rpms/gnutls/F-8 gnutls-1.4.1-cve-2008-4989.patch,NONE,1.1

[Tomáš Mráz]

Author: tmraz

Update of /cvs/pkgs/rpms/gnutls/F-8
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9322

Added Files:
	gnutls-1.4.1-cve-2008-4989.patch 
Log Message:
* Tue Nov 11 2008 Tomas Mraz <tmraz at redhat.com> 1.6.3-5
- fix chain verification issue CVE-2008-4989 (#470079)


gnutls-1.4.1-cve-2008-4989.patch:

--- NEW FILE gnutls-1.4.1-cve-2008-4989.patch ---
diff -up gnutls-1.4.1/lib/x509/verify.c.chain-verify gnutls-1.4.1/lib/x509/verify.c
--- gnutls-1.4.1/lib/x509/verify.c.chain-verify	2008-11-11 10:55:19.000000000 +0100
+++ gnutls-1.4.1/lib/x509/verify.c	2008-11-11 10:58:54.000000000 +0100
@@ -379,6 +379,17 @@ _gnutls_x509_verify_certificate (const g
   int i = 0, ret;
   unsigned int status = 0, output;
 
+  /* Check if the last certificate in the path is self signed.
+   * In that case ignore it (a certificate is trusted only if it
+   * leads to a trusted party by us, not the server's).
+   */
+  if (clist_size > 1 &&
+      gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
+				    certificate_list[clist_size - 1]) > 0)
+    {
+      clist_size--;
+    }
+
   /* Verify the last certificate in the certificate path
    * against the trusted CA certificate list.
    *
@@ -417,17 +428,6 @@ _gnutls_x509_verify_certificate (const g
     }
 #endif
 
-  /* Check if the last certificate in the path is self signed.
-   * In that case ignore it (a certificate is trusted only if it
-   * leads to a trusted party by us, not the server's).
-   */
-  if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
-				    certificate_list[clist_size - 1]) > 0
-      && clist_size > 0)
-    {
-      clist_size--;
-    }
-
   /* Verify the certificate path (chain) 
    */
   for (i = clist_size - 1; i > 0; i--)