diffstat of debian/ for gnutls28_3.2.11-2 gnutls28_3.2.11-2ubuntu1.1

 changelog                      |   39 +++++
 control                        |  103 ++++++-------
 patches/21_CVE-2014-3466.patch |  319 +++++++++++++++++++++++++++++++++++++++++
 patches/series                 |    1 
 4 files changed, 411 insertions(+), 51 deletions(-)

diff -Nru gnutls28-3.2.11/debian/changelog gnutls28-3.2.11/debian/changelog
--- gnutls28-3.2.11/debian/changelog	2014-03-01 07:49:06.000000000 +0000
+++ gnutls28-3.2.11/debian/changelog	2015-06-11 15:43:03.000000000 +0000
@@ -1,3 +1,27 @@
+gnutls28 (3.2.11-2ubuntu1.1) trusty-security; urgency=medium
+
+  [ Gianfranco Costamagna ]
+  * SECURITY UPDATE: Denial of service and possible remote arbitrary code
+    execution via crafted ServerHello message
+    - debian/patches/21_CVE-2014-3466.patch: Add upper bounds check for
+      session id size. Based on upstream patch. (LP: #1326779)
+
+  [ Tyler Hicks ]
+  * debian/patches/21_CVE-2014-3466.patch: Fold in the test for
+    CVE-2014-3466's fix. Based on upstream patch.
+
+ -- Tyler Hicks <tyhicks@canonical.com>  Thu, 11 Jun 2015 10:42:35 -0500
+
+gnutls28 (3.2.11-2ubuntu1) trusty; urgency=medium
+
+  * Resynchronise with Debian.  Remaining changes:
+    - Drop gnutls-bin and -doc since we want to use the versions in gnutls26
+      as the defaults instead.
+  * Add arm64 and ppc64el to the list of non-ia64 architectures on which
+    guile-gnutls is built.
+
+ -- Colin Watson <cjwatson@ubuntu.com>  Wed, 05 Mar 2014 10:31:28 +0000
+
 gnutls28 (3.2.11-2) unstable; urgency=high
 
   * Bump version of Build-Depends on libp11-kit-dev, as required by 3.2.11.
@@ -182,6 +206,21 @@
 
  -- Andreas Metzler <ametzler@debian.org>  Sun, 04 Aug 2013 13:28:13 +0200
 
+gnutls28 (3.2.3-1ubuntu2) trusty; urgency=medium
+
+  * Fix detection of floating point endianness.
+  * Use dh-autoreconf to update libtool.m4 for new ports.
+
+ -- Colin Watson <cjwatson@ubuntu.com>  Wed, 05 Feb 2014 05:17:52 +0000
+
+gnutls28 (3.2.3-1ubuntu1) saucy; urgency=low
+
+  * Sync with Debian (LP: #1068029). Remaining change:
+    - Drop gnutls-bin and -doc since we want to use the versions
+      in gnutls26 as the defaults instead
+
+ -- Jeremy Bicha <jbicha@ubuntu.com>  Tue, 30 Jul 2013 21:40:07 -0400
+
 gnutls28 (3.2.3-1) unstable; urgency=low
 
   * New upstream release.
diff -Nru gnutls28-3.2.11/debian/control gnutls28-3.2.11/debian/control
--- gnutls28-3.2.11/debian/control	2014-02-16 07:54:32.000000000 +0000
+++ gnutls28-3.2.11/debian/control	2014-03-05 10:30:54.000000000 +0000
@@ -1,7 +1,8 @@
 Source: gnutls28
 Section: libs
 Priority: optional
-Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
 Uploaders: Andreas Metzler <ametzler@debian.org>,
  Eric Dorland <eric@debian.org>,
  James Westby <jw+debian@jameswestby.net>,
@@ -91,59 +92,59 @@
  .
  This package contains the debugger symbols.
 
