summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'mail-client')
-rw-r--r--mail-client/mutt/ChangeLog10
-rw-r--r--mail-client/mutt/Manifest6
-rw-r--r--mail-client/mutt/files/mutt-1.5.19-mutt-gnutls-7d0583e0315d-0b13183e40e0.patch458
-rw-r--r--mail-client/mutt/files/mutt-1.5.19-mutt_ssl-3af7e8af1983-dc9ec900c657.patch178
-rw-r--r--mail-client/mutt/mutt-1.5.19-r1.ebuild (renamed from mail-client/mutt/mutt-1.5.19.ebuild)11
5 files changed, 657 insertions, 6 deletions
diff --git a/mail-client/mutt/ChangeLog b/mail-client/mutt/ChangeLog
index 1503100f8494..74fdb62609a1 100644
--- a/mail-client/mutt/ChangeLog
+++ b/mail-client/mutt/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for mail-client/mutt
# Copyright 2002-2009 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/mail-client/mutt/ChangeLog,v 1.129 2009/06/09 07:18:04 grobian Exp $
+# $Header: /var/cvsroot/gentoo-x86/mail-client/mutt/ChangeLog,v 1.130 2009/06/18 09:20:37 grobian Exp $
+
+*mutt-1.5.19-r1 (18 Jun 2009)
+
+ 18 Jun 2009; Fabian Groffen <grobian@gentoo.org>
+ +files/mutt-1.5.19-mutt-gnutls-7d0583e0315d-0b13183e40e0.patch,
+ +files/mutt-1.5.19-mutt_ssl-3af7e8af1983-dc9ec900c657.patch,
+ -mutt-1.5.19.ebuild, +mutt-1.5.19-r1.ebuild:
+ Revision bump for CVE-2009-1390, add related patches
09 Jun 2009; Fabian Groffen <grobian@gentoo.org>
+files/mutt-1.5.19-libgnutls-test-15c662a95b91.patch, mutt-1.5.19.ebuild:
diff --git a/mail-client/mutt/Manifest b/mail-client/mutt/Manifest
index 93dbea664e50..8a67337b67ac 100644
--- a/mail-client/mutt/Manifest
+++ b/mail-client/mutt/Manifest
@@ -9,6 +9,8 @@ AUX mutt-1.5.13-sasl.patch 2468 RMD160 7c0ee6795f8b7a11059f3802b098735897cf7cf2
AUX mutt-1.5.15-parallel-make.patch 946 RMD160 80c9bfa187c784d650f5850469021f94547c897e SHA1 5b8b9e2d3bc8e36b8a95fc3bc79f5bfe50ec5008 SHA256 d4b6abc9f43989a6c7a22f3fbaafd4ffa524ad516c4cb5b8cfe884985cce74f6
AUX mutt-1.5.16-parallel-make.patch 936 RMD160 f6a216d9ff06ae55d9569e05632b60332cf49ebe SHA1 0a9b98b37987ffa10039424bb6f5849a08dbb168 SHA256 3ecc199b83f6fa747d342694d8ffacf0aedd4590e0d9943c9b6004c31cbdb931
AUX mutt-1.5.19-libgnutls-test-15c662a95b91.patch 9187 RMD160 b5d981c5aeb66f9fc1212c74884bfd91914a97c7 SHA1 76cdfe28610aa68eec2506aeab53324de9dbf57e SHA256 7fe0edbfb2ee862bfef0fd3c53e19cf589a908c52299206db72c1c701e7fb6c8
+AUX mutt-1.5.19-mutt-gnutls-7d0583e0315d-0b13183e40e0.patch 12678 RMD160 4d5e38cbd970a78c6d49b67c91ce41283e00862a SHA1 af2c5e470b49a4f8f04cc188d17ac4dd0b54e831 SHA256 a11797d8eb5566ebafe28d1b70d75bd2d373d0db32ad513d3dfaee2ad7876cf1
+AUX mutt-1.5.19-mutt_ssl-3af7e8af1983-dc9ec900c657.patch 5527 RMD160 67a9d22456971c32f3922fb7d065fbf8ac32edd0 SHA1 e85706063b9bd56d7ed08f0007ce19133a8425e1 SHA256 05e91ddbe4fc70569221d9529f7673c48326bb7cd1f01485ab3c1ebb34db594a
AUX slang.patch 493 RMD160 16dcedee86fe91ecac48ec5be8a6f67798ef7ac0 SHA1 f913e8c717f76186b0edc8856bf02a167d540c70 SHA256 040c8b63b2d805dae800fa9b1826d158b7104641339cee9a404985616b3502c7
