Diffstat (limited to 'mail-client')
-rw-r--r-- | mail-client/mutt/ChangeLog | 10 | ||||
-rw-r--r-- | mail-client/mutt/Manifest | 6 | ||||
-rw-r--r-- | mail-client/mutt/files/mutt-1.5.19-mutt-gnutls-7d0583e0315d-0b13183e40e0.patch | 458 | ||||
-rw-r--r-- | mail-client/mutt/files/mutt-1.5.19-mutt_ssl-3af7e8af1983-dc9ec900c657.patch | 178 | ||||
-rw-r--r-- | mail-client/mutt/mutt-1.5.19-r1.ebuild (renamed from mail-client/mutt/mutt-1.5.19.ebuild) | 11 |
5 files changed, 657 insertions, 6 deletions
diff --git a/mail-client/mutt/ChangeLog b/mail-client/mutt/ChangeLog index 1503100f8494..74fdb62609a1 100644 --- a/mail-client/mutt/ChangeLog +++ b/mail-client/mutt/ChangeLog @@ -1,6 +1,14 @@ # ChangeLog for mail-client/mutt # Copyright 2002-2009 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/mail-client/mutt/ChangeLog,v 1.129 2009/06/09 07:18:04 grobian Exp $ +# $Header: /var/cvsroot/gentoo-x86/mail-client/mutt/ChangeLog,v 1.130 2009/06/18 09:20:37 grobian Exp $ + +*mutt-1.5.19-r1 (18 Jun 2009) + + 18 Jun 2009; Fabian Groffen <grobian@gentoo.org> + +files/mutt-1.5.19-mutt-gnutls-7d0583e0315d-0b13183e40e0.patch, + +files/mutt-1.5.19-mutt_ssl-3af7e8af1983-dc9ec900c657.patch, + -mutt-1.5.19.ebuild, +mutt-1.5.19-r1.ebuild: + Revision bump for CVE-2009-1390, add related patches 09 Jun 2009; Fabian Groffen <grobian@gentoo.org> +files/mutt-1.5.19-libgnutls-test-15c662a95b91.patch, mutt-1.5.19.ebuild: diff --git a/mail-client/mutt/Manifest b/mail-client/mutt/Manifest index 93dbea664e50..8a67337b67ac 100644 --- a/mail-client/mutt/Manifest +++ b/mail-client/mutt/Manifest 
@@ -9,6 +9,8 @@ AUX mutt-1.5.13-sasl.patch 2468 RMD160 7c0ee6795f8b7a11059f3802b098735897cf7cf2 AUX mutt-1.5.15-parallel-make.patch 946 RMD160 80c9bfa187c784d650f5850469021f94547c897e SHA1 5b8b9e2d3bc8e36b8a95fc3bc79f5bfe50ec5008 SHA256 d4b6abc9f43989a6c7a22f3fbaafd4ffa524ad516c4cb5b8cfe884985cce74f6 AUX mutt-1.5.16-parallel-make.patch 936 RMD160 f6a216d9ff06ae55d9569e05632b60332cf49ebe SHA1 0a9b98b37987ffa10039424bb6f5849a08dbb168 SHA256 3ecc199b83f6fa747d342694d8ffacf0aedd4590e0d9943c9b6004c31cbdb931 AUX mutt-1.5.19-libgnutls-test-15c662a95b91.patch 9187 RMD160 b5d981c5aeb66f9fc1212c74884bfd91914a97c7 SHA1 76cdfe28610aa68eec2506aeab53324de9dbf57e SHA256 7fe0edbfb2ee862bfef0fd3c53e19cf589a908c52299206db72c1c701e7fb6c8 +AUX mutt-1.5.19-mutt-gnutls-7d0583e0315d-0b13183e40e0.patch 12678 RMD160 4d5e38cbd970a78c6d49b67c91ce41283e00862a SHA1 af2c5e470b49a4f8f04cc188d17ac4dd0b54e831 SHA256 a11797d8eb5566ebafe28d1b70d75bd2d373d0db32ad513d3dfaee2ad7876cf1 +AUX mutt-1.5.19-mutt_ssl-3af7e8af1983-dc9ec900c657.patch 5527 RMD160 67a9d22456971c32f3922fb7d065fbf8ac32edd0 SHA1 e85706063b9bd56d7ed08f0007ce19133a8425e1 SHA256 05e91ddbe4fc70569221d9529f7673c48326bb7cd1f01485ab3c1ebb34db594a AUX slang.patch 493 RMD160 16dcedee86fe91ecac48ec5be8a6f67798ef7ac0 SHA1 f913e8c717f76186b0edc8856bf02a167d540c70 SHA256 040c8b63b2d805dae800fa9b1826d158b7104641339cee9a404985616b3502c7 DIST mutt-1.5.13-gentoo-patches.tar.bz2 53418 RMD160 67274bef651c1c78d1e6878d8bb17316abf9d30e SHA1 95819031d9b14914c04ebd36e3ee004b564b942c SHA256 b0a8737ab8ec42b5f071eb08356a2572c49f98c73c3bf42396fd481c4650ef1d DIST mutt-1.5.13.tar.gz 3442681 RMD160 9327b7f928aad78a20c2395629113ac2519bb945 SHA1 6d5b88d33e1727bf0342c31f06d55d7a3d2d4e0a SHA256 e0481690c0caf23b5c88359b2dbac70308f8f138663e8fee482b163562fe8da9 
@@ -26,6 +28,6 @@ EBUILD mutt-1.5.13-r2.ebuild 4410 RMD160 35bd57d44d7bd67f35a3e343a5a7090a0897700 EBUILD mutt-1.5.14.ebuild 4477 RMD160 854063ac3471204336557b95f2f0b84db782e1a7 SHA1 48f12bd49d495620870f39e80a295d6c009a609f SHA256 cc27d01f1d3d727b37c9b9dad92fff1afd9600301238d195cbcb69d47244bb29 EBUILD mutt-1.5.15-r2.ebuild 4528 RMD160 2359d39b6d5758d977b1cbfce4c320dc0abb0ed7 SHA1 9a34328905989c05c7ebc5892c0e8151433897b0 SHA256 37c613bcdc54cef3d93b013c6cb792deb2be3ca2de85765a937323bae5041264 EBUILD mutt-1.5.16.ebuild 4989 RMD160 2a9ae3ece8f56692e0077b7b3940e607c79f2a14 SHA1 a79646fbfce1e85ecc2f8aaa4728e3c7303185f0 SHA256 55a70c2bb8f144549e6a12a4ba6bcb8796202d4f7be25fb809fefa2848615368 -EBUILD mutt-1.5.19.ebuild 5724 RMD160 4dfa7234559643c067d8a21d8fd1f1058950ecef SHA1 1dbf5a22c95ba22bc38793ea3fe380e962b2c180 SHA256 718e4650dbb02e7331f55010cea1362537eb91fae7b6ec8cfe68fca6ee12b391 -MISC ChangeLog 28908 RMD160 c6f8ef6ac1f65e1aef482d3cb4b08ef922231113 SHA1 0fb35d16ab457ec15409d47c54858c45e02af79f SHA256 b7d278c9544eb83d2f0cba1146b5ac32056286f8f83e36c19e28c7a9e21b894c +EBUILD mutt-1.5.19-r1.ebuild 5919 RMD160 607fad884f4c84d09b289f5dca0bf25f7e72ddfe SHA1 14c860c87f5da3d740bfc73baa4cecd108188de7 SHA256 85bbdbdded28b54c5c528c245c925a3dbdf7340fea32b47f82f19e7da7558079 +MISC ChangeLog 29222 RMD160 dd3d31f5dfd22da434cb4b14342a09df6d239660 SHA1 42cf086decd24c08df88e7e66af4149a52a8b9d9 SHA256 b112932a02af51094ffc59768e3e1091d085c03f7337157b785b3480d0919094 MISC metadata.xml 631 RMD160 10c1955ddab3675eaf66cefb8b048f63c3cfdada SHA1 2bf05cda645721d9eec36475e7961459d2986351 SHA256 cb99c48a1a6bacbf5d331b42a1803f6526f4805ed4abc730ce6606a9786bd9a7 diff --git a/mail-client/mutt/files/mutt-1.5.19-mutt-gnutls-7d0583e0315d-0b13183e40e0.patch b/mail-client/mutt/files/mutt-1.5.19-mutt-gnutls-7d0583e0315d-0b13183e40e0.patch new file mode 100644 index 000000000000..4441d51266a6 --- /dev/null +++ b/mail-client/mutt/files/mutt-1.5.19-mutt-gnutls-7d0583e0315d-0b13183e40e0.patch 
@@ -0,0 +1,458 @@ +http://thread.gmane.org/gmane.comp.security.oss.general/1847 +http://bugs.gentoo.org/show_bug.cgi?id=274488 + +whitespace-only hunks removed + +Index: mutt_ssl_gnutls.c +=================================================================== +--- mutt_ssl_gnutls.c (revision 5623:7d0583e0315d) ++++ mutt_ssl_gnutls.c (revision 5853:0b13183e40e0) +@@ -34,4 +34,13 @@ + #include "mutt_regex.h" + ++/* certificate error bitmap values */ ++#define CERTERR_VALID 0 ++#define CERTERR_EXPIRED 1 ++#define CERTERR_NOTYETVALID 2 ++#define CERTERR_REVOKED 4 ++#define CERTERR_NOTTRUSTED 8 ++#define CERTERR_HOSTNAME 16 ++#define CERTERR_SIGNERNOTCA 32 ++ + typedef struct _tlssockdata + { +@@ -409,5 +418,5 @@ + + b64_data.size = fread(b64_data.data, 1, b64_data.size, fd1); +- fclose(fd1); ++ safe_fclose (&fd1); + + do { +@@ -505,5 +514,5 @@ + buf[0] = '\0'; + tls_fingerprint (GNUTLS_DIG_MD5, buf, sizeof (buf), cert); +- while ((linestr = mutt_read_line(linestr, &linestrsize, fp, &linenum)) != NULL) ++ while ((linestr = mutt_read_line(linestr, &linestrsize, fp, &linenum, 0)) != NULL) + { + if(linestr[0] == '#' && linestr[1] == 'H') +@@ -518,5 +527,5 @@ + regfree(&preg); + FREE(&linestr); +- fclose(fp); ++ safe_fclose (&fp); + return 1; + } +@@ -526,9 +535,113 @@ + + regfree(&preg); +- fclose(fp); ++ safe_fclose (&fp); + } + + /* not found a matching name */ + return 0; ++} ++ ++static int tls_check_preauth (const gnutls_datum_t *certdata, ++ gnutls_certificate_status certstat, ++ const char *hostname, int chainidx, int* certerr, ++ int* savedcert) ++{ ++ gnutls_x509_crt cert; ++ ++ *certerr = CERTERR_VALID; ++ *savedcert = 0; ++ ++ if (gnutls_x509_crt_init (&cert) < 0) ++ { ++ mutt_error (_("Error initialising gnutls certificate data")); ++ mutt_sleep (2); ++ return -1; ++ } ++ ++ if (gnutls_x509_crt_import (cert, certdata, GNUTLS_X509_FMT_DER) < 0) ++ { ++ mutt_error (_("Error processing certificate data")); ++ mutt_sleep (2); ++ gnutls_x509_crt_deinit (cert); ++ 
return -1; ++ } ++ ++ if (option (OPTSSLVERIFYDATES) != M_NO) ++ { ++ if (gnutls_x509_crt_get_expiration_time (cert) < time(NULL)) ++ *certerr |= CERTERR_EXPIRED; ++ if (gnutls_x509_crt_get_activation_time (cert) > time(NULL)) ++ *certerr |= CERTERR_NOTYETVALID; ++ } ++ ++ if (chainidx == 0 && option (OPTSSLVERIFYHOST) != M_NO ++ && !gnutls_x509_crt_check_hostname (cert, hostname) ++ && !tls_check_stored_hostname (certdata, hostname)) ++ *certerr |= CERTERR_HOSTNAME; ++ ++ /* see whether certificate is in our cache (certificates file) */ ++ if (tls_compare_certificates (certdata)) ++ { ++ *savedcert = 1; ++ ++ if (chainidx == 0 && certstat & GNUTLS_CERT_INVALID) ++ { ++ /* doesn't matter - have decided is valid because server ++ certificate is in our trusted cache */ ++ certstat ^= GNUTLS_CERT_INVALID; ++ } ++ ++ if (chainidx == 0 && certstat & GNUTLS_CERT_SIGNER_NOT_FOUND) ++ { ++ /* doesn't matter that we haven't found the signer, since ++ certificate is in our trusted cache */ ++ certstat ^= GNUTLS_CERT_SIGNER_NOT_FOUND; ++ } ++ ++ if (chainidx <= 1 && certstat & GNUTLS_CERT_SIGNER_NOT_CA) ++ { ++ /* Hmm. Not really sure how to handle this, but let's say ++ that we don't care if the CA certificate hasn't got the ++ correct X.509 basic constraints if server or first signer ++ certificate is in our cache. 
*/ ++ certstat ^= GNUTLS_CERT_SIGNER_NOT_CA; ++ } ++ } ++ ++ if (certstat & GNUTLS_CERT_REVOKED) ++ { ++ *certerr |= CERTERR_REVOKED; ++ certstat ^= GNUTLS_CERT_REVOKED; ++ } ++ ++ if (certstat & GNUTLS_CERT_INVALID) ++ { ++ *certerr |= CERTERR_NOTTRUSTED; ++ certstat ^= GNUTLS_CERT_INVALID; ++ } ++ ++ if (certstat & GNUTLS_CERT_SIGNER_NOT_FOUND) ++ { ++ /* NB: already cleared if cert in cache */ ++ *certerr |= CERTERR_NOTTRUSTED; ++ certstat ^= GNUTLS_CERT_SIGNER_NOT_FOUND; ++ } ++ ++ if (certstat & GNUTLS_CERT_SIGNER_NOT_CA) ++ { ++ /* NB: already cleared if cert in cache */ ++ *certerr |= CERTERR_SIGNERNOTCA; ++ certstat ^= GNUTLS_CERT_SIGNER_NOT_CA; ++ } ++ ++ gnutls_x509_crt_deinit (cert); ++ ++ /* we've been zeroing the interesting bits in certstat - ++ don't return OK if there are any unhandled bits we don't ++ understand */ ++ if (*certerr == CERTERR_VALID && certstat == 0) ++ return 0; ++ ++ return -1; + } + +@@ -537,11 +650,6 @@ + const char* hostname, int idx, int len) + { ++ int certerr, savedcert; + gnutls_x509_crt cert; +- int certerr_hostname = 0; +- int certerr_expired = 0; +- int certerr_notyetvalid = 0; +- int certerr_nottrusted = 0; +- int certerr_revoked = 0; +- int certerr_signernotca = 0; + char buf[SHORT_STRING]; + char fpbuf[SHORT_STRING]; +@@ -563,4 +671,9 @@ + int i, row, done, ret; + ++ if (!tls_check_preauth (certdata, certstat, hostname, idx, &certerr, ++ &savedcert)) ++ return 1; ++ ++ /* interactive check from user */ + if (gnutls_x509_crt_init (&cert) < 0) + { +@@ -569,5 +682,5 @@ + return 0; + } +- ++ + if (gnutls_x509_crt_import (cert, certdata, GNUTLS_X509_FMT_DER) < 0) + { +@@ -577,82 +690,5 @@ + return -1; + } +- +- if (gnutls_x509_crt_get_expiration_time (cert) < time(NULL)) +- certerr_expired = 1; +- if (gnutls_x509_crt_get_activation_time (cert) > time(NULL)) +- certerr_notyetvalid = 1; +- +- if (!idx) +- { +- if (!gnutls_x509_crt_check_hostname (cert, hostname) && +- !tls_check_stored_hostname (certdata, hostname)) +- 
certerr_hostname = 1; +- } +- +- /* see whether certificate is in our cache (certificates file) */ +- if (tls_compare_certificates (certdata)) +- { +- if (certstat & GNUTLS_CERT_INVALID) +- { +- /* doesn't matter - have decided is valid because server +- certificate is in our trusted cache */ +- certstat ^= GNUTLS_CERT_INVALID; +- } +- +- if (certstat & GNUTLS_CERT_SIGNER_NOT_FOUND) +- { +- /* doesn't matter that we haven't found the signer, since +- certificate is in our trusted cache */ +- certstat ^= GNUTLS_CERT_SIGNER_NOT_FOUND; +- } +- +- if (certstat & GNUTLS_CERT_SIGNER_NOT_CA) +- { +- /* Hmm. Not really sure how to handle this, but let's say +- that we don't care if the CA certificate hasn't got the +- correct X.509 basic constraints if server certificate is +- in our cache. */ +- certstat ^= GNUTLS_CERT_SIGNER_NOT_CA; +- } +- } +- +- if (certstat & GNUTLS_CERT_REVOKED) +- { +- certerr_revoked = 1; +- certstat ^= GNUTLS_CERT_REVOKED; +- } +- +- if (certstat & GNUTLS_CERT_INVALID) +- { +- certerr_nottrusted = 1; +- certstat ^= GNUTLS_CERT_INVALID; +- } +- +- if (certstat & GNUTLS_CERT_SIGNER_NOT_FOUND) +- { +- /* NB: already cleared if cert in cache */ +- certerr_nottrusted = 1; +- certstat ^= GNUTLS_CERT_SIGNER_NOT_FOUND; +- } +- +- if (certstat & GNUTLS_CERT_SIGNER_NOT_CA) +- { +- /* NB: already cleared if cert in cache */ +- certerr_signernotca = 1; +- certstat ^= GNUTLS_CERT_SIGNER_NOT_CA; +- } +- +- /* OK if signed by (or is) a trusted certificate */ +- /* we've been zeroing the interesting bits in certstat - +- don't return OK if there are any unhandled bits we don't +- understand */ +- if (!(certerr_expired || certerr_notyetvalid || +- certerr_hostname || certerr_nottrusted) && certstat == 0) +- { +- gnutls_x509_crt_deinit (cert); +- return 1; +- } +- +- /* interactive check from user */ ++ + menu = mutt_new_menu (-1); + menu->max = 25; +@@ -756,26 +792,26 @@ + tls_fingerprint (GNUTLS_DIG_MD5, fpbuf, sizeof (fpbuf), certdata); + snprintf 
(menu->dialog[row++], SHORT_STRING, _("MD5 Fingerprint: %s"), fpbuf); +- +- if (certerr_notyetvalid) ++ ++ if (certerr & CERTERR_NOTYETVALID) + { + row++; + strfcpy (menu->dialog[row], _("WARNING: Server certificate is not yet valid"), SHORT_STRING); + } +- if (certerr_expired) ++ if (certerr & CERTERR_EXPIRED) + { + row++; + strfcpy (menu->dialog[row], _("WARNING: Server certificate has expired"), SHORT_STRING); + } +- if (certerr_revoked) ++ if (certerr & CERTERR_REVOKED) + { + row++; + strfcpy (menu->dialog[row], _("WARNING: Server certificate has been revoked"), SHORT_STRING); + } +- if (certerr_hostname) ++ if (certerr & CERTERR_HOSTNAME) + { + row++; + strfcpy (menu->dialog[row], _("WARNING: Server hostname does not match certificate"), SHORT_STRING); + } +- if (certerr_signernotca) ++ if (certerr & CERTERR_SIGNERNOTCA) + { + row++; +@@ -789,5 +825,7 @@ + /* certificates with bad dates, or that are revoked, must be + accepted manually each and every time */ +- if (SslCertFile && !certerr_expired && !certerr_notyetvalid && !certerr_revoked) ++ if (SslCertFile && !savedcert ++ && !(certerr & (CERTERR_EXPIRED | CERTERR_NOTYETVALID ++ | CERTERR_REVOKED))) + { + menu->prompt = _("(r)eject, accept (o)nce, (a)ccept always"); +@@ -823,10 +861,10 @@ + { + /* save hostname if necessary */ +- if (certerr_hostname) ++ if (certerr & CERTERR_HOSTNAME) + { + fprintf(fp, "#H %s %s\n", hostname, fpbuf); + done = 1; + } +- if (certerr_nottrusted) ++ if (certerr & CERTERR_NOTTRUSTED) + { + done = 0; +@@ -842,5 +880,5 @@ + } + } +- fclose (fp); ++ safe_fclose (&fp); + } + if (!done) +@@ -867,4 +905,38 @@ + } + ++/* sanity-checking wrapper for gnutls_certificate_verify_peers */ ++static gnutls_certificate_status tls_verify_peers (gnutls_session tlsstate) ++{ ++ gnutls_certificate_status certstat; ++ ++ certstat = gnutls_certificate_verify_peers (tlsstate); ++ if (!certstat) ++ return certstat; ++ ++ if (certstat == GNUTLS_E_NO_CERTIFICATE_FOUND) ++ { ++ mutt_error (_("Unable to 
get certificate from peer")); ++ mutt_sleep (2); ++ return 0; ++ } ++ if (certstat < 0) ++ { ++ mutt_error (_("Certificate verification error (%s)"), ++ gnutls_strerror (certstat)); ++ mutt_sleep (2); ++ return 0; ++ } ++ ++ /* We only support X.509 certificates (not OpenPGP) at the moment */ ++ if (gnutls_certificate_type_get (tlsstate) != GNUTLS_CRT_X509) ++ { ++ mutt_error (_("Certificate is not X.509")); ++ mutt_sleep (2); ++ return 0; ++ } ++ ++ return certstat; ++} ++ + static int tls_check_certificate (CONNECTION* conn) + { +@@ -874,5 +946,5 @@ + unsigned int cert_list_size = 0; + gnutls_certificate_status certstat; +- int i, rc; ++ int certerr, i, preauthrc, savedcert, rc = 0; + + if (gnutls_auth_get_type (state) != GNUTLS_CRD_CERTIFICATE) +@@ -883,27 +955,5 @@ + } + +- certstat = gnutls_certificate_verify_peers (state); +- +- if (certstat == GNUTLS_E_NO_CERTIFICATE_FOUND) +- { +- mutt_error (_("Unable to get certificate from peer")); +- mutt_sleep (2); +- return 0; +- } +- if (certstat < 0) +- { +- mutt_error (_("Certificate verification error (%s)"), +- gnutls_strerror (certstat)); +- mutt_sleep (2); +- return 0; +- } +- +- /* We only support X.509 certificates (not OpenPGP) at the moment */ +- if (gnutls_certificate_type_get (state) != GNUTLS_CRT_X509) +- { +- mutt_error (_("Certificate is not X.509")); +- mutt_sleep (2); +- return 0; +- } ++ certstat = tls_verify_peers (state); + + cert_list = gnutls_certificate_get_peers (state, &cert_list_size); +@@ -915,12 +965,41 @@ + } + ++ /* tls_verify_peers doesn't check hostname or expiration, so walk ++ * from most specific to least checking these. If we see a saved certificate, ++ * its status short-circuits the remaining checks. 
*/ ++ preauthrc = 0; ++ for (i = 0; i < cert_list_size; i++) { ++ rc = tls_check_preauth(&cert_list[i], certstat, conn->account.host, i, ++ &certerr, &savedcert); ++ preauthrc += rc; ++ ++ if (savedcert) ++ { ++ if (!preauthrc) ++ return 1; ++ else ++ break; ++ } ++ } ++ ++ /* then check interactively, starting from chain root */ + for (i = cert_list_size - 1; i >= 0; i--) + { + rc = tls_check_one_certificate (&cert_list[i], certstat, conn->account.host, + i, cert_list_size); +- if (rc) +- return rc; +- } +- +- return 0; +-} ++ ++ /* add signers to trust set, then reverify */ ++ if (i && rc) { ++ rc = gnutls_certificate_set_x509_trust_mem (data->xcred, &cert_list[i], ++ GNUTLS_X509_FMT_DER); ++ if (rc != 1) ++ dprint (1, (debugfile, "error trusting certificate %d: %d\n", i, rc)); ++ ++ certstat = tls_verify_peers (state); ++ if (!certstat) ++ return 1; ++ } ++ } ++ ++ return rc; ++} diff --git a/mail-client/mutt/files/mutt-1.5.19-mutt_ssl-3af7e8af1983-dc9ec900c657.patch b/mail-client/mutt/files/mutt-1.5.19-mutt_ssl-3af7e8af1983-dc9ec900c657.patch new file mode 100644 index 000000000000..7022c19a206c --- /dev/null +++ b/mail-client/mutt/files/mutt-1.5.19-mutt_ssl-3af7e8af1983-dc9ec900c657.patch 
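Review bot: The new tls_verify_peers (inner hunk `@@ -867,4 +905,38 @@`) returns 0 both when verification succeeded and after each of its three error paths, so tls_check_certificate can no longer tell them apart: `certstat = tls_verify_peers (state);` drops the `return 0` the removed code had on error, and the reverification inside the chain loop, `if (!certstat) return 1;`, turns "Unable to get certificate from peer" or a negative gnutls error into an accepted connection. The early `if (!certstat) return certstat;` also skips the X.509 type check that the removed code ran unconditionally. Return the status through an out parameter and a separate int result, and have both call sites bail out on -1; this assumes gnutls_certificate_verify_peers still reports errors as a negative int, which the `certstat < 0` test already relies on. tls_check_certificate is only partly visible in the inner patch's hunks.
```c
/* sanity-checking wrapper for gnutls_certificate_verify_peers:
 * 0 with *certstat filled in on success, -1 after reporting an error */
static int tls_verify_peers (gnutls_session tlsstate,
                             gnutls_certificate_status *certstat)
{
  int rc = gnutls_certificate_verify_peers (tlsstate);

  *certstat = 0;
  if (rc == GNUTLS_E_NO_CERTIFICATE_FOUND)
  {
    mutt_error (_("Unable to get certificate from peer"));
    mutt_sleep (2);
    return -1;
  }
  if (rc < 0)
  {
    mutt_error (_("Certificate verification error (%s)"), gnutls_strerror (rc));
    mutt_sleep (2);
    return -1;
  }
  /* … unchanged: X.509 certificate type check, now returning -1 … */
  *certstat = rc;
  return 0;
}

/* … unchanged: tls_check_certificate up to the first verification … */
  if (tls_verify_peers (state, &certstat) < 0)
    return 0;
/* … unchanged: peer list retrieval, preauth walk, interactive loop … */
      if (tls_verify_peers (state, &certstat) < 0)
        return 0;
      if (!certstat)
        return 1;
```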
@@ -0,0 +1,178 @@ +http://thread.gmane.org/gmane.comp.security.oss.general/1847 +http://bugs.gentoo.org/show_bug.cgi?id=274488 + +whitespace-only hunks removed + +Index: mutt_ssl.c +=================================================================== +--- mutt_ssl.c (revision 5622:3af7e8af1983) ++++ mutt_ssl.c (revision 5870:dc9ec900c657) +@@ -565,17 +565,20 @@ + + /* expiration check */ +- if (X509_cmp_current_time (X509_get_notBefore (peercert)) >= 0) +- { +- dprint (2, (debugfile, "Server certificate is not yet valid\n")); +- mutt_error (_("Server certificate is not yet valid")); +- mutt_sleep (2); +- return 0; +- } +- if (X509_cmp_current_time (X509_get_notAfter (peercert)) <= 0) +- { +- dprint (2, (debugfile, "Server certificate has expired")); +- mutt_error (_("Server certificate has expired")); +- mutt_sleep (2); +- return 0; ++ if (option (OPTSSLVERIFYDATES) != M_NO) ++ { ++ if (X509_cmp_current_time (X509_get_notBefore (peercert)) >= 0) ++ { ++ dprint (2, (debugfile, "Server certificate is not yet valid\n")); ++ mutt_error (_("Server certificate is not yet valid")); ++ mutt_sleep (2); ++ return 0; ++ } ++ if (X509_cmp_current_time (X509_get_notAfter (peercert)) <= 0) ++ { ++ dprint (2, (debugfile, "Server certificate has expired")); ++ mutt_error (_("Server certificate has expired")); ++ mutt_sleep (2); ++ return 0; ++ } + } + +@@ -585,5 +588,5 @@ + if (!X509_digest (peercert, EVP_sha1(), peermd, &peermdlen)) + { +- fclose (fp); ++ safe_fclose (&fp); + return 0; + } +@@ -592,10 +595,10 @@ + { + pass = compare_certificates (cert, peercert, peermd, peermdlen) ? 0 : 1; +- ++ + if (pass) + break; + } + X509_free (cert); +- fclose (fp); ++ safe_fclose (&fp); + + return pass; +@@ -737,6 +740,8 @@ + } + +-/* check whether cert is preauthorized */ +-static int ssl_check_preauth (X509 *cert, CONNECTION *conn) ++/* check whether cert is preauthorized. If host is not null, verify that ++ * it matches the certificate. 
++ * Return > 0: authorized, < 0: problems, 0: unknown validity */ ++static int ssl_check_preauth (X509 *cert, const char* host) + { + char buf[SHORT_STRING]; +@@ -750,11 +755,14 @@ + + buf[0] = 0; +- if (!check_host (cert, conn->account.host, buf, sizeof (buf))) +- { +- mutt_error (_("Certificate host check failed: %s"), buf); +- mutt_sleep (2); +- return -1; +- } +- dprint (2, (debugfile, "ssl_check_preauth: hostname check passed\n")); ++ if (host && option (OPTSSLVERIFYHOST) != M_NO) ++ { ++ if (!check_host (cert, host, buf, sizeof (buf))) ++ { ++ mutt_error (_("Certificate host check failed: %s"), buf); ++ mutt_sleep (2); ++ return -1; ++ } ++ dprint (2, (debugfile, "ssl_check_preauth: hostname check passed\n")); ++ } + + if (check_certificate_by_signer (cert)) +@@ -780,42 +788,28 @@ + X509 *cert; + +- if ((preauthrc = ssl_check_preauth (data->cert, conn)) > 0) ++ if ((preauthrc = ssl_check_preauth (data->cert, conn->account.host)) > 0) + return preauthrc; + + chain = SSL_get_peer_cert_chain (data->ssl); + chain_len = sk_X509_num (chain); +- if (!chain || (chain_len < 1)) ++ /* negative preauthrc means the certificate won't be accepted without ++ * manual override. */ ++ if (preauthrc < 0 || !chain || (chain_len <= 1)) + return interactive_check_cert (data->cert, 0, 0); + +- /* check the chain from root to peer */ ++ /* check the chain from root to peer. 
*/ + for (i = chain_len-1; i >= 0; i--) + { + cert = sk_X509_value (chain, i); +- if (check_certificate_cache (cert)) +- dprint (2, (debugfile, "ssl chain: already cached: %s\n", cert->name)); +- else if (i /* 0 is the peer */ || !preauthrc) +- { +- if (check_certificate_by_signer (cert)) +- { +- dprint (2, (debugfile, "ssl chain: checked by signer: %s\n", cert->name)); +- ssl_cache_trusted_cert (cert); ++ ++ /* if the certificate validates or is manually accepted, then add it to ++ * the trusted set and recheck the peer certificate */ ++ if (ssl_check_preauth (cert, NULL) ++ || interactive_check_cert (cert, i, chain_len)) ++ { ++ ssl_cache_trusted_cert (cert); ++ if (ssl_check_preauth (data->cert, conn->account.host)) + return 1; +- } +- else if (SslCertFile && check_certificate_by_digest (cert)) +- { +- dprint (2, (debugfile, "ssl chain: trusted with file: %s\n", cert->name)); +- ssl_cache_trusted_cert (cert); +- return 1; +- } +- else /* allow users to shoot their foot */ +- { +- dprint (2, (debugfile, "ssl chain: check failed: %s\n", cert->name)); +- if (interactive_check_cert (cert, i, chain_len)) +- return 1; +- } +- } +- else /* highly suspicious because (i==0 && preauthrc < 0) */ +- if (interactive_check_cert (cert, i, chain_len)) +- return 1; ++ } + } + +@@ -882,6 +876,8 @@ + len - idx, len); + menu->title = title; +- if (SslCertFile && X509_cmp_current_time (X509_get_notAfter (cert)) >= 0 +- && X509_cmp_current_time (X509_get_notBefore (cert)) < 0) ++ if (SslCertFile ++ && (option (OPTSSLVERIFYDATES) == M_NO ++ || (X509_cmp_current_time (X509_get_notAfter (cert)) >= 0 ++ && X509_cmp_current_time (X509_get_notBefore (cert)) < 0))) + { + menu->prompt = _("(r)eject, accept (o)nce, (a)ccept always"); +@@ -893,5 +889,5 @@ + menu->keys = _("ro"); + } +- ++ + helpstr[0] = '\0'; + mutt_make_help (buf, sizeof (buf), _("Exit "), MENU_GENERIC, OP_EXIT); +@@ -918,5 +914,5 @@ + if (PEM_write_X509 (fp, cert)) + done = 1; +- fclose (fp); ++ safe_fclose (&fp); + } + if 
(!done) diff --git a/mail-client/mutt/mutt-1.5.19.ebuild b/mail-client/mutt/mutt-1.5.19-r1.ebuild index 89ecab9f8161..103274e0d8d1 100644 --- a/mail-client/mutt/mutt-1.5.19.ebuild +++ b/mail-client/mutt/mutt-1.5.19-r1.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2009 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/mail-client/mutt/mutt-1.5.19.ebuild,v 1.6 2009/06/09 07:18:04 grobian Exp $ +# $Header: /var/cvsroot/gentoo-x86/mail-client/mutt/mutt-1.5.19-r1.ebuild,v 1.1 2009/06/18 09:20:37 grobian Exp $ inherit eutils flag-o-matic autotools @@ -64,14 +64,19 @@ DEPEND="${RDEPEND} PATCHDIR="${WORKDIR}"/${P}-gentoo-patches${PATCHSET_REV} src_unpack() { - unpack ${A//${SIDEBAR_PATCH_N}} && cd "${S}" || die "unpack failed" + unpack ${A//${SIDEBAR_PATCH_N}} + cd "${S}" + + epatch "${FILESDIR}"/${P}-libgnutls-test-15c662a95b91.patch + # CVE-2009-1390 http://thread.gmane.org/gmane.comp.security.oss.general/1847 + epatch "${FILESDIR}"/${P}-mutt_ssl-3af7e8af1983-dc9ec900c657.patch + epatch "${FILESDIR}"/${P}-mutt-gnutls-7d0583e0315d-0b13183e40e0.patch if ! use vanilla && ! use sidebar ; then use nntp || rm "${PATCHDIR}"/06-nntp.patch for p in "${PATCHDIR}"/*.patch ; do epatch "${p}" done - epatch "${FILESDIR}"/${P}-libgnutls-test-15c662a95b91.patch fi if use sidebar ; then |
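Review bot: The peer re-check inside the chain loop, `if (ssl_check_preauth (data->cert, conn->account.host)) return 1;`, treats ssl_check_preauth's documented `< 0: problems` result as acceptance, since any non-zero value passes the test. Today that is masked by the `preauthrc < 0` early return above the loop (a hostname mismatch never reaches it), but the guard should state what it means: `if (ssl_check_preauth (data->cert, conn->account.host) > 0) return 1;`. The same reading applies to `ssl_check_preauth (cert, NULL) ||` on the line before, which cannot return -1 with a NULL host but reads as though a failure would be accepted. ssl_check_certificate's body continues outside the inner hunk.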
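Review bot: `cd "${S}"` in src_unpack loses the `|| die` the replaced line had, so a failed chdir would let the three `epatch` calls run against the wrong directory and fail with a less useful message; keep the guard, `cd "${S}" || die "cd failed"`. The libgnutls-test patch also moves out of the `! use vanilla` block and is now applied for USE=vanilla too — presumably intended, since the CVE-2009-1390 patches beside it are unconditional as well, but the ChangeLog entry does not mention it.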