
[SRM] Fixing #648441 (CVE-2011-4128) in stable



On 2011-12-22 Moritz Muehlenhoff <jmm@inutil.org> wrote:
> On Fri, Nov 11, 2011 at 04:35:56PM +0100, Simon Josefsson wrote:
[...] 
> > As far as I understand, the client also has to be written in a
> > vulnerable way.  The example code doesn't, and likely there are few
> > clients like that around.  More investigation is warranted...

> Andreas, can you fix this for the upcoming stable point update?
> http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

> Although it's minor it would be nice to fix it up in stable.


Hello,

I would like to upload gnutls26_2.8.6-1+squeeze1 to stable. 
---------------------------
* Pull fixes for buffer overflow in gnutls_session_get_data() from upstream
  git. (CVE-2011-4128: GNUTLS-SA-2011-2) Closes: #648441
  20_CVE-2011-4128.part1.diff 20_CVE-2011-4128.part2.diff
---------------------------

diff to 2.8.6-1 attached.

thanks, cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
File lists identical on package level (after any substitutions)

Control files of package gnutls-bin: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-2.8.6-1-] {+2.8.6-1+squeeze1+}

Control files of package gnutls-doc: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-2.8.6-1-] {+2.8.6-1+squeeze1+}

Control files of package guile-gnutls: lines which differ (wdiff format)
------------------------------------------------------------------------
Version: [-2.8.6-1-] {+2.8.6-1+squeeze1+}

Control files of package libgnutls-dev: lines which differ (wdiff format)
-------------------------------------------------------------------------
Depends: libgnutls26 (= [-2.8.6-1),-] {+2.8.6-1+squeeze1),+} libgcrypt11-dev (>= 1.3.0), libc6-dev | libc-dev, zlib1g-dev, libtasn1-3-dev (>= 0.3.4)
Version: [-2.8.6-1-] {+2.8.6-1+squeeze1+}

Control files of package libgnutls26: lines which differ (wdiff format)
-----------------------------------------------------------------------
Installed-Size: [-1268-] {+1264+}
Version: [-2.8.6-1-] {+2.8.6-1+squeeze1+}

Control files of package libgnutls26-dbg: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libgnutls26 (= [-2.8.6-1)-] {+2.8.6-1+squeeze1)+}
Version: [-2.8.6-1-] {+2.8.6-1+squeeze1+}
 changelog                           |    8 ++++++
 patches/20_CVE-2011-4128.part1.diff |   44 ++++++++++++++++++++++++++++++++++++
 patches/20_CVE-2011-4128.part2.diff |   24 +++++++++++++++++++
 patches/series                      |    2 +
 4 files changed, 78 insertions(+)
diff -Nru gnutls26-2.8.6/debian/changelog gnutls26-2.8.6/debian/changelog
--- gnutls26-2.8.6/debian/changelog	2010-03-20 16:06:34.000000000 +0100
+++ gnutls26-2.8.6/debian/changelog	2011-12-22 18:19:27.000000000 +0100
@@ -1,3 +1,11 @@
+gnutls26 (2.8.6-1+squeeze1) stable; urgency=low
+
+  * Pull fixes for buffer overflow in gnutls_session_get_data() from upstream
+    git. (CVE-2011-4128: GNUTLS-SA-2011-2) Closes: #648441
+    20_CVE-2011-4128.part1.diff 20_CVE-2011-4128.part2.diff
+
+ -- Andreas Metzler <ametzler@debian.org>  Thu, 22 Dec 2011 18:07:26 +0100
+
 gnutls26 (2.8.6-1) unstable; urgency=low
 
   * Use dh_lintian.
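Review bot: the changelog entry names the two patch files but not the upstream commits they carry (190cef6eed37d0e73a73c1e205eb31d45ab60a3c and e82ef4545e9e98cbcb032f55d7c750b81e3a0450 in the patch headers below); adding them, e.g. "from upstream git (commits 190cef6e, e82ef454)", lets the stable release team verify provenance without opening the patches.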
diff -Nru gnutls26-2.8.6/debian/patches/20_CVE-2011-4128.part1.diff gnutls26-2.8.6/debian/patches/20_CVE-2011-4128.part1.diff
--- gnutls26-2.8.6/debian/patches/20_CVE-2011-4128.part1.diff	1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.8.6/debian/patches/20_CVE-2011-4128.part1.diff	2011-12-22 18:17:52.000000000 +0100
@@ -0,0 +1,44 @@
+From 190cef6eed37d0e73a73c1e205eb31d45ab60a3c Mon Sep 17 00:00:00 2001
+From: Alban Crequy <alban.crequy@collabora.co.uk>
+Date: Mon, 7 Nov 2011 18:51:27 +0000
+Subject: [PATCH] gnutls_session_get_data: fix possible buffer overflow
+
+The test to avoid the buffer overflow was always false because
+session_data_size was set at the wrong place. This problem has been introduced
+by this commit:
+
+|commit ad4ed44c65e753e6d3a00104c049dd81826ccbf3
+|Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+|Date:   Mon Nov 7 22:24:48 2005 +0000
+|
+|    This is the initial commit in the 1.3 branch. Ported from the PSK branch:
+|    * PSK ciphersuites have been added.
+|    * The session resumption data are now system independent.
+
+Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+---
+ lib/gnutls_session.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/lib/gnutls_session.c b/lib/gnutls_session.c
+index 8028d5a..418a2ba 100644
+--- a/lib/gnutls_session.c
++++ b/lib/gnutls_session.c
+@@ -63,13 +63,13 @@ gnutls_session_get_data (gnutls_session_t session,
+       gnutls_assert ();
+       return ret;
+     }
+-  *session_data_size = psession.size;
+ 
+   if (psession.size > *session_data_size)
+     {
+       ret = GNUTLS_E_SHORT_MEMORY_BUFFER;
+       goto error;
+     }
++  *session_data_size = psession.size;
+ 
+   if (session_data != NULL)
+     memcpy (session_data, psession.data, psession.size);
+-- 
+1.7.2.5
+
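Review bot: applied on its own, this hunk removes the only write to `*session_data_size`, so a caller that probes the required size (NULL `session_data` with `*session_data_size` set to 0, which the later `if (session_data != NULL)` guard is there to allow) now gets GNUTLS_E_SHORT_MEMORY_BUFFER with the out-parameter untouched and no way to size its buffer. The original check was dead because `*session_data_size = psession.size;` ran before `if (psession.size > *session_data_size)`; moving the assignment below the check fixes that, but part2 (which writes the size before `goto error`) is required for the API to stay usable, so keep both patches in series together as this upload does.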
diff -Nru gnutls26-2.8.6/debian/patches/20_CVE-2011-4128.part2.diff gnutls26-2.8.6/debian/patches/20_CVE-2011-4128.part2.diff
--- gnutls26-2.8.6/debian/patches/20_CVE-2011-4128.part2.diff	1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.8.6/debian/patches/20_CVE-2011-4128.part2.diff	2011-12-22 18:18:08.000000000 +0100
@@ -0,0 +1,24 @@
+From e82ef4545e9e98cbcb032f55d7c750b81e3a0450 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Tue, 8 Nov 2011 07:52:56 +0100
+Subject: [PATCH] bug fix in gnutls_session_get_data().
+
+---
+ lib/gnutls_session.c |    1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/lib/gnutls_session.c b/lib/gnutls_session.c
+index 418a2ba..fd012fe 100644
+--- a/lib/gnutls_session.c
++++ b/lib/gnutls_session.c
+@@ -66,6 +66,7 @@ gnutls_session_get_data (gnutls_session_t session,
+ 
+   if (psession.size > *session_data_size)
+     {
++      *session_data_size = psession.size;
+       ret = GNUTLS_E_SHORT_MEMORY_BUFFER;
+       goto error;
+     }
+-- 
+1.7.2.5
+
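Review bot: the upstream commit message "bug fix in gnutls_session_get_data()." gives no rationale, yet this one-line hunk is what makes the short-buffer path usable again by reporting `psession.size` to the caller before `goto error`. Since the Debian patch file is plain `git format-patch` output, consider adding a short DEP-3 header (Description/Origin/Bug-Debian: #648441) so a reader of the stable diff does not have to infer from part1 why this second patch exists.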
diff -Nru gnutls26-2.8.6/debian/patches/series gnutls26-2.8.6/debian/patches/series
--- gnutls26-2.8.6/debian/patches/series	2010-03-20 16:02:18.000000000 +0100
+++ gnutls26-2.8.6/debian/patches/series	2011-12-22 18:18:58.000000000 +0100
@@ -1,3 +1,5 @@
 14_version_gettextcat.diff
 15_fixgnutlspc.diff
 16_unnecessarydep.diff
+20_CVE-2011-4128.part1.diff
+20_CVE-2011-4128.part2.diff
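Review bot: the order here is load-bearing, not cosmetic: part2's index line (418a2ba..fd012fe) is computed against the output of part1 (8028d5a..418a2ba), so swapping the two entries would make part2 fail to apply to the still-unpatched lib/gnutls_session.c. Worth a one-line comment in the patch headers noting that part2 depends on part1.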