DIST mutt-1.5.13-gentoo-patches.tar.bz2 53418 RMD160 67274bef651c1c78d1e6878d8bb17316abf9d30e SHA1 95819031d9b14914c04ebd36e3ee004b564b942c SHA256 b0a8737ab8ec42b5f071eb08356a2572c49f98c73c3bf42396fd481c4650ef1d
DIST mutt-1.5.13.tar.gz 3442681 RMD160 9327b7f928aad78a20c2395629113ac2519bb945 SHA1 6d5b88d33e1727bf0342c31f06d55d7a3d2d4e0a SHA256 e0481690c0caf23b5c88359b2dbac70308f8f138663e8fee482b163562fe8da9
@@ -26,6 +28,6 @@ EBUILD mutt-1.5.13-r2.ebuild 4410 RMD160 35bd57d44d7bd67f35a3e343a5a7090a0897700
EBUILD mutt-1.5.14.ebuild 4477 RMD160 854063ac3471204336557b95f2f0b84db782e1a7 SHA1 48f12bd49d495620870f39e80a295d6c009a609f SHA256 cc27d01f1d3d727b37c9b9dad92fff1afd9600301238d195cbcb69d47244bb29
EBUILD mutt-1.5.15-r2.ebuild 4528 RMD160 2359d39b6d5758d977b1cbfce4c320dc0abb0ed7 SHA1 9a34328905989c05c7ebc5892c0e8151433897b0 SHA256 37c613bcdc54cef3d93b013c6cb792deb2be3ca2de85765a937323bae5041264
EBUILD mutt-1.5.16.ebuild 4989 RMD160 2a9ae3ece8f56692e0077b7b3940e607c79f2a14 SHA1 a79646fbfce1e85ecc2f8aaa4728e3c7303185f0 SHA256 55a70c2bb8f144549e6a12a4ba6bcb8796202d4f7be25fb809fefa2848615368
-EBUILD mutt-1.5.19.ebuild 5724 RMD160 4dfa7234559643c067d8a21d8fd1f1058950ecef SHA1 1dbf5a22c95ba22bc38793ea3fe380e962b2c180 SHA256 718e4650dbb02e7331f55010cea1362537eb91fae7b6ec8cfe68fca6ee12b391
-MISC ChangeLog 28908 RMD160 c6f8ef6ac1f65e1aef482d3cb4b08ef922231113 SHA1 0fb35d16ab457ec15409d47c54858c45e02af79f SHA256 b7d278c9544eb83d2f0cba1146b5ac32056286f8f83e36c19e28c7a9e21b894c
+EBUILD mutt-1.5.19-r1.ebuild 5919 RMD160 607fad884f4c84d09b289f5dca0bf25f7e72ddfe SHA1 14c860c87f5da3d740bfc73baa4cecd108188de7 SHA256 85bbdbdded28b54c5c528c245c925a3dbdf7340fea32b47f82f19e7da7558079
+MISC ChangeLog 29222 RMD160 dd3d31f5dfd22da434cb4b14342a09df6d239660 SHA1 42cf086decd24c08df88e7e66af4149a52a8b9d9 SHA256 b112932a02af51094ffc59768e3e1091d085c03f7337157b785b3480d0919094
MISC metadata.xml 631 RMD160 10c1955ddab3675eaf66cefb8b048f63c3cfdada SHA1 2bf05cda645721d9eec36475e7961459d2986351 SHA256 cb99c48a1a6bacbf5d331b42a1803f6526f4805ed4abc730ce6606a9786bd9a7
diff --git a/mail-client/mutt/files/mutt-1.5.19-mutt-gnutls-7d0583e0315d-0b13183e40e0.patch b/mail-client/mutt/files/mutt-1.5.19-mutt-gnutls-7d0583e0315d-0b13183e40e0.patch
new file mode 100644
index 000000000000..4441d51266a6
--- /dev/null
+++ b/mail-client/mutt/files/mutt-1.5.19-mutt-gnutls-7d0583e0315d-0b13183e40e0.patch
@@ -0,0 +1,458 @@
+http://thread.gmane.org/gmane.comp.security.oss.general/1847
+http://bugs.gentoo.org/show_bug.cgi?id=274488
+
+whitespace-only hunks removed
+
+Index: mutt_ssl_gnutls.c
+===================================================================
+--- mutt_ssl_gnutls.c (revision 5623:7d0583e0315d)
++++ mutt_ssl_gnutls.c (revision 5853:0b13183e40e0)
+@@ -34,4 +34,13 @@
+ #include "mutt_regex.h"
+
++/* certificate error bitmap values */
++#define CERTERR_VALID 0
++#define CERTERR_EXPIRED 1
++#define CERTERR_NOTYETVALID 2
++#define CERTERR_REVOKED 4
++#define CERTERR_NOTTRUSTED 8
++#define CERTERR_HOSTNAME 16
++#define CERTERR_SIGNERNOTCA 32
++
+ typedef struct _tlssockdata
+ {
