diffstat of debian/ for gnutls28_3.4.10-4 gnutls28_3.4.10-4ubuntu1.4co3 changelog | 239 +++++++++++++++++++- control | 221 +++++++++++------- gnutls-doc.install | 1 libgnutls-dev.install | 4 libgnutls28-dev.install | 4 patches/CVE-2016-7444.patch | 25 ++ patches/CVE-2016-8610.patch | 70 +++++ patches/CVE-2017-5334.patch | 72 ++++++ patches/CVE-2017-5335.patch | 127 ++++++++++ patches/CVE-2017-5336.patch | 42 +++ patches/CVE-2017-5337.patch | 95 +++++++ patches/CVE-2017-7507-1.patch | 67 +++++ patches/CVE-2017-7507-2.patch | 120 ++++++++++ patches/CVE-2017-7507-3.patch | 36 +++ patches/CVE-2017-7869.patch | 54 ++++ patches/disable_global_init_override_test.patch | 17 + patches/fallback-for-getrandom.patch | 86 +++++++ patches/fix_expired_certs.patch | 34 ++ patches/series | 14 + patches/use_normal_priority_for_openssl_sslv23.diff | 30 ++ rules | 6 shlibs.local | 3 22 files changed, 1279 insertions(+), 88 deletions(-) diff -Nru gnutls28-3.4.10/debian/changelog gnutls28-3.4.10/debian/changelog --- gnutls28-3.4.10/debian/changelog 2016-03-17 18:41:30.000000000 +0000 +++ gnutls28-3.4.10/debian/changelog 2019-03-27 11:07:24.000000000 +0000 
@@ -1,3 +1,130 @@ +gnutls28 (3.4.10-4ubuntu1.4co3) apertis; urgency=medium + + * debian/patches/fallback-for-getrandom.patch + + Add a fallback path for old kernels where getrandom is not available + + + -- Sjoerd Simons Wed, 27 Mar 2019 12:07:24 +0100 + +gnutls28 (3.4.10-4ubuntu1.4co2) apertis; urgency=medium + + * Disable guile and docs. + * Make the build-conflicts with libgmp-dev versioned. + + -- Andrej Shadura Thu, 07 Feb 2019 18:00:25 +0100 + +gnutls28 (3.4.10-4ubuntu1.4co1) 17.12; urgency=medium + + * Merge manually: + - d/control: Build against gmp4 to avoid GPLV3 license issues. + - d/rules: ignore tests due to ftbfs on obs worker + + -- Andrew Lee (李健秋) Tue, 14 Nov 2017 01:13:11 +0800 + +gnutls28 (3.4.10-4ubuntu1.4) xenial; urgency=medium + + * use_normal_priority_for_openssl_sslv23.diff by Andreas Metzler: + OpenSSL wrapper: SSLv23_*_method translates to NORMAL GnuTLS priority, + which includes TLS1.2 support. (LP: #1709193) + + -- Simon Deziel Mon, 07 Aug 2017 23:04:43 +0000 + +gnutls28 (3.4.10-4ubuntu1.3) xenial-security; urgency=medium + + * SECURITY UPDATE: null pointer dereference via status response TLS + extension decoding + - debian/patches/CVE-2017-7507-1.patch: ensure response IDs are + properly deinitialized in lib/ext/status_request.c. + - debian/patches/CVE-2017-7507-2.patch: remove parsing of responder IDs + from client extension in lib/ext/status_request.c. + - debian/patches/CVE-2017-7507-3.patch: documented requirements for + parameters in lib/ext/status_request.c. + - CVE-2017-7507 + * SECURITY UPDATE: DoS and possible code execution via OpenPGP + certificate decoding + - debian/patches/CVE-2017-7869.patch: enforce packet limits in + lib/opencdk/read-packet.c. + - CVE-2017-7869 + + -- Marc Deslauriers Mon, 12 Jun 2017 09:32:37 -0400 + +gnutls28 (3.4.10-4ubuntu1.2) xenial-security; urgency=medium + + * SECURITY UPDATE: OCSP validation issue + - debian/patches/CVE-2016-7444.patch: correctly verify the serial + length in lib/x509/ocsp.c. 
+ - CVE-2016-7444 + * SECURITY UPDATE: denial of service via warning alerts + - debian/patches/CVE-2016-8610.patch: set a maximum number of warning + messages in lib/gnutls_int.h, lib/gnutls_handshake.c, + lib/gnutls_state.c. + - CVE-2016-8610 + * SECURITY UPDATE: double-free when reading proxy language + - debian/patches/CVE-2017-5334.patch: fix double-free in + lib/x509/x509_ext.c. + - CVE-2017-5334 + * SECURITY UPDATE: out of memory error in stream reading functions + - debian/patches/CVE-2017-5335.patch: add error checking to + lib/opencdk/read-packet.c. + - CVE-2017-5335 + * SECURITY UPDATE: stack overflow in cdk_pk_get_keyid + - debian/patches/CVE-2017-5336.patch: check return code in + lib/opencdk/pubkey.c. + - CVE-2017-5336 + * SECURITY UPDATE: heap read overflow when reading streams + - debian/patches/CVE-2017-5337.patch: add more precise checks to + lib/opencdk/read-packet.c. + - CVE-2017-5337 + * debian/patches/fix_expired_certs.patch: use datefudge to fix test with + expired certs. + + -- Marc Deslauriers Thu, 26 Jan 2017 10:14:03 -0500 + +gnutls28 (3.4.10-4ubuntu1.1co1) 16.09; urgency=low + + [ Merge-o-Matic ] + * Merge from Ubuntu xenial-updates. Remaining changes: + - d/control: Build against gmp4 to avoid GPLV3 license issues. + - d/rules: ignore tests due to ftbfs on obs worker. + + -- Andrew Lee (李健秋) Tue, 26 Jul 2016 21:05:54 +0800 + +gnutls28 (3.4.10-4ubuntu1.1) xenial-proposed; urgency=medium + + * SRU: LP: #1592693. + * gnutls-doc: Don't install the sgml files, not building with gtk-doc-tools + in xenial. + + -- Matthias Klose Wed, 15 Jun 2016 10:00:17 +0200 + +gnutls28 (3.4.10-4ubuntu1co2) 16.06; urgency=medium + + * debian/rules: ignore tests due to ftbfs on obs worker. + + -- Andrew Lee (李健秋) Tue, 12 Jul 2016 20:07:07 +0800 + +gnutls28 (3.4.10-4ubuntu1co1) 16.06; urgency=low + + [ Merge-o-Matic ] + * Merge from Ubuntu xenial. Remaining changes: + - d/control: Build against gmp4 to avoid GPLV3 license issues. + - d/rules: re-enable tests. 
+ + [ Andrew Lee (李健秋) ] + * debian/debian/gnutls-doc.install: drop sgml files which doesn't + generated in build time. + + -- Andrew Lee (李健秋) Wed, 06 Apr 2016 04:15:11 +0800 + +gnutls28 (3.4.10-4ubuntu1) xenial; urgency=medium + + * Merge with Debian; remaining changes: + - Make gnutls28 default. + - debian/patches/disable_global_init_override_test.patch: disable failing + test. + + -- Matthias Klose Mon, 21 Mar 2016 14:53:18 +0100 + gnutls28 (3.4.10-4) unstable; urgency=medium * 43_fix_cpucapoverride.diff by Nikos Mavrogiannopoulos: Fix @@ -30,6 +157,25 @@ -- Andreas Metzler Sat, 05 Mar 2016 08:45:52 +0100 +gnutls28 (3.4.9-2ubuntu1co1) 16.06; urgency=low + + [ Merge-o-Matic ] + * Merge from Ubuntu xenial. Remaining changes: + - d/control: Build against gmp4 to avoid GPLV3 license issues. + - d/rules: do not fail on tests, some seem to be racy on i586 + builders. + + -- Andrew Lee (李健秋) Mon, 14 Mar 2016 18:47:07 +0800 + +gnutls28 (3.4.9-2ubuntu1) xenial; urgency=medium + + * Merge with Debian; remaining changes: + - Make gnutls28 default. + - debian/patches/disable_global_init_override_test.patch: disable failing + test. + + -- Matthias Klose Wed, 17 Feb 2016 20:47:48 +0100 + gnutls28 (3.4.9-2) unstable; urgency=medium * Upload to unstable. @@ -167,6 +313,15 @@ -- Andreas Metzler Fri, 05 Jun 2015 11:39:19 +0200 +gnutls28 (3.3.20-1ubuntu1) xenial; urgency=medium + + * Merge from Debian unstable. Remaining changes: + - Make gnutls28 default. + * debian/patches/disable_global_init_override_test.patch: disable failing + test. + + -- Marc Deslauriers Thu, 21 Jan 2016 08:58:40 -0500 + gnutls28 (3.3.20-1) unstable; urgency=medium * autoreconf requires automake 1.12.2, add build-dependency. 
@@ -183,6 +338,13 @@ -- Andreas Metzler Sun, 22 Nov 2015 17:48:27 +0100 +gnutls28 (3.3.18-1ubuntu1) xenial; urgency=medium + + * Merge from Debian unstable. Remaining changes: + - Make gnutls28 default. + + -- Marc Deslauriers Fri, 30 Oct 2015 08:32:53 -0400 + gnutls28 (3.3.18-1) unstable; urgency=medium * New upstream version. @@ -244,6 +406,34 @@ -- Andreas Metzler Fri, 12 Jun 2015 19:10:33 +0200 +gnutls28 (3.3.15-5ubuntu2co2) 15.12; urgency=medium + + * d/rules: do not fail on tests, some seem to be racy on i586 builders. + + -- Héctor Orón Martínez Fri, 09 Oct 2015 07:23:38 +0200 + +gnutls28 (3.3.15-5ubuntu2co1) 15.12; urgency=medium + + * d/control: Build against gmp4 to avoid GPLV3 license issues + + -- Héctor Orón Martínez Wed, 30 Sep 2015 23:02:57 +0200 + +gnutls28 (3.3.15-5ubuntu2) wily; urgency=medium + + * SECURITY UPDATE: Double free in certificate DN decoding + - debian/patches/CVE-2015-6251.patch: Reset the output value on error + in lib/x509/common.c. + - CVE-2015-6251 + + -- Marc Deslauriers Mon, 31 Aug 2015 14:45:42 -0400 + +gnutls28 (3.3.15-5ubuntu1) wily; urgency=medium + + * Merge from Debian unstable. Remaining changes: + - Make gnutls28 default. + + -- Adam Conrad Thu, 11 Jun 2015 14:47:40 -0600 + gnutls28 (3.3.15-5) unstable; urgency=medium * Upload to unstable. @@ -270,6 +460,16 @@ -- Andreas Metzler Wed, 13 May 2015 19:20:07 +0200 +gnutls28 (3.3.15-2ubuntu1) wily; urgency=medium + + * Merge from Debian unstable. Remaining changes: + - Make gnutls28 default. + * Dropped patches included in new version: + - debian/patches/CVE-2015-0294.patch + - debian/patches/CVE-2014-8564.patch + + -- Marc Deslauriers Thu, 21 May 2015 08:47:19 -0400 + gnutls28 (3.3.15-2) unstable; urgency=medium * 50_updated-sign-md5-rep-to-reduce-false-failures.patch from upstream GIT, 
@@ -403,6 +603,32 @@ -- Andreas Metzler Wed, 12 Nov 2014 19:31:07 +0100 +gnutls28 (3.3.8-3ubuntu3) vivid; urgency=medium + + * SECURITY UPDATE: certificate algorithm consistency issue + - debian/patches/CVE-2015-0294.patch: make sure the two signature + algorithms match on cert import in lib/x509/x509.c. + - CVE-2015-0294 + + -- Marc Deslauriers Fri, 20 Mar 2015 08:16:02 -0400 + +gnutls28 (3.3.8-3ubuntu2) vivid; urgency=medium + + * SECURITY UPDATE: denial of service and possible code execution via + elliptic curves parameter printing + - debian/patches/CVE-2014-8564.patch: add more sanity checks in + lib/gnutls_ecc.c. + - CVE-2014-8564 + + -- Marc Deslauriers Mon, 10 Nov 2014 15:18:59 -0500 + +gnutls28 (3.3.8-3ubuntu1) vivid; urgency=low + + * Merge from Debian unstable. Remaining changes: + - Make gnutls28 default. + + -- Michael Vogt Thu, 30 Oct 2014 15:21:33 +0100 + gnutls28 (3.3.8-3) unstable; urgency=high [ Daniel Kahn Gillmor ] @@ -573,6 +799,18 @@ -- Andreas Metzler Sat, 29 Mar 2014 19:19:37 +0100 +gnutls28 (3.2.16-1ubuntu2) utopic; urgency=medium + + * No-change rebuild to get debug symbols on all architectures. + + -- Brian Murray Tue, 21 Oct 2014 14:15:57 -0700 + +gnutls28 (3.2.16-1ubuntu1) utopic; urgency=medium + + * Make gnutls28 default. + + -- Dimitri John Ledkov Fri, 08 Aug 2014 08:24:17 +0100 + gnutls28 (3.2.16-1) unstable; urgency=medium * New upstream version. @@ -2687,4 +2925,3 @@ -- Ivo Timmermans Fri, 31 Oct 2003 18:47:09 +0100 - diff -Nru gnutls28-3.4.10/debian/control gnutls28-3.4.10/debian/control --- gnutls28-3.4.10/debian/control 2016-03-05 07:16:57.000000000 +0000 +++ gnutls28-3.4.10/debian/control 2019-02-07 17:00:25.000000000 +0000 
@@ -1,42 +1,51 @@ Source: gnutls28 Section: libs Priority: optional -Maintainer: Debian GnuTLS Maintainers -Uploaders: Andreas Metzler , +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian GnuTLS Maintainers +Uploaders: + Andreas Metzler , Eric Dorland , James Westby , Simon Josefsson -Build-Depends: debhelper (>= 9.20150628), nettle-dev (>= 3.1), zlib1g-dev, - libtasn1-6-dev (>= 4.3), autotools-dev, guile-2.0-dev [!ia64 !m68k], - datefudge , dpkg-dev (>= 1.17.14), - libp11-kit-dev (>= 0.23.1), pkg-config, chrpath, libidn11-dev (>= 1.31), - autogen (>= 1:5.16-0), bison, dh-autoreconf, libgmp-dev (>= 2:6), - libopts25-dev, automake (>= 1:1.12.2) -# The b-d on libgmp-dev is not technically necessary, since nettle brings -# it along. However we want to enforce that gnutls is only built if the -# dual-licensed GMP is available, otherwise the resulting binary -# cannot be installed. -Build-Depends-Indep: gtk-doc-tools, texinfo (>= 4.8) -Build-Conflicts: libgnutls-dev +Build-Depends: + autogen (>= 1:5.16-0), + automake (>= 1:1.12.2), + autotools-dev, + bison, + chrpath, + datefudge , + debhelper (>= 9.20150628), + dh-autoreconf, + dpkg-dev (>= 1.17.14), +# guile-2.0-dev [!ia64 !m68k], + libgmp3-dev, + libidn11-dev (>= 1.31), + libopts25-dev, + libp11-kit-dev (>= 0.23.1), + libtasn1-6-dev (>= 4.3), + nettle-dev (>= 3.1), + pkg-config, + zlib1g-dev +Build-Depends-Indep: + gtk-doc-tools, + texinfo (>= 4.8) +Build-Conflicts: + libgmp-dev (>= 2:6.0.0), + libgnutls-dev Standards-Version: 3.9.7 Vcs-Git: https://anonscm.debian.org/git/pkg-gnutls/gnutls.git Vcs-Browser: https://anonscm.debian.org/cgit/pkg-gnutls/gnutls.git/ Homepage: http://www.gnutls.org/ -Package: libgnutls28-dev -Section: libdevel +Package: gnutls-bin Architecture: any -Provides: gnutls-dev, libgnutls-openssl-dev -Depends: libgnutls30 (= ${binary:Version}), - libgnutls-openssl27 (= ${binary:Version}), - libgnutlsxx28 (= ${binary:Version}), - nettle-dev, libc6-dev | libc-dev, zlib1g-dev, - 
libtasn1-6-dev, libp11-kit-dev, libidn11-dev (>= 1.31), ${misc:Depends} -Suggests: gnutls-doc, gnutls-bin, guile-gnutls -Conflicts: gnutls-dev -Replaces: gnutls-dev -Multi-Arch: same -Description: GNU TLS library - development files +Section: net +Depends: + ${misc:Depends}, + ${shlibs:Depends} +Multi-Arch: foreign +Description: GNU TLS library - commandline utilities GnuTLS is a portable library which implements the Transport Layer Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 and Datagram Transport Layer Security (DTLS 1.0, 1.2) protocols. @@ -53,19 +62,22 @@ - all the strong encryption algorithms (including SHA-256/384/512 and Camellia (RFC 4132)). . - This package contains the GnuTLS development files. + This package contains a commandline interface to the GNU TLS library, which + can be used to set up secure connections from e.g. shell scripts, debugging + connection issues or managing certificates. + . + Useful utilities include: + - TLS termination: gnutls-cli, gnutls-serv, crywrap + - key and certificate management: certtool, ocsptool, p11tool + - credential management: srptool, psktool -Package: libgnutls30 -Priority: standard -Architecture: any -# GMP >= 6 is dual-licensed GPLv2+/LGPLv2.1+. Be nice to rdeps and -# enforce usage of this version. - Remove on gmp soname bump! -Depends: ${shlibs:Depends}, ${misc:Depends}, libgmp10 (>= 2:6) -Conflicts: libnettle4, libhogweed2 -Pre-Depends: ${misc:Pre-Depends} -Suggests: gnutls-bin -Multi-Arch: same -Description: GNU TLS library - main runtime library +Package: gnutls-doc +Architecture: all +Section: doc +Depends: + ${misc:Depends} +Multi-Arch: foreign +Description: GNU TLS library - documentation and examples GnuTLS is a portable library which implements the Transport Layer Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 and Datagram Transport Layer Security (DTLS 1.0, 1.2) protocols. 
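Review bot: The Build-Depends change from `libgmp-dev (>= 2:6)` to `libgmp3-dev`, together with the new `Build-Conflicts: libgmp-dev (>= 2:6.0.0)`, removes the only comment that explained the GMP constraint and puts nothing in its place. The changelog gives the reason ("Build against gmp4 to avoid GPLV3 license issues"); a comment line inside the field, for example `# GMP 4 (libgmp3-dev) on purpose, for licensing reasons; see debian/changelog`, would keep that next to the dependency. The same applies to the hard-coded `libgmp3c2` in the libgnutls30 stanza of the `@@ -161,15 +194,39 @@` hunk, which replaces `libgmp10 (>= 2:6)`. Because the removed comment notes that nettle brings GMP along, it is also worth confirming that the GMP 4 packages in the target archive still receive security fixes.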
@@ -82,14 +94,16 @@ - all the strong encryption algorithms (including SHA-256/384/512 and Camellia (RFC 4132)). . - This package contains the main runtime library. + This package contains all the GnuTLS documentation. -Package: gnutls-bin -Architecture: any -Section: net -Depends: ${shlibs:Depends}, ${misc:Depends} -Multi-Arch: foreign -Description: GNU TLS library - commandline utilities +Package: guile-gnutls +Architecture: amd64 arm64 armel armhf hurd-i386 i386 kfreebsd-amd64 kfreebsd-i386 mips mipsel powerpc ppc64el s390 s390x sparc +Section: lisp +Depends: + guile-2.0, + ${misc:Depends}, + ${shlibs:Depends} +Description: GNU TLS library - GNU Guile bindings GnuTLS is a portable library which implements the Transport Layer Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 and Datagram Transport Layer Security (DTLS 1.0, 1.2) protocols. 
@@ -106,21 +120,35 @@ - all the strong encryption algorithms (including SHA-256/384/512 and Camellia (RFC 4132)). . - This package contains a commandline interface to the GNU TLS library, which - can be used to set up secure connections from e.g. shell scripts, debugging - connection issues or managing certificates. - . - Useful utilities include: - - TLS termination: gnutls-cli, gnutls-serv, crywrap - - key and certificate management: certtool, ocsptool, p11tool - - credential management: srptool, psktool + This package contains the GNU Guile 2.0 modules. -Package: gnutls-doc -Architecture: all -Section: doc -Depends: ${misc:Depends} -Multi-Arch: foreign -Description: GNU TLS library - documentation and examples +Package: libgnutls-dev +Section: libdevel +Architecture: any +Provides: + gnutls-dev, + libgnutls-openssl-dev +Depends: + libc6-dev | libc-dev, + libgnutls-openssl27 (= ${binary:Version}), + libgnutls30 (= ${binary:Version}), + libgnutlsxx28 (= ${binary:Version}), + libidn11-dev (>= 1.31), + libp11-kit-dev, + libtasn1-6-dev, + nettle-dev, + zlib1g-dev, + ${misc:Depends} +Suggests: + gnutls-bin, + gnutls-doc, + guile-gnutls +Conflicts: + gnutls-dev +Replaces: + gnutls-dev +Multi-Arch: same +Description: GNU TLS library - development files GnuTLS is a portable library which implements the Transport Layer Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 and Datagram Transport Layer Security (DTLS 1.0, 1.2) protocols. 
@@ -137,14 +165,19 @@ - all the strong encryption algorithms (including SHA-256/384/512 and Camellia (RFC 4132)). . - This package contains all the GnuTLS documentation. + This package contains the GnuTLS development files. -Package: guile-gnutls -# everything except ia64 - Field must be single line, unfolded! -Architecture: amd64 arm64 armel armhf i386 kfreebsd-amd64 kfreebsd-i386 mips mipsel powerpc ppc64el s390 s390x sparc hurd-i386 -Section: lisp -Depends: ${misc:Depends},${shlibs:Depends}, guile-2.0 -Description: GNU TLS library - GNU Guile bindings +Package: libgnutls-openssl27 +Priority: standard +Architecture: any +Depends: + libgnutls30 (= ${binary:Version}), + ${misc:Depends}, + ${shlibs:Depends} +Pre-Depends: + ${misc:Pre-Depends} +Multi-Arch: same +Description: GNU TLS library - OpenSSL wrapper GnuTLS is a portable library which implements the Transport Layer Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 and Datagram Transport Layer Security (DTLS 1.0, 1.2) protocols. 
@@ -161,15 +194,39 @@ - all the strong encryption algorithms (including SHA-256/384/512 and Camellia (RFC 4132)). . - This package contains the GNU Guile 2.0 modules. + This package contains the runtime library of the GnuTLS OpenSSL wrapper. -Package: libgnutlsxx28 -Priority: extra +Package: libgnutls28-dev +Section: libdevel Architecture: any -Depends: libgnutls30 (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} -Pre-Depends: ${misc:Pre-Depends} +Depends: + libgnutls-dev (= ${binary:Version}) Multi-Arch: same -Description: GNU TLS library - C++ runtime library +Description: dummy transitional package for GNU TLS library - development files + This is a transitional dummy package for libgnutls28-dev to + libgnutls-dev migration. GnuTLS is a portable library which + implements the Transport Layer Security (TLS 1.0, 1.1, 1.2) and + Secure Sockets Layer (SSL) 3.0 and Datagram Transport Layer Security + (DTLS 1.0, 1.2) protocols. + . + This package can be safely removed. + +Package: libgnutls30 +Priority: standard +Architecture: any +Depends: + libgmp3c2, + ${misc:Depends}, + ${shlibs:Depends} +Conflicts: + libhogweed2, + libnettle4 +Pre-Depends: + ${misc:Pre-Depends} +Suggests: + gnutls-bin +Multi-Arch: same +Description: GNU TLS library - main runtime library GnuTLS is a portable library which implements the Transport Layer Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 and Datagram Transport Layer Security (DTLS 1.0, 1.2) protocols. 
@@ -186,15 +243,19 @@ - all the strong encryption algorithms (including SHA-256/384/512 and Camellia (RFC 4132)). . - This package contains the C++ runtime libraries. + This package contains the main runtime library. -Package: libgnutls-openssl27 -Priority: standard +Package: libgnutlsxx28 +Priority: extra Architecture: any -Depends: libgnutls30 (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} -Pre-Depends: ${misc:Pre-Depends} +Depends: + libgnutls30 (= ${binary:Version}), + ${misc:Depends}, + ${shlibs:Depends} +Pre-Depends: + ${misc:Pre-Depends} Multi-Arch: same -Description: GNU TLS library - OpenSSL wrapper +Description: GNU TLS library - C++ runtime library GnuTLS is a portable library which implements the Transport Layer Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 and Datagram Transport Layer Security (DTLS 1.0, 1.2) protocols. @@ -211,4 +272,4 @@ - all the strong encryption algorithms (including SHA-256/384/512 and Camellia (RFC 4132)). . - This package contains the runtime library of the GnuTLS OpenSSL wrapper. + This package contains the C++ runtime libraries. diff -Nru gnutls28-3.4.10/debian/gnutls-doc.install gnutls28-3.4.10/debian/gnutls-doc.install --- gnutls28-3.4.10/debian/gnutls-doc.install 2013-12-01 17:51:19.000000000 +0000 +++ gnutls28-3.4.10/debian/gnutls-doc.install 2017-11-06 02:44:34.000000000 +0000 
@@ -1,7 +1,6 @@
 doc/reference/html/*html usr/share/doc/gnutls-doc/api-reference
 doc/reference/html/*png usr/share/doc/gnutls-doc/api-reference
 doc/reference/html/*.css usr/share/doc/gnutls-doc/api-reference
-doc/reference/html/*.sgml usr/share/doc/gnutls-doc/api-reference
 doc/reference/html/*.devhelp* usr/share/doc/gnutls-doc/api-reference
 doc/*.html usr/share/doc/gnutls-doc/html
 doc/*.png usr/share/doc/gnutls-doc/html
diff -Nru gnutls28-3.4.10/debian/libgnutls-dev.install gnutls28-3.4.10/debian/libgnutls-dev.install
--- gnutls28-3.4.10/debian/libgnutls-dev.install 1970-01-01 00:00:00.000000000 +0000
+++ gnutls28-3.4.10/debian/libgnutls-dev.install 2017-11-06 02:44:34.000000000 +0000
@@ -0,0 +1,4 @@
+debian/tmp/usr/include/*
+debian/tmp/usr/lib/*/libgnutls*.so
+debian/tmp/usr/lib/*/libgnutls*.a
+debian/tmp/usr/lib/*/pkgconfig/gnutls.pc
diff -Nru gnutls28-3.4.10/debian/libgnutls28-dev.install gnutls28-3.4.10/debian/libgnutls28-dev.install
--- gnutls28-3.4.10/debian/libgnutls28-dev.install 2013-12-01 17:51:19.000000000 +0000
+++ gnutls28-3.4.10/debian/libgnutls28-dev.install 1970-01-01 00:00:00.000000000 +0000
@@ -1,4 +0,0 @@
-debian/tmp/usr/include/*
-debian/tmp/usr/lib/*/libgnutls*.so
-debian/tmp/usr/lib/*/libgnutls*.a
-debian/tmp/usr/lib/*/pkgconfig/gnutls.pc
diff -Nru gnutls28-3.4.10/debian/patches/CVE-2016-7444.patch gnutls28-3.4.10/debian/patches/CVE-2016-7444.patch
--- gnutls28-3.4.10/debian/patches/CVE-2016-7444.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnutls28-3.4.10/debian/patches/CVE-2016-7444.patch 2017-01-26 15:10:27.000000000 +0000
@@ -0,0 +1,25 @@
+From c089e019ef83a77b2fdca24d0875ef25f6b38f1a Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Sat, 27 Aug 2016 17:03:09 +0200
+Subject: [PATCH] ocsp: corrected the comparison of the serial size in OCSP response
+
+Previously the OCSP certificate check wouldn't verify the serial length
+and could succeed in cases it shouldn't.
+
+Reported by Stefan Buehler.
+---
+ lib/x509/ocsp.c | 1 +
+ 1 file changed, 1 insertion(+), 0 deletions(-)
+
+Index: gnutls28-3.4.10/lib/x509/ocsp.c
+===================================================================
+--- gnutls28-3.4.10.orig/lib/x509/ocsp.c 2017-01-26 10:10:24.872428703 -0500
++++ gnutls28-3.4.10/lib/x509/ocsp.c 2017-01-26 10:10:24.868428646 -0500
+@@ -1318,6 +1318,7 @@
+ gnutls_assert();
+ goto cleanup;
+ }
++ cserial.size = t;
+
+ if (rserial.size != cserial.size
+ || memcmp(cserial.data, rserial.data, rserial.size) != 0) {
diff -Nru gnutls28-3.4.10/debian/patches/CVE-2016-8610.patch gnutls28-3.4.10/debian/patches/CVE-2016-8610.patch
--- gnutls28-3.4.10/debian/patches/CVE-2016-8610.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnutls28-3.4.10/debian/patches/CVE-2016-8610.patch 2017-01-26 15:10:34.000000000 +0000
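Review bot: The added `cserial.size = t;` carries no comment, and nothing in the visible lines shows where `t` is set, so a reader cannot tell why the size comparison below depended on it. A one-line comment such as `/* t is presumably the serial length reported by the lookup above; cserial.size must carry it before the length/memcmp check */` would document the fix, reworded to fit the code that precedes the hunk. The comparison it protects decides whether an OCSP response is accepted for the certificate, so a regression test using a response whose serial differs only in length would be a useful companion. The enclosing function starts and ends outside the hunk.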
@@ -0,0 +1,70 @@ +From 648bf9b00e1cbf45c6d05fab07e91fad97e6926d Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Fri, 14 Oct 2016 10:22:07 +0200 +Subject: [PATCH] handshake: set a maximum number of warning messages that can be received per handshake + +That is to avoid DoS due to the assymetry of cost of sending an alert vs the cost +of processing. +--- + lib/gnutls_handshake.c | 15 ++++++++++----- + lib/gnutls_int.h | 6 +++--- + lib/gnutls_state.c | 2 +- + 3 files changed, 14 insertions(+), 9 deletions(-) + +Index: gnutls28-3.4.10/lib/gnutls_handshake.c +=================================================================== +--- gnutls28-3.4.10.orig/lib/gnutls_handshake.c 2017-01-26 10:10:32.256534850 -0500 ++++ gnutls28-3.4.10/lib/gnutls_handshake.c 2017-01-26 10:10:32.248534735 -0500 +@@ -2649,12 +2649,17 @@ + return ret; \ + if (ret == GNUTLS_E_GOT_APPLICATION_DATA && session->internals.initial_negotiation_completed != 0) \ + return ret; \ +- if (ret == GNUTLS_E_LARGE_PACKET && session->internals.handshake_large_loops < 16) { \ +- session->internals.handshake_large_loops++; \ +- return ret; \ ++ if (session->internals.handshake_suspicious_loops < 16) { \ ++ if (ret == GNUTLS_E_LARGE_PACKET) { \ ++ session->internals.handshake_suspicious_loops++; \ ++ return ret; \ ++ } \ ++ /* a warning alert might interrupt handshake */ \ ++ if (allow_alert != 0 && ret==GNUTLS_E_WARNING_ALERT_RECEIVED) { \ ++ session->internals.handshake_suspicious_loops++; \ ++ return ret; \ ++ } \ + } \ +- /* a warning alert might interrupt handshake */ \ +- if (allow_alert != 0 && ret==GNUTLS_E_WARNING_ALERT_RECEIVED) return ret; \ + gnutls_assert(); \ + ERR( str, ret); \ + /* do not allow non-fatal errors at this point */ \ +Index: gnutls28-3.4.10/lib/gnutls_int.h +=================================================================== +--- gnutls28-3.4.10.orig/lib/gnutls_int.h 2017-01-26 10:10:32.256534850 -0500 ++++ gnutls28-3.4.10/lib/gnutls_int.h 2017-01-26 10:10:32.252534793 
-0500 +@@ -953,9 +953,9 @@ + + /* DTLS session state */ + dtls_st dtls; +- /* In case of clients that don't handle GNUTLS_E_LARGE_PACKET, don't +- * force them into an infinite loop */ +- unsigned handshake_large_loops; ++ /* Protect from infinite loops due to GNUTLS_E_LARGE_PACKET non-handling ++ * or due to multiple alerts being received. */ ++ unsigned handshake_suspicious_loops; + /* should be non-zero when a handshake is in progress */ + bool handshake_in_progress; + +Index: gnutls28-3.4.10/lib/gnutls_state.c +=================================================================== +--- gnutls28-3.4.10.orig/lib/gnutls_state.c 2017-01-26 10:10:32.256534850 -0500 ++++ gnutls28-3.4.10/lib/gnutls_state.c 2017-01-26 10:10:32.252534793 -0500 +@@ -262,7 +262,7 @@ + + session->internals.resumable = RESUME_TRUE; + +- session->internals.handshake_large_loops = 0; ++ session->internals.handshake_suspicious_loops = 0; + session->internals.dtls.hsk_read_seq = 0; + session->internals.dtls.hsk_write_seq = 0; + } diff -Nru gnutls28-3.4.10/debian/patches/CVE-2017-5334.patch gnutls28-3.4.10/debian/patches/CVE-2017-5334.patch --- gnutls28-3.4.10/debian/patches/CVE-2017-5334.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnutls28-3.4.10/debian/patches/CVE-2017-5334.patch 2017-01-26 15:10:42.000000000 +0000 
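Review bot: The bound `16` on `handshake_suspicious_loops` is a bare literal inside the macro in lib/gnutls_handshake.c, while the comment describing the counter lives in lib/gnutls_int.h. Since this value now limits how many warning alerts a peer can make one handshake absorb, it would read better as a named constant defined next to the field, for example `#define MAX_HANDSHAKE_SUSPICIOUS_LOOPS 16` (the name is only a suggestion), with the macro testing `handshake_suspicious_loops < MAX_HANDSHAKE_SUSPICIOUS_LOOPS`. Large-packet retries and warning alerts now draw on the same budget, which the field comment could state explicitly. The macro starts and ends outside the hunk.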
@@ -0,0 +1,72 @@ +From bbfd47d4bb6935b3eddae227deb9f340e2c1a69d Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Thu, 15 Dec 2016 15:02:18 +0100 +Subject: [PATCH] gnutls_x509_ext_import_proxy: fix issue reading the policy language + +If the language was set but the policy wasn't, that could lead to +a double free, as the value returned to the user was freed. +--- + lib/x509/x509_ext.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +Index: gnutls28-3.4.10/lib/x509/x509_ext.c +=================================================================== +--- gnutls28-3.4.10.orig/lib/x509/x509_ext.c 2017-01-26 10:10:40.316650700 -0500 ++++ gnutls28-3.4.10/lib/x509/x509_ext.c 2017-01-26 10:10:40.312650643 -0500 +@@ -1415,7 +1415,8 @@ + { + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result; +- gnutls_datum_t value = { NULL, 0 }; ++ gnutls_datum_t value1 = { NULL, 0 }; ++ gnutls_datum_t value2 = { NULL, 0 }; + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.ProxyCertInfo", +@@ -1445,20 +1446,18 @@ + } + + result = _gnutls_x509_read_value(c2, "proxyPolicy.policyLanguage", +- &value); ++ &value1); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + if (policyLanguage) { +- *policyLanguage = (char *)value.data; +- } else { +- gnutls_free(value.data); +- value.data = NULL; ++ *policyLanguage = (char *)value1.data; ++ value1.data = NULL; + } + +- result = _gnutls_x509_read_value(c2, "proxyPolicy.policy", &value); ++ result = _gnutls_x509_read_value(c2, "proxyPolicy.policy", &value2); + if (result == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) { + if (policy) + *policy = NULL; +@@ -1469,16 +1468,17 @@ + goto cleanup; + } else { + if (policy) { +- *policy = (char *)value.data; +- value.data = NULL; ++ *policy = (char *)value2.data; ++ value2.data = NULL; + } + if (sizeof_policy) +- *sizeof_policy = value.size; ++ *sizeof_policy = value2.size; + } + + result = 0; + cleanup: +- gnutls_free(value.data); ++ 
gnutls_free(value1.data); ++ gnutls_free(value2.data); + asn1_delete_structure(&c2); + + return result; diff -Nru gnutls28-3.4.10/debian/patches/CVE-2017-5335.patch gnutls28-3.4.10/debian/patches/CVE-2017-5335.patch --- gnutls28-3.4.10/debian/patches/CVE-2017-5335.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnutls28-3.4.10/debian/patches/CVE-2017-5335.patch 2017-01-26 15:11:06.000000000 +0000 
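Review bot: When the second `_gnutls_x509_read_value()` call fails with an error other than GNUTLS_E_ASN1_ELEMENT_NOT_FOUND, the function jumps to `cleanup` after `*policyLanguage` has already been handed to the caller and `value1.data` cleared, so a negative return leaves an allocated string in the caller's output. A caller that ignores outputs on error would leak it; the failing branch lies partly between the hunks, so this is inferred from the surrounding lines. Either assign `*policyLanguage` only after both reads have succeeded, or release it in the error branch with `gnutls_free(*policyLanguage); *policyLanguage = NULL;` guarded by `if (policyLanguage)`. A short comment on `value1`/`value2` saying that ownership moves to the caller once `.data` is set to NULL would also help the next reader.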
@@ -0,0 +1,127 @@ +From 785af1ab577f899d2e54172ff120f404709bf172 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Wed, 4 Jan 2017 15:22:13 +0100 +Subject: [PATCH] opencdk: added error checking in the stream reading functions + +This addresses an out of memory error. Issue found using oss-fuzz: + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=337 + +Signed-off-by: Nikos Mavrogiannopoulos +--- + lib/opencdk/read-packet.c | 40 +++++++++++++++++++++++++++++++++++----- + 1 file changed, 35 insertions(+), 5 deletions(-) + +Index: gnutls28-3.4.10/lib/opencdk/read-packet.c +=================================================================== +--- gnutls28-3.4.10.orig/lib/opencdk/read-packet.c 2017-01-26 10:10:49.072776537 -0500 ++++ gnutls28-3.4.10/lib/opencdk/read-packet.c 2017-01-26 10:10:49.072776537 -0500 +@@ -50,13 +50,13 @@ + static u32 read_32(cdk_stream_t s) + { + byte buf[4]; +- size_t nread; ++ size_t nread = 0; + + assert(s != NULL); + + stream_read(s, buf, 4, &nread); + if (nread != 4) +- return (u32) - 1; ++ return (u32) -1; + return buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3]; + } + +@@ -65,7 +65,7 @@ + static u16 read_16(cdk_stream_t s) + { + byte buf[2]; +- size_t nread; ++ size_t nread = 0; + + assert(s != NULL); + +@@ -547,7 +547,7 @@ + static cdk_error_t + read_subpkt(cdk_stream_t inp, cdk_subpkt_t * r_ctx, size_t * r_nbytes) + { +- byte c, c1; ++ int c, c1; + size_t size, nread, n; + cdk_subpkt_t node; + cdk_error_t rc; +@@ -562,11 +562,18 @@ + *r_nbytes = 0; + c = cdk_stream_getc(inp); + n++; ++ + if (c == 255) { + size = read_32(inp); ++ if (size == (u32)-1) ++ return CDK_Inv_Packet; ++ + n += 4; + } else if (c >= 192 && c < 255) { + c1 = cdk_stream_getc(inp); ++ if (c1 == EOF) ++ return CDK_Inv_Packet; ++ + n++; + if (c1 == 0) + return 0; +@@ -831,17 +838,29 @@ + read_old_length(cdk_stream_t inp, int ctb, size_t * r_len, size_t * r_size) + { + int llen = ctb & 0x03; ++ int c; + + if (llen == 0) { +- *r_len = 
cdk_stream_getc(inp); ++ c = cdk_stream_getc(inp); ++ if (c == EOF) ++ goto fail; ++ ++ *r_len = c; + (*r_size)++; + } else if (llen == 1) { + *r_len = read_16(inp); ++ if (*r_len == (u16)-1) ++ goto fail; + (*r_size) += 2; + } else if (llen == 2) { + *r_len = read_32(inp); ++ if (*r_len == (u32)-1) { ++ goto fail; ++ } ++ + (*r_size) += 4; + } else { ++ fail: + *r_len = 0; + *r_size = 0; + } +@@ -856,15 +875,25 @@ + int c, c1; + + c = cdk_stream_getc(inp); ++ if (c == EOF) ++ return; ++ + (*r_size)++; + if (c < 192) + *r_len = c; + else if (c >= 192 && c <= 223) { + c1 = cdk_stream_getc(inp); ++ if (c1 == EOF) ++ return; ++ + (*r_size)++; + *r_len = ((c - 192) << 8) + c1 + 192; + } else if (c == 255) { + *r_len = read_32(inp); ++ if (*r_len == (u32)-1) { ++ return; ++ } ++ + (*r_size) += 4; + } else { + *r_len = 1 << (c & 0x1f); diff -Nru gnutls28-3.4.10/debian/patches/CVE-2017-5336.patch gnutls28-3.4.10/debian/patches/CVE-2017-5336.patch --- gnutls28-3.4.10/debian/patches/CVE-2017-5336.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnutls28-3.4.10/debian/patches/CVE-2017-5336.patch 2017-01-26 15:11:13.000000000 +0000 
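Review bot: In `read_subpkt` the first `c = cdk_stream_getc(inp);` is still not checked for EOF, although `c1` now is. With `c` changed from `byte` to `int`, an EOF no longer matches `c == 255` and instead reaches whichever branch handles the remaining values, which is outside the hunk; adding `if (c == EOF) return CDK_Inv_Packet;` right after the call would close that path. In the last hunk the function (its name is outside the hunk) returns on EOF without touching `*r_len` or `*r_size`, whereas `read_old_length` zeroes both at `fail:`, so setting both to 0 before those early returns would make the two helpers agree. The `(u16)-1` and `(u32)-1` comparisons also treat a genuine all-ones length as a read error, which deserves a comment at `read_32`/`read_16`.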
@@ -0,0 +1,42 @@ +From 7dec871f82e205107a81281e3286f0aa9caa93b3 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Wed, 4 Jan 2017 14:56:50 +0100 +Subject: [PATCH] opencdk: cdk_pk_get_keyid: fix stack overflow + +Issue found using oss-fuzz: + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=340 + +Signed-off-by: Nikos Mavrogiannopoulos +--- + lib/opencdk/pubkey.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/lib/opencdk/pubkey.c b/lib/opencdk/pubkey.c +index 6e753bd..da43129 100644 +--- a/lib/opencdk/pubkey.c ++++ b/lib/opencdk/pubkey.c +@@ -518,6 +518,7 @@ u32 cdk_pk_get_keyid(cdk_pubkey_t pk, u32 * keyid) + { + u32 lowbits = 0; + byte buf[24]; ++ int rc; + + if (pk && (!pk->keyid[0] || !pk->keyid[1])) { + if (pk->version < 4 && is_RSA(pk->pubkey_algo)) { +@@ -525,7 +526,12 @@ u32 cdk_pk_get_keyid(cdk_pubkey_t pk, u32 * keyid) + size_t n; + + n = MAX_MPI_BYTES; +- _gnutls_mpi_print(pk->mpi[0], p, &n); ++ rc = _gnutls_mpi_print(pk->mpi[0], p, &n); ++ if (rc < 0 || n < 8) { ++ keyid[0] = keyid[1] = (u32)-1; ++ return (u32)-1; ++ } ++ + pk->keyid[0] = + p[n - 8] << 24 | p[n - 7] << 16 | p[n - + 6] << 8 | +-- +libgit2 0.24.0 + diff -Nru gnutls28-3.4.10/debian/patches/CVE-2017-5337.patch gnutls28-3.4.10/debian/patches/CVE-2017-5337.patch --- gnutls28-3.4.10/debian/patches/CVE-2017-5337.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnutls28-3.4.10/debian/patches/CVE-2017-5337.patch 2017-01-26 15:13:54.000000000 +0000 
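Review bot: The new error path in `cdk_pk_get_keyid` writes `keyid[0] = keyid[1] = (u32)-1;` without testing `keyid`, while the guard above it only tests `pk`. The rest of the function is outside the hunk, so whether callers may pass a NULL `keyid` to obtain only the return value needs confirming; if they can, a key that makes `_gnutls_mpi_print` fail now causes a NULL write. `if (keyid) keyid[0] = keyid[1] = (u32)-1;` keeps the fix without relying on that. The `(u32)-1` return value is also indistinguishable from a real key ID whose low word is 0xFFFFFFFF, which the function's doc comment should mention.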
@@ -0,0 +1,95 @@ +Backport of: + +From 6231a4a087f9fdbd5f5f274e80c7a71e3e45b9c8 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Wed, 4 Jan 2017 14:42:03 +0100 +Subject: [PATCH] opencdk: read_attribute: added more precise checks when reading stream + +That addresses heap read overflows found using oss-fuzz: + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=338 + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=346 + +Signed-off-by: Nikos Mavrogiannopoulos +--- + lib/opencdk/read-packet.c | 40 +++++++++++++++++++++++++++++----------- + 1 file changed, 29 insertions(+), 11 deletions(-) + +Index: gnutls28-3.4.10/lib/opencdk/read-packet.c +=================================================================== +--- gnutls28-3.4.10.orig/lib/opencdk/read-packet.c 2017-01-26 10:11:21.437289687 -0500 ++++ gnutls28-3.4.10/lib/opencdk/read-packet.c 2017-01-26 10:13:07.566968471 -0500 +@@ -477,44 +477,63 @@ + return CDK_Out_Of_Core; + rc = stream_read(inp, buf, pktlen, &nread); + if (rc) { +- cdk_free(buf); +- return CDK_Inv_Packet; ++ gnutls_assert(); ++ rc = CDK_Inv_Packet; ++ goto error; + } ++ + p = buf; + len = *p++; + pktlen--; ++ + if (len == 255) { ++ if (pktlen < 4) { ++ gnutls_assert(); ++ rc = CDK_Inv_Packet; ++ goto error; ++ } ++ + len = _cdk_buftou32(p); + p += 4; + pktlen -= 4; + } else if (len >= 192) { + if (pktlen < 2) { +- cdk_free(buf); +- return CDK_Inv_Packet; ++ gnutls_assert(); ++ rc = CDK_Inv_Packet; ++ goto error; + } + len = ((len - 192) << 8) + *p + 192; + p++; + pktlen--; + } + +- if (*p != 1) { /* Currently only 1, meaning an image, is defined. */ +- cdk_free(buf); +- return CDK_Inv_Packet; ++ if (!len || *p != 1) { /* Currently only 1, meaning an image, is defined. 
*/ ++ rc = CDK_Inv_Packet; ++ goto error; + } ++ + p++; + len--; + +- if (len >= pktlen) +- return CDK_Inv_Packet; ++ if (len >= pktlen) { ++ rc = CDK_Inv_Packet; ++ goto error; ++ } ++ + attr->attrib_img = cdk_calloc(1, len); + if (!attr->attrib_img) { +- cdk_free(buf); +- return CDK_Out_Of_Core; ++ rc = CDK_Out_Of_Core; ++ goto error; + } ++ + attr->attrib_len = len; + memcpy(attr->attrib_img, p, len); + cdk_free(buf); + return rc; ++ ++ error: ++ cdk_free(buf); ++ return rc; + } + + diff -Nru gnutls28-3.4.10/debian/patches/CVE-2017-7507-1.patch gnutls28-3.4.10/debian/patches/CVE-2017-7507-1.patch --- gnutls28-3.4.10/debian/patches/CVE-2017-7507-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnutls28-3.4.10/debian/patches/CVE-2017-7507-1.patch 2017-06-12 13:31:51.000000000 +0000 
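Review bot: `*p != 1` is evaluated before anything checks that a byte is still left in the buffer. In the `len == 255` branch the new `pktlen < 4` test lets `pktlen == 4` through, and after `pktlen -= 4` the read in `if (!len || *p != 1)` is one byte past the data that `stream_read` filled (assuming `buf` holds `pktlen` bytes; the allocation is outside the hunk). The same happens for the one-byte length form when `pktlen` is 1 on entry. Testing the remaining length first avoids it: `if (!len || pktlen == 0 || *p != 1) {`. `nread` is also never compared with `pktlen`; whether `stream_read` reports a short read through `rc` cannot be seen from here.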
@@ -0,0 +1,67 @@ +From 4c4d35264fada08b6536425c051fb8e0b05ee86b Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Wed, 24 May 2017 10:46:03 +0200 +Subject: [PATCH] ext/status_request: ensure response IDs are properly deinitialized + +That is, do not attempt to loop through the array if there is no array +allocated. + +Signed-off-by: Nikos Mavrogiannopoulos +--- + lib/ext/status_request.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +Index: gnutls28-3.4.10/lib/ext/status_request.c +=================================================================== +--- gnutls28-3.4.10.orig/lib/ext/status_request.c 2017-06-12 09:31:49.636110502 -0400 ++++ gnutls28-3.4.10/lib/ext/status_request.c 2017-06-12 09:31:49.612110214 -0400 +@@ -68,7 +68,10 @@ typedef struct { + + static void deinit_responder_id(status_request_ext_st *priv) + { +-unsigned i; ++ unsigned i; ++ ++ if (priv->responder_id == NULL) ++ return; + + for (i = 0; i < priv->responder_id_size; i++) + gnutls_free(priv->responder_id[i].data); +@@ -134,6 +137,7 @@ server_recv(gnutls_session_t session, + { + size_t i; + ssize_t data_size = size; ++ unsigned responder_ids = 0; + + /* minimum message is type (1) + responder_id_list (2) + + request_extension (2) = 5 */ +@@ -152,23 +156,24 @@ server_recv(gnutls_session_t session, + DECR_LEN(data_size, 1); + data++; + +- priv->responder_id_size = _gnutls_read_uint16(data); ++ responder_ids = _gnutls_read_uint16(data); + + DECR_LEN(data_size, 2); + data += 2; + +- if (data_size <= (ssize_t) (priv->responder_id_size * 2)) ++ if (data_size <= (ssize_t) (responder_ids * 2)) + return + gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); + +- if (priv->responder_id != NULL) +- deinit_responder_id(priv); ++ deinit_responder_id(priv); + +- priv->responder_id = gnutls_calloc(1, priv->responder_id_size ++ priv->responder_id = gnutls_calloc(1, responder_ids + * sizeof(*priv->responder_id)); + if (priv->responder_id == NULL) + return 
gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + ++ priv->responder_id_size = responder_ids; ++ + for (i = 0; i < priv->responder_id_size; i++) { + size_t l; + diff -Nru gnutls28-3.4.10/debian/patches/CVE-2017-7507-2.patch gnutls28-3.4.10/debian/patches/CVE-2017-7507-2.patch --- gnutls28-3.4.10/debian/patches/CVE-2017-7507-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnutls28-3.4.10/debian/patches/CVE-2017-7507-2.patch 2017-06-12 13:32:18.000000000 +0000 
@@ -0,0 +1,120 @@ +From 3efb6c5fd0e3822ec11879d5bcbea0e8d322cd03 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Wed, 24 May 2017 11:38:16 +0200 +Subject: [PATCH] ext/status_request: Removed the parsing of responder IDs from client extension + +These values were never used by gnutls, nor were accessible to applications, +and as such there is not reason to parse them. + +Signed-off-by: Nikos Mavrogiannopoulos +--- + lib/ext/status_request.c | 68 ++++++++++++++++---------------------------------------------------- + 1 file changed, 16 insertions(+), 52 deletions(-) + +Index: gnutls28-3.4.10/lib/ext/status_request.c +=================================================================== +--- gnutls28-3.4.10.orig/lib/ext/status_request.c 2017-06-12 09:31:57.940210185 -0400 ++++ gnutls28-3.4.10/lib/ext/status_request.c 2017-06-12 09:31:57.936210137 -0400 +@@ -66,21 +66,6 @@ typedef struct { + opaque Extensions<0..2^16-1>; + */ + +-static void deinit_responder_id(status_request_ext_st *priv) +-{ +- unsigned i; +- +- if (priv->responder_id == NULL) +- return; +- +- for (i = 0; i < priv->responder_id_size; i++) +- gnutls_free(priv->responder_id[i].data); +- +- gnutls_free(priv->responder_id); +- priv->responder_id = NULL; +- priv->responder_id_size = 0; +-} +- + + static int + client_send(gnutls_session_t session, +@@ -135,9 +120,8 @@ server_recv(gnutls_session_t session, + status_request_ext_st * priv, + const uint8_t * data, size_t size) + { +- size_t i; + ssize_t data_size = size; +- unsigned responder_ids = 0; ++ unsigned rid_bytes = 0; + + /* minimum message is type (1) + responder_id_list (2) + + request_extension (2) = 5 */ +@@ -156,44 +140,17 @@ server_recv(gnutls_session_t session, + DECR_LEN(data_size, 1); + data++; + +- responder_ids = _gnutls_read_uint16(data); ++ rid_bytes = _gnutls_read_uint16(data); + + DECR_LEN(data_size, 2); +- data += 2; ++ /*data += 2;*/ + +- if (data_size <= (ssize_t) (responder_ids * 2)) ++ /* sanity check only, we don't 
use any of the data below */ ++ ++ if (data_size < (ssize_t)rid_bytes) + return + gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); + +- deinit_responder_id(priv); +- +- priv->responder_id = gnutls_calloc(1, responder_ids +- * sizeof(*priv->responder_id)); +- if (priv->responder_id == NULL) +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- +- priv->responder_id_size = responder_ids; +- +- for (i = 0; i < priv->responder_id_size; i++) { +- size_t l; +- +- DECR_LEN(data_size, 2); +- +- l = _gnutls_read_uint16(data); +- data += 2; +- +- DECR_LEN(data_size, l); +- +- priv->responder_id[i].data = gnutls_malloc(l); +- if (priv->responder_id[i].data == NULL) +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- +- memcpy(priv->responder_id[i].data, data, l); +- priv->responder_id[i].size = l; +- +- data += l; +- } +- + return 0; + } + +@@ -477,11 +434,18 @@ gnutls_certificate_set_ocsp_status_reque + static void _gnutls_status_request_deinit_data(extension_priv_data_t epriv) + { + status_request_ext_st *priv = epriv; ++ unsigned i; + + if (priv == NULL) + return; + +- deinit_responder_id(priv); ++ if (priv->responder_id != NULL) { ++ for (i = 0; i < priv->responder_id_size; i++) ++ gnutls_free(priv->responder_id[i].data); ++ ++ gnutls_free(priv->responder_id); ++ } ++ + gnutls_free(priv->request_extensions.data); + gnutls_free(priv->response.data); + gnutls_free(priv); diff -Nru gnutls28-3.4.10/debian/patches/CVE-2017-7507-3.patch gnutls28-3.4.10/debian/patches/CVE-2017-7507-3.patch --- gnutls28-3.4.10/debian/patches/CVE-2017-7507-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnutls28-3.4.10/debian/patches/CVE-2017-7507-3.patch 2017-06-12 13:32:34.000000000 +0000 
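Review bot: The `server_recv` check `if (data_size < (ssize_t)rid_bytes)` only bounds the responder-ID list; the two-byte request_extensions length that the function's own comment counts in the 5-byte minimum is never read or checked, and `rid_bytes` is not consumed with `DECR_LEN`. Nothing after it is used, so this is not a memory-safety problem, but a malformed extension body is accepted as valid. If strict parsing is wanted, consume the list with `DECR_LEN(data_size, rid_bytes);` and check the following length field the same way. The commented-out `/*data += 2;*/` should be deleted rather than left as dead code.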
@@ -0,0 +1,36 @@ +From e1d6c59a7b0392fb3b8b75035614084a53e2c8c9 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Wed, 24 May 2017 11:48:24 +0200 +Subject: [PATCH] gnutls_ocsp_status_request_enable_client: documented requirements for parameters + +That is, the fact that extensions and responder_id parameters must be +allocated, and are assigned to the session. + +Signed-off-by: Nikos Mavrogiannopoulos +--- + lib/ext/status_request.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +Index: gnutls28-3.4.10/lib/ext/status_request.c +=================================================================== +--- gnutls28-3.4.10.orig/lib/ext/status_request.c 2017-06-12 09:32:31.988618904 -0400 ++++ gnutls28-3.4.10/lib/ext/status_request.c 2017-06-12 09:32:31.984618855 -0400 +@@ -265,9 +265,15 @@ _gnutls_status_request_recv_params(gnutl + * + * This function is to be used by clients to request OCSP response + * from the server, using the "status_request" TLS extension. Only +- * OCSP status type is supported. A typical server has a single +- * OCSP response cached, so @responder_id and @extensions +- * should be null. ++ * OCSP status type is supported. ++ * ++ * The @responder_id array, its containing elements as well as ++ * the data of @extensions, must be allocated using gnutls_malloc(). They ++ * will be deinitialized on session cleanup. ++ * ++ * Due to the difficult semantics of the @responder_id and @extensions ++ * parameters, it is recommended to only call this function with these ++ * parameters set to %NULL. + * + * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, + * otherwise a negative error code is returned. diff -Nru gnutls28-3.4.10/debian/patches/CVE-2017-7869.patch gnutls28-3.4.10/debian/patches/CVE-2017-7869.patch --- gnutls28-3.4.10/debian/patches/CVE-2017-7869.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnutls28-3.4.10/debian/patches/CVE-2017-7869.patch 2017-06-12 13:31:43.000000000 +0000 
@@ -0,0 +1,54 @@ +Backport of: + +From 51464af713d71802e3c6d5ac15f1a95132a354fe Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Mon, 20 Feb 2017 11:13:08 +0100 +Subject: [PATCH] cdk_pkt_read: enforce packet limits + +That ensures that there are no overflows in the subsequent +calculations. + +Resolves the oss-fuzz found bug: +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420 + +Relates: #159 + +Signed-off-by: Nikos Mavrogiannopoulos +--- + lib/opencdk/read-packet.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +Index: gnutls28-3.5.6/lib/opencdk/read-packet.c +=================================================================== +--- gnutls28-3.5.6.orig/lib/opencdk/read-packet.c 2017-06-12 09:25:46.991757303 -0400 ++++ gnutls28-3.5.6/lib/opencdk/read-packet.c 2017-06-12 09:25:46.987757255 -0400 +@@ -936,6 +936,7 @@ static void skip_packet(cdk_stream_t inp + assert(pktlen == 0); + } + ++#define MAX_PACKET_LEN (1<<24) + + /** + * cdk_pkt_read: +@@ -988,6 +989,13 @@ cdk_error_t cdk_pkt_read(cdk_stream_t in + else + read_old_length(inp, ctb, &pktlen, &pktsize); + ++ /* enforce limits to ensure that the following calculations ++ * do not overflow */ ++ if (pktlen >= MAX_PACKET_LEN || pktsize >= MAX_PACKET_LEN) { ++ _cdk_log_info("cdk_pkt_read: too long packet\n"); ++ return gnutls_assert_val(CDK_Inv_Packet); ++ } ++ + pkt->pkttype = pkttype; + pkt->pktlen = pktlen; + pkt->pktsize = pktsize + pktlen; +@@ -1012,6 +1020,7 @@ cdk_error_t cdk_pkt_read(cdk_stream_t in + break; + + case CDK_PKT_USER_ID: ++ + pkt->pkt.user_id = cdk_calloc(1, sizeof *pkt->pkt.user_id + + pkt->pktlen + 1); + if (!pkt->pkt.user_id) diff -Nru gnutls28-3.4.10/debian/patches/disable_global_init_override_test.patch gnutls28-3.4.10/debian/patches/disable_global_init_override_test.patch --- gnutls28-3.4.10/debian/patches/disable_global_init_override_test.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnutls28-3.4.10/debian/patches/disable_global_init_override_test.patch 2017-11-06 
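Review bot: `MAX_PACKET_LEN` is introduced without a comment saying where the 16 MiB figure comes from or which calculations it protects. The visible consumers are `pkt->pktsize = pktsize + pktlen` and the `cdk_calloc(1, sizeof *pkt->pkt.user_id + pkt->pktlen + 1)` allocation, so a line such as `/* upper bound for one packet; keeps pktsize + pktlen and the length-based allocations below from wrapping */` above the define would record the intent. The blank line added under `case CDK_PKT_USER_ID:` is unrelated whitespace and can be dropped from the backport.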
02:44:34.000000000 +0000 @@ -0,0 +1,17 @@ +Description: disable failing test +Author: Marc Deslauriers +Forwarded: no + +Index: b/tests/Makefile.am +=================================================================== +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -90,7 +90,7 @@ ctests = mini-record-2 simple gc set_pkc + x509sign-verify2 mini-alignment oids atfork prf \ + status-request status-request-ok fallback-scsv pkcs8-key-decode \ + mini-session-verify-function auto-verify mini-x509-default-prio \ +- global-init-override pcert-list ++ pcert-list + + mini_dtls_pthread_LDADD = $(LDADD) -lpthread + diff -Nru gnutls28-3.4.10/debian/patches/fallback-for-getrandom.patch gnutls28-3.4.10/debian/patches/fallback-for-getrandom.patch --- gnutls28-3.4.10/debian/patches/fallback-for-getrandom.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnutls28-3.4.10/debian/patches/fallback-for-getrandom.patch 2019-03-27 11:07:24.000000000 +0000 
@@ -0,0 +1,86 @@ +--- a/lib/nettle/rnd-common.c ++++ b/lib/nettle/rnd-common.c +@@ -38,7 +38,7 @@ + #include + + #if defined(HAVE_LINUX_GETRANDOM) +-# include ++# include + # define getentropy(x, size) getrandom(x, size, 0) + # define HAVE_GETENTROPY + #endif +@@ -147,7 +147,18 @@ + + get_entropy_func _rnd_get_system_entropy = NULL; + +-#if defined(HAVE_GETENTROPY) ++static unsigned int have_getentropy (void) ++{ ++ char c; ++ int ret; ++ ++ ret = getentropy(&c, 1); ++ if (ret == 1 || (ret == -1 && errno == EAGAIN)) ++ return 1; ++ ++ return 0; ++} ++ + static int _rnd_get_system_entropy_simple(void* _rnd, size_t size) + { + if (getentropy(_rnd, size) < 0) { +@@ -160,24 +171,6 @@ + return 0; + } + +-int _rnd_system_entropy_init(void) +-{ +- _rnd_get_system_entropy = _rnd_get_system_entropy_simple; +- return 0; +-} +- +-int _rnd_system_entropy_check(void) +-{ +- return 0; +-} +- +-void _rnd_system_entropy_deinit(void) +-{ +- return; +-} +- +-#else /* /dev/urandom - egd approach */ +- + static int _rnd_get_system_entropy_urandom(void* _rnd, size_t size) + { + uint8_t* rnd = _rnd; +@@ -238,6 +231,9 @@ + int ret; + struct stat st; + ++ if (_gnutls_urandom_fd == -1) ++ return 0; ++ + ret = fstat(_gnutls_urandom_fd, &st); + if (ret < 0 || st.st_mode != _gnutls_urandom_fd_mode) { + return _rnd_system_entropy_init(); +@@ -250,6 +246,11 @@ + int old; + struct stat st; + ++ if (have_getentropy()) { ++ _rnd_get_system_entropy = _rnd_get_system_entropy_simple; ++ return 0; ++ } ++ + _gnutls_urandom_fd = open("/dev/urandom", O_RDONLY); + if (_gnutls_urandom_fd < 0) { + _gnutls_debug_log("Cannot open urandom!\n"); +@@ -292,7 +293,6 @@ + _gnutls_urandom_fd = -1; + } + } +-#endif /* GETENTROPY */ + + #endif /* _WIN32 */ + diff -Nru gnutls28-3.4.10/debian/patches/fix_expired_certs.patch gnutls28-3.4.10/debian/patches/fix_expired_certs.patch --- gnutls28-3.4.10/debian/patches/fix_expired_certs.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
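Review bot: `have_getentropy()` probes through the `getentropy(x, size)` macro, which expands to `getrandom(x, size, 0)`; with flags 0 the call waits until the kernel pool is initialised, so the `errno == EAGAIN` branch cannot be taken and library initialisation can stall early in boot. Calling `getrandom(&c, 1, GRND_NONBLOCK)` directly in the probe would match the error handling that is written. As it stands, any other failure (for example `EINTR` while waiting) is treated like a missing syscall and silently selects the `/dev/urandom` path, so comparing against `ENOSYS` explicitly would make the fallback condition visible. The patch also removes the `#if defined(HAVE_GETENTROPY)` guard, so both functions are now compiled on builds where neither call is declared, and with a native `getentropy()`, which returns 0 on success, `ret == 1` never holds.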
gnutls28-3.4.10/debian/patches/fix_expired_certs.patch 2017-01-26 16:28:55.000000000 +0000 @@ -0,0 +1,34 @@ +From 47f25d9e08d4e102572804a2aed186b01db23c65 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Wed, 29 Jun 2016 17:31:13 +0200 +Subject: [PATCH] tests: use datefudge in name-constraints test + +This avoids the expiration of the used certificate to affect the test. +--- + tests/cert-tests/name-constraints | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +Index: gnutls28-3.4.10/tests/cert-tests/name-constraints +=================================================================== +--- gnutls28-3.4.10.orig/tests/cert-tests/name-constraints 2017-01-26 11:28:50.479152285 -0500 ++++ gnutls28-3.4.10/tests/cert-tests/name-constraints 2017-01-26 11:28:50.475152233 -0500 +@@ -27,7 +27,18 @@ + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" + fi + +-${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/name-constraints-ip.pem" ++export TZ="UTC" ++ ++# Check for datefudge ++TSTAMP=`datefudge -s "2006-09-23" date -u +%s || true` ++if test "$TSTAMP" != "1158969600"; then ++ echo $TSTAMP ++ echo "You need datefudge to run this test" ++ exit 77 ++fi ++ ++datefudge -s "2016-04-22" \ ++ ${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/name-constraints-ip.pem" + rc=$? + + if test "${rc}" != "0"; then diff -Nru gnutls28-3.4.10/debian/patches/series gnutls28-3.4.10/debian/patches/series --- gnutls28-3.4.10/debian/patches/series 2016-03-17 18:22:20.000000000 +0000 +++ gnutls28-3.4.10/debian/patches/series 2019-03-27 10:56:21.000000000 +0000 
@@ -4,3 +4,17 @@
 41_tests-mini-loss-time-ensure-client-timeouts.diff
 42_mini-loss-time-improved-timeout-detection.patch
 43_fix_cpucapoverride.diff
+disable_global_init_override_test.patch
+CVE-2016-7444.patch
+CVE-2016-8610.patch
+CVE-2017-5334.patch
+CVE-2017-5335.patch
+CVE-2017-5336.patch
+CVE-2017-5337.patch
+fix_expired_certs.patch
+CVE-2017-7869.patch
+CVE-2017-7507-1.patch
+CVE-2017-7507-2.patch
+CVE-2017-7507-3.patch
+use_normal_priority_for_openssl_sslv23.diff
+fallback-for-getrandom.patch
diff -Nru gnutls28-3.4.10/debian/patches/use_normal_priority_for_openssl_sslv23.diff gnutls28-3.4.10/debian/patches/use_normal_priority_for_openssl_sslv23.diff
--- gnutls28-3.4.10/debian/patches/use_normal_priority_for_openssl_sslv23.diff 1970-01-01 00:00:00.000000000 +0000
+++ gnutls28-3.4.10/debian/patches/use_normal_priority_for_openssl_sslv23.diff 2017-08-11 14:25:35.000000000 +0000
@@ -0,0 +1,30 @@ +Backport of: + +From 363056f7db6f61f818523888085638e85c6a81f7 Apr, 2 2017 +Description: Use NORMAL priority for SSLv23_*_method. Instead of + enforcing TLS1.0/SSL3.0 use gnutls NORMAL priority for SSLv23_*_methods. +Author: Andreas Metzler +Last-Update: 2017-04-02 +Bug-Ubuntu: https://launchpad.net/bugs/1709193 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857436 + +--- gnutls28-3.4.10.orig/extra/gnutls_openssl.c ++++ gnutls28-3.4.10/extra/gnutls_openssl.c +@@ -483,7 +483,7 @@ SSL_METHOD *SSLv23_client_method(void) + return NULL; + + strcpy(m->priority_string, +- "NONE:+VERS-TLS1.0:+VERS-SSL3.0:+CIPHER-ALL:+COMP-ALL:+RSA:+DHE-RSA:+DHE-DSS:+MAC-ALL"); ++ "NORMAL"); + + m->connend = GNUTLS_CLIENT; + +@@ -498,7 +498,7 @@ SSL_METHOD *SSLv23_server_method(void) + return NULL; + + strcpy(m->priority_string, +- "NONE:+VERS-TLS1.0:+VERS-SSL3.0:+CIPHER-ALL:+COMP-ALL:+RSA:+DHE-RSA:+DHE-DSS:+MAC-ALL"); ++ "NORMAL"); + m->connend = GNUTLS_SERVER; + + return m; diff -Nru gnutls28-3.4.10/debian/rules gnutls28-3.4.10/debian/rules --- gnutls28-3.4.10/debian/rules 2016-03-14 17:12:12.000000000 +0000 +++ gnutls28-3.4.10/debian/rules 2019-02-07 17:00:25.000000000 +0000 @@ -44,6 +44,8 @@ dh_makeshlibs -p libgnutls-openssl27 -V 'libgnutls-openssl27 (>= 3.0-0)' dh_makeshlibs --remaining-packages -Xguile/2.0/guile-gnutls-v-2.so +override_dh_shlibdeps: + dh_shlibdeps -- -xlibgmpxx4ldbl # pre-clean rule: save gnutls.pdf since it is expensive to regenerate. # See README.source 
@@ -106,10 +108,10 @@ dh_strip --ddeb-migration='libgnutls30-dbg (<< 3.4.7-2~)' override_dh_auto_test: - dh_auto_test -O--parallel --verbose -- VERBOSE=1 + dh_auto_test -O--parallel --verbose -- VERBOSE=1 || true override_dh_clean: dh_clean -X.bak %: - dh $@ --parallel --with autoreconf + dh $@ --parallel --with autoreconf -Ngnutls-doc -Nguile-gnutls diff -Nru gnutls28-3.4.10/debian/shlibs.local gnutls28-3.4.10/debian/shlibs.local --- gnutls28-3.4.10/debian/shlibs.local 1970-01-01 00:00:00.000000000 +0000 +++ gnutls28-3.4.10/debian/shlibs.local 2019-02-07 16:19:07.000000000 +0000 @@ -0,0 +1,3 @@ +libgmp 3 libgmp3c2 +libgmpxx 4 libgmp3c2 +libmp 3 libgmp3c2
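Review bot: The `|| true` appended to `dh_auto_test` in `override_dh_auto_test` discards the whole test-suite result, in a package whose delta is mostly backported security fixes to parsers; a backport that breaks the OpenPGP or status-request tests would still build and be published. The changelog gives a build-worker failure as the reason, so a narrower form keeps the signal: remove only the failing test from `ctests`, as disable_global_init_override_test.patch already does for one, or wrap the `dh_auto_test` line in `ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))` so skipping is an explicit build option. If the blanket ignore has to stay, a comment next to it naming the failing tests and the tracking bug would let it be removed later.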