authorDaniel Black <dragonheart@gentoo.org>2007-07-11 10:47:45 +0000
committerDaniel Black <dragonheart@gentoo.org>2007-07-11 10:47:45 +0000
commita7460431b50ec7d3a559c10391af12042848a9bb (patch)
treeac7aa8c2b739f3951543227442d9fb299e9da6bd /net-misc/curl
parentPolish 2.2.2 ebuild for installing proper docs and headers that work with the... (diff)
backport bump - security bug #184934
(Portage version: 2.1.2.9)
Diffstat (limited to 'net-misc/curl')
-rw-r--r--net-misc/curl/ChangeLog8
-rw-r--r--net-misc/curl/curl-7.15.5-r1.ebuild89
-rw-r--r--net-misc/curl/files/digest-curl-7.15.5-r13
-rw-r--r--net-misc/curl/files/libcurl-gnutlscert.patch51
4 files changed, 150 insertions, 1 deletions
diff --git a/net-misc/curl/ChangeLog b/net-misc/curl/ChangeLog
index b7128bdf5d80..004e13f42265 100644
--- a/net-misc/curl/ChangeLog
+++ b/net-misc/curl/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for net-misc/curl
# Copyright 2002-2007 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/curl/ChangeLog,v 1.86 2007/07/11 09:12:21 dragonheart Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/curl/ChangeLog,v 1.87 2007/07/11 10:47:45 dragonheart Exp $
+
+*curl-7.15.5-r1 (11 Jul 2007)
+
+ 11 Jul 2007; Daniel Black <dragonheart@gentoo.org> +curl-7.15.5-r1.ebuild,
+ files/libcurl-gnutlscert.patch:
+ backport patch for CVE-2007-3564
*curl-7.16.4 (11 Jul 2007)
diff --git a/net-misc/curl/curl-7.15.5-r1.ebuild b/net-misc/curl/curl-7.15.5-r1.ebuild
new file mode 100644
index 000000000000..5e5bfa958be6
--- /dev/null
+++ b/net-misc/curl/curl-7.15.5-r1.ebuild
@@ -0,0 +1,89 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/curl/curl-7.15.5-r1.ebuild,v 1.1 2007/07/11 10:47:45 dragonheart Exp $
+
+# NOTE: If you bump this ebuild, make sure you bump dev-python/pycurl!
+
+inherit libtool eutils
+
+DESCRIPTION="A Client that groks URLs"
+HOMEPAGE="http://curl.haxx.se/"
+SRC_URI="http://curl.haxx.se/download/${P}.tar.bz2"
+
+LICENSE="MIT X11"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd"
+IUSE="ssl ipv6 ldap ares gnutls idn kerberos test"
+
+RDEPEND="gnutls? ( net-libs/gnutls )
+ ssl? ( !gnutls? ( dev-libs/openssl ) )
+ ldap? ( net-nds/openldap )
+ idn? ( net-dns/libidn )
+ ares? ( net-dns/c-ares )
+ kerberos? ( virtual/krb5 )"
+
+DEPEND="${RDEPEND}
+ test? (
+ sys-apps/diffutils
+ dev-lang/perl
+ )"
+# used - but can do without in self test: net-misc/stunnel
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+ epatch "${FILESDIR}"/${PN}-7.15-strip-ldflags.patch
+ epatch "${FILESDIR}"/curl-7.15.1-test62.patch
+ epatch "${FILESDIR}"/libcurl-gnutlscert.patch
+ elibtoolize
+}
+
+src_compile() {
+
+ myconf="$(use_enable ldap)
+ $(use_with idn libidn)
+ $(use_enable kerberos gssapi)
+ $(use_enable ipv6)
+ --enable-http
+ --enable-ftp
+ --enable-gopher
+ --enable-file
+ --enable-dict
+ --enable-manual
+ --enable-telnet
+ --enable-nonblocking
+ --enable-largefile"
+
+ if use ipv6 && use ares; then
+ ewarn "c-ares support disabled because it is incompatible with ipv6."
+ myconf="${myconf} --disable-ares"
+ else
+ myconf="${myconf} $(use_enable ares)"
+ fi
+
+ if use gnutls; then
+ myconf="${myconf} --without-ssl --with-gnutls=/usr"
+ elif use ssl; then
+ myconf="${myconf} --without-gnutls --with-ssl=/usr"
+ else
+ myconf="${myconf} --without-gnutls --without-ssl"
+ fi
+
+ if use kerberos; then
+ myconf="${myconf} --with-gssapi=/usr"
+ fi
+
+ econf ${myconf} || die 'configure failed'
+ emake || die "install failed for current version"
+}
+
+src_install() {
+ make DESTDIR="${D}" install || die "installed failed for current version"
+
+ insinto /usr/share/aclocal
+ doins docs/libcurl/libcurl.m4
+
+ dodoc CHANGES README
+ dodoc docs/FEATURES docs/INTERNALS
+ dodoc docs/MANUAL docs/FAQ docs/BUGS docs/CONTRIBUTE
+}
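Review bot: The `die` text in src_compile names the wrong phase: `emake || die "install failed for current version"` fires on a compile failure, and the message in src_install reads "installed failed", which makes build logs for this security bump harder to triage. Suggested wording is `emake || die "emake failed"` and `make DESTDIR="${D}" install || die "install failed"`. The `epatch "${FILESDIR}"/libcurl-gnutlscert.patch` line in src_unpack would also benefit from a preceding comment such as `# CVE-2007-3564 (bug #184934): check GnuTLS cert expiration/activation dates`, so that a later bump does not drop the fix unnoticed.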
diff --git a/net-misc/curl/files/digest-curl-7.15.5-r1 b/net-misc/curl/files/digest-curl-7.15.5-r1
new file mode 100644
index 000000000000..201be43dcabf
--- /dev/null
+++ b/net-misc/curl/files/digest-curl-7.15.5-r1
@@ -0,0 +1,3 @@
+MD5 594142c7d53bbdd988e8cef6354eeeff curl-7.15.5.tar.bz2 1543007
+RMD160 4494cffb382c81b7211830c7e6e40ef9ed8f4ef0 curl-7.15.5.tar.bz2 1543007
+SHA256 2980815e53f4caeafc5e35d183d9379bcaaec49f759be1a4ac628cfb6c392fe0 curl-7.15.5.tar.bz2 1543007
diff --git a/net-misc/curl/files/libcurl-gnutlscert.patch b/net-misc/curl/files/libcurl-gnutlscert.patch
new file mode 100644
index 000000000000..f905701c0842
--- /dev/null
+++ b/net-misc/curl/files/libcurl-gnutlscert.patch
@@ -0,0 +1,51 @@
+Index: lib/gtls.c
+===================================================================
+RCS file: /cvsroot/curl/curl/lib/gtls.c,v
+retrieving revision 1.27
+diff -u -r1.27 gtls.c
+--- lib/gtls.c 28 Apr 2007 21:01:30 -0000 1.27
++++ lib/gtls.c 10 Jul 2007 20:27:43 -0000
+@@ -420,6 +420,43 @@
+ else
+ infof(data, "\t common name: %s (matched)\n", certbuf);
+
++ /* Check for time-based validity */
++ clock = gnutls_x509_crt_get_expiration_time(x509_cert);
++
++ if(clock == (time_t)-1) {
++ failf(data, "server cert expiration date verify failed");
++ return CURLE_SSL_CONNECT_ERROR;
++ }
++
++ if(clock < time(NULL)) {
++ if (data->set.ssl.verifypeer) {
++ failf(data, "server certificate expiration date has passed.");
++ return CURLE_SSL_PEER_CERTIFICATE;
++ }
++ else
++ infof(data, "\t server certificate expiration date FAILED\n");
++ }
++ else
++ infof(data, "\t server certificate expiration date OK\n");
++
++ clock = gnutls_x509_crt_get_activation_time(x509_cert);
++
++ if(clock == (time_t)-1) {
++ failf(data, "server cert activation date verify failed");
++ return CURLE_SSL_CONNECT_ERROR;
++ }
++
++ if(clock > time(NULL)) {
++ if (data->set.ssl.verifypeer) {
++ failf(data, "server certificate not activated yet.");
++ return CURLE_SSL_PEER_CERTIFICATE;
++ }
++ else
++ infof(data, "\t server certificate activation date FAILED\n");
++ }
++ else
++ infof(data, "\t server certificate activation date OK\n");
++
+ /* Show:
+
+ - ciphers used
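Review bot: The two `(time_t)-1` branches return CURLE_SSL_CONNECT_ERROR whether or not `data->set.ssl.verifypeer` is set, while an expired or not-yet-valid certificate is fatal only with verifypeer on; if that asymmetry is deliberate it deserves a comment, for example `/* unreadable validity dates are fatal even without verifypeer */`. The code also calls `time(NULL)` separately for the expiration and activation comparisons; reading it once into a local and comparing both dates against that value gives a single reference time. With verifypeer off a date failure is reported only through infof(), so a caller that looks at the return code alone will not see it. The enclosing function and the declaration of `clock` are outside this hunk.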