+@@ -409,5 +418,5 @@
+
+ b64_data.size = fread(b64_data.data, 1, b64_data.size, fd1);
+- fclose(fd1);
++ safe_fclose (&fd1);
+
+ do {
+@@ -505,5 +514,5 @@
+ buf[0] = '\0';
+ tls_fingerprint (GNUTLS_DIG_MD5, buf, sizeof (buf), cert);
+- while ((linestr = mutt_read_line(linestr, &linestrsize, fp, &linenum)) != NULL)
++ while ((linestr = mutt_read_line(linestr, &linestrsize, fp, &linenum, 0)) != NULL)
+ {
+ if(linestr[0] == '#' && linestr[1] == 'H')
+@@ -518,5 +527,5 @@
+ regfree(&preg);
+ FREE(&linestr);
+- fclose(fp);
++ safe_fclose (&fp);
+ return 1;
+ }
+@@ -526,9 +535,113 @@
+
+ regfree(&preg);
+- fclose(fp);
++ safe_fclose (&fp);
+ }
+
+ /* not found a matching name */
+ return 0;
++}
++
++static int tls_check_preauth (const gnutls_datum_t *certdata,
++ gnutls_certificate_status certstat,
++ const char *hostname, int chainidx, int* certerr,
++ int* savedcert)
++{
++ gnutls_x509_crt cert;
++
++ *certerr = CERTERR_VALID;
++ *savedcert = 0;
++
++ if (gnutls_x509_crt_init (&cert) < 0)
++ {
++ mutt_error (_("Error initialising gnutls certificate data"));
++ mutt_sleep (2);
++ return -1;
++ }
++
++ if (gnutls_x509_crt_import (cert, certdata, GNUTLS_X509_FMT_DER) < 0)
++ {
++ mutt_error (_("Error processing certificate data"));
++ mutt_sleep (2);
++ gnutls_x509_crt_deinit (cert);
++ return -1;
++ }
++
++ if (option (OPTSSLVERIFYDATES) != M_NO)
++ {
++ if (gnutls_x509_crt_get_expiration_time (cert) < time(NULL))
++ *certerr |= CERTERR_EXPIRED;
++ if (gnutls_x509_crt_get_activation_time (cert) > time(NULL))
++ *certerr |= CERTERR_NOTYETVALID;
++ }
++
++ if (chainidx == 0 && option (OPTSSLVERIFYHOST) != M_NO
++ && !gnutls_x509_crt_check_hostname (cert, hostname)
++ && !tls_check_stored_hostname (certdata, hostname))
++ *certerr |= CERTERR_HOSTNAME;
++
++ /* see whether certificate is in our cache (certificates file) */
++ if (tls_compare_certificates (certdata))
++ {
++ *savedcert = 1;
++
++ if (chainidx == 0 && certstat & GNUTLS_CERT_INVALID)
++ {
++ /* doesn't matter - have decided is valid because server
++ certificate is in our trusted cache */
++ certstat ^= GNUTLS_CERT_INVALID;
++ }
++
++ if (chainidx == 0 && certstat & GNUTLS_CERT_SIGNER_NOT_FOUND)
++ {
++ /* doesn't matter that we haven't found the signer, since
++ certificate is in our trusted cache */
++ certstat ^= GNUTLS_CERT_SIGNER_NOT_FOUND;
++ }
++
++ if (chainidx <= 1 && certstat & GNUTLS_CERT_SIGNER_NOT_CA)
++ {
++ /* Hmm. Not really sure how to handle this, but let's say
++ that we don't care if the CA certificate hasn't got the
++ correct X.509 basic constraints if server or first signer
++ certificate is in our cache. */
++ certstat ^= GNUTLS_CERT_SIGNER_NOT_CA;
++ }
++ }
++
++ if (certstat & GNUTLS_CERT_REVOKED)
++ {
++ *certerr |= CERTERR_REVOKED;
++ certstat ^= GNUTLS_CERT_REVOKED;
++ }
++
++ if (certstat & GNUTLS_CERT_INVALID)
++ {
++ *certerr |= CERTERR_NOTTRUSTED;
++ certstat ^= GNUTLS_CERT_INVALID;
++ }
++
++ if (certstat & GNUTLS_CERT_SIGNER_NOT_FOUND)
++ {
++ /* NB: already cleared if cert in cache */
