--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package lynx-cur/2.8.9dev1-2+deb8u1
- From: Andreas Metzler <ametzler@bebt.de>
- Date: Thu, 18 Jun 2015 20:37:50 +0200
- Message-id: <20150618183750.GA1337@downhill.g.la>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Hello,
I would like to fix 784430 in jessie:
* lynx-cur is using a buggy GnuTLS priority string.
* After fixing GNUTLS-SA-2015-2 (a minor issue) GnuTLS is more strict
when applying the priority string. Combining lynx-cur/jessie
with a fixed GnuTLS therefore results in major SSL/TLS breakage.
According to the security-tracker, GNUTLS-SA-2015-2 will not be fixed
by a dedicated DSA; however, it is labeled as "Minor issue; Can be
fixed along with a future DSA".
Suggested patch attached. The respective changes were uploaded to sid in
2.8.9dev6-3 on May 16.
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
diff -u lynx-cur-2.8.9dev1/debian/changelog lynx-cur-2.8.9dev1/debian/changelog
--- lynx-cur-2.8.9dev1/debian/changelog
+++ lynx-cur-2.8.9dev1/debian/changelog
@@ -1,3 +1,13 @@
+lynx-cur (2.8.9dev1-2+deb8u1) jessie; urgency=medium
+
+ * gnutls_set_default_priority.diff: Use gnutls_set_default_priority()
+ instead of a custom priority string. The fix for the GnuTLS issue
+ GNUTLS-SA-2015-2 combined with a buggy GnuTLS priority string in lynx
+ breaks lynx SSL support. Preemptively apply the fix to lynx before the
+ GnuTLS issue is fixed in stable. Closes: #784430
+
+ -- Andreas Metzler <ametzler@debian.org> Fri, 05 Jun 2015 13:30:14 +0200
+
lynx-cur (2.8.9dev1-2) unstable; urgency=medium
* Fixed B-D by adding libgcrypt20-dev. libgnutls-dev installs automatically
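Review bot: the new changelog entry does not record that the same change is already in unstable (the cover mail says 2.8.9dev6-3, uploaded May 16); for a stable update it is worth stating that in the entry itself, e.g. "Same change as in 2.8.9dev6-3 in unstable.", so the jessie changelog is self-contained and the release team does not have to consult the bug log to see the fix has been exercised in sid.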
diff -u lynx-cur-2.8.9dev1/debian/patches/series lynx-cur-2.8.9dev1/debian/patches/series
--- lynx-cur-2.8.9dev1/debian/patches/series
+++ lynx-cur-2.8.9dev1/debian/patches/series
@@ -3,0 +4 @@
+gnutls_set_default_priority.diff
only in patch2:
unchanged:
--- lynx-cur-2.8.9dev1.orig/debian/patches/gnutls_set_default_priority.diff
+++ lynx-cur-2.8.9dev1/debian/patches/gnutls_set_default_priority.diff
@@ -0,0 +1,36 @@
+Description: Use gnutls_set_default_priority() instead of a custom
+ priority string.
+ This is a minimal patch, leaving the now unused functions alone.
+Author: Andreas Metzler <ametzler@debian.org>
+Origin: vendor
+Forwarded: http://mid.gmane.org/20150512175429.GB1321%40downhill.g.la
+Last-Update: 2015-05-13
+Bug-Debian: http://bugs.debian.org/784430
+
+diff --git a/src/tidy_tls.c b/src/tidy_tls.c
+index f6dea81..df8efb4 100644
+--- a/src/tidy_tls.c
++++ b/src/tidy_tls.c
+@@ -542,21 +542,7 @@ SSL *SSL_new(SSL_CTX * ctx)
+ ssl->ctx = ctx;
+
+ gnutls_init(&ssl->gnutls_state, ctx->method->connend);
+-
+-#if USE_SET_DIRECT
+- UpdatePriority(ssl);
+-#else
+- gnutls_protocol_set_priority(ssl->gnutls_state,
+- ctx->method->priority.protocol);
+- gnutls_cipher_set_priority(ssl->gnutls_state,
+- ctx->method->priority.encrypts);
+- gnutls_compression_set_priority(ssl->gnutls_state,
+- ctx->method->priority.compress);
+- gnutls_kx_set_priority(ssl->gnutls_state,
+- ctx->method->priority.key_xchg);
+- gnutls_mac_set_priority(ssl->gnutls_state,
+- ctx->method->priority.msg_code);
+-#endif
++ gnutls_set_default_priority(ssl->gnutls_state);
+
+ gnutls_credentials_set(ssl->gnutls_state, GNUTLS_CRD_CERTIFICATE,
+ ssl->gnutls_cred);
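Review bot: the replacement line `gnutls_set_default_priority(ssl->gnutls_state);` discards the function's int return value, so a failure to set the priority goes unnoticed and the session continues into `gnutls_credentials_set()` with no priority applied; since the whole point of this change is that GnuTLS now rejects bad priority settings, the result should be checked (`if (gnutls_set_default_priority(ssl->gnutls_state) < 0)`) and the error propagated to SSL_new()'s caller instead of being swallowed. Two further things the DEP-3 Description should spell out: the removed `#else` branch applied per-method settings from `ctx->method->priority` (protocol, ciphers, compression, kx, mac), so after this change every SSL_CTX method negotiates with GnuTLS's default priority regardless of which method the caller chose, a behaviour change rather than a pure fix; and removing the `#if USE_SET_DIRECT` branch leaves `UpdatePriority()` and the `priority` fields unreferenced, which the Description only alludes to with "leaving the now unused functions alone".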
--- End Message ---