diff options
Diffstat (limited to 'dev-libs')
-rw-r--r-- | dev-libs/openssl/ChangeLog | 11 | ||||
-rw-r--r-- | dev-libs/openssl/Manifest | 13 | ||||
-rw-r--r-- | dev-libs/openssl/files/openssl-0.9.8g-CVE-2008-0891.patch | 15 | ||||
-rw-r--r-- | dev-libs/openssl/files/openssl-0.9.8g-CVE-2008-1672.patch | 21 | ||||
-rw-r--r-- | dev-libs/openssl/openssl-0.9.8g-r2.ebuild | 187 |
5 files changed, 240 insertions, 7 deletions
diff --git a/dev-libs/openssl/ChangeLog b/dev-libs/openssl/ChangeLog index 86c201d940cf..d122cd722d9a 100644 --- a/dev-libs/openssl/ChangeLog +++ b/dev-libs/openssl/ChangeLog @@ -1,6 +1,13 @@ # ChangeLog for dev-libs/openssl # Copyright 1999-2008 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/ChangeLog,v 1.260 2008/05/28 16:30:40 vapier Exp $ +# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/ChangeLog,v 1.261 2008/05/30 21:30:29 cardoe Exp $ + +*openssl-0.9.8g-r2 (30 May 2008) + + 30 May 2008; Doug Goldstein <cardoe@gentoo.org> + +files/openssl-0.9.8g-CVE-2008-0891.patch, + +files/openssl-0.9.8g-CVE-2008-1672.patch, +openssl-0.9.8g-r2.ebuild: + Security fix for CVE-2008-0891 & CVE-2008-1672. bug #223429 *openssl-0.9.8h (28 May 2008) @@ -29,7 +36,7 @@ 19 Nov 2007; Joshua Kinard <kumba@gentoo.org> openssl-0.9.8g.ebuild: Stable on mips, per #198370. - 16 Nov 2007; Doug Klima <cardoe@gentoo.org> openssl-0.9.8g.ebuild: + 16 Nov 2007; Doug Goldstein <cardoe@gentoo.org> openssl-0.9.8g.ebuild: change depend to mit-krb5 since openssl's Configure script specifically states they don't support building against heimdal and it will break. Which results in a die during the ebuild diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest index c22d99636fb2..5b7768b03939 100644 --- a/dev-libs/openssl/Manifest +++ b/dev-libs/openssl/Manifest @@ -18,6 +18,8 @@ AUX openssl-0.9.8e-bsd-sparc64.patch 1666 RMD160 fa3ac81b409fa908949185805f733fd AUX openssl-0.9.8e-make.patch 794 RMD160 2a99f48ef103fa369cc8c513efcc0330eb855b7d SHA1 b6b93f6db5f6519312b35df268eab51c2c3ca988 SHA256 f318fdebb6e035185c2bba2513ceac81f5cd229c1426e16ea4faed528f7795be AUX openssl-0.9.8e-padlock-O0.patch 844 RMD160 e53dccc662c27a8a62fb45649f567f68394802f2 SHA1 aa6b069997c523738a068d6ce462e5f8bba1844a SHA256 f9ae47c6459d655707adb73333963a6dcd923c82d36cb34949bcc31e5aefc6d4 AUX openssl-0.9.8f-fix-version.patch 445 RMD160 ab3136992eb4028bff06bbc35322a1c2621485e8 SHA1 7a53632a9e13e00737930b22068d88b57879c925 SHA256 73d9952fc7032099a03b3b7fa143229646ae6e52394b4facd043afbce65658f1 +AUX openssl-0.9.8g-CVE-2008-0891.patch 576 RMD160 77e5e7d70f2d47961a8ebcc24cf3dad652d6da67 SHA1 f9415a6270e535300bf6126fe93f4620a2b65829 SHA256 33474833c286ef8c6aada66a9b68893ae6904085c85dbcb382c51de88894a005 +AUX openssl-0.9.8g-CVE-2008-1672.patch 836 RMD160 16faf7fc779ad4565cf110dafac113659da715a1 SHA1 bb64007df7982f5227cb7f1f6b5825556e0f1e91 SHA256 15ed1f219f2d82d93a6f170ae1b389f7ef76e6f14f033c2e05134503e8368ba1 AUX openssl-0.9.8g-sslv3-no-tlsext.patch 848 RMD160 37bad7b70fd0bdae91fffe337dcbe820b371a163 SHA1 32043ee7841bd95bc647efa8fd7ecb5dcc2fa223 SHA256 d61299ab9b5f96f37979d60ea8e65430c59ef3242627de50be8e2fc87c8753be DIST openssl-0.9.8e.tar.gz 3341665 RMD160 c1a498606dc0fc7219376b950fab6b53687466db SHA1 b429872d2a287714ab37e42296e6a5fbe23d32ff SHA256 414e8428b95fbc51707965fda31390497d058290356426bfe084b49464a60340 DIST openssl-0.9.8f.tar.gz 3357445 RMD160 ad0d9d8b238dbede1aa6b76256d11038bd281e05 SHA1 e8716370093b112763ace0c66c06a0d6049e413b SHA256 be5afd386f5d7acff019acaf46cdaad89a8b42cc9cee85d1adb2774627f32b42 @@ -27,14 +29,15 @@ EBUILD openssl-0.9.8e-r3.ebuild 5832 RMD160 ca8af0f3e4a375e49c217858798a7f88e3bc EBUILD openssl-0.9.8e-r4.ebuild 6557 RMD160 ad9946a39fd4beb295b35a4b10bfc06fc0c77099 SHA1 e62202b0ec42ce354413fbf486870bdf6df95867 SHA256 c6a8090276ba069dc50cb21fe07437166f0cd1d456e8d9fd20e82bc732ec3559 EBUILD openssl-0.9.8f.ebuild 6215 RMD160 7af3dc8ed2b30206ff44e8d80af0c585cc7cea51 SHA1 12dc43a8baf204c3ac724344652c95ce0f8f4bed SHA256 4ffbdf05b8ea00618d3868a8a265220ff25bb5b1d8d58b150b3b6a5868e03fca EBUILD openssl-0.9.8g-r1.ebuild 6069 RMD160 80e894745c915973fab4a905f4290d9edd933ec2 SHA1 001401f0fb616251daa429c5185c7505fb0f0f55 SHA256 83c6417c325601f99200caceba67c6cdf8e32d5a09110d3dd6390046e0c47bd4 +EBUILD openssl-0.9.8g-r2.ebuild 6201 RMD160 9676fe108c6c986488a0fda0742ad8df8ae33143 SHA1 ca414a30821f792268b0444e78a96209bceeaec8 SHA256 578a2b2038e5c33636cb60c9f1fbd43f57dd7ca3bbb1044f438e5a28fcb0856a EBUILD openssl-0.9.8g.ebuild 6075 RMD160 b00d2ee7d97f3f5ae4bfb45c83ce439db9e9e05f SHA1 dedb66afe8c2e502cfd44507517f821a27e5d2eb SHA256 25ea50177ea4619921bcd0e93dcea1c04d135b4a6eb26c6ed4097491e1485f60 EBUILD openssl-0.9.8h.ebuild 6070 RMD160 3921448846496f393ce2bde48e0f9917632a3f92 SHA1 a37bae8e54f6fdcb9851efd31a794ceca81132c5 SHA256 3859370a56a85b08a3fbe893be7b4c728b4c02ff7f48d414645056da87d97e48 -MISC ChangeLog 38966 RMD160 f1606ec43425fe3a5838039cc7dc099858aa6d2a SHA1 ff69832030351004ca1f13b3795160f5de247de6 SHA256 0573973283266b8d1ffc44b4526da2f842c3226f1160e4ffea47e0e271088174 +MISC ChangeLog 39234 RMD160 5b1d972c84ae3175499db0404a29148ee6400c73 SHA1 f42296cdf7fba2dc1f0fff333df4f710a66ca310 SHA256 9f90b9c41a60fedb32f8a7ec2dd234ef0879bb0460d316e1a905a163176afe23 MISC metadata.xml 164 RMD160 f43cbec30b7074319087c9acffdb9354b17b0db3 SHA1 9c213f5803676c56439df3716be07d6692588856 SHA256 f5f2891f2a4791cd31350bb2bb572131ad7235cd0eeb124c9912c187ac10ce92 -----BEGIN PGP SIGNATURE----- -Version: GnuPG v2.0.7 (GNU/Linux) +Version: GnuPG v2.0.9 (GNU/Linux) -iD8DBQFIPYi2j9hvisErhMIRAgH4AKDewc5+KFdZofH4fBOeGBFCXRGqYgCdGJjN -5IFY4vq3jSWvVT2S0rrZwk0= -=llOh +iEYEARECAAYFAkhAcf4ACgkQoeSe8B0zEfw6mgCePIWkVitZU0IFpiMkU7TGCWdk ++oAAmwSYCqA83k+dubT1DlZ3U/cYUZYe +=koDK -----END PGP SIGNATURE----- diff --git a/dev-libs/openssl/files/openssl-0.9.8g-CVE-2008-0891.patch b/dev-libs/openssl/files/openssl-0.9.8g-CVE-2008-0891.patch new file mode 100644 index 000000000000..840bfb02ebd5 --- /dev/null +++ b/dev-libs/openssl/files/openssl-0.9.8g-CVE-2008-0891.patch @@ -0,0 +1,15 @@ +Index: ssl/t1_lib.c +=================================================================== +RCS file: /e/openssl/cvs/openssl/ssl/t1_lib.c,v +retrieving revision 1.13.2.8 +diff -u -r1.13.2.8 t1_lib.c +--- ssl/t1_lib.c 18 Oct 2007 11:39:11 -0000 1.13.2.8 ++++ ssl/t1_lib.c 18 Mar 2008 12:06:58 -0000 +@@ -381,6 +381,7 @@ + s->session->tlsext_hostname[len]='\0'; + if (strlen(s->session->tlsext_hostname) != len) { + OPENSSL_free(s->session->tlsext_hostname); ++ s->session->tlsext_hostname = NULL; + *al = TLS1_AD_UNRECOGNIZED_NAME; + return 0; + } diff --git a/dev-libs/openssl/files/openssl-0.9.8g-CVE-2008-1672.patch b/dev-libs/openssl/files/openssl-0.9.8g-CVE-2008-1672.patch new file mode 100644 index 000000000000..9aa07e97e631 --- /dev/null +++ b/dev-libs/openssl/files/openssl-0.9.8g-CVE-2008-1672.patch @@ -0,0 +1,21 @@ +Index: ssl/s3_clnt.c +=================================================================== +RCS file: /e/openssl/cvs/openssl/ssl/s3_clnt.c,v +retrieving revision 1.88.2.12 +diff -u -r1.88.2.12 s3_clnt.c +--- ssl/s3_clnt.c 3 Nov 2007 13:07:39 -0000 1.88.2.12 ++++ ssl/s3_clnt.c 22 May 2008 09:19:30 -0000 +@@ -2061,6 +2061,13 @@ + { + DH *dh_srvr,*dh_clnt; + ++ if (s->session->sess_cert == NULL) ++ { ++ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); ++ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); ++ goto err; ++ } ++ + if (s->session->sess_cert->peer_dh_tmp != NULL) + dh_srvr=s->session->sess_cert->peer_dh_tmp; + else diff --git a/dev-libs/openssl/openssl-0.9.8g-r2.ebuild b/dev-libs/openssl/openssl-0.9.8g-r2.ebuild new file mode 100644 index 000000000000..34b06d728d69 --- /dev/null +++ b/dev-libs/openssl/openssl-0.9.8g-r2.ebuild @@ -0,0 +1,187 @@ +# Copyright 1999-2008 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/openssl-0.9.8g-r2.ebuild,v 1.1 2008/05/30 21:30:29 cardoe Exp $ + +inherit eutils flag-o-matic toolchain-funcs + +DESCRIPTION="Toolkit for SSL v2/v3 and TLS v1" +HOMEPAGE="http://www.openssl.org/" +SRC_URI="mirror://openssl/source/${P}.tar.gz" + +LICENSE="openssl" +SLOT="0" +KEYWORDS="-* ~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~sparc-fbsd ~x86 ~x86-fbsd" +IUSE="bindist gmp kerberos sse2 test zlib" + +RDEPEND="gmp? ( dev-libs/gmp ) + zlib? ( sys-libs/zlib ) + kerberos? ( app-crypt/mit-krb5 )" +DEPEND="${RDEPEND} + sys-apps/diffutils + >=dev-lang/perl-5 + test? ( sys-devel/bc )" +PDEPEND="app-misc/ca-certificates" + +src_unpack() { + unpack ${A} + cd "${S}" + + epatch "${FILESDIR}"/${PN}-0.9.7e-gentoo.patch + epatch "${FILESDIR}"/${PN}-0.9.7-alpha-default-gcc.patch + epatch "${FILESDIR}"/${PN}-0.9.8b-parallel-build.patch + epatch "${FILESDIR}"/${PN}-0.9.8-make-engines-dir.patch + epatch "${FILESDIR}"/${PN}-0.9.8-toolchain.patch + epatch "${FILESDIR}"/${PN}-0.9.8b-doc-updates.patch + epatch "${FILESDIR}"/${PN}-0.9.8-makedepend.patch #149583 + epatch "${FILESDIR}"/${PN}-0.9.8e-make.patch #146316 + epatch "${FILESDIR}"/${PN}-0.9.8e-bsd-sparc64.patch + epatch "${FILESDIR}"/${PN}-0.9.8g-sslv3-no-tlsext.patch + + # Security Fixes + epatch "${FILESDIR}"/${PN}-0.9.8g-CVE-2008-0891.patch + epatch "${FILESDIR}"/${PN}-0.9.8g-CVE-2008-1672.patch + + # allow openssl to be cross-compiled + cp "${FILESDIR}"/gentoo.config-0.9.8 gentoo.config || die "cp cross-compile failed" + chmod a+rx gentoo.config + + # Don't build manpages if we don't want them + has noman FEATURES \ + && sed -i '/^install:/s:install_docs::' Makefile.org \ + || sed -i '/^MANDIR=/s:=.*:=/usr/share/man:' Makefile.org + + # Try to derice users and work around broken ass toolchains + if [[ $(gcc-major-version) == "3" ]] ; then + filter-flags -fprefetch-loop-arrays -freduce-all-givs -funroll-loops + [[ $(tc-arch) == "ppc64" ]] && replace-flags -O? -O + fi + [[ $(tc-arch) == ppc* ]] && append-flags -fno-strict-aliasing + append-flags -Wa,--noexecstack + + # using a library directory other than lib requires some magic + sed -i \ + -e "s+\(\$(INSTALL_PREFIX)\$(INSTALLTOP)\)/lib+\1/$(get_libdir)+g" \ + -e "s+libdir=\$\${exec_prefix}/lib+libdir=\$\${exec_prefix}/$(get_libdir)+g" \ + Makefile.org engines/Makefile \ + || die "sed failed" + ./config --test-sanity || die "I AM NOT SANE" +} + +src_compile() { + unset APPS #197996 + + tc-export CC AR RANLIB + + # Clean out patent-or-otherwise-encumbered code + # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher) + # IDEA: 5,214,703 25/05/2010 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm + # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography + # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2 + # RC5: 5,724,428 03/03/2015 http://en.wikipedia.org/wiki/RC5 + + use_ssl() { use $1 && echo "enable-${2:-$1} ${*:3}" || echo "no-${2:-$1}" ; } + echoit() { echo "$@" ; "$@" ; } + + local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") + + local sslout=$(./gentoo.config) + einfo "Use configuration ${sslout:-(openssl knows best)}" + local config="Configure" + [[ -z ${sslout} ]] && config="config" + echoit \ + ./${config} \ + ${sslout} \ + $(use sse2 || echo "no-sse2") \ + enable-camellia \ + $(use_ssl !bindist ec) \ + $(use_ssl !bindist idea) \ + enable-mdc2 \ + $(use_ssl !bindist rc5) \ + enable-tlsext \ + $(use_ssl gmp) \ + $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \ + $(use_ssl zlib) \ + $(use_ssl zlib zlib-dynamic) \ + --prefix=/usr \ + --openssldir=/etc/ssl \ + shared threads \ + || die "Configure failed" + + # Clean out hardcoded flags that openssl uses + local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \ + -e 's:^CFLAG=::' \ + -e 's:-fomit-frame-pointer ::g' \ + -e 's:-O[0-9] ::g' \ + -e 's:-march=[-a-z0-9]* ::g' \ + -e 's:-mcpu=[-a-z0-9]* ::g' \ + -e 's:-m[a-z0-9]* ::g' \ + ) + sed -i \ + -e "/^CFLAG/s:=.*:=${CFLAG} ${CFLAGS}:" \ + -e "/^SHARED_LDFLAGS=/s:$: ${LDFLAGS}:" \ + Makefile || die + + # depend is needed to use $confopts + # rehash is needed to prep the certs/ dir + emake -j1 depend || die "depend failed" + emake all rehash || die "make all failed" +} + +src_test() { + # make sure sandbox doesnt die on *BSD + addpredict /dev/crypto + + emake -j1 test || die "make test failed" +} + +src_install() { + emake -j1 INSTALL_PREFIX="${D}" install || die + dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el + dohtml doc/* + + # create the certs directory + dodir /etc/ssl/certs + cp -RP certs/* "${D}"/etc/ssl/certs/ || die "failed to install certs" + rm -r "${D}"/etc/ssl/certs/{demo,expired} + + # Namespace openssl programs to prevent conflicts with other man pages + cd "${D}"/usr/share/man + local m d s + for m in $(find . -type f | xargs grep -L '#include') ; do + d=${m%/*} ; d=${d#./} ; m=${m##*/} + [[ ${m} == openssl.1* ]] && continue + [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!" + mv ${d}/{,ssl-}${m} + ln -s ssl-${m} ${d}/openssl-${m} + # locate any symlinks that point to this man page ... we assume + # that any broken links are due to the above renaming + for s in $(find -L ${d} -type l) ; do + s=${s##*/} + rm -f ${d}/${s} + ln -s ssl-${m} ${d}/ssl-${s} + ln -s ssl-${s} ${d}/openssl-${s} + done + done + [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :(" + + diropts -m0700 + keepdir /etc/ssl/private +} + +pkg_preinst() { + preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.{6,7} +} + +pkg_postinst() { + preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.{6,7} + + if [[ ${CHOST} == i686* ]] ; then + ewarn "Due to the way openssl is architected, you cannot" + ewarn "switch between optimized versions without breaking" + ewarn "ABI. The default i686 0.9.8 ABI was an unoptimized" + ewarn "version with horrible performance. This version uses" + ewarn "the optimized ABI. If you experience segfaults when" + ewarn "using ssl apps (like openssh), just re-emerge the" + ewarn "offending package." + fi +} |