++ *certerr |= CERTERR_NOTTRUSTED;
++ certstat ^= GNUTLS_CERT_SIGNER_NOT_FOUND;
++ }
++
++ if (certstat & GNUTLS_CERT_SIGNER_NOT_CA)
++ {
++ /* NB: already cleared if cert in cache */
++ *certerr |= CERTERR_SIGNERNOTCA;
++ certstat ^= GNUTLS_CERT_SIGNER_NOT_CA;
++ }
++
++ gnutls_x509_crt_deinit (cert);
++
++ /* we've been zeroing the interesting bits in certstat -
++ don't return OK if there are any unhandled bits we don't
++ understand */
++ if (*certerr == CERTERR_VALID && certstat == 0)
++ return 0;
++
++ return -1;
+ }
+
+@@ -537,11 +650,6 @@
+ const char* hostname, int idx, int len)
+ {
++ int certerr, savedcert;
+ gnutls_x509_crt cert;
+- int certerr_hostname = 0;
+- int certerr_expired = 0;
+- int certerr_notyetvalid = 0;
+- int certerr_nottrusted = 0;
+- int certerr_revoked = 0;
+- int certerr_signernotca = 0;
+ char buf[SHORT_STRING];
+ char fpbuf[SHORT_STRING];
+@@ -563,4 +671,9 @@
+ int i, row, done, ret;
+
++ if (!tls_check_preauth (certdata, certstat, hostname, idx, &certerr,
++ &savedcert))
++ return 1;
++
++ /* interactive check from user */
+ if (gnutls_x509_crt_init (&cert) < 0)
+ {
+@@ -569,5 +682,5 @@
+ return 0;
+ }
+-
++
+ if (gnutls_x509_crt_import (cert, certdata, GNUTLS_X509_FMT_DER) < 0)
+ {
+@@ -577,82 +690,5 @@
+ return -1;
+ }
+-
+- if (gnutls_x509_crt_get_expiration_time (cert) < time(NULL))
+- certerr_expired = 1;
+- if (gnutls_x509_crt_get_activation_time (cert) > time(NULL))
+- certerr_notyetvalid = 1;
+-
+- if (!idx)
+- {
+- if (!gnutls_x509_crt_check_hostname (cert, hostname) &&
+- !tls_check_stored_hostname (certdata, hostname))
+- certerr_hostname = 1;
+- }
+-
+- /* see whether certificate is in our cache (certificates file) */
+- if (tls_compare_certificates (certdata))
+- {
+- if (certstat & GNUTLS_CERT_INVALID)
+- {
+- /* doesn't matter - have decided is valid because server
+- certificate is in our trusted cache */
+- certstat ^= GNUTLS_CERT_INVALID;
+- }
+-
+- if (certstat & GNUTLS_CERT_SIGNER_NOT_FOUND)
+- {
+- /* doesn't matter that we haven't found the signer, since
+- certificate is in our trusted cache */
+- certstat ^= GNUTLS_CERT_SIGNER_NOT_FOUND;
+- }
+-
+- if (certstat & GNUTLS_CERT_SIGNER_NOT_CA)
+- {
+- /* Hmm. Not really sure how to handle this, but let's say
+- that we don't care if the CA certificate hasn't got the
+- correct X.509 basic constraints if server certificate is
+- in our cache. */
+- certstat ^= GNUTLS_CERT_SIGNER_NOT_CA;
+- }
+- }
+-
+- if (certstat & GNUTLS_CERT_REVOKED)
+- {
+- certerr_revoked = 1;
+- certstat ^= GNUTLS_CERT_REVOKED;
+- }
+-
+- if (certstat & GNUTLS_CERT_INVALID)
+- {
+- certerr_nottrusted = 1;
+- certstat ^= GNUTLS_CERT_INVALID;
+- }
+-
+- if (certstat & GNUTLS_CERT_SIGNER_NOT_FOUND)
+- {
+- /* NB: already cleared if cert in cache */
+- certerr_nottrusted = 1;
+- certstat ^= GNUTLS_CERT_SIGNER_NOT_FOUND;
+- }
+-
+- if (certstat & GNUTLS_CERT_SIGNER_NOT_CA)
+- {
+- /* NB: already cleared if cert in cache */
+- certerr_signernotca = 1;
+- certstat ^= GNUTLS_CERT_SIGNER_NOT_CA;
+- }
+-
