
Re: Security update modifies (unofficial) ABI and hidden API

Hi Joey,

On Sat, Feb 11, 2006 at 09:02:37PM +0100, Martin Schulze wrote:
> We could use some advice and help with the GnuTLS / libasn1 update
> that would fix the vulnerabilities reported recently.

> The fix for libasn1 adds arguments to exported functions.  However,
> these functions are named _asn_* and should not be used outside of
> this library.

> Unfortunately GnuTLS is doing exactly this, using these functions.

> Other packages "should" not be affected.

> GnuTLS is also problematic as it seems to use both its internal copy
> of libasn and is linked against the libasn package.

> The officially supported ABI+API hasn't been changed by the security
> update.

> We'll have to update libasn and GnuTLS at the same time anyway.

> However, does the security update need to bump the soname as well?  If
> so, is somebody willing to dig into its packaging and bump it?

> What about GnuTLS?

Does GNUTLS get the prototypes for these "internal" functions from public
headers in libtasn1-2-dev?  If so, it sounds like a complete audit of all
reverse-deps would be needed. :(  If not, and upstream says that gnutls is
the only package that should be using them, I think it should be ok to
rebuild without changing the package name -- just adding a conflicts w/ old
versions of libgnutls11.

<rummage, rummage>

Yes, the _asn1_* functions aren't exported in the libtasn1.h header, so I
would say it's ok to make this change without renaming the package.

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
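The audit sketched above (which `_asn1_*` symbols does the library actually export, does any reverse-dependency import them, and are they declared in the public header) can be scripted. The following POSIX shell helper is an added example for this thread, not code from Debian, GnuTLS or libtasn1. It works on the output of GNU `nm -D --defined-only` and `nm -D --undefined-only`; the sample symbol tables and header excerpt embedded in it are constructed for offline use, and the symbol names in them are illustrative rather than taken from any real build.

```shell
#!/bin/sh
# Added example (not from the thread): find "private" symbols (here the _asn1_
# prefix) that a consumer library imports from a shared library, and check
# whether the library's public header declares any of them.

# --- Constructed sample data (made-up nm / header output for offline use) ---
# Shape of `nm -D --defined-only libtasn1.so.2`
LIB_SYMS='
0000000000001234 T asn1_parser2tree
0000000000001300 T _asn1_find_up
0000000000001380 T _asn1_expand_object_id
0000000000001400 T asn1_der_decoding
0000000000001500 W _asn1_str_cpy
'
# Shape of `nm -D --undefined-only libgnutls.so.11`
CONSUMER_UNDEF='
                 U asn1_parser2tree
                 U _asn1_find_up
                 U malloc
'
# Constructed excerpt of a libtasn1.h-like public header
HEADER='
int asn1_parser2tree (const char *file, void **definitions, char *errorDescription);
int asn1_der_decoding (void **element, const void *ider, int len, char *errorDescription);
'

# exported_with_prefix PREFIX: stdin is `nm -D --defined-only` output; prints
# defined global symbols (T = text, W = weak) whose name starts with PREFIX.
# Version suffixes (name@@VER) are stripped so newer binutils output works too.
exported_with_prefix() {
  awk -v p="$1" '($2 == "T" || $2 == "W") { sub(/@.*/, "", $3); if (index($3, p) == 1) print $3 }'
}

# undefined_symbols: stdin is `nm -D --undefined-only` output; prints the names.
undefined_symbols() {
  awk '$1 == "U" { sub(/@.*/, "", $2); print $2 }'
}

# private_symbols_used PREFIX LIB_NM CONSUMER_NM: prints every PREFIX symbol
# exported by the library that the consumer imports, one per line.
private_symbols_used() {
  prefix=$1
  undef=$(printf '%s\n' "$3" | undefined_symbols)
  printf '%s\n' "$2" | exported_with_prefix "$prefix" | while IFS= read -r sym; do
    printf '%s\n' "$undef" | grep -Fqx -- "$sym" && printf '%s\n' "$sym" || :
  done
  return 0
}

# header_declares_prefix PREFIX HEADER_TEXT: prints how many header lines
# mention PREFIX (0 means the private symbols are not part of the public API).
header_declares_prefix() {
  printf '%s\n' "$2" | grep -c -- "$1" || :
}

# With two arguments, run against real files: <library.so> <consumer.so>.
# Without arguments, run the constructed sample so the script works offline.
if [ "$#" -ge 2 ]; then
  lib_nm=$(nm -D --defined-only "$1")
  consumer_nm=$(nm -D --undefined-only "$2")
  private_symbols_used _asn1_ "$lib_nm" "$consumer_nm"
else
  echo "private _asn1_* symbols imported by the consumer:"
  private_symbols_used _asn1_ "$LIB_SYMS" "$CONSUMER_UNDEF"
  echo "header lines declaring _asn1_* symbols: $(header_declares_prefix _asn1_ "$HEADER")"
fi
```

Run it as `sh audit.sh /usr/lib/libtasn1.so.2 /usr/lib/libgnutls.so.11` to check one reverse-dependency; looping it over every binary that `dpkg -S` or `apt-cache rdepends` attributes to the library is the "complete audit of all reverse-deps" mentioned above. A consumer that imports any `_asn1_*` symbol must be rebuilt together with the library, and the conflicts against older versions of that consumer are what keep the old and new copies from being loaded side by side.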
