diffstat of debian/ for gnutls28_3.6.5-2 gnutls28_3.6.5-2ubuntu1.1 changelog | 142 +++ control | 3 patches/CVE-2019-3829-1.patch | 56 + patches/CVE-2019-3829-2.patch | 879 ++++++++++++++++++++++++ patches/CVE-2019-3829-3.patch | 30 patches/CVE-2019-3836.patch | 26 patches/add-openssl-test-link.patch | 14 patches/disable_global_init_override_test.patch | 15 patches/series | 6 9 files changed, 1170 insertions(+), 1 deletion(-) diff -Nru gnutls28-3.6.5/debian/changelog gnutls28-3.6.5/debian/changelog --- gnutls28-3.6.5/debian/changelog 2018-12-16 12:56:19.000000000 +0000 +++ gnutls28-3.6.5/debian/changelog 2019-05-28 17:00:08.000000000 +0000 @@ -1,3 +1,30 @@ +gnutls28 (3.6.5-2ubuntu1.1) disco-security; urgency=medium + + * SECURITY UPDATE: double free in cert verification API + - debian/patches/CVE-2019-3829-1.patch: automatically NULLify after + gnutls_free() in lib/includes/gnutls/gnutls.h.in. + - debian/patches/CVE-2019-3829-2.patch: remove redundant resets of + variables after free(). + - debian/patches/CVE-2019-3829-3.patch: fix dereference of NULL pointer + in lib/x509/x509.c. + - CVE-2019-3829 + * SECURITY UPDATE: uninitialized pointer access + - debian/patches/CVE-2019-3836.patch: add missing initialization of + local variable in lib/handshake-tls13.c. + - CVE-2019-3836 + + -- Marc Deslauriers Tue, 28 May 2019 13:00:08 -0400 + +gnutls28 (3.6.5-2ubuntu1) disco; urgency=low + + * Merge from Debian unstable. Remaining changes: + - debian/patches/disable_global_init_override_test.patch: disable + failing test. + - debian/patches/add-openssl-test-link.patch: add link for libssl + * this is a new upstream release including a fix for LP: #1804673 + + -- Julian Andres Klode Tue, 18 Dec 2018 17:24:06 +0100 + gnutls28 (3.6.5-2) unstable; urgency=low * Upload to unstable. 
@@ -19,6 +46,24 @@ -- Andreas Metzler Wed, 05 Dec 2018 19:11:28 +0100 +gnutls28 (3.6.4-2ubuntu2) disco; urgency=medium + + * No-change rebuild against libunbound8 + + -- Steve Langasek Sun, 11 Nov 2018 09:01:12 +0000 + +gnutls28 (3.6.4-2ubuntu1) cosmic; urgency=medium + + * Merge from Debian unstable. Remaining changes: + - debian/patches/disable_global_init_override_test.patch: disable + failing test. + - debian/patches/add-openssl-test-link.patch: add link for libssl + * 0001-Skip-tests-tls13-prf.c-if-visibility-protected-doesn.patch: + cherrypick upstream patch to fix test-suite with symbolic-functions + * This upstream release includes TLS 1.3 support. + + -- Dimitri John Ledkov Fri, 05 Oct 2018 17:12:04 +0100 + gnutls28 (3.6.4-2) experimental; urgency=medium * Delete 50_fedora_gnutls-3.6.3-rollback-fix.patch. 
@@ -339,6 +384,36 @@ -- Andreas Metzler Sun, 12 Feb 2017 19:37:32 +0100 +gnutls28 (3.5.8-6ubuntu3) artful; urgency=medium + + * Cherry pick several fixes from Debian 3.5.8-5+deb9u3: + - 38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch + 38_02-OCSP-find_signercert-improved-DER-length-calculation.patch from + gnutls 3.5.14: Fix OCSP verification errors, especially with ecdsa + signatures. LP: #1714506 + - 37_aarch64-fix-AES-GCM-in-place-encryption-and-decrypti.patch from + upstream 3.5.x branch: Fix breakage if AES-GCM in-place encryption and + decryption on aarch64. LP: #1707172 + + -- Julian Andres Klode Sat, 02 Sep 2017 16:12:49 +0200 + +gnutls28 (3.5.8-6ubuntu2) artful; urgency=medium + + * use_normal_priority_for_openssl_sslv23.diff by Andreas Metzler: + OpenSSL wrapper: SSLv23_*_method translates to NORMAL GnuTLS priority, + which includes TLS1.2 support. (LP: #1709193) + + -- Simon Deziel Thu, 10 Aug 2017 00:34:06 +0000 + +gnutls28 (3.5.8-6ubuntu1) artful; urgency=medium + + * Merge with Debian. Remaining changes: + - debian/patches/disable_global_init_override_test.patch: disable + failing test. + - debian/patches/add-openssl-test-link.patch: add link for libssl + + -- Marc Deslauriers Tue, 13 Jun 2017 13:19:05 -0400 + gnutls28 (3.5.8-6) unstable; urgency=high * 36_CVE-2017-7507_*.patch: Pulled from 3.5.13, fix crash upon receiving @@ -347,6 +422,15 @@ -- Andreas Metzler Sun, 11 Jun 2017 10:44:33 +0200 +gnutls28 (3.5.8-5ubuntu1) artful; urgency=medium + + * Merge with Debian. Remaining changes: + - debian/patches/disable_global_init_override_test.patch: disable + failing test. + - debian/patches/add-openssl-test-link.patch: add link for libssl + + -- Marc Deslauriers Wed, 03 May 2017 10:00:32 -0400 + gnutls28 (3.5.8-5) unstable; urgency=medium * 35_01_z_opencdk-read-packet.c-corrected-typo-in-type-cast.patch: Fix typo 
@@ -495,6 +579,54 @@ -- Andreas Metzler Sun, 13 Nov 2016 19:09:55 +0100 +gnutls28 (3.5.6-4ubuntu4) zesty; urgency=medium + + * Fix FTBFS because of failing test (LP: #1679868) + - debian/patches/fix_tests_timezone.patch: address test suite failure + due to timezone differences in tests/cert-tests/pkcs7. + + -- Marc Deslauriers Wed, 05 Apr 2017 10:06:24 -0400 + +gnutls28 (3.5.6-4ubuntu3) zesty; urgency=medium + + * SECURITY UPDATE: double-free when reading proxy language + - debian/patches/CVE-2017-5334.patch: fix double-free in + lib/x509/x509_ext.c. + - CVE-2017-5334 + * SECURITY UPDATE: out of memory error in stream reading functions + - debian/patches/CVE-2017-5335.patch: add error checking to + lib/opencdk/read-packet.c. + - CVE-2017-5335 + * SECURITY UPDATE: stack overflow in cdk_pk_get_keyid + - debian/patches/CVE-2017-5336.patch: check return code in + lib/opencdk/pubkey.c. + - CVE-2017-5336 + * SECURITY UPDATE: heap read overflow when reading streams + - debian/patches/CVE-2017-5337.patch: add more precise checks to + lib/opencdk/read-packet.c. + - CVE-2017-5337 + + -- Marc Deslauriers Wed, 01 Feb 2017 14:21:40 -0500 + +gnutls28 (3.5.6-4ubuntu2) zesty; urgency=medium + + * d/p/dname-api-*.patch fix gnutls api breakage on dname order in + gnutls 3.5.6 (LP: #1641615) + - d/libgnutls30.symbols add new symbols added by the upstream fix + + -- Christian Ehrhardt Thu, 17 Nov 2016 08:39:43 +0100 + +gnutls28 (3.5.6-4ubuntu1) zesty; urgency=medium + + * Merge with Debian. Remaining changes: + - debian/patches/disable_global_init_override_test.patch: disable failing + test. + - debian/patches/add-openssl-test-link.patch: add link for libssl + * New upstream version avoids getrandom() at initialization which caused + NetworkManager to hang at boot. (LP: #1622893) + + -- Martin Pitt Mon, 14 Nov 2016 12:47:23 +0100 + gnutls28 (3.5.6-4) unstable; urgency=medium * Pull 40_01_sockets-only-use-gnutls_bye-on-a-valid-socket-sessio.patch 
@@ -600,6 +732,15 @@ -- Andreas Metzler Sat, 10 Sep 2016 14:45:06 +0200 +gnutls28 (3.5.3-5ubuntu1) yakkety; urgency=medium + + * Merge with Debian (LP: #1624856). Remaining changes: + - debian/patches/disable_global_init_override_test.patch: disable failing + test. + - debian/patches/add-openssl-test-link.patch: add link for libssl + + -- Anders Kaseorg Sun, 18 Sep 2016 08:03:47 -0400 + gnutls28 (3.5.3-5) experimental; urgency=medium * Pull DTLS fixes from upstream GIT master. @@ -3480,3 +3621,4 @@ * debian/rules: Run auto* after the patches have been applied. -- Ivo Timmermans Fri, 31 Oct 2003 18:47:09 +0100 + diff -Nru gnutls28-3.6.5/debian/control gnutls28-3.6.5/debian/control --- gnutls28-3.6.5/debian/control 2018-12-16 10:24:01.000000000 +0000 +++ gnutls28-3.6.5/debian/control 2018-12-18 16:24:06.000000000 +0000 @@ -1,7 +1,8 @@ Source: gnutls28 Section: libs Priority: optional -Maintainer: Debian GnuTLS Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian GnuTLS Maintainers Uploaders: Andreas Metzler , Eric Dorland , diff -Nru gnutls28-3.6.5/debian/patches/CVE-2019-3829-1.patch gnutls28-3.6.5/debian/patches/CVE-2019-3829-1.patch --- gnutls28-3.6.5/debian/patches/CVE-2019-3829-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnutls28-3.6.5/debian/patches/CVE-2019-3829-1.patch 2019-05-28 16:58:45.000000000 +0000 
@@ -0,0 +1,56 @@ +From d39778e43d1674cb3ab3685157fd299816d535c0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim=20R=C3=BChsen?= +Date: Tue, 12 Feb 2019 15:09:11 +0100 +Subject: [PATCH] Automatically NULLify after gnutls_free() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This method prevents direct use-after-free and +double-free issues. + +Signed-off-by: Tim Rühsen +--- + NEWS | 13 +++++++++++++ + lib/includes/gnutls/gnutls.h.in | 4 ++++ + 2 files changed, 17 insertions(+) + +#diff --git a/NEWS b/NEWS +#index b171ef71e8..a59c12091f 100644 +#--- a/NEWS +#+++ b/NEWS +#@@ -7,6 +7,19 @@ See the end for copying conditions. +# +# * Version 3.6.7 (unreleased) +# +#+** libgnutls, gnutls tools: Every gnutls_free() will automatically set +#+ the free'd pointer to NULL. This prevents possible use-after-free and +#+ double free issues. Use-after-free will be turned into NULL dereference. +#+ The counter-measure does not extend to applications using gnutls_free(). +#+ +#+** libgnutls, gnutls tools: Every gnutls_free() will automatically set +#+ the free'd pointer to NULL. This prevents possible use-after-free and +#+ double free issues. Use-after-free will be turned into NULL dereference, +#+ effectively turning harmful attacks like remote-code-executions (RCE) into +#+ segmentation faults. Double frees may also be used to achieve RCEs - turning +#+ them into no-ops counter measures this attack at this point. +#+ This measurement is only active when building libgnutls and the gnutls tools. +#+ +# ** libgnutls: enforce key usage limitations on certificates more actively. +# Previously we would enforce it for TLS1.2 protocol, now we enforce it +# even when TLS1.3 is negotiated, or on client certificates as well. 
When +Index: gnutls28-3.6.5/lib/includes/gnutls/gnutls.h.in +=================================================================== +--- gnutls28-3.6.5.orig/lib/includes/gnutls/gnutls.h.in 2019-05-28 12:58:41.451906986 -0400 ++++ gnutls28-3.6.5/lib/includes/gnutls/gnutls.h.in 2019-05-28 12:58:41.447906970 -0400 +@@ -2170,6 +2170,10 @@ extern _SYM_EXPORT gnutls_realloc_functi + extern _SYM_EXPORT gnutls_calloc_function gnutls_calloc; + extern _SYM_EXPORT gnutls_free_function gnutls_free; + ++#ifdef GNUTLS_INTERNAL_BUILD ++#define gnutls_free(a) gnutls_free((void *) (a)), a=NULL ++#endif ++ + extern _SYM_EXPORT char *(*gnutls_strdup) (const char *); + + /* a variant of memset that doesn't get optimized out */ diff -Nru gnutls28-3.6.5/debian/patches/CVE-2019-3829-2.patch gnutls28-3.6.5/debian/patches/CVE-2019-3829-2.patch --- gnutls28-3.6.5/debian/patches/CVE-2019-3829-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnutls28-3.6.5/debian/patches/CVE-2019-3829-2.patch 2019-05-28 16:59:01.000000000 +0000 
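Review bot: The `gnutls_free(a)` macro added to lib/includes/gnutls/gnutls.h.in expands to a bare comma expression and uses its argument twice. An argument with side effects would therefore be evaluated twice, and the unparenthesised `a=NULL` can bind unexpectedly when the macro is used inside a larger expression. Parenthesising both the expansion and the second use keeps it a single expression: `#define gnutls_free(a) (gnutls_free((void *) (a)), (a) = NULL)`. A short comment above the macro should say that the argument must be a modifiable lvalue, and that only the expression passed is reset, so other copies of the same pointer stay dangling. Since this is a backport, the change is best raised upstream rather than carried only in debian/patches.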
@@ -0,0 +1,879 @@ +From 372821c883a3d36ed3ed683844ad9d90818f6392 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim=20R=C3=BChsen?= +Date: Tue, 12 Feb 2019 15:14:07 +0100 +Subject: [PATCH] Remove redundant resets of variables after free() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Tim Rühsen +--- + lib/auth.c | 3 --- + lib/auth/rsa.c | 5 ++--- + lib/auth/rsa_psk.c | 1 - + lib/auth/srp_sb64.c | 2 -- + lib/cert-cred-x509.c | 3 --- + lib/cert-cred.c | 3 --- + lib/hello_ext.c | 5 ++--- + lib/mpi.c | 1 - + lib/nettle/mpi.c | 2 -- + lib/nettle/pk.c | 3 --- + lib/ocsp-api.c | 1 - + lib/pk.c | 2 -- + lib/pkcs11.c | 1 - + lib/pkcs11_privkey.c | 6 +----- + lib/pkcs11_write.c | 1 - + lib/session_pack.c | 2 -- + lib/srp.c | 1 - + lib/str.c | 2 +- + lib/tls13/certificate_request.c | 2 -- + lib/tpm.c | 2 -- + lib/x509/ocsp.c | 15 +++------------ + lib/x509/pkcs12_bag.c | 1 - + lib/x509/pkcs7-crypt.c | 1 - + lib/x509/pkcs7.c | 6 ------ + lib/x509/privkey_pkcs8.c | 1 - + lib/x509/verify-high2.c | 1 - + lib/x509/virt-san.c | 1 - + lib/x509/x509.c | 4 ---- + lib/x509/x509_ext.c | 1 - + lib/x509_b64.c | 1 - + tests/cert.c | 2 -- + tests/gnutls_session_set_id.c | 1 - + tests/name-constraints-ip.c | 3 +-- + tests/pkcs11/pkcs11-import-url-privkey.c | 2 -- + tests/pkcs11/pkcs11-privkey-always-auth.c | 2 -- + tests/pkcs11/pkcs11-privkey-fork-reinit.c | 1 - + tests/pkcs11/pkcs11-privkey-fork.c | 1 - + tests/pkcs11/pkcs11-privkey-safenet-always-auth.c | 2 -- + tests/pkcs7.c | 2 -- + tests/resume-dtls.c | 1 - + tests/resume.c | 1 - + tests/sign-verify-data.c | 1 - + tests/sign-verify-ext.c | 2 -- + tests/sign-verify-ext4.c | 2 -- + tests/sign-verify.c | 1 - + tests/x509-extensions.c | 1 - + tests/x509sign-verify-error.c | 1 - + 47 files changed, 10 insertions(+), 96 deletions(-) + +Index: gnutls28-3.6.5/lib/auth.c +=================================================================== +--- gnutls28-3.6.5.orig/lib/auth.c 2019-05-28 
12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/auth.c 2019-05-28 12:58:49.723941445 -0400 +@@ -349,8 +349,6 @@ void _gnutls_free_auth_info(gnutls_sessi + + gnutls_free(info->raw_certificate_list); + gnutls_free(info->raw_ocsp_list); +- info->raw_certificate_list = NULL; +- info->raw_ocsp_list = NULL; + info->ncerts = 0; + info->nocsp = 0; + +@@ -367,7 +365,6 @@ void _gnutls_free_auth_info(gnutls_sessi + } + + gnutls_free(session->key.auth_info); +- session->key.auth_info = NULL; + session->key.auth_info_size = 0; + session->key.auth_info_type = 0; + +Index: gnutls28-3.6.5/lib/auth/rsa.c +=================================================================== +--- gnutls28-3.6.5.orig/lib/auth/rsa.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/auth/rsa.c 2019-05-28 12:58:49.723941445 -0400 +@@ -200,9 +200,8 @@ proc_rsa_client_kx(gnutls_session_t sess + ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data, + GNUTLS_MASTER_SIZE); + if (ret < 0) { +- gnutls_free(session->key.key.data); +- session->key.key.data = NULL; +- session->key.key.size = 0; ++ gnutls_free(session->key.key.data); ++ session->key.key.size = 0; + gnutls_assert(); + return ret; + } +Index: gnutls28-3.6.5/lib/auth/rsa_psk.c +=================================================================== +--- gnutls28-3.6.5.orig/lib/auth/rsa_psk.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/auth/rsa_psk.c 2019-05-28 12:58:49.723941445 -0400 +@@ -341,7 +341,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se + ("auth_rsa_psk: Possible PKCS #1 format attack\n"); + if (ret >= 0) { + gnutls_free(plaintext.data); +- plaintext.data = NULL; + } + randomize_key = 1; + } else { +Index: gnutls28-3.6.5/lib/auth/srp_sb64.c +=================================================================== +--- gnutls28-3.6.5.orig/lib/auth/srp_sb64.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/auth/srp_sb64.c 2019-05-28 12:58:49.723941445 -0400 +@@ -263,7 +263,6 @@ _gnutls_sbase64_decode(char *data, 
size_ + tmp = decode(tmpres, datrev); + if (tmp < 0) { + gnutls_free((*result)); +- *result = NULL; + return tmp; + } + +@@ -277,7 +276,6 @@ _gnutls_sbase64_decode(char *data, size_ + tmp = decode(tmpres, (uint8_t *) & data[i]); + if (tmp < 0) { + gnutls_free((*result)); +- *result = NULL; + return tmp; + } + memcpy(&(*result)[j], tmpres, tmp); +Index: gnutls28-3.6.5/lib/cert-cred-x509.c +=================================================================== +--- gnutls28-3.6.5.orig/lib/cert-cred-x509.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/cert-cred-x509.c 2019-05-28 12:58:49.723941445 -0400 +@@ -296,7 +296,6 @@ parse_pem_cert_mem(gnutls_certificate_cr + gnutls_pcert_import_x509_list(pcerts, unsorted, &ncerts, GNUTLS_X509_CRT_LIST_SORT); + if (ret < 0) { + gnutls_free(pcerts); +- pcerts = NULL; + gnutls_assert(); + goto cleanup; + } +@@ -540,7 +539,6 @@ read_cert_url(gnutls_certificate_credent + goto cleanup; + } + gnutls_free(t.data); +- t.data = NULL; + } + + ret = certificate_credential_append_keypair(res, key, names, ccert, count); +@@ -991,7 +989,6 @@ gnutls_certificate_get_x509_crt(gnutls_c + while (i--) + gnutls_x509_crt_deinit((*crt_list)[i]); + gnutls_free(*crt_list); +- *crt_list = NULL; + + return gnutls_assert_val(ret); + } +Index: gnutls28-3.6.5/lib/cert-cred.c +=================================================================== +--- gnutls28-3.6.5.orig/lib/cert-cred.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/cert-cred.c 2019-05-28 12:58:49.723941445 -0400 +@@ -63,7 +63,6 @@ void gnutls_certificate_free_keys(gnutls + + for (j = 0; j < sc->certs[i].ocsp_data_length; j++) { + gnutls_free(sc->certs[i].ocsp_data[j].response.data); +- sc->certs[i].ocsp_data[j].response.data = NULL; + } + _gnutls_str_array_clear(&sc->certs[i].names); + gnutls_privkey_deinit(sc->certs[i].pkey); +@@ -71,8 +70,6 @@ void gnutls_certificate_free_keys(gnutls + + gnutls_free(sc->certs); + gnutls_free(sc->sorted_cert_idx); +- sc->certs = NULL; 
+- sc->sorted_cert_idx = NULL; + + sc->ncerts = 0; + } +Index: gnutls28-3.6.5/lib/hello_ext.c +=================================================================== +--- gnutls28-3.6.5.orig/lib/hello_ext.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/hello_ext.c 2019-05-28 12:58:49.723941445 -0400 +@@ -464,9 +464,8 @@ void _gnutls_hello_ext_deinit(void) + continue; + + if (extfunc[i]->free_struct != 0) { +- gnutls_free((void*)extfunc[i]->name); +- gnutls_free((void*)extfunc[i]); +- extfunc[i] = NULL; ++ gnutls_free(((hello_ext_entry_st *)extfunc[i])->name); ++ gnutls_free(extfunc[i]); + } + } + } +Index: gnutls28-3.6.5/lib/mpi.c +=================================================================== +--- gnutls28-3.6.5.orig/lib/mpi.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/mpi.c 2019-05-28 12:58:49.723941445 -0400 +@@ -88,7 +88,6 @@ _gnutls_mpi_random_modp(bigint_t r, bigi + + if (buf_release != 0) { + gnutls_free(buf); +- buf = NULL; + } + + if (r != NULL) { +Index: gnutls28-3.6.5/lib/nettle/mpi.c +=================================================================== +--- gnutls28-3.6.5.orig/lib/nettle/mpi.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/nettle/mpi.c 2019-05-28 12:58:49.723941445 -0400 +@@ -122,7 +122,6 @@ static int wrap_nettle_mpi_init_multi(bi + fail: + mpz_clear(TOMPZ(*w)); + gnutls_free(*w); +- *w = NULL; + + va_start(args, w); + +@@ -131,7 +130,6 @@ fail: + if (next != last_failed) { + mpz_clear(TOMPZ(*next)); + gnutls_free(*next); +- *next = NULL; + } + } while(next != last_failed); + +Index: gnutls28-3.6.5/lib/nettle/pk.c +=================================================================== +--- gnutls28-3.6.5.orig/lib/nettle/pk.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/nettle/pk.c 2019-05-28 12:58:49.723941445 -0400 +@@ -371,7 +371,6 @@ dh_cleanup: + + if (_gnutls_mem_is_zero(out->data, out->size)) { + gnutls_free(out->data); +- out->data = NULL; + gnutls_assert(); + ret = 
GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + goto cleanup; +@@ -2254,8 +2253,6 @@ wrap_nettle_pk_generate_keys(gnutls_pk_a + params->params_nr = 0; + gnutls_free(params->raw_priv.data); + gnutls_free(params->raw_pub.data); +- params->raw_priv.data = NULL; +- params->raw_pub.data = NULL; + + FAIL_IF_LIB_ERROR; + return ret; +Index: gnutls28-3.6.5/lib/ocsp-api.c +=================================================================== +--- gnutls28-3.6.5.orig/lib/ocsp-api.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/ocsp-api.c 2019-05-28 12:58:49.723941445 -0400 +@@ -473,7 +473,6 @@ gnutls_certificate_set_ocsp_status_reque + nresp++; + + gnutls_free(der.data); +- der.data = NULL; + + p.data++; + p.size--; +Index: gnutls28-3.6.5/lib/pk.c +=================================================================== +--- gnutls28-3.6.5.orig/lib/pk.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/pk.c 2019-05-28 12:58:49.723941445 -0400 +@@ -537,8 +537,6 @@ void gnutls_pk_params_release(gnutls_pk_ + } + gnutls_free(p->raw_priv.data); + gnutls_free(p->raw_pub.data); +- p->raw_priv.data = NULL; +- p->raw_pub.data = NULL; + + p->params_nr = 0; + } +Index: gnutls28-3.6.5/lib/pkcs11.c +=================================================================== +--- gnutls28-3.6.5.orig/lib/pkcs11.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/pkcs11.c 2019-05-28 12:58:49.723941445 -0400 +@@ -1231,7 +1231,6 @@ int gnutls_pkcs11_obj_init(gnutls_pkcs11 + (*obj)->info = p11_kit_uri_new(); + if ((*obj)->info == NULL) { + gnutls_free(*obj); +- *obj = NULL; + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } +Index: gnutls28-3.6.5/lib/pkcs11_privkey.c +=================================================================== +--- gnutls28-3.6.5.orig/lib/pkcs11_privkey.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/pkcs11_privkey.c 2019-05-28 12:58:49.723941445 -0400 +@@ -443,7 +443,6 @@ _gnutls_pkcs11_privkey_sign(gnutls_pkcs1 + } + + 
gnutls_free(tmp.data); +- tmp.data = NULL; + } else { + signature->size = siglen; + signature->data = tmp.data; +@@ -521,10 +520,8 @@ gnutls_pkcs11_privkey_import_url(gnutls_ + + memset(&pkey->sinfo, 0, sizeof(pkey->sinfo)); + +- if (pkey->url) { ++ if (pkey->url) + gnutls_free(pkey->url); +- pkey->url = NULL; +- } + + if (pkey->uinfo) { + p11_kit_uri_free(pkey->uinfo); +@@ -613,7 +610,6 @@ gnutls_pkcs11_privkey_import_url(gnutls_ + pkey->uinfo = NULL; + } + gnutls_free(pkey->url); +- pkey->url = NULL; + + return ret; + } +Index: gnutls28-3.6.5/lib/pkcs11_write.c +=================================================================== +--- gnutls28-3.6.5.orig/lib/pkcs11_write.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/pkcs11_write.c 2019-05-28 12:58:49.723941445 -0400 +@@ -268,7 +268,6 @@ static void clean_pubkey(struct ck_attri + case CKA_EC_PARAMS: + case CKA_EC_POINT: + gnutls_free(a[i].value); +- a[i].value = NULL; + break; + } + } +Index: gnutls28-3.6.5/lib/session_pack.c +=================================================================== +--- gnutls28-3.6.5.orig/lib/session_pack.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/session_pack.c 2019-05-28 12:58:49.723941445 -0400 +@@ -574,8 +574,6 @@ unpack_certificate_auth_info(gnutls_sess + + gnutls_free(info->raw_certificate_list); + gnutls_free(info->raw_ocsp_list); +- info->raw_certificate_list = NULL; +- info->raw_ocsp_list = NULL; + } + + return ret; +Index: gnutls28-3.6.5/lib/srp.c +=================================================================== +--- gnutls28-3.6.5.orig/lib/srp.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/srp.c 2019-05-28 12:58:49.723941445 -0400 +@@ -608,7 +608,6 @@ gnutls_srp_set_server_credentials_file(g + if (res->password_conf_file == NULL) { + gnutls_assert(); + gnutls_free(res->password_file); +- res->password_file = NULL; + return GNUTLS_E_MEMORY_ERROR; + } + +Index: gnutls28-3.6.5/lib/str.c 
+=================================================================== +--- gnutls28-3.6.5.orig/lib/str.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/str.c 2019-05-28 12:58:49.723941445 -0400 +@@ -81,7 +81,7 @@ void _gnutls_buffer_clear(gnutls_buffer_ + return; + gnutls_free(str->allocd); + +- str->data = str->allocd = NULL; ++ str->data = NULL; + str->max_length = 0; + str->length = 0; + } +Index: gnutls28-3.6.5/lib/tls13/certificate_request.c +=================================================================== +--- gnutls28-3.6.5.orig/lib/tls13/certificate_request.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/tls13/certificate_request.c 2019-05-28 12:58:49.723941445 -0400 +@@ -152,7 +152,6 @@ int _gnutls13_recv_certificate_request_i + return gnutls_assert_val(ret); + + gnutls_free(session->internals.post_handshake_cr_context.data); +- session->internals.post_handshake_cr_context.data = NULL; + ret = _gnutls_set_datum(&session->internals.post_handshake_cr_context, + context.data, context.size); + if (ret < 0) +@@ -279,7 +278,6 @@ int _gnutls13_send_certificate_request(g + } + + gnutls_free(session->internals.post_handshake_cr_context.data); +- session->internals.post_handshake_cr_context.data = NULL; + ret = _gnutls_set_datum(&session->internals.post_handshake_cr_context, + rnd, sizeof(rnd)); + if (ret < 0) { +Index: gnutls28-3.6.5/lib/tpm.c +=================================================================== +--- gnutls28-3.6.5.orig/lib/tpm.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/tpm.c 2019-05-28 12:58:49.723941445 -0400 +@@ -1641,10 +1641,8 @@ gnutls_tpm_privkey_generate(gnutls_pk_al + gnutls_pubkey_deinit(pub); + privkey_cleanup: + gnutls_free(privkey->data); +- privkey->data = NULL; + cleanup: + gnutls_free(tmpkey.data); +- tmpkey.data = NULL; + err_sa: + pTspi_Context_CloseObject(s.tpm_ctx, key_ctx); + err_cc: +Index: gnutls28-3.6.5/lib/x509/ocsp.c 
+=================================================================== +--- gnutls28-3.6.5.orig/lib/x509/ocsp.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/x509/ocsp.c 2019-05-28 12:58:49.723941445 -0400 +@@ -162,7 +162,6 @@ void gnutls_ocsp_resp_deinit(gnutls_ocsp + asn1_delete_structure(&resp->basicresp); + + resp->resp = NULL; +- resp->response_type_oid.data = NULL; + resp->basicresp = NULL; + + gnutls_free(resp->der.data); +@@ -299,7 +298,6 @@ gnutls_ocsp_resp_import2(gnutls_ocsp_res + } + + gnutls_free(resp->der.data); +- resp->der.data = NULL; + } + + resp->init = 1; +@@ -1668,18 +1666,12 @@ gnutls_ocsp_resp_get_single(gnutls_ocsp_ + + return GNUTLS_E_SUCCESS; + fail: +- if (issuer_name_hash) { ++ if (issuer_name_hash) + gnutls_free(issuer_name_hash->data); +- issuer_name_hash->data = NULL; +- } +- if (issuer_key_hash) { ++ if (issuer_key_hash) + gnutls_free(issuer_key_hash->data); +- issuer_key_hash->data = NULL; +- } +- if (serial_number) { ++ if (serial_number) + gnutls_free(serial_number->data); +- serial_number->data = NULL; +- } + return ret; + } + +@@ -1955,7 +1947,6 @@ gnutls_ocsp_resp_get_certs(gnutls_ocsp_r + } + + gnutls_free(c.data); +- c.data = NULL; + } + + tmpcerts[ctr] = NULL; +Index: gnutls28-3.6.5/lib/x509/pkcs12_bag.c +=================================================================== +--- gnutls28-3.6.5.orig/lib/x509/pkcs12_bag.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/x509/pkcs12_bag.c 2019-05-28 12:58:49.723941445 -0400 +@@ -62,7 +62,6 @@ static inline void _pkcs12_bag_free_data + _gnutls_free_datum(&bag->element[i].data); + _gnutls_free_datum(&bag->element[i].local_key_id); + gnutls_free(bag->element[i].friendly_name); +- bag->element[i].friendly_name = NULL; + bag->element[i].type = 0; + } + +Index: gnutls28-3.6.5/lib/x509/pkcs7-crypt.c +=================================================================== +--- gnutls28-3.6.5.orig/lib/x509/pkcs7-crypt.c 2019-05-28 12:58:49.731941478 -0400 ++++ 
gnutls28-3.6.5/lib/x509/pkcs7-crypt.c 2019-05-28 12:58:49.723941445 -0400 +@@ -1269,7 +1269,6 @@ _gnutls_pkcs_raw_decrypt_data(schema_id + _gnutls_cipher_init(&ch, ce, &dkey, &d_iv, 0); + + gnutls_free(key); +- key = NULL; + + if (ret < 0) { + gnutls_assert(); +Index: gnutls28-3.6.5/lib/x509/pkcs7.c +=================================================================== +--- gnutls28-3.6.5.orig/lib/x509/pkcs7.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/x509/pkcs7.c 2019-05-28 12:58:49.727941462 -0400 +@@ -692,7 +692,6 @@ int gnutls_pkcs7_get_signature_info(gnut + + ret = gnutls_pkcs7_add_attr(&info->signed_attrs, oid, &tmp, 0); + gnutls_free(tmp.data); +- tmp.data = NULL; + + if (ret < 0) { + gnutls_assert(); +@@ -730,7 +729,6 @@ int gnutls_pkcs7_get_signature_info(gnut + ret = + gnutls_pkcs7_add_attr(&info->unsigned_attrs, oid, &tmp, 0); + gnutls_free(tmp.data); +- tmp.data = NULL; + + if (ret < 0) { + gnutls_assert(); +@@ -842,9 +840,7 @@ static int verify_hash_attr(gnutls_pkcs7 + } + + gnutls_free(tmp.data); +- tmp.data = NULL; + gnutls_free(tmp2.data); +- tmp2.data = NULL; + } + + if (msg_digest_ok) +@@ -1087,7 +1083,6 @@ static gnutls_x509_crt_t find_verified_i + gnutls_x509_crt_deinit(issuer); + issuer = NULL; + gnutls_free(tmp.data); +- tmp.data = NULL; + continue; + } + +@@ -1204,7 +1199,6 @@ static gnutls_x509_crt_t find_child_of_w + gnutls_x509_crt_deinit(crt); + crt = NULL; + gnutls_free(tmpdata.data); +- tmpdata.data = NULL; + continue; + } + } else { +Index: gnutls28-3.6.5/lib/x509/privkey_pkcs8.c +=================================================================== +--- gnutls28-3.6.5.orig/lib/x509/privkey_pkcs8.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/x509/privkey_pkcs8.c 2019-05-28 12:58:49.727941462 -0400 +@@ -601,7 +601,6 @@ gnutls_pkcs8_info(const gnutls_datum_t * + cleanup: + if (ret != GNUTLS_E_UNKNOWN_CIPHER_TYPE && oid) { + gnutls_free(*oid); +- *oid = NULL; + } + if (need_free) + _gnutls_free_datum(&_data); 
+Index: gnutls28-3.6.5/lib/x509/verify-high2.c +=================================================================== +--- gnutls28-3.6.5.orig/lib/x509/verify-high2.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/x509/verify-high2.c 2019-05-28 12:58:49.727941462 -0400 +@@ -180,7 +180,6 @@ int remove_pkcs11_url(gnutls_x509_trust_ + { + if (strcmp(ca_file, list->pkcs11_token) == 0) { + gnutls_free(list->pkcs11_token); +- list->pkcs11_token = NULL; + } + return 0; + } +Index: gnutls28-3.6.5/lib/x509/virt-san.c +=================================================================== +--- gnutls28-3.6.5.orig/lib/x509/virt-san.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/x509/virt-san.c 2019-05-28 12:58:49.727941462 -0400 +@@ -70,7 +70,6 @@ int _gnutls_alt_name_assign_virt_type(st + if (ret < 0) + return gnutls_assert_val(ret); + gnutls_free(san->data); +- san->data = NULL; + + if (othername_oid) { + name->othername_oid.data = (uint8_t *) othername_oid; +Index: gnutls28-3.6.5/lib/x509/x509.c +=================================================================== +--- gnutls28-3.6.5.orig/lib/x509/x509.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/x509/x509.c 2019-05-28 12:58:49.727941462 -0400 +@@ -386,7 +386,6 @@ static int cache_alt_names(gnutls_x509_c + if (ret >= 0) { + ret = gnutls_x509_ext_import_subject_alt_names(&tmpder, cert->san, 0); + gnutls_free(tmpder.data); +- tmpder.data = NULL; + if (ret < 0) + return gnutls_assert_val(ret); + } +@@ -3687,7 +3686,6 @@ gnutls_x509_crt_list_import2(gnutls_x509 + + if (ret < 0) { + gnutls_free(*certs); +- *certs = NULL; + return ret; + } + +@@ -4319,7 +4317,6 @@ gnutls_x509_crt_list_import_url(gnutls_x + + if (gnutls_x509_crt_equals2(crts[i-1], &issuer)) { + gnutls_free(issuer.data); +- issuer.data = NULL; + break; + } + +@@ -4340,7 +4337,6 @@ gnutls_x509_crt_list_import_url(gnutls_x + } + + gnutls_free(issuer.data); +- issuer.data = NULL; + } + + *certs = 
gnutls_malloc(total*sizeof(gnutls_x509_crt_t)); +Index: gnutls28-3.6.5/lib/x509/x509_ext.c +=================================================================== +--- gnutls28-3.6.5.orig/lib/x509/x509_ext.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/x509/x509_ext.c 2019-05-28 12:58:49.727941462 -0400 +@@ -1994,7 +1994,6 @@ int gnutls_x509_ext_import_policies(cons + ret = + decode_user_notice(td.data, td.size, &txt); + gnutls_free(td.data); +- td.data = NULL; + + if (ret < 0) { + gnutls_assert(); +Index: gnutls28-3.6.5/lib/x509_b64.c +=================================================================== +--- gnutls28-3.6.5.orig/lib/x509_b64.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/lib/x509_b64.c 2019-05-28 12:58:49.727941462 -0400 +@@ -302,7 +302,6 @@ _gnutls_base64_decode(const uint8_t * da + + fail: + gnutls_free(result->data); +- result->data = NULL; + + cleanup: + gnutls_free(pdata.data); +Index: gnutls28-3.6.5/tests/cert.c +=================================================================== +--- gnutls28-3.6.5.orig/tests/cert.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/tests/cert.c 2019-05-28 12:58:49.727941462 -0400 +@@ -89,7 +89,6 @@ static int getnextcert(DIR **dirp, gnutl + *exp_ret = atoi((char*)local.data); + success("expecting error code %d\n", *exp_ret); + gnutls_free(local.data); +- local.data = NULL; + } + + return 0; +@@ -135,7 +134,6 @@ void doit(void) + + gnutls_x509_crt_deinit(cert); + gnutls_free(der.data); +- der.data = NULL; + der.size = 0; + exp_ret = -1; + } +Index: gnutls28-3.6.5/tests/gnutls_session_set_id.c +=================================================================== +--- gnutls28-3.6.5.orig/tests/gnutls_session_set_id.c 2019-05-28 12:58:49.731941478 -0400 ++++ gnutls28-3.6.5/tests/gnutls_session_set_id.c 2019-05-28 12:58:49.727941462 -0400 +@@ -200,7 +200,6 @@ static void start(const char *test, unsi + gnutls_certificate_free_credentials(clientx509cred); + + gnutls_free(dbdata.data); +- 
dbdata.data = NULL;
+ dbdata.size = 0;
+ }
+
+Index: gnutls28-3.6.5/tests/name-constraints-ip.c
+===================================================================
+--- gnutls28-3.6.5.orig/tests/name-constraints-ip.c 2019-05-28 12:58:49.731941478 -0400
++++ gnutls28-3.6.5/tests/name-constraints-ip.c 2019-05-28 12:58:49.727941462 -0400
+@@ -78,7 +78,6 @@ static void check_test_result(int ret, i
+ static void parse_cidr(const char* cidr, gnutls_datum_t *datum) {
+ if (datum->data != NULL) {
+ gnutls_free(datum->data);
+- datum->data = NULL;
+ }
+ int ret = gnutls_x509_cidr_to_rfc5280(cidr, datum);
+ check_for_error(ret);
+@@ -699,7 +698,7 @@ static int teardown(void **state) {
+ gnutls_free(test_vars->ip.data);
+ gnutls_x509_name_constraints_deinit(test_vars->nc);
+ gnutls_x509_name_constraints_deinit(test_vars->nc2);
+- gnutls_free(test_vars);
++ gnutls_free(*state);
+ return 0;
+ }
+
+Index: gnutls28-3.6.5/tests/pkcs11/pkcs11-import-url-privkey.c
+===================================================================
+--- gnutls28-3.6.5.orig/tests/pkcs11/pkcs11-import-url-privkey.c 2019-05-28 12:58:49.731941478 -0400
++++ gnutls28-3.6.5/tests/pkcs11/pkcs11-import-url-privkey.c 2019-05-28 12:58:49.727941462 -0400
+@@ -91,7 +91,6 @@ void doit(void)
+ for (i=0;i
+Date: Tue, 12 Feb 2019 15:20:23 +0100
+Subject: [PATCH] gnutls_x509_crt_init: Fix dereference of NULL pointer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Tim Rühsen
+---
+ lib/x509/x509.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/x509/x509.c b/lib/x509/x509.c
+index fa0188ef05..995d5cd5cf 100644
+--- a/lib/x509/x509.c
++++ b/lib/x509/x509.c
+@@ -227,8 +227,8 @@ int gnutls_x509_crt_init(gnutls_x509_crt_t * cert)
+ if (result < 0) {
+ gnutls_assert();
+ asn1_delete_structure(&tmp->cert);
+- gnutls_free(tmp);
+ gnutls_subject_alt_names_deinit(tmp->san);
++ gnutls_free(tmp);
+ return result;
+ }
+
+--
+2.21.0
+
diff
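Review bot: In teardown() in tests/name-constraints-ip.c the last free now goes through `*state` while the three calls above it still use `test_vars`, and nothing in the hunk records why the two differ. If gnutls_free() resets its argument to NULL, as the companion CVE-2019-3829-1 patch in this series is meant to make it do, the intent is presumably to clear the fixture pointer itself rather than a local alias. A one-line comment such as `/* free via *state so the fixture pointer itself is reset */` would keep a later tidy-up from reverting it. The declaration of `test_vars` lies outside the hunk, so the aliasing should be confirmed against the full function.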
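Review bot: The error path of gnutls_x509_crt_init() in lib/x509/x509.c now relies on `gnutls_free(tmp)` being the last statement that touches `tmp`, but that ordering constraint is not written down next to the code. The previous order read `tmp->san` after the free, which is a use-after-free, or a NULL dereference once gnutls_free() resets its argument as the patch subject indicates. A comment above the call, for example `/* free tmp last: tmp->cert and tmp->san are released through it */`, would protect the order against later edits. The rest of the function is outside the hunk, so any other error path that frees `tmp` should be checked for the same pattern.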
-Nru gnutls28-3.6.5/debian/patches/CVE-2019-3836.patch gnutls28-3.6.5/debian/patches/CVE-2019-3836.patch
--- gnutls28-3.6.5/debian/patches/CVE-2019-3836.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnutls28-3.6.5/debian/patches/CVE-2019-3836.patch 2019-05-28 17:00:04.000000000 +0000
@@ -0,0 +1,26 @@
+From 96e07075e8f105b13e76b11e493d5aa2dd937226 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno
+Date: Mon, 25 Mar 2019 16:06:39 +0100
+Subject: [PATCH] handshake: add missing initialization of local variable
+
+Resolves: #704
+
+Signed-off-by: Daiki Ueno
+Signed-off-by: Nikos Mavrogiannopoulos
+---
+ lib/handshake-tls13.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: gnutls28-3.6.5/lib/handshake-tls13.c
+===================================================================
+--- gnutls28-3.6.5.orig/lib/handshake-tls13.c 2019-05-28 13:00:01.972242403 -0400
++++ gnutls28-3.6.5/lib/handshake-tls13.c 2019-05-28 13:00:01.968242386 -0400
+@@ -604,6 +604,8 @@ _gnutls13_recv_async_handshake(gnutls_se
+ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
+
+ do {
++ _gnutls_handshake_buffer_init(&hsk);
++
+ /* the received handshake message has already been pushed into
+ * handshake buffers. As we do not need to use the handshake hash
+ * buffers we call the lower level receive functions */
diff -Nru gnutls28-3.6.5/debian/patches/add-openssl-test-link.patch gnutls28-3.6.5/debian/patches/add-openssl-test-link.patch
--- gnutls28-3.6.5/debian/patches/add-openssl-test-link.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnutls28-3.6.5/debian/patches/add-openssl-test-link.patch 2018-10-05 16:12:04.000000000 +0000
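Review bot: The added `_gnutls_handshake_buffer_init(&hsk);` at the top of the `do` loop in _gnutls13_recv_async_handshake() has no comment saying which later use of `hsk` it protects. Presumably an early exit from the loop reaches code that reads or clears `hsk` before the receive call has filled it in; that path is outside the hunk, so this is an inference from the patch subject. A short comment such as `/* hsk must be valid before any exit path below touches it */` would make the requirement explicit. Because the init now runs on every pass of the loop, it is also worth confirming that each pass releases what the buffer holds before the next init overwrites it.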
@@ -0,0 +1,14 @@
+Description: avoid link failure because of missing ssl
+Author: Gianfranco Costamagna
+
+--- a/tests/slow/Makefile.am
++++ b/tests/slow/Makefile.am
+@@ -53,7 +53,7 @@
+ TESTS = $(ctests) test-ciphers.sh override-ciphers test-hash-large.sh crypto test-ciphers-api.sh
+
+ if HAVE_LIBCRYPTO
+-cipher_openssl_compat_LDFLAGS = $(LDADD) $(LIBCRYPTO)
++cipher_openssl_compat_LDADD = $(LDADD) $(LIBCRYPTO)
+
+ dist_check_SCRIPTS += test-ciphers-openssl.sh
+ check_PROGRAMS += cipher-openssl-compat
diff -Nru gnutls28-3.6.5/debian/patches/disable_global_init_override_test.patch gnutls28-3.6.5/debian/patches/disable_global_init_override_test.patch
--- gnutls28-3.6.5/debian/patches/disable_global_init_override_test.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnutls28-3.6.5/debian/patches/disable_global_init_override_test.patch 2018-10-05 16:12:04.000000000 +0000
@@ -0,0 +1,15 @@
+Description: disable failing test
+Author: Marc Deslauriers
+Forwarded: no
+
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -172,7 +172,7 @@
+ fallback-scsv pkcs8-key-decode urls dtls-rehandshake-cert \
+ key-usage-rsa key-usage-ecdhe-rsa mini-session-verify-function auto-verify \
+ record-timeouts mini-dtls-hello-verify-48 set-default-prio \
+- tls12-anon-upgrade global-init-override tlsext-decoding rsa-psk-cb \
++ tls12-anon-upgrade tlsext-decoding rsa-psk-cb \
+ rehandshake-switch-cert rehandshake-switch-cert-allow rehandshake-switch-cert-client \
+ rehandshake-switch-cert-client-allow handshake-versions dtls-handshake-versions \
+ dtls-max-record tls12-max-record alpn-server-prec ocsp-filename-memleak \
diff -Nru gnutls28-3.6.5/debian/patches/series gnutls28-3.6.5/debian/patches/series
--- gnutls28-3.6.5/debian/patches/series 2018-12-16 10:24:01.000000000 +0000
+++ gnutls28-3.6.5/debian/patches/series 2019-05-28 17:00:00.000000000 +0000
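Review bot: The header of disable_global_init_override_test.patch says only `Description: disable failing test` and `Forwarded: no`, so dropping `global-init-override` from the test list in tests/Makefile.am leaves no record of why the test fails or when it can be restored. In a TLS library's packaging, a test removed from the suite should carry its cause and a tracking reference, otherwise a regression it would have caught goes unnoticed on later merges. I would extend the header with a sentence on the failure mode and a field such as `Bug-Ubuntu: <tracking bug URL>` (placeholder; no bug reference appears on this page). The neighbouring add-openssl-test-link.patch header has no `Forwarded:` field at all and would benefit from the same treatment.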
@@ -1,3 +1,9 @@
 14_version_gettextcat.diff
 30_guile-snarf.diff
 40_add_missingm4.diff
+add-openssl-test-link.patch
+disable_global_init_override_test.patch
+CVE-2019-3829-1.patch
+CVE-2019-3829-2.patch
+CVE-2019-3829-3.patch
+CVE-2019-3836.patch