+- /* OK if signed by (or is) a trusted certificate */
+- /* we've been zeroing the interesting bits in certstat -
+- don't return OK if there are any unhandled bits we don't
+- understand */
+- if (!(certerr_expired || certerr_notyetvalid ||
+- certerr_hostname || certerr_nottrusted) && certstat == 0)
+- {
+- gnutls_x509_crt_deinit (cert);
+- return 1;
+- }
+-
+- /* interactive check from user */
++
+ menu = mutt_new_menu (-1);
+ menu->max = 25;
+@@ -756,26 +792,26 @@
+ tls_fingerprint (GNUTLS_DIG_MD5, fpbuf, sizeof (fpbuf), certdata);
+ snprintf (menu->dialog[row++], SHORT_STRING, _("MD5 Fingerprint: %s"), fpbuf);
+-
+- if (certerr_notyetvalid)
++
++ if (certerr & CERTERR_NOTYETVALID)
+ {
+ row++;
+ strfcpy (menu->dialog[row], _("WARNING: Server certificate is not yet valid"), SHORT_STRING);
+ }
+- if (certerr_expired)
++ if (certerr & CERTERR_EXPIRED)
+ {
+ row++;
+ strfcpy (menu->dialog[row], _("WARNING: Server certificate has expired"), SHORT_STRING);
+ }
+- if (certerr_revoked)
++ if (certerr & CERTERR_REVOKED)
+ {
+ row++;
+ strfcpy (menu->dialog[row], _("WARNING: Server certificate has been revoked"), SHORT_STRING);
+ }
+- if (certerr_hostname)
++ if (certerr & CERTERR_HOSTNAME)
+ {
+ row++;
+ strfcpy (menu->dialog[row], _("WARNING: Server hostname does not match certificate"), SHORT_STRING);
+ }
+- if (certerr_signernotca)
++ if (certerr & CERTERR_SIGNERNOTCA)
+ {
+ row++;
+@@ -789,5 +825,7 @@
+ /* certificates with bad dates, or that are revoked, must be
+ accepted manually each and every time */
+- if (SslCertFile && !certerr_expired && !certerr_notyetvalid && !certerr_revoked)
++ if (SslCertFile && !savedcert
++ && !(certerr & (CERTERR_EXPIRED | CERTERR_NOTYETVALID
++ | CERTERR_REVOKED)))
+ {
+ menu->prompt = _("(r)eject, accept (o)nce, (a)ccept always");
+@@ -823,10 +861,10 @@
+ {
+ /* save hostname if necessary */
+- if (certerr_hostname)
++ if (certerr & CERTERR_HOSTNAME)
+ {
+ fprintf(fp, "#H %s %s\n", hostname, fpbuf);
+ done = 1;
+ }
+- if (certerr_nottrusted)
++ if (certerr & CERTERR_NOTTRUSTED)
+ {
+ done = 0;
+@@ -842,5 +880,5 @@
+ }
+ }
+- fclose (fp);
++ safe_fclose (&fp);
+ }
+ if (!done)
+@@ -867,4 +905,38 @@
+ }
+
++/* sanity-checking wrapper for gnutls_certificate_verify_peers */
++static gnutls_certificate_status tls_verify_peers (gnutls_session tlsstate)
++{
++ gnutls_certificate_status certstat;
++
++ certstat = gnutls_certificate_verify_peers (tlsstate);
++ if (!certstat)
++ return certstat;
++
++ if (certstat == GNUTLS_E_NO_CERTIFICATE_FOUND)
++ {
++ mutt_error (_("Unable to get certificate from peer"));
++ mutt_sleep (2);
++ return 0;
++ }
++ if (certstat < 0)
++ {
++ mutt_error (_("Certificate verification error (%s)"),
++ gnutls_strerror (certstat));
++ mutt_sleep (2);
++ return 0;
++ }
++
++ /* We only support X.509 certificates (not OpenPGP) at the moment */
++ if (gnutls_certificate_type_get (tlsstate) != GNUTLS_CRT_X509)
++ {
++ mutt_error (_("Certificate is not X.509"));
++ mutt_sleep (2);
++ return 0;
++ }
++
++ return certstat;
++}
++
+ static int tls_check_certificate (CONNECTION* conn)
+ {
+@@ -874,5 +946,5 @@
+ unsigned int cert_list_size = 0;
+ gnutls_certificate_status certstat;
+- int i, rc;
++ int certerr, i, preauthrc, savedcert, rc = 0;
+
+ if (gnutls_auth_get_type (state) != GNUTLS_CRD_CERTIFICATE)
+@@ -883,27 +955,5 @@
+ }
+
+- certstat = gnutls_certificate_verify_peers (state);
+-
+- if (certstat == GNUTLS_E_NO_CERTIFICATE_FOUND)
+- {
+- mutt_error (_("Unable to get certificate from peer"));
+- mutt_sleep (2);
+- return 0;
+- }
+- if (certstat < 0)
+- {
+- mutt_error (_("Certificate verification error (%s)"),
+- gnutls_strerror (certstat));
+- mutt_sleep (2);
+- return 0;
+- }
+-
+- /* We only support X.509 certificates (not OpenPGP) at the moment */
+- if (gnutls_certificate_type_get (state) != GNUTLS_CRT_X509)
+- {
+- mutt_error (_("Certificate is not X.509"));
+- mutt_sleep (2);
+- return 0;
+- }
++ certstat = tls_verify_peers (state);
+
+ cert_list = gnutls_certificate_get_peers (state, &cert_list_size);
+@@ -915,12 +965,41 @@
+ }
+
++ /* tls_verify_peers doesn't check hostname or expiration, so walk
++ * from most specific to least checking these. If we see a saved certificate,
++ * its status short-circuits the remaining checks. */
++ preauthrc = 0;
++ for (i = 0; i < cert_list_size; i++) {
++ rc = tls_check_preauth(&cert_list[i], certstat, conn->account.host, i,
++ &certerr, &savedcert);
++ preauthrc += rc;
++
++ if (savedcert)
++ {
++ if (!preauthrc)
++ return 1;
++ else
++ break;
++ }
++ }
++
++ /* then check interactively, starting from chain root */
+ for (i = cert_list_size - 1; i >= 0; i--)
+ {
+ rc = tls_check_one_certificate (&cert_list[i], certstat, conn->account.host,
+ i, cert_list_size);
+- if (rc)
+- return rc;
+- }
+-
+- return 0;
+-}
++
++ /* add signers to trust set, then reverify */
++ if (i && rc) {
++ rc = gnutls_certificate_set_x509_trust_mem (data->xcred, &cert_list[i],
++ GNUTLS_X509_FMT_DER);
++ if (rc != 1)
++ dprint (1, (debugfile, "error trusting certificate %d: %d\n", i, rc));
++
++ certstat = tls_verify_peers (state);
++ if (!certstat)
++ return 1;
++ }
++ }
++
++ return rc;
++}
diff --git a/mail-client/mutt/files/mutt-1.5.19-mutt_ssl-3af7e8af1983-dc9ec900c657.patch b/mail-client/mutt/files/mutt-1.5.19-mutt_ssl-3af7e8af1983-dc9ec900c657.patch
new file mode 100644
index 000000000000..7022c19a206c
--- /dev/null
+++ b/mail-client/mutt/files/mutt-1.5.19-mutt_ssl-3af7e8af1983-dc9ec900c657.patch
@@ -0,0 +1,178 @@
+http://thread.gmane.org/gmane.comp.security.oss.general/1847
+http://bugs.gentoo.org/show_bug.cgi?id=274488
+
+whitespace-only hunks removed
+
+Index: mutt_ssl.c
+===================================================================
+--- mutt_ssl.c (revision 5622:3af7e8af1983)
++++ mutt_ssl.c (revision 5870:dc9ec900c657)
+@@ -565,17 +565,20 @@
+
+ /* expiration check */
+- if (X509_cmp_current_time (X509_get_notBefore (peercert)) >= 0)
+- {
+- dprint (2, (debugfile, "Server certificate is not yet valid\n"));
+- mutt_error (_("Server certificate is not yet valid"));