-Package: gnutls-bin
-Architecture: any
-Section: net
-Depends: ${shlibs:Depends}, ${misc:Depends}
-Multi-Arch: foreign
-Description: GNU TLS library - commandline utilities
- GnuTLS is a portable library which implements the Transport Layer
- Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 and Datagram
- Transport Layer Security (DTLS 1.0, 1.2) protocols.
- .
- GnuTLS features support for:
-  - TLS extensions: server name indication, max record size, opaque PRF
-    input, etc.
-  - authentication using the SRP protocol.
-  - authentication using both X.509 certificates and OpenPGP keys.
-  - TLS Pre-Shared-Keys (PSK) extension.
-  - Inner Application (TLS/IA) extension.
-  - X.509 and OpenPGP certificate handling.
-  - X.509 Proxy Certificates (RFC 3820).
-  - all the strong encryption algorithms (including SHA-256/384/512 and
-    Camellia (RFC 4132)).
- .
- This package contains a commandline interface to the GNU TLS library, which
- can be used to set up secure connections from e.g. shell scripts, debugging
- connection issues or managing certificates.
-
-Package: gnutls-doc
-Architecture: all
-Section: doc
-Depends: ${misc:Depends}
-Multi-Arch: foreign
-Description: GNU TLS library - documentation and examples
- GnuTLS is a portable library which implements the Transport Layer
- Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 and Datagram
- Transport Layer Security (DTLS 1.0, 1.2) protocols.
- .
- GnuTLS features support for:
-  - TLS extensions: server name indication, max record size, opaque PRF
-    input, etc.
-  - authentication using the SRP protocol.
-  - authentication using both X.509 certificates and OpenPGP keys.
-  - TLS Pre-Shared-Keys (PSK) extension.
-  - Inner Application (TLS/IA) extension.
-  - X.509 and OpenPGP certificate handling.
-  - X.509 Proxy Certificates (RFC 3820).
-  - all the strong encryption algorithms (including SHA-256/384/512 and
-    Camellia (RFC 4132)).
- .
- This package contains all the GnuTLS documentation.
+#Package: gnutls-bin
+#Architecture: any
+#Section: net
+#Depends: ${shlibs:Depends}, ${misc:Depends}
+#Multi-Arch: foreign
+#Description: GNU TLS library - commandline utilities
+# GnuTLS is a portable library which implements the Transport Layer
+# Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 and Datagram
+# Transport Layer Security (DTLS 1.0, 1.2) protocols.
+# .
+# GnuTLS features support for:
+#  - TLS extensions: server name indication, max record size, opaque PRF
+#    input, etc.
+#  - authentication using the SRP protocol.
+#  - authentication using both X.509 certificates and OpenPGP keys.
+#  - TLS Pre-Shared-Keys (PSK) extension.
+#  - Inner Application (TLS/IA) extension.
+#  - X.509 and OpenPGP certificate handling.
+#  - X.509 Proxy Certificates (RFC 3820).
+#  - all the strong encryption algorithms (including SHA-256/384/512 and
+#    Camellia (RFC 4132)).
+# .
+# This package contains a commandline interface to the GNU TLS library, which
+# can be used to set up secure connections from e.g. shell scripts, debugging
+# connection issues or managing certificates.
+
+#Package: gnutls-doc
+#Architecture: all
+#Section: doc
+#Depends: ${misc:Depends}
+#Multi-Arch: foreign
+#Description: GNU TLS library - documentation and examples
+# GnuTLS is a portable library which implements the Transport Layer
+# Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 and Datagram
+# Transport Layer Security (DTLS 1.0, 1.2) protocols.
+# .
+# GnuTLS features support for:
+#  - TLS extensions: server name indication, max record size, opaque PRF
+#    input, etc.
+#  - authentication using the SRP protocol.
+#  - authentication using both X.509 certificates and OpenPGP keys.
+#  - TLS Pre-Shared-Keys (PSK) extension.
+#  - Inner Application (TLS/IA) extension.
+#  - X.509 and OpenPGP certificate handling.
+#  - X.509 Proxy Certificates (RFC 3820).
+#  - all the strong encryption algorithms (including SHA-256/384/512 and
+#    Camellia (RFC 4132)).
+# .
+# This package contains all the GnuTLS documentation.
 
 Package: guile-gnutls
 # everything except ia64 - Field must be single line, unfolded!
-Architecture: amd64 armel armhf i386 kfreebsd-amd64 kfreebsd-i386 mips mipsel powerpc s390 s390x sparc hurd-i386
+Architecture: amd64 arm64 armel armhf i386 kfreebsd-amd64 kfreebsd-i386 mips mipsel powerpc ppc64el s390 s390x sparc hurd-i386
 Section: lisp
 Depends: ${misc:Depends},${shlibs:Depends}, guile-2.0
 Description: GNU TLS library - GNU Guile bindings
diff -Nru gnutls28-3.2.11/debian/patches/21_CVE-2014-3466.patch gnutls28-3.2.11/debian/patches/21_CVE-2014-3466.patch
--- gnutls28-3.2.11/debian/patches/21_CVE-2014-3466.patch	1970-01-01 00:00:00.000000000 +0000
+++ gnutls28-3.2.11/debian/patches/21_CVE-2014-3466.patch	2015-06-11 15:35:16.000000000 +0000
@@ -0,0 +1,319 @@
+From 688ea6428a432c39203d00acd1af0e7684e5ddfd Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Fri, 23 May 2014 19:50:31 +0200
+Subject: [PATCH] Prevent memory corruption due to server hello parsing.
+
+Issue discovered by Joonas Kuorilehto of Codenomicon.
+origin: upstream, https://www.gitorious.org/gnutls/gnutls/commit/688ea6428a432c39203d00acd1af0e7684e5ddfd
+origin: backport, https://www.gitorious.org/gnutls/gnutls/commit/a7be326f0e33cf7ce52b36474c157f782d9ca977
+---
+ lib/gnutls_handshake.c  |    2 
+ tests/Makefile.am       |    2 
+ tests/long-session-id.c |  274 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 276 insertions(+), 2 deletions(-)
+
+Index: gnutls28-3.2.11/lib/gnutls_handshake.c
+===================================================================
+--- gnutls28-3.2.11.orig/lib/gnutls_handshake.c	2015-06-11 10:33:52.965385966 -0500
++++ gnutls28-3.2.11/lib/gnutls_handshake.c	2015-06-11 10:33:52.961385985 -0500
+@@ -1744,7 +1744,7 @@ _gnutls_read_server_hello(gnutls_session
+ 	DECR_LEN(len, 1);
+ 	session_id_len = data[pos++];
+ 
+-	if (len < session_id_len) {
++	if (len < session_id_len || session_id_len > TLS_MAX_SESSION_ID_SIZE) {
+ 		gnutls_assert();
+ 		return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
+ 	}
+Index: gnutls28-3.2.11/tests/long-session-id.c
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ gnutls28-3.2.11/tests/long-session-id.c	2015-06-11 10:33:52.961385985 -0500
+@@ -0,0 +1,274 @@
++/*
++ * Copyright (C) 2012 Free Software Foundation, Inc.
++ *
++ * Author: Nikos Mavrogiannopoulos
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GnuTLS; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
++ */
++
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
++#include <stdio.h>
++#include <stdlib.h>
++
++#if defined(_WIN32)
++
++int main()
++{
++	exit(77);
++}
++
++#else
++
++#include <string.h>
++#include <sys/types.h>
++#include <netinet/in.h>
++#include <sys/socket.h>
++#include <sys/wait.h>
++#include <arpa/inet.h>
++#include <unistd.h>
++#include <gnutls/gnutls.h>
++#include <gnutls/dtls.h>
++#include <signal.h>
++
++static int debug = 0;
++static void terminate(int);
++
++/* This program tests the robustness of record
++ * decoding.
++ */
++
++static void client_log_func(int level, const char *str)
++{
++	fprintf(stderr, "client|<%d>| %s", level, str);
++}
++
++static unsigned char server_cert_pem[] =
++    "-----BEGIN CERTIFICATE-----\n"
++    "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n"
++    "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n"
++    "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n"
++    "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n"
++    "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n"
++    "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n"
++    "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n"
++    "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n"
++    "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n"
++    "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n"
++    "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n"
++    "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n"
++    "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n";
++
++const gnutls_datum_t server_cert = { server_cert_pem,
++	sizeof(server_cert_pem)
++};
++
++static unsigned char server_key_pem[] =
++    "-----BEGIN RSA PRIVATE KEY-----\n"
++    "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n"
++    "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n"
++    "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n"
++    "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n"
++    "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n"
++    "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n"
++    "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n"
++    "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n"
++    "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n"
++    "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n"
++    "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n"
++    "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n"
++    "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n"
++    "-----END RSA PRIVATE KEY-----\n";
++
++const gnutls_datum_t server_key = { server_key_pem,
++	sizeof(server_key_pem)
++};
++
++
++/* A very basic TLS client, with anonymous authentication.
++ */
++
++static void client(int fd, const char *prio)
++{
++	int ret;
++	gnutls_anon_client_credentials_t anoncred;
++	gnutls_certificate_credentials_t x509_cred;
++	gnutls_session_t session;
++	/* Need to enable anonymous KX specifically. */
++
++	gnutls_global_init();
++
++	if (debug) {
++		gnutls_global_set_log_function(client_log_func);
++		gnutls_global_set_log_level(7);
++	}
++
++	gnutls_anon_allocate_client_credentials(&anoncred);
++	gnutls_certificate_allocate_credentials(&x509_cred);
++
++	/* Initialize TLS session
++	 */
++	gnutls_init(&session, GNUTLS_CLIENT);
++
++	/* Use default priorities */
++	gnutls_priority_set_direct(session, prio, NULL);
++
++	/* put the anonymous credentials to the current session
++	 */
++	gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
++	gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
++
++	gnutls_transport_set_int(session, fd);
++
++	/* Perform the TLS handshake
++	 */
++	do {
++		ret = gnutls_handshake(session);
++	}
++	while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
++
++	if (gnutls_ecc_curve_get(session) == 0xffffffff) {
++		fprintf(stderr, "memory was overwritten\n");
++		kill(getpid(), SIGSEGV);
++	}
++
++	if (ret < 0) {
++		fprintf(stderr, "client: Handshake failed (expected)\n");
++		gnutls_perror(ret);
++		exit(0);
++	} else {
++		if (debug)
++			fprintf(stderr, "client: Handshake was completed\n");
++	}
++
++	close(fd);
++
++	gnutls_deinit(session);
++
++	gnutls_anon_free_client_credentials(anoncred);
++	gnutls_certificate_free_credentials(x509_cred);
++
++	gnutls_global_deinit();
++}
++
++
++/* These are global */
++pid_t child;
++
++static void terminate(int ret)
++{
++	kill(child, SIGTERM);
++	exit(ret);
++}
++
++static void server(int fd, const char *prio)
++{
++	int ret;
++	uint8_t id[255];
++	uint8_t buffer[] = "\x16\x03\x00\x01\x25"
++		"\x02\x00\x01\x21"
++		"\x03\x00"/*Server Version */
++		/*Random*/"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00"
++		/*SessionID*/"\xfe";
++
++	ret = read(fd, id, sizeof(id));
++	if (ret < 0) {
++		abort();
++	}
++
++	ret = write(fd, buffer, sizeof(buffer));
++	if (ret < 0) {
++		return;
++	}
++
++	memset(id, 0xff, sizeof(id));
++	ret = write(fd, id, sizeof(id));
++	if (ret < 0) {
++		return;
++	}
++
++	memset(id, 0xff, sizeof(id));
++	ret = write(fd, id, sizeof(id));
++	if (ret < 0) {
++		return;
++	}
++	sleep(3);
++
++	return;
++}
++
++static void start(const char *prio)
++{
++	int fd[2];
++	int ret;
++
++	ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
++	if (ret < 0) {
++		perror("socketpair");
++		exit(1);
++	}
++
++	child = fork();
++	if (child < 0) {
++		perror("fork");
++		exit(1);
++	}
++
++	if (child) {
++		/* parent */
++		close(fd[1]);
++		server(fd[0], prio);
++		kill(child, SIGTERM);
++	} else {
++		close(fd[0]);
++		client(fd[1], prio);
++		exit(0);
++	}
++}
++
++static void ch_handler(int sig)
++{
++	int status, ret = 0;
++	wait(&status);
++	if (WEXITSTATUS(status) != 0 ||
++	    (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV)) {
++		if (WIFSIGNALED(status)) {
++			fprintf(stderr, "Child died with sigsegv\n");
++			ret = 1;
++		} else {
++			fprintf(stderr, "Child died with status %d\n",
++			     WEXITSTATUS(status));
++		}
++		terminate(ret);
++	}
++	return;
++}
++
++int main(int argc, char **argv)
++{
++	signal(SIGCHLD, ch_handler);
++
++	if (argc > 1)
++		debug = 1;
++
++	start("NORMAL");
++	return 0;
++}
++
++#endif				/* _WIN32 */
+Index: gnutls28-3.2.11/tests/Makefile.am
+===================================================================
+--- gnutls28-3.2.11.orig/tests/Makefile.am	2015-06-11 10:33:52.965385966 -0500
++++ gnutls28-3.2.11/tests/Makefile.am	2015-06-11 10:33:52.961385985 -0500
+@@ -73,7 +73,7 @@ ctests = simple gc set_pkcs12_cred certd
+ 	 mini-dtls-heartbeat mini-x509-callbacks key-openssl priorities	\
+ 	 mini-dtls-srtp mini-xssl rsa-encrypt-decrypt mini-loss-time \
+ 	 mini-record mini-dtls-record mini-handshake-timeout mini-record-range \
+-	 mini-cert-status mini-rsa-psk mini-record-2
++	 mini-cert-status mini-rsa-psk mini-record-2 long-session-id
+ 
+ if ENABLE_OCSP
+ ctests += ocsp
diff -Nru gnutls28-3.2.11/debian/patches/series gnutls28-3.2.11/debian/patches/series
--- gnutls28-3.2.11/debian/patches/series	2014-03-01 07:48:02.000000000 +0000
+++ gnutls28-3.2.11/debian/patches/series	2015-06-11 15:28:15.000000000 +0000
@@ -1,3 +1,4 @@
 14_version_gettextcat.diff
 20_bug-in-gnutls_pcert_list_import_x509_raw.patch
 20_CVE-2014-0092.diff
+21_CVE-2014-3466.patch