diffstat of debian/ for gnutls28_3.5.18-1 gnutls28_3.5.18-1ubuntu1.1 changelog | 158 +++++++++++++++++++++++- control | 3 patches/CVE-2018-1084x-1.patch | 91 +++++++++++++ patches/CVE-2018-1084x-2.patch | 107 ++++++++++++++++ patches/CVE-2018-1084x-3.patch | 39 +++++ patches/CVE-2018-1084x-4.patch | 110 ++++++++++++++++ patches/CVE-2018-1084x-5.patch | 38 +++++ patches/CVE-2019-3829-1.patch | 56 ++++++++ patches/CVE-2019-3829-2.patch | 28 ++++ patches/CVE-2019-3829-3.patch | 27 ++++ patches/add-openssl-test-link.patch | 14 ++ patches/disable_global_init_override_test.patch | 15 ++ patches/series | 10 + 13 files changed, 694 insertions(+), 2 deletions(-)
diff -Nru gnutls28-3.5.18/debian/changelog gnutls28-3.5.18/debian/changelog
--- gnutls28-3.5.18/debian/changelog 2018-02-16 17:39:11.000000000 +0000
+++ gnutls28-3.5.18/debian/changelog 2019-05-28 17:18:12.000000000 +0000
@@ -1,3 +1,40 @@ +gnutls28 (3.5.18-1ubuntu1.1) bionic-security; urgency=medium + + * SECURITY UPDATE: Lucky-13 issues + - debian/patches/CVE-2018-1084x-1.patch: correctly account the length + field in SHA384 HMAC in lib/algorithms/mac.c, lib/cipher.c. + - debian/patches/CVE-2018-1084x-2.patch: always hash the same amount of + blocks that would have been on minimum pad in lib/cipher.c. + - debian/patches/CVE-2018-1084x-3.patch: require minimum padding under + SSL3.0 in lib/cipher.c. + - debian/patches/CVE-2018-1084x-4.patch: hmac-sha384 and sha256 + ciphersuites were removed from defaults in lib/priority.c, + tests/dtls1-2-mtu-check.c, tests/priorities.c. + - debian/patches/CVE-2018-1084x-5.patch: fix test for SHA512 in + tests/pkcs12_encode.c. + - CVE-2018-10844 + - CVE-2018-10845 + - CVE-2018-10846 + * SECURITY UPDATE: double free in cert verification API + - debian/patches/CVE-2019-3829-1.patch: automatically NULLify after + gnutls_free() in lib/includes/gnutls/gnutls.h.in. + - debian/patches/CVE-2019-3829-2.patch: fix some casts in + lib/extensions.c. + - debian/patches/CVE-2019-3829-3.patch: fix dereference of NULL pointer + in lib/x509/x509.c. + - CVE-2019-3829 + + -- Marc Deslauriers Tue, 28 May 2019 13:18:12 -0400 + +gnutls28 (3.5.18-1ubuntu1) bionic; urgency=low + + * Merge from Debian unstable. Remaining changes: + - debian/patches/disable_global_init_override_test.patch: disable + failing test. + - debian/patches/add-openssl-test-link.patch: add link for libssl + + -- Julian Andres Klode Mon, 12 Mar 2018 11:12:59 +0100 + gnutls28 (3.5.18-1) unstable; urgency=medium * New upstream version. 
@@ -6,6 +43,30 @@ -- Andreas Metzler Fri, 16 Feb 2018 18:39:11 +0100 +gnutls28 (3.5.17-1ubuntu3) bionic; urgency=medium + + * Rebuild against new libunistring 0.9.9. + + -- Gianfranco Costamagna Sun, 04 Mar 2018 09:24:47 +0100 + +gnutls28 (3.5.17-1ubuntu2) bionic; urgency=medium + + * Stop building with --with-included-unistring now that we get a new + unistring + + -- Julian Andres Klode Tue, 13 Feb 2018 16:14:36 +0100 + +gnutls28 (3.5.17-1ubuntu1) bionic; urgency=low + + * Merge from Debian unstable. Remaining changes: + - debian/patches/disable_global_init_override_test.patch: disable + failing test. + - debian/patches/add-openssl-test-link.patch: add link for libssl + * Build with --with-included-unistring for now as our libunistring is + too old and needs a transition. + + -- Julian Andres Klode Mon, 22 Jan 2018 13:24:04 +0100 + gnutls28 (3.5.17-1) unstable; urgency=low * New upstream version. 
@@ -141,6 +202,36 @@ -- Andreas Metzler Sun, 12 Feb 2017 19:37:32 +0100 +gnutls28 (3.5.8-6ubuntu3) artful; urgency=medium + + * Cherry pick several fixes from Debian 3.5.8-5+deb9u3: + - 38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch + 38_02-OCSP-find_signercert-improved-DER-length-calculation.patch from + gnutls 3.5.14: Fix OCSP verification errors, especially with ecdsa + signatures. LP: #1714506 + - 37_aarch64-fix-AES-GCM-in-place-encryption-and-decrypti.patch from + upstream 3.5.x branch: Fix breakage if AES-GCM in-place encryption and + decryption on aarch64. LP: #1707172 + + -- Julian Andres Klode Sat, 02 Sep 2017 16:12:49 +0200 + +gnutls28 (3.5.8-6ubuntu2) artful; urgency=medium + + * use_normal_priority_for_openssl_sslv23.diff by Andreas Metzler: + OpenSSL wrapper: SSLv23_*_method translates to NORMAL GnuTLS priority, + which includes TLS1.2 support. (LP: #1709193) + + -- Simon Deziel Thu, 10 Aug 2017 00:34:06 +0000 + +gnutls28 (3.5.8-6ubuntu1) artful; urgency=medium + + * Merge with Debian. Remaining changes: + - debian/patches/disable_global_init_override_test.patch: disable + failing test. + - debian/patches/add-openssl-test-link.patch: add link for libssl + + -- Marc Deslauriers Tue, 13 Jun 2017 13:19:05 -0400 + gnutls28 (3.5.8-6) unstable; urgency=high * 36_CVE-2017-7507_*.patch: Pulled from 3.5.13, fix crash upon receiving @@ -149,6 +240,15 @@ -- Andreas Metzler Sun, 11 Jun 2017 10:44:33 +0200 +gnutls28 (3.5.8-5ubuntu1) artful; urgency=medium + + * Merge with Debian. Remaining changes: + - debian/patches/disable_global_init_override_test.patch: disable + failing test. + - debian/patches/add-openssl-test-link.patch: add link for libssl + + -- Marc Deslauriers Wed, 03 May 2017 10:00:32 -0400 + gnutls28 (3.5.8-5) unstable; urgency=medium * 35_01_z_opencdk-read-packet.c-corrected-typo-in-type-cast.patch: Fix typo 
@@ -297,6 +397,54 @@ -- Andreas Metzler Sun, 13 Nov 2016 19:09:55 +0100 +gnutls28 (3.5.6-4ubuntu4) zesty; urgency=medium + + * Fix FTBFS because of failing test (LP: #1679868) + - debian/patches/fix_tests_timezone.patch: address test suite failure + due to timezone differences in tests/cert-tests/pkcs7. + + -- Marc Deslauriers Wed, 05 Apr 2017 10:06:24 -0400 + +gnutls28 (3.5.6-4ubuntu3) zesty; urgency=medium + + * SECURITY UPDATE: double-free when reading proxy language + - debian/patches/CVE-2017-5334.patch: fix double-free in + lib/x509/x509_ext.c. + - CVE-2017-5334 + * SECURITY UPDATE: out of memory error in stream reading functions + - debian/patches/CVE-2017-5335.patch: add error checking to + lib/opencdk/read-packet.c. + - CVE-2017-5335 + * SECURITY UPDATE: stack overflow in cdk_pk_get_keyid + - debian/patches/CVE-2017-5336.patch: check return code in + lib/opencdk/pubkey.c. + - CVE-2017-5336 + * SECURITY UPDATE: heap read overflow when reading streams + - debian/patches/CVE-2017-5337.patch: add more precise checks to + lib/opencdk/read-packet.c. + - CVE-2017-5337 + + -- Marc Deslauriers Wed, 01 Feb 2017 14:21:40 -0500 + +gnutls28 (3.5.6-4ubuntu2) zesty; urgency=medium + + * d/p/dname-api-*.patch fix gnutls api breakage on dname order in + gnutls 3.5.6 (LP: #1641615) + - d/libgnutls30.symbols add new symbols added by the upstream fix + + -- Christian Ehrhardt Thu, 17 Nov 2016 08:39:43 +0100 + +gnutls28 (3.5.6-4ubuntu1) zesty; urgency=medium + + * Merge with Debian. Remaining changes: + - debian/patches/disable_global_init_override_test.patch: disable failing + test. + - debian/patches/add-openssl-test-link.patch: add link for libssl + * New upstream version avoids getrandom() at initialization which caused + NetworkManager to hang at boot. (LP: #1622893) + + -- Martin Pitt Mon, 14 Nov 2016 12:47:23 +0100 + gnutls28 (3.5.6-4) unstable; urgency=medium * Pull 40_01_sockets-only-use-gnutls_bye-on-a-valid-socket-sessio.patch 
@@ -402,6 +550,15 @@ -- Andreas Metzler Sat, 10 Sep 2016 14:45:06 +0200 +gnutls28 (3.5.3-5ubuntu1) yakkety; urgency=medium + + * Merge with Debian (LP: #1624856). Remaining changes: + - debian/patches/disable_global_init_override_test.patch: disable failing + test. + - debian/patches/add-openssl-test-link.patch: add link for libssl + + -- Anders Kaseorg Sun, 18 Sep 2016 08:03:47 -0400 + gnutls28 (3.5.3-5) experimental; urgency=medium * Pull DTLS fixes from upstream GIT master. @@ -3283,4 +3440,3 @@ -- Ivo Timmermans Fri, 31 Oct 2003 18:47:09 +0100 - diff -Nru gnutls28-3.5.18/debian/control gnutls28-3.5.18/debian/control --- gnutls28-3.5.18/debian/control 2018-01-28 17:18:27.000000000 +0000 +++ gnutls28-3.5.18/debian/control 2018-03-08 11:04:42.000000000 +0000 @@ -1,7 +1,8 @@ Source: gnutls28 Section: libs Priority: optional -Maintainer: Debian GnuTLS Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian GnuTLS Maintainers Uploaders: Andreas Metzler , Eric Dorland , James Westby , diff -Nru gnutls28-3.5.18/debian/patches/CVE-2018-1084x-1.patch gnutls28-3.5.18/debian/patches/CVE-2018-1084x-1.patch --- gnutls28-3.5.18/debian/patches/CVE-2018-1084x-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnutls28-3.5.18/debian/patches/CVE-2018-1084x-1.patch 2019-05-28 17:16:09.000000000 +0000 
@@ -0,0 +1,91 @@
+From e14d85eb8b1987d86f7b1d101a0e7795675d20d4 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Tue, 12 Jun 2018 14:22:52 +0200
+Subject: [PATCH] dummy_wait: correctly account the length field in SHA384 HMAC
+
+The existing lucky13 attack count-measures did not work correctly for
+SHA384 HMAC.
+
+The overall impact of that should not be significant as SHA384 is prioritized
+lower than SHA256 or SHA1 and thus it is not typically negotiated, unless a
+client prioritizes a SHA384 MAC, or a server only supports SHA384, and in both
+cases the vulnerability is only present if Encrypt-then-MAC (RFC7366) is unsupported
+by the peer.
+
+Relates #455
+
+Signed-off-by: Nikos Mavrogiannopoulos
+---
+ lib/algorithms/mac.c | 4 ++--
+ lib/cipher.c | 24 +++++++++++-------------
+ 2 files changed, 13 insertions(+), 15 deletions(-)
+
+diff --git a/lib/algorithms/mac.c b/lib/algorithms/mac.c
+index 0198e4a205..d345ddb712 100644
+--- a/lib/algorithms/mac.c
++++ b/lib/algorithms/mac.c
+@@ -37,9 +37,9 @@ static const mac_entry_st hash_algorithms[] = {
+ {"SHA256", HASH_OID_SHA256, MAC_OID_SHA256, GNUTLS_MAC_SHA256, 32, 32, 0, 0, 1,
+ 64},
+ {"SHA384", HASH_OID_SHA384, MAC_OID_SHA384, GNUTLS_MAC_SHA384, 48, 48, 0, 0, 1,
+- 64},
++ 128},
+ {"SHA512", HASH_OID_SHA512, MAC_OID_SHA512, GNUTLS_MAC_SHA512, 64, 64, 0, 0, 1,
+- 64},
++ 128},
+ {"SHA224", HASH_OID_SHA224, MAC_OID_SHA224, GNUTLS_MAC_SHA224, 28, 28, 0, 0, 1,
+ 64},
+ {"SHA3-256", HASH_OID_SHA3_256, NULL, GNUTLS_MAC_SHA3_256, 32, 32, 0, 0, 1,
+diff --git a/lib/cipher.c b/lib/cipher.c
+index 84f30637be..c675a64032 100644
+--- a/lib/cipher.c
++++ b/lib/cipher.c
+@@ -459,9 +459,10 @@ static void dummy_wait(record_parameters_st * params,
+ gnutls_datum_t * plaintext, unsigned pad_failed,
+ unsigned int pad, unsigned total)
+ {
+- /* this hack is only needed on CBC ciphers */
++ /* this hack is only needed on CBC ciphers when Encrypt-then-MAC mode
++ * is not supported by the peer. */
+ if (_gnutls_cipher_type(params->cipher) == CIPHER_BLOCK) {
+- unsigned len;
++ unsigned len, v;
+
+ /* force an additional hash compression function evaluation to prevent timing
+ * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad.
+@@ -469,11 +470,14 @@ static void dummy_wait(record_parameters_st * params,
+ if (pad_failed == 0 && pad > 0) {
+ len = _gnutls_mac_block_size(params->mac);
+ if (len > 0) {
+- /* This is really specific to the current hash functions.
+- * It should be removed once a protocol fix is in place.
+- */
+- if ((pad + total) % len > len - 9
+- && total % len <= len - 9) {
++ if (params->mac && params->mac->id == GNUTLS_MAC_SHA384)
++ /* v = 1 for the hash function padding + 16 for message length */
++ v = 17;
++ else /* v = 1 for the hash function padding + 8 for message length */
++ v = 9;
++
++ if ((pad + total) % len > len - v
++ && total % len <= len - v) {
+ if (len < plaintext->size)
+ _gnutls_auth_cipher_add_auth
+ (¶ms->read.
+@@ -814,12 +818,6 @@ ciphertext_to_compressed(gnutls_session_t session,
+ if (unlikely(ret < 0))
+ return gnutls_assert_val(ret);
+
+- /* Here there could be a timing leakage in CBC ciphersuites that
+- * could be exploited if the cost of a successful memcmp is high.
+- * A constant time memcmp would help there, but it is not easy to maintain
+- * against compiler optimizations. Currently we rely on the fact that
+- * a memcmp comparison is negligible over the crypto operations.
+- */
+ if (unlikely
+ (gnutls_memcmp(tag, tag_ptr, tag_size) != 0 || pad_failed != 0)) {
+ /* HMAC was not the same. */
+-- 
+2.21.0
+
diff -Nru gnutls28-3.5.18/debian/patches/CVE-2018-1084x-2.patch gnutls28-3.5.18/debian/patches/CVE-2018-1084x-2.patch
--- gnutls28-3.5.18/debian/patches/CVE-2018-1084x-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnutls28-3.5.18/debian/patches/CVE-2018-1084x-2.patch 2019-05-28 17:16:13.000000000 +0000
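Review bot: The 17-byte correction for the hash length field is chosen by `params->mac->id == GNUTLS_MAC_SHA384` alone, while the mac.c hunk of the same patch also moves SHA512 to a 128-byte block, so any other 128-byte-block HMAC would still take the 9-byte path. Deriving it from the block size already in hand, `v = (len == 128) ? 17 : 9;`, keeps the two tables in agreement and removes the special case; CVE-2018-1084x-2.patch repeats the same id check next to `hash_block` and could use the same form. I am not aware of a SHA512 HMAC ciphersuite being negotiable in this branch, so this is a consistency point rather than an exposed gap. `dummy_wait` starts and ends outside the inner hunks, so the surrounding control flow is not visible here.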
@@ -0,0 +1,107 @@
+From c2e094acd68f7159025b2e2556d6fb4427b41dd7 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Tue, 12 Jun 2018 14:27:57 +0200
+Subject: [PATCH] dummy_wait: always hash the same amount of blocks that would
+ have been on minimum pad
+
+This improves protection against lucky13-type of attacks when
+encrypt-then-mac is not in use.
+
+Resolves #456
+
+Signed-off-by: Nikos Mavrogiannopoulos
+---
+ lib/cipher.c | 63 +++++++++++++++++++++++++++-------------------------
+ 1 file changed, 33 insertions(+), 30 deletions(-)
+
+diff --git a/lib/cipher.c b/lib/cipher.c
+index c675a64032..287f2e8c8a 100644
+--- a/lib/cipher.c
++++ b/lib/cipher.c
+@@ -455,41 +455,42 @@ compressed_to_ciphertext(gnutls_session_t session,
+ return length;
+ }
+
+-static void dummy_wait(record_parameters_st * params,
+- gnutls_datum_t * plaintext, unsigned pad_failed,
+- unsigned int pad, unsigned total)
++static void dummy_wait(record_parameters_st *params,
++ gnutls_datum_t *plaintext,
++ unsigned int mac_data, unsigned int max_mac_data)
+ {
+ /* this hack is only needed on CBC ciphers when Encrypt-then-MAC mode
+ * is not supported by the peer. */
+ if (_gnutls_cipher_type(params->cipher) == CIPHER_BLOCK) {
+- unsigned len, v;
++ unsigned v;
++ unsigned int tag_size =
++ _gnutls_auth_cipher_tag_len(¶ms->read.cipher_state);
++ unsigned hash_block = _gnutls_mac_block_size(params->mac);
+
+- /* force an additional hash compression function evaluation to prevent timing
++ /* force additional hash compression function evaluations to prevent timing
+ * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad.
+ */
+- if (pad_failed == 0 && pad > 0) {
+- len = _gnutls_mac_block_size(params->mac);
+- if (len > 0) {
+- if (params->mac && params->mac->id == GNUTLS_MAC_SHA384)
+- /* v = 1 for the hash function padding + 16 for message length */
+- v = 17;
+- else /* v = 1 for the hash function padding + 8 for message length */
+- v = 9;
+-
+- if ((pad + total) % len > len - v
+- && total % len <= len - v) {
+- if (len < plaintext->size)
+- _gnutls_auth_cipher_add_auth
+- (¶ms->read.
+- cipher_state,
+- plaintext->data, len);
+- else
+- _gnutls_auth_cipher_add_auth
+- (¶ms->read.
+- cipher_state,
+- plaintext->data,
+- plaintext->size);
+- }
++ if (params->mac && params->mac->id == GNUTLS_MAC_SHA384)
++ /* v = 1 for the hash function padding + 16 for message length */
++ v = 17;
++ else /* v = 1 for the hash function padding + 8 for message length */
++ v = 9;
++
++ if (hash_block > 0) {
++ int max_blocks = (max_mac_data+v+hash_block-1)/hash_block;
++ int hashed_blocks = (mac_data+v+hash_block-1)/hash_block;
++ unsigned to_hash;
++
++ max_blocks -= hashed_blocks;
++ if (max_blocks < 1)
++ return;
++
++ to_hash = max_blocks * hash_block;
++ if ((unsigned)to_hash+1+tag_size < plaintext->size) {
++ _gnutls_auth_cipher_add_auth
++ (¶ms->read.cipher_state,
++ plaintext->data+plaintext->size-tag_size-to_hash-1,
++ to_hash);
+ }
+ }
+ }
+@@ -821,8 +822,10 @@ ciphertext_to_compressed(gnutls_session_t session,
+ if (unlikely
+ (gnutls_memcmp(tag, tag_ptr, tag_size) != 0 || pad_failed != 0)) {
+ /* HMAC was not the same. */
+- dummy_wait(params, compressed, pad_failed, pad,
+- length + preamble_size);
++ gnutls_datum_t data = {compressed->data, ciphertext->size};
++
++ dummy_wait(params, &data, length + preamble_size,
++ preamble_size + ciphertext->size - tag_size - 1);
+
+ return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
+ }
+-- 
+2.21.0
+
diff -Nru gnutls28-3.5.18/debian/patches/CVE-2018-1084x-3.patch gnutls28-3.5.18/debian/patches/CVE-2018-1084x-3.patch
--- gnutls28-3.5.18/debian/patches/CVE-2018-1084x-3.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnutls28-3.5.18/debian/patches/CVE-2018-1084x-3.patch 2019-05-28 17:16:17.000000000 +0000
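Review bot: The call site now builds `gnutls_datum_t data = {compressed->data, ciphertext->size}` and dummy_wait reads backwards from `plaintext->data+plaintext->size-tag_size-to_hash-1`, so the new guard `(unsigned)to_hash+1+tag_size < plaintext->size` bounds the read against the declared length, not against what the `compressed` buffer actually holds. That is presumably fine because a CBC decryption output is as long as its ciphertext, but nothing in the new code states the invariant; a one-line comment at the call, `/* compressed holds ciphertext->size decrypted bytes; dummy_wait only reads inside that range */`, would make it explicit for the next person who resizes either buffer. `ciphertext_to_compressed` begins and ends outside this hunk.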
@@ -0,0 +1,39 @@
+From 62a39773e9d0c4a686a3d8d2b6cca32f82c26cd7 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Tue, 12 Jun 2018 14:29:57 +0200
+Subject: [PATCH] cbc_mac_verify: require minimum padding under SSL3.0
+
+Signed-off-by: Nikos Mavrogiannopoulos
+---
+ lib/cipher.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/cipher.c b/lib/cipher.c
+index 287f2e8c8a..8e7bd8227d 100644
+--- a/lib/cipher.c
++++ b/lib/cipher.c
+@@ -747,8 +747,12 @@ ciphertext_to_compressed(gnutls_session_t session,
+ * because there is a timing channel in that memory access (in certain CPUs).
+ */
+ #ifdef ENABLE_SSL3
+- if (ver->id != GNUTLS_SSL3)
++ if (ver->id == GNUTLS_SSL3) {
++ if (pad >= blocksize)
++ pad_failed = 1;
++ } else
+ #endif
++ {
+ for (i = 2; i <= MIN(256, ciphertext->size); i++) {
+ tmp_pad_failed |=
+ (compressed->
+@@ -756,6 +760,7 @@ ciphertext_to_compressed(gnutls_session_t session,
+ pad_failed |=
+ ((i <= (1 + pad)) & (tmp_pad_failed));
+ }
++ }
+
+ if (unlikely
+ (pad_failed != 0
+-- 
+2.21.0
+
diff -Nru gnutls28-3.5.18/debian/patches/CVE-2018-1084x-4.patch gnutls28-3.5.18/debian/patches/CVE-2018-1084x-4.patch
--- gnutls28-3.5.18/debian/patches/CVE-2018-1084x-4.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnutls28-3.5.18/debian/patches/CVE-2018-1084x-4.patch 2019-05-28 17:16:21.000000000 +0000
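Review bot: The added `} else` sits directly before `#endif`, with the matching `{` after it, so the `else` dangles across a preprocessor boundary and the block reads as a stray compound statement when ENABLE_SSL3 is off; nothing says why SSL 3.0 gets only a length check where TLS checks every padding byte. A comment on the new branch, `/* SSL 3.0 does not define the padding bytes, so only the length can be checked: it must be below the block size */`, and one on the bare `{`, `/* TLS: verify the padding bytes themselves */`, would carry the intent without changing the code. `ciphertext_to_compressed` starts and ends outside the hunk, so the definitions of `pad` and `blocksize` are not visible here.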
@@ -0,0 +1,110 @@
+From c433cdf92349afae66c703bdacedf987f423605e Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Tue, 12 Jun 2018 14:31:40 +0200
+Subject: [PATCH] hmac-sha384 and sha256 ciphersuites were removed from
+ defaults
+
+These ciphersuites are deprecated since the introduction of AEAD
+ciphersuites, and are only necessary for compatibility with older
+servers. Since older servers already support hmac-sha1 there is
+no reason to keep these ciphersuites enabled by default, as they
+increase our attack surface.
+
+Relates #456
+
+Signed-off-by: Nikos Mavrogiannopoulos
+---
+ lib/priority.c | 8 --------
+ tests/dtls1-2-mtu-check.c | 2 +-
+ tests/priorities.c | 12 ++++++------
+ 3 files changed, 7 insertions(+), 15 deletions(-)
+
+diff --git a/lib/priority.c b/lib/priority.c
+index 15d7073ed3..7ce44c7cf4 100644
+--- a/lib/priority.c
++++ b/lib/priority.c
+@@ -417,8 +417,6 @@ static const int* sign_priority_secure192 = _sign_priority_secure192;
+
+ static const int mac_priority_normal_default[] = {
+ GNUTLS_MAC_SHA1,
+- GNUTLS_MAC_SHA256,
+- GNUTLS_MAC_SHA384,
+ GNUTLS_MAC_AEAD,
+ GNUTLS_MAC_MD5,
+ 0
+@@ -426,8 +424,6 @@ static const int mac_priority_normal_default[] = {
+
+ static const int mac_priority_normal_fips[] = {
+ GNUTLS_MAC_SHA1,
+- GNUTLS_MAC_SHA256,
+- GNUTLS_MAC_SHA384,
+ GNUTLS_MAC_AEAD,
+ 0
+ };
+@@ -461,16 +457,12 @@ static const int* mac_priority_suiteb = _mac_priority_suiteb;
+
+ static const int _mac_priority_secure128[] = {
+ GNUTLS_MAC_SHA1,
+- GNUTLS_MAC_SHA256,
+- GNUTLS_MAC_SHA384,
+ GNUTLS_MAC_AEAD,
+ 0
+ };
+ static const int* mac_priority_secure128 = _mac_priority_secure128;
+
+ static const int _mac_priority_secure192[] = {
+- GNUTLS_MAC_SHA256,
+- GNUTLS_MAC_SHA384,
+ GNUTLS_MAC_AEAD,
+ 0
+ };
+diff --git a/tests/dtls1-2-mtu-check.c b/tests/dtls1-2-mtu-check.c
+index 66dd045cd3..47cac926a1 100644
+--- a/tests/dtls1-2-mtu-check.c
++++ b/tests/dtls1-2-mtu-check.c
+@@ -79,7 +79,7 @@ static void dtls_mtu_try(const char *name, const char *client_prio,
+ serverx509cred);
+
+ assert(gnutls_priority_set_direct(server,
+- "NORMAL:+ANON-ECDH:+ANON-DH:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519",
++ "NORMAL:+ANON-ECDH:+ANON-DH:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519:+SHA256",
+ NULL) >= 0);
+ gnutls_transport_set_push_function(server, server_push);
+ gnutls_transport_set_pull_function(server, server_pull);
+diff --git a/tests/priorities.c b/tests/priorities.c
+index fc658898ff..0c423b5bae 100644
+--- a/tests/priorities.c
++++ b/tests/priorities.c
+@@ -93,23 +93,23 @@ try_prio(const char *prio, unsigned expected_cs, unsigned expected_ciphers, unsi
+
+ void doit(void)
+ {
+- const int normal = 57;
+- const int null = 5;
+- const int sec128 = 53;
++ const int normal = 41;
++ const int null = 4;
++ const int sec128 = 37;
+
+ #ifdef ENABLE_FIPS140
+ exit(77);
+ #endif
+
+- try_prio("PFS", 42, 12, __LINE__);
++ try_prio("PFS", 30, 12, __LINE__);
+ try_prio("NORMAL", normal, 12, __LINE__);
+ try_prio("NORMAL:-MAC-ALL:+MD5:+MAC-ALL", normal, 12, __LINE__);
+ try_prio("NORMAL:+CIPHER-ALL", normal, 12, __LINE__); /* all (except null) */
+ try_prio("NORMAL:-CIPHER-ALL:+NULL", null, 1, __LINE__); /* null */
+ try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL", normal + null, 13, __LINE__); /* should be null + all */
+- try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 8, 1, __LINE__); /* should be null + all */
++ try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 4, 1, __LINE__); /* should be null + all */
+ try_prio("PERFORMANCE", normal, 12, __LINE__);
+- try_prio("SECURE256", 22, 6, __LINE__);
++ try_prio("SECURE256", 14, 6, __LINE__);
+ try_prio("SECURE128", sec128, 11, __LINE__);
+ try_prio("SECURE128:+SECURE256", sec128, 11, __LINE__); /* should be the same as SECURE128 */
+ try_prio("SECURE128:+SECURE256:+NORMAL", normal, 12, __LINE__); /* should be the same as NORMAL */
+-- 
+2.21.0
+
diff -Nru gnutls28-3.5.18/debian/patches/CVE-2018-1084x-5.patch gnutls28-3.5.18/debian/patches/CVE-2018-1084x-5.patch
--- gnutls28-3.5.18/debian/patches/CVE-2018-1084x-5.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnutls28-3.5.18/debian/patches/CVE-2018-1084x-5.patch 2019-05-28 17:16:25.000000000 +0000
@@ -0,0 +1,38 @@
+From 9fdd24d53c84cc68dac1be28f8b1436e424ce1f1 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Wed, 13 Jun 2018 12:55:02 +0200
+Subject: [PATCH] tests: pkcs12_encode: fix test for SHA512
+
+We don't support SHA512 in the 3.5.x branch.
+
+Signed-off-by: Nikos Mavrogiannopoulos
+---
+ tests/pkcs12_encode.c | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+diff --git a/tests/pkcs12_encode.c b/tests/pkcs12_encode.c
+index 46c5092e49..e45755789b 100644
+--- a/tests/pkcs12_encode.c
++++ b/tests/pkcs12_encode.c
+@@ -220,18 +220,6 @@ void doit(void)
+ exit(1);
+ }
+
+- ret = gnutls_pkcs12_generate_mac2(pkcs12, GNUTLS_MAC_SHA512, "passwd1");
+- if (ret < 0) {
+- fprintf(stderr, "generate_mac2: %s (%d)\n", gnutls_strerror(ret), ret);
+- exit(1);
+- }
+-
+- ret = gnutls_pkcs12_verify_mac(pkcs12, "passwd1");
+- if (ret < 0) {
+- fprintf(stderr, "verify_mac2: %s (%d)\n", gnutls_strerror(ret), ret);
+- exit(1);
+- }
+-
+ size = sizeof(outbuf);
+ ret =
+ gnutls_pkcs12_export(pkcs12, GNUTLS_X509_FMT_PEM, outbuf,
+-- 
+2.21.0
+
diff -Nru gnutls28-3.5.18/debian/patches/CVE-2019-3829-1.patch gnutls28-3.5.18/debian/patches/CVE-2019-3829-1.patch
--- gnutls28-3.5.18/debian/patches/CVE-2019-3829-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnutls28-3.5.18/debian/patches/CVE-2019-3829-1.patch 2019-05-28 17:16:50.000000000 +0000
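Review bot: Dropping GNUTLS_MAC_SHA256 and GNUTLS_MAC_SHA384 from the NORMAL, FIPS, SECURE128 and SECURE192 MAC lists changes what a stable release negotiates by default: a peer that offers only HMAC-SHA256/384 CBC suites, with neither AEAD nor SHA1, will now fail the handshake. The test hunk had to append `:+SHA256` to the server priority to keep `dtls1-2-mtu-check` passing, which is exactly the opt-in an affected deployment would need; the debian changelog names the removal but it would help operators to state that adding `+SHA256` or `+SHA384` to the priority string restores the previous set, so interop reports can be triaged quickly. The revised expected counts in tests/priorities.c are consistent with two MACs disappearing from each list, but I have not recomputed them.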
@@ -0,0 +1,56 @@
+From d39778e43d1674cb3ab3685157fd299816d535c0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?=
+Date: Tue, 12 Feb 2019 15:09:11 +0100
+Subject: [PATCH] Automatically NULLify after gnutls_free()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This method prevents direct use-after-free and
+double-free issues.
+
+Signed-off-by: Tim Rühsen
+---
+ NEWS | 13 +++++++++++++
+ lib/includes/gnutls/gnutls.h.in | 4 ++++
+ 2 files changed, 17 insertions(+)
+
+#diff --git a/NEWS b/NEWS
+#index b171ef71e8..a59c12091f 100644
+#--- a/NEWS
+#+++ b/NEWS
+#@@ -7,6 +7,19 @@ See the end for copying conditions.
+#
+# * Version 3.6.7 (unreleased)
+#
+#+** libgnutls, gnutls tools: Every gnutls_free() will automatically set
+#+ the free'd pointer to NULL. This prevents possible use-after-free and
+#+ double free issues. Use-after-free will be turned into NULL dereference.
+#+ The counter-measure does not extend to applications using gnutls_free().
+#+
+#+** libgnutls, gnutls tools: Every gnutls_free() will automatically set
+#+ the free'd pointer to NULL. This prevents possible use-after-free and
+#+ double free issues. Use-after-free will be turned into NULL dereference,
+#+ effectively turning harmful attacks like remote-code-executions (RCE) into
+#+ segmentation faults. Double frees may also be used to achieve RCEs - turning
+#+ them into no-ops counter measures this attack at this point.
+#+ This measurement is only active when building libgnutls and the gnutls tools.
+#+
+# ** libgnutls: enforce key usage limitations on certificates more actively.
+# Previously we would enforce it for TLS1.2 protocol, now we enforce it
+# even when TLS1.3 is negotiated, or on client certificates as well. When
+Index: gnutls28-3.5.18/lib/includes/gnutls/gnutls.h.in
+===================================================================
+--- gnutls28-3.5.18.orig/lib/includes/gnutls/gnutls.h.in 2019-05-28 13:16:48.712685376 -0400
++++ gnutls28-3.5.18/lib/includes/gnutls/gnutls.h.in 2019-05-28 13:16:48.708685359 -0400
+@@ -1837,6 +1837,10 @@ extern _SYM_EXPORT gnutls_realloc_functi
+ extern _SYM_EXPORT gnutls_calloc_function gnutls_calloc;
+ extern _SYM_EXPORT gnutls_free_function gnutls_free;
+
++#ifdef GNUTLS_INTERNAL_BUILD
++#define gnutls_free(a) gnutls_free((void *) (a)), a=NULL
++#endif
++
+ extern _SYM_EXPORT char *(*gnutls_strdup) (const char *);
+
+ /* a variant of memset that doesn't get optimized out */
diff -Nru gnutls28-3.5.18/debian/patches/CVE-2019-3829-2.patch gnutls28-3.5.18/debian/patches/CVE-2019-3829-2.patch
--- gnutls28-3.5.18/debian/patches/CVE-2019-3829-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnutls28-3.5.18/debian/patches/CVE-2019-3829-2.patch 2019-05-28 17:18:12.000000000 +0000
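Review bot: `#define gnutls_free(a) gnutls_free((void *) (a)), a=NULL` evaluates `a` twice and requires it to be an assignable lvalue, so an argument with side effects is freed and nulled on different values, and a cast expression such as `(void*)p->name` stops compiling (CVE-2019-3829-2.patch exists to fix exactly those call sites). Because the unparenthesised comma expression is also the macro's value, a use inside a larger expression yields NULL instead of void. A comment above the `#ifdef`, `/* internal builds only: the argument is evaluated twice and must be a side-effect-free lvalue */`, would warn the next contributor; the GNUTLS_INTERNAL_BUILD guard correctly keeps the installed header unchanged for applications. The NEWS part of the upstream commit is carried with every line prefixed by `#`, which patch should treat as leading garbage and skip, so the backport does not depend on a NEWS file that this branch does not match.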
@@ -0,0 +1,28 @@
+Description: fix casts used in gnutls_free
+Origin: https://gitlab.com/gnutls/gnutls/commit/372821c883a3d36ed3ed683844ad9d90818f6392
+
+Index: gnutls28-3.5.18/lib/extensions.c
+===================================================================
+--- gnutls28-3.5.18.orig/lib/extensions.c 2019-05-29 08:16:41.366797550 -0400
++++ gnutls28-3.5.18/lib/extensions.c 2019-05-29 08:17:03.718897584 -0400
+@@ -418,9 +418,8 @@ void _gnutls_ext_deinit(void)
+ unsigned i;
+ for (i = 0; extfunc[i] != NULL; i++) {
+ if (extfunc[i]->free_struct != 0) {
+- gnutls_free((void*)extfunc[i]->name);
+- gnutls_free((void*)extfunc[i]);
+- extfunc[i] = NULL;
++ gnutls_free(((extension_entry_st *)extfunc[i])->name);
++ gnutls_free(extfunc[i]);
+ }
+ }
+ }
+@@ -821,7 +820,7 @@ gnutls_ext_register(const char *name, in
+
+ ret = ext_register(tmp_mod);
+ if (ret < 0) {
+- gnutls_free((void*)tmp_mod->name);
++ gnutls_free(((extension_entry_st *)tmp_mod)->name);
+ gnutls_free(tmp_mod);
+ }
+ return ret;
diff -Nru gnutls28-3.5.18/debian/patches/CVE-2019-3829-3.patch gnutls28-3.5.18/debian/patches/CVE-2019-3829-3.patch
--- gnutls28-3.5.18/debian/patches/CVE-2019-3829-3.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnutls28-3.5.18/debian/patches/CVE-2019-3829-3.patch 2019-05-28 17:17:22.000000000 +0000
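Review bot: Removing the explicit `extfunc[i] = NULL;` makes `_gnutls_ext_deinit` depend on `gnutls_free(extfunc[i])` expanding to the NULLifying macro, that is on GNUTLS_INTERNAL_BUILD being defined when lib/extensions.c is compiled; if that flag were not set for the library objects in this tree, the freed entries would remain in the table as dangling pointers, which the old line prevented unconditionally. Confirming the flag in the library build, or keeping the assignment (harmless under the macro), closes that gap. The new casts `((extension_entry_st *)extfunc[i])->name` drop const so the macro has an lvalue to assign, which is not obvious at a glance; a comment such as `/* cast away const: gnutls_free() also assigns NULL to its argument */` would explain why the previous `(void*)` cast was no longer acceptable. Both functions start outside the hunks shown.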
@@ -0,0 +1,27 @@
+From 6b5cbc9ea5bdca704bdbe2f8fb551f720d634bc6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?=
+Date: Tue, 12 Feb 2019 15:20:23 +0100
+Subject: [PATCH] gnutls_x509_crt_init: Fix dereference of NULL pointer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Tim Rühsen
+---
+ lib/x509/x509.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: gnutls28-3.5.18/lib/x509/x509.c
+===================================================================
+--- gnutls28-3.5.18.orig/lib/x509/x509.c 2019-05-28 13:17:18.736815987 -0400
++++ gnutls28-3.5.18/lib/x509/x509.c 2019-05-28 13:17:18.732815969 -0400
+@@ -223,8 +223,8 @@ int gnutls_x509_crt_init(gnutls_x509_crt
+ if (result < 0) {
+ gnutls_assert();
+ asn1_delete_structure(&tmp->cert);
+- gnutls_free(tmp);
+ gnutls_subject_alt_names_deinit(tmp->san);
++ gnutls_free(tmp);
+ return result;
+ }
+
diff -Nru gnutls28-3.5.18/debian/patches/add-openssl-test-link.patch gnutls28-3.5.18/debian/patches/add-openssl-test-link.patch
--- gnutls28-3.5.18/debian/patches/add-openssl-test-link.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnutls28-3.5.18/debian/patches/add-openssl-test-link.patch 2018-01-16 17:04:03.000000000 +0000
@@ -0,0 +1,14 @@
+Description: avoid link failure because of missing ssl
+Author: Gianfranco Costamagna
+
+--- a/tests/slow/Makefile.am
++++ b/tests/slow/Makefile.am
+@@ -57,7 +57,7 @@ check_PROGRAMS = $(ctests) cipher-test c
+ TESTS = $(ctests) test-ciphers.sh override-ciphers test-hash-large.sh
+
+ if HAVE_LIBCRYPTO
+-cipher_openssl_compat_LDFLAGS = $(LDADD) $(LIBCRYPTO)
++cipher_openssl_compat_LDADD = $(LDADD) $(LIBCRYPTO)
+
+ dist_check_SCRIPTS += test-ciphers-openssl.sh
+ check_PROGRAMS += cipher-openssl-compat
diff -Nru gnutls28-3.5.18/debian/patches/disable_global_init_override_test.patch gnutls28-3.5.18/debian/patches/disable_global_init_override_test.patch
--- gnutls28-3.5.18/debian/patches/disable_global_init_override_test.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnutls28-3.5.18/debian/patches/disable_global_init_override_test.patch 2018-01-16 17:04:39.000000000 +0000
@@ -0,0 +1,15 @@
+Description: disable failing test
+Author: Marc Deslauriers
+Forwarded: no
+
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -102,7 +102,7 @@ ctests = mini-record-2 simple gc set_pkc
+ fallback-scsv pkcs8-key-decode urls dtls-rehandshake-cert \
+ key-usage-rsa key-usage-ecdhe-rsa mini-session-verify-function auto-verify \
+ record-timeouts mini-dtls-hello-verify-48 mini-x509-default-prio \
+- mini-x509-dual global-init-override tlsext-decoding rsa-psk-cb \
++ mini-x509-dual tlsext-decoding rsa-psk-cb \
+ rehandshake-switch-cert rehandshake-switch-cert-allow rehandshake-switch-cert-client \
+ rehandshake-switch-cert-client-allow handshake-versions dtls-handshake-versions \
+ dtls-max-record tls-max-record alpn-server-prec ocsp-filename-memleak \
diff -Nru gnutls28-3.5.18/debian/patches/series gnutls28-3.5.18/debian/patches/series
--- gnutls28-3.5.18/debian/patches/series 2018-01-28 17:18:27.000000000 +0000
+++ gnutls28-3.5.18/debian/patches/series 2019-05-28 17:18:12.000000000 +0000
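Review bot: The header of disable_global_init_override_test.patch records only `Description: disable failing test` and `Forwarded: no`, so nothing says why `global-init-override` fails in this build or under what condition the test could be restored, and the skip has now been carried across several merges according to the changelog. Recording the observed failure and a bug reference in the header, e.g. `Description: drop global-init-override from ctests; it fails in the Ubuntu build (see <bug reference>)`, lets the next merge check whether the exclusion is still needed instead of carrying it forward blindly. The add-openssl-test-link.patch hunk above it is a straightforward LDFLAGS to LDADD correction and needs nothing further.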
@@ -1,3 +1,13 @@
 14_version_gettextcat.diff
 30_guile-snarf.diff
 35_modernize_gtkdoc.diff
+add-openssl-test-link.patch
+disable_global_init_override_test.patch
+CVE-2018-1084x-1.patch
+CVE-2018-1084x-2.patch
+CVE-2018-1084x-3.patch
+CVE-2018-1084x-4.patch
+CVE-2018-1084x-5.patch
+CVE-2019-3829-1.patch
+CVE-2019-3829-2.patch
+CVE-2019-3829-3.patch