+- mutt_sleep (2);
+- return 0;
+- }
+- if (X509_cmp_current_time (X509_get_notAfter (peercert)) <= 0)
+- {
+- dprint (2, (debugfile, "Server certificate has expired"));
+- mutt_error (_("Server certificate has expired"));
+- mutt_sleep (2);
+- return 0;
++ if (option (OPTSSLVERIFYDATES) != M_NO)
++ {
++ if (X509_cmp_current_time (X509_get_notBefore (peercert)) >= 0)
++ {
++ dprint (2, (debugfile, "Server certificate is not yet valid\n"));
++ mutt_error (_("Server certificate is not yet valid"));
++ mutt_sleep (2);
++ return 0;
++ }
++ if (X509_cmp_current_time (X509_get_notAfter (peercert)) <= 0)
++ {
++ dprint (2, (debugfile, "Server certificate has expired"));
++ mutt_error (_("Server certificate has expired"));
++ mutt_sleep (2);
++ return 0;
++ }
+ }
+
+@@ -585,5 +588,5 @@
+ if (!X509_digest (peercert, EVP_sha1(), peermd, &peermdlen))
+ {
+- fclose (fp);
++ safe_fclose (&fp);
+ return 0;
+ }
+@@ -592,10 +595,10 @@
+ {
+ pass = compare_certificates (cert, peercert, peermd, peermdlen) ? 0 : 1;
+-
++
+ if (pass)
+ break;
+ }
+ X509_free (cert);
+- fclose (fp);
++ safe_fclose (&fp);
+
+ return pass;
+@@ -737,6 +740,8 @@
+ }
+
+-/* check whether cert is preauthorized */
+-static int ssl_check_preauth (X509 *cert, CONNECTION *conn)
++/* check whether cert is preauthorized. If host is not null, verify that
++ * it matches the certificate.
++ * Return > 0: authorized, < 0: problems, 0: unknown validity */
++static int ssl_check_preauth (X509 *cert, const char* host)
+ {
+ char buf[SHORT_STRING];
+@@ -750,11 +755,14 @@
+
+ buf[0] = 0;
+- if (!check_host (cert, conn->account.host, buf, sizeof (buf)))
+- {
+- mutt_error (_("Certificate host check failed: %s"), buf);
+- mutt_sleep (2);
+- return -1;
+- }
+- dprint (2, (debugfile, "ssl_check_preauth: hostname check passed\n"));
++ if (host && option (OPTSSLVERIFYHOST) != M_NO)
++ {
++ if (!check_host (cert, host, buf, sizeof (buf)))
++ {
++ mutt_error (_("Certificate host check failed: %s"), buf);
++ mutt_sleep (2);
++ return -1;
++ }
++ dprint (2, (debugfile, "ssl_check_preauth: hostname check passed\n"));
++ }
+
+ if (check_certificate_by_signer (cert))
+@@ -780,42 +788,28 @@
+ X509 *cert;
+
+- if ((preauthrc = ssl_check_preauth (data->cert, conn)) > 0)
++ if ((preauthrc = ssl_check_preauth (data->cert, conn->account.host)) > 0)
+ return preauthrc;
+
+ chain = SSL_get_peer_cert_chain (data->ssl);
+ chain_len = sk_X509_num (chain);
+- if (!chain || (chain_len < 1))
++ /* negative preauthrc means the certificate won't be accepted without
++ * manual override. */
++ if (preauthrc < 0 || !chain || (chain_len <= 1))
+ return interactive_check_cert (data->cert, 0, 0);
+
+- /* check the chain from root to peer */
++ /* check the chain from root to peer. */
+ for (i = chain_len-1; i >= 0; i--)
+ {
+ cert = sk_X509_value (chain, i);
+- if (check_certificate_cache (cert))
+- dprint (2, (debugfile, "ssl chain: already cached: %s\n", cert->name));
+- else if (i /* 0 is the peer */ || !preauthrc)
+- {
+- if (check_certificate_by_signer (cert))
+- {
+- dprint (2, (debugfile, "ssl chain: checked by signer: %s\n", cert->name));
+- ssl_cache_trusted_cert (cert);
++
++ /* if the certificate validates or is manually accepted, then add it to
++ * the trusted set and recheck the peer certificate */
++ if (ssl_check_preauth (cert, NULL)
++ || interactive_check_cert (cert, i, chain_len))
++ {
++ ssl_cache_trusted_cert (cert);
++ if (ssl_check_preauth (data->cert, conn->account.host))
+ return 1;
+- }
+- else if (SslCertFile && check_certificate_by_digest (cert))
+- {
+- dprint (2, (debugfile, "ssl chain: trusted with file: %s\n", cert->name));
+- ssl_cache_trusted_cert (cert);
+- return 1;
+- }
+- else /* allow users to shoot their foot */
+- {
+- dprint (2, (debugfile, "ssl chain: check failed: %s\n", cert->name));
+- if (interactive_check_cert (cert, i, chain_len))
+- return 1;
+- }
+- }
+- else /* highly suspicious because (i==0 && preauthrc < 0) */
+- if (interactive_check_cert (cert, i, chain_len))
+- return 1;
++ }
+ }
+
+@@ -882,6 +876,8 @@
+ len - idx, len);
+ menu->title = title;
+- if (SslCertFile && X509_cmp_current_time (X509_get_notAfter (cert)) >= 0
+- && X509_cmp_current_time (X509_get_notBefore (cert)) < 0)
++ if (SslCertFile
++ && (option (OPTSSLVERIFYDATES) == M_NO
++ || (X509_cmp_current_time (X509_get_notAfter (cert)) >= 0
++ && X509_cmp_current_time (X509_get_notBefore (cert)) < 0)))
+ {
+ menu->prompt = _("(r)eject, accept (o)nce, (a)ccept always");
+@@ -893,5 +889,5 @@
+ menu->keys = _("ro");
+ }
+-
++
+ helpstr[0] = '\0';
+ mutt_make_help (buf, sizeof (buf), _("Exit "), MENU_GENERIC, OP_EXIT);
+@@ -918,5 +914,5 @@
+ if (PEM_write_X509 (fp, cert))
+ done = 1;
+- fclose (fp);
++ safe_fclose (&fp);
+ }
+ if (!done)
diff --git a/mail-client/mutt/mutt-1.5.19.ebuild b/mail-client/mutt/mutt-1.5.19-r1.ebuild
index 89ecab9f8161..103274e0d8d1 100644
--- a/mail-client/mutt/mutt-1.5.19.ebuild
+++ b/mail-client/mutt/mutt-1.5.19-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2009 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/mail-client/mutt/mutt-1.5.19.ebuild,v 1.6 2009/06/09 07:18:04 grobian Exp $
+# $Header: /var/cvsroot/gentoo-x86/mail-client/mutt/mutt-1.5.19-r1.ebuild,v 1.1 2009/06/18 09:20:37 grobian Exp $
inherit eutils flag-o-matic autotools
@@ -64,14 +64,19 @@ DEPEND="${RDEPEND}
PATCHDIR="${WORKDIR}"/${P}-gentoo-patches${PATCHSET_REV}
src_unpack() {
- unpack ${A//${SIDEBAR_PATCH_N}} && cd "${S}" || die "unpack failed"
+ unpack ${A//${SIDEBAR_PATCH_N}}
+ cd "${S}"
+
+ epatch "${FILESDIR}"/${P}-libgnutls-test-15c662a95b91.patch
+ # CVE-2009-1390 http://thread.gmane.org/gmane.comp.security.oss.general/1847
+ epatch "${FILESDIR}"/${P}-mutt_ssl-3af7e8af1983-dc9ec900c657.patch
+ epatch "${FILESDIR}"/${P}-mutt-gnutls-7d0583e0315d-0b13183e40e0.patch
if ! use vanilla && ! use sidebar ; then
use nntp || rm "${PATCHDIR}"/06-nntp.patch
for p in "${PATCHDIR}"/*.patch ; do
epatch "${p}"
done
- epatch "${FILESDIR}"/${P}-libgnutls-test-15c662a95b91.patch
fi
if use sidebar ; then