Bug#779791: unblock: gnutls28/3.3.8-6
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package gnutls28. It fixes CVE-2015-0294.
unblock gnutls28/3.3.8-6
diff -Nru gnutls28-3.3.8/debian/changelog gnutls28-3.3.8/debian/changelog
--- gnutls28-3.3.8/debian/changelog 2014-11-20 19:25:24.000000000 +0100
+++ gnutls28-3.3.8/debian/changelog 2015-02-28 14:24:37.000000000 +0100
@@ -1,3 +1,12 @@
+gnutls28 (3.3.8-6) unstable; urgency=medium
+
+ * 39_check-whether-the-two-signatur.patch: Pull and unfuzz
+ 6e76e9b9fa845b76b0b9a45f05f4b54a052578ff from upstream GIT: On
+ certificate import check whether the two signature algorithms match.
+ CVE-2015-0294. Closes: #779428
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 28 Feb 2015 14:17:21 +0100
+
gnutls28 (3.3.8-5) unstable; urgency=medium
* Remove SSL 3.0 from default priorities list.
diff -Nru gnutls28-3.3.8/debian/patches/39_check-whether-the-two-signatur.patch gnutls28-3.3.8/debian/patches/39_check-whether-the-two-signatur.patch
--- gnutls28-3.3.8/debian/patches/39_check-whether-the-two-signatur.patch 1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.3.8/debian/patches/39_check-whether-the-two-signatur.patch 2015-02-28 14:23:21.000000000 +0100
@@ -0,0 +1,46 @@
+From 6e76e9b9fa845b76b0b9a45f05f4b54a052578ff Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Mon, 19 Jan 2015 09:29:31 +0100
+Subject: [PATCH] on certificate import check whether the two signature
+ algorithms match
+ .
+ Manually unfuzzed for 3.3.8.
+
+---
+ lib/x509/x509.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+--- a/lib/x509/x509.c
++++ b/lib/x509/x509.c
+@@ -186,6 +186,7 @@ gnutls_x509_crt_import(gnutls_x509_crt_t
+ gnutls_x509_crt_fmt_t format)
+ {
+ int result = 0;
++ int s2;
+
+ if (cert == NULL) {
+ gnutls_assert();
+@@ -246,6 +247,23 @@ gnutls_x509_crt_import(gnutls_x509_crt_t
+ goto cleanup;
+ }
+
++ result = _gnutls_x509_get_signature_algorithm(cert->cert,
++ "signatureAlgorithm.algorithm");
++ if (result < 0) {
++ gnutls_assert();
++ goto cleanup;
++ }
++
++ s2 = _gnutls_x509_get_signature_algorithm(cert->cert,
++ "tbsCertificate.signature.algorithm");
++ if (result != s2) {
++ _gnutls_debug_log("signatureAlgorithm.algorithm differs from tbsCertificate.signature.algorithm: %s, %s\n",
++ gnutls_sign_get_name(result), gnutls_sign_get_name(s2));
++ gnutls_assert();
++ result = GNUTLS_E_CERTIFICATE_ERROR;
++ goto cleanup;
++ }
++
+ result = _gnutls_x509_get_raw_field2(cert->cert, &cert->der,
+ "tbsCertificate.issuer.rdnSequence",
+ &cert->raw_issuer_dn);
diff -Nru gnutls28-3.3.8/debian/patches/series gnutls28-3.3.8/debian/patches/series
--- gnutls28-3.3.8/debian/patches/series 2014-11-20 19:20:49.000000000 +0100
+++ gnutls28-3.3.8/debian/patches/series 2015-02-28 14:15:51.000000000 +0100
@@ -5,4 +5,5 @@
36_less_refresh-rnd-state.diff
37_X9.63_sanity_check.diff
38_testforsanitycheck.diff
+39_check-whether-the-two-signatur.patch
40_no_more_ssl3.diff
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Reply to: