[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#779791: unblock: gnutls28/3.3.8-6



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package gnutls28. It fixes CVE-2015-0294.

unblock gnutls28/3.3.8-6

diff -Nru gnutls28-3.3.8/debian/changelog gnutls28-3.3.8/debian/changelog
--- gnutls28-3.3.8/debian/changelog	2014-11-20 19:25:24.000000000 +0100
+++ gnutls28-3.3.8/debian/changelog	2015-02-28 14:24:37.000000000 +0100
@@ -1,3 +1,12 @@
+gnutls28 (3.3.8-6) unstable; urgency=medium
+
+  * 39_check-whether-the-two-signatur.patch: Pull and unfuzz
+    6e76e9b9fa845b76b0b9a45f05f4b54a052578ff from upstream GIT: On
+    certificate import check whether the two signature algorithms match.
+    CVE-2015-0294. Closes: #779428
+
+ -- Andreas Metzler <ametzler@debian.org>  Sat, 28 Feb 2015 14:17:21 +0100
+
 gnutls28 (3.3.8-5) unstable; urgency=medium
 
   * Remove SSL 3.0 from default priorities list.
diff -Nru gnutls28-3.3.8/debian/patches/39_check-whether-the-two-signatur.patch gnutls28-3.3.8/debian/patches/39_check-whether-the-two-signatur.patch
--- gnutls28-3.3.8/debian/patches/39_check-whether-the-two-signatur.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.3.8/debian/patches/39_check-whether-the-two-signatur.patch	2015-02-28 14:23:21.000000000 +0100
@@ -0,0 +1,46 @@
+From 6e76e9b9fa845b76b0b9a45f05f4b54a052578ff Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Mon, 19 Jan 2015 09:29:31 +0100
+Subject: [PATCH] on certificate import check whether the two signature
+ algorithms match
+ .
+ Manually unfuzzed for 3.3.8.
+
+---
+ lib/x509/x509.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+--- a/lib/x509/x509.c
++++ b/lib/x509/x509.c
+@@ -186,6 +186,7 @@ gnutls_x509_crt_import(gnutls_x509_crt_t
+ 		       gnutls_x509_crt_fmt_t format)
+ {
+ 	int result = 0;
++	int s2;
+ 
+ 	if (cert == NULL) {
+ 		gnutls_assert();
+@@ -246,6 +247,23 @@ gnutls_x509_crt_import(gnutls_x509_crt_t
+ 		goto cleanup;
+ 	}
+ 
++	result = _gnutls_x509_get_signature_algorithm(cert->cert,
++						      "signatureAlgorithm.algorithm");
++	if (result < 0) {
++		gnutls_assert();
++		goto cleanup;
++	}
++
++	s2 = _gnutls_x509_get_signature_algorithm(cert->cert,
++						  "tbsCertificate.signature.algorithm");
++	if (result != s2) {
++		_gnutls_debug_log("signatureAlgorithm.algorithm differs from tbsCertificate.signature.algorithm: %s, %s\n",
++			gnutls_sign_get_name(result), gnutls_sign_get_name(s2));
++		gnutls_assert();
++		result = GNUTLS_E_CERTIFICATE_ERROR;
++		goto cleanup;
++	}
++
+ 	result = _gnutls_x509_get_raw_field2(cert->cert, &cert->der,
+ 					  "tbsCertificate.issuer.rdnSequence",
+ 					  &cert->raw_issuer_dn);
diff -Nru gnutls28-3.3.8/debian/patches/series gnutls28-3.3.8/debian/patches/series
--- gnutls28-3.3.8/debian/patches/series	2014-11-20 19:20:49.000000000 +0100
+++ gnutls28-3.3.8/debian/patches/series	2015-02-28 14:15:51.000000000 +0100
@@ -5,4 +5,5 @@
 36_less_refresh-rnd-state.diff
 37_X9.63_sanity_check.diff
 38_testforsanitycheck.diff
+39_check-whether-the-two-signatur.patch
 40_no_more_ssl3.diff


-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)


Reply to: