diff --git a/dirmngr-1.1.0-no-blocking.patch b/dirmngr-1.1.0-no-blocking.patch
new file mode 100644
index 0000000..bd3421a
--- /dev/null
+++ b/dirmngr-1.1.0-no-blocking.patch
@@ -0,0 +1,81 @@
+--- trunk/src/http.c 2010/12/14 19:22:32 346
++++ trunk/src/http.c 2011/01/20 14:56:48 347
+@@ -98,6 +98,16 @@
+ };
+ #endif/*!USE_DNS_SRV*/
+ 
++#ifdef HAVE_PTH
++# define my_select(a,b,c,d,e) pth_select ((a), (b), (c), (d), (e))
++# define my_connect(a,b,c) pth_connect ((a), (b), (c))
++# define my_accept(a,b,c) pth_accept ((a), (b), (c))
++#else
++# define my_select(a,b,c,d,e) select ((a), (b), (c), (d), (e))
++# define my_connect(a,b,c) connect ((a), (b), (c))
++# define my_accept(a,b,c) accept ((a), (b), (c))
++#endif
++
+ 
+ #ifdef HAVE_W32_SYSTEM
+ #define sock_close(a) closesocket(a)
+@@ -1333,14 +1343,14 @@
+ FD_ZERO (&rfds);
+ FD_SET (fd, &rfds);
+ 
+- if (select (fd + 1, &rfds, NULL, NULL, NULL) <= 0)
++ if (my_select (fd + 1, &rfds, NULL, NULL, NULL) <= 0)
+ continue; /* ignore any errors */
+ 
+ if (!FD_ISSET (fd, &rfds))
+ continue;
+ 
+ addrlen = sizeof peer;
+- client = accept (fd, (struct sockaddr *) &peer, &addrlen);
++ client = my_accept (fd, (struct sockaddr *) &peer, &addrlen);
+ if (client == -1)
+ continue; /* oops */
+ 
+@@ -1406,7 +1416,7 @@
+ addr.sin_port = htons(port);
+ memcpy (&addr.sin_addr,&inaddr,sizeof(inaddr));
+ 
+- if (!connect (sock,(struct sockaddr *)&addr,sizeof(addr)) )
++ if (!my_connect (sock,(struct sockaddr *)&addr,sizeof(addr)) )
+ return sock;
+ sock_close(sock);
+ return -1;
+@@ -1474,7 +1484,7 @@
+ return -1;
+ }
+ 
+- if (connect (sock, ai->ai_addr, ai->ai_addrlen))
++ if (my_connect (sock, ai->ai_addr, ai->ai_addrlen))
+ last_errno = errno;
+ else
+ connected = 1;
+@@ -1528,7 +1538,7 @@
+ for (i = 0; host->h_addr_list[i] && !connected; i++)
+ {
+ memcpy (&addr.sin_addr, host->h_addr_list[i], host->h_length);
+- if (connect (sock, (struct sockaddr *) &addr, sizeof (addr)))
++ if (my_connect (sock, (struct sockaddr *) &addr, sizeof (addr)))
+ last_errno = errno;
+ else
+ {
+@@ -1594,7 +1604,7 @@
+ 
+ tv.tv_sec = 0;
+ tv.tv_usec = 50000;
+- select (0, NULL, NULL, NULL, &tv);
++ my_select (0, NULL, NULL, NULL, 
&tv);
+ goto again;
+ }
+ if (nread == GNUTLS_E_REHANDSHAKE)
+@@ -1649,7 +1659,7 @@
+ 
+ tv.tv_sec = 0;
+ tv.tv_usec = 50000;
+- select (0, NULL, NULL, NULL, &tv);
++ my_select (0, NULL, NULL, NULL, &tv);
+ continue;
+ }
+ log_info ("TLS network write failed: %s\n",
diff --git a/dirmngr.spec b/dirmngr.spec
index be96ab7..8bc0e42 100644
--- a/dirmngr.spec
+++ b/dirmngr.spec
@@ -4,14 +4,13 @@ Name: dirmngr
 Summary: Client for Managing/Downloading CRLs
 Version: 1.1.0
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+ and GPLv3+ and OpenLDAP
 Group: System Environment/Libraries
 URL: http://www.gnupg.org/
 Source0: ftp://ftp.gnupg.org/gcrypt/dirmngr/dirmngr-%{version}.tar.bz2
 Source1: ftp://ftp.gnupg.org/gcrypt/dirmngr/dirmngr-%{version}.tar.bz2.sig
-Patch1: dirmngr-1.1.0-ocsp-crash.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Source10: dirmngr.conf
@@ -19,7 +18,10 @@ Source11: ldapservers.conf
 Source12: dirmngr.logrotate
 Source13: dirmngrtmp.conf
+Patch1: dirmngr-1.1.0-ocsp-crash.patch
+
 ## upstream patches
+Patch20: dirmngr-1.1.0-no-blocking.patch
 BuildRequires: gawk
 BuildRequires: gettext
@@ -47,6 +49,8 @@ the dirmngr-client tool.
 %setup -q
 %patch1 -p1 -b .crash
+%patch20 -p1 -b .no-blocking
+
 pushd doc
 iconv -f iso-8859-1 -t utf-8 dirmngr.texi -o dirmngr.texi.NEW && mv dirmngr.texi.NEW dirmngr.texi
 iconv -f iso-8859-1 -t utf-8 dirmngr.info -o dirmngr.info.NEW && mv dirmngr.info.NEW dirmngr.info
@@ -133,6 +137,10 @@ rm -rf %{buildroot}
 %changelog
+* Mon Jun 20 2011 Tomas Mraz - 1.1.0-6
+- upstream fix for CVE-2011-2207 (blocking other request processing
+ when one CRL request is being processed) (#710529)
+
 * Tue Feb 08 2011 Fedora Release Engineering - 1.1.0-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
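Review bot: The `my_select`/`my_connect`/`my_accept` macro block added under `#ifdef HAVE_PTH` in the first hunk of http.c carries no comment explaining why these three calls must go through the Pth wrappers, and the hunks at 1474 and 1528 show that the name lookups feeding them (`ai->ai_addr`, `host->h_addr_list[i]`) stay plain libc calls, which presumably still block every Pth thread the same way the unwrapped `connect` did. The hunks at 1594 and 1649 only turn the 50 ms `select` sleep into a Pth-aware sleep; the socket reads and writes around them are not touched by this patch, so whether they still stall other request processing cannot be judged from the hunk. A comment above the macros such as `/* Under GNU Pth the plain libc calls block the whole process, so a slow CRL fetch would stall every other request; route them through the pth_ variants. */` would record the intent and make any remaining blocking calls easier to spot in review. Every function these hunks touch starts and ends outside the hunk.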