src_configure() {
+ LINGUAS="${LINGUAS//en/en@boldquot en@quot}"
+
+ # TPM needs to be tested before being enabled
+ # hardware-accell is disabled on OSX because the asm files force
+ # GNU-stack (as doesn't support that) and when that's removed ld
+ # complains about duplicate symbols
+ ECONF_SOURCE=${S} \
+ econf \
+ --disable-valgrind-tests \
+ --without-included-libtasn1 \
+ --enable-heartbeat-support \
+ $(use_enable cxx) \
+ $(use_enable dane libdane) \
+ $(multilib_native_enable manpages) \
+ $(multilib_native_use_enable doc) \
+ $(multilib_native_use_enable doc gtk-doc) \
+ $(multilib_native_use_enable guile) \
+ $(multilib_native_use_enable crywrap) \
+ $(use_enable nls) \
+ $(use_enable openssl openssl-compatibility) \
+ $(use_enable static-libs static) \
+ $(use_with pkcs11 p11-kit) \
+ $(use_with zlib) \
+ --without-tpm \
+ --with-unbound-root-key-file=/etc/dnssec/root-anchors.txt \
+ $([[ ${CHOST} == *-darwin* ]] && echo --disable-hardware-acceleration)
+
+ if multilib_is_native_abi; then
+ ln -s "${S}"/doc/reference/html doc/reference/html || die
+ fi
+}
+
+multilib_src_compile() {
+ if multilib_is_native_abi; then
+ default
+
+ # symlink certtool for use in other ABIs
+ if use test; then
+ ln -s "${BUILD_DIR}"/src "${T}"/native-tools || die
+ fi
+ else
+ emake -C gl
+ emake -C lib
+ emake -C extra
+ use dane && emake -C libdane
+ fi
+}
+
+multilib_src_test() {
+ if multilib_is_native_abi; then
+ # parallel testing often fails
+ emake -j1 check
+ else
+ # use native ABI tools
+ ln -s "${T}"/native-tools/{certtool,gnutls-{serv,cli}} \
+ "${BUILD_DIR}"/src/ || die
+
+ emake -C gl -j1 check
+ emake -C tests -j1 check
+ fi
+}
+
+multilib_src_install() {
+ if multilib_is_native_abi; then
+ emake DESTDIR="${D}" install
+ else
+ emake -C lib DESTDIR="${D}" install
+ emake -C extra DESTDIR="${D}" install
+ use dane && emake -C libdane DESTDIR="${D}" install
+ fi
+}
+
+multilib_src_install_all() {
+ einstalldocs
+ prune_libtool_files --all
+
+ dodoc doc/certtool.cfg
+
+ if use doc; then
+ dohtml doc/gnutls.html
+ else
+ rm -fr "${ED}/usr/share/doc/${PF}/html"
+ fi
+
+ if use examples; then
+ docinto examples
+ dodoc doc/examples/*.c
+ fi
+}
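Review bot: The new `"${FILESDIR}/${P}-CVE-2016-7444.patch"` entry in PATCHES carries no comment tying it to the advisory, the Gentoo bug or the upstream commit, so a future bump cannot tell from the ebuild alone whether the patch is still needed; a one-line comment above it such as `# CVE-2016-7444: OCSP serial-length check, upstream 964632f, bug 594738` would record that (all three identifiers are already in this commit). In src_prepare, `rm src/$(basename ${file} .c).{c,h} || die` leaves `${file}` unquoted inside the substitution while the second loop writes `rm "${file}" || die`; quoting it the same way keeps the two loops consistent. In multilib_src_install_all, `rm -fr "${ED}/usr/share/doc/${PF}/html"` is the only command in the function without `|| die`, so a failed removal would pass silently. The `# heartbeat ... happens fullyf` comment also carries a typo (`fully`) that was copied into the new revision.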