Bug#779791: marked as done (unblock: gnutls28/3.3.8-6)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Wed, 04 Mar 2015 19:49:28 +0000
with message-id <1425498568.2596.0.camel@adam-barratt.org.uk>
and subject line Re: Bug#779791: unblock: gnutls28/3.3.8-6
has caused the Debian Bug report #779791,
regarding unblock: gnutls28/3.3.8-6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
779791: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779791
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: gnutls28/3.3.8-6
• From: Moritz Muehlenhoff <jmm@debian.org>
• Date: Wed, 04 Mar 2015 20:35:11 +0100
• Message-id: <[🔎] 20150304193511.4965.94732.reportbug@pisco.westfalen.local>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package gnutls28. It fixes CVE-2015-0294.

unblock gnutls28/3.3.8-6

diff -Nru gnutls28-3.3.8/debian/changelog gnutls28-3.3.8/debian/changelog
--- gnutls28-3.3.8/debian/changelog	2014-11-20 19:25:24.000000000 +0100
+++ gnutls28-3.3.8/debian/changelog	2015-02-28 14:24:37.000000000 +0100
@@ -1,3 +1,12 @@
+gnutls28 (3.3.8-6) unstable; urgency=medium
+
+  * 39_check-whether-the-two-signatur.patch: Pull and unfuzz
+    6e76e9b9fa845b76b0b9a45f05f4b54a052578ff from upstream GIT: On
+    certificate import check whether the two signature algorithms match.
+    CVE-2015-0294. Closes: #779428
+
+ -- Andreas Metzler <ametzler@debian.org>  Sat, 28 Feb 2015 14:17:21 +0100
+
 gnutls28 (3.3.8-5) unstable; urgency=medium
 
   * Remove SSL 3.0 from default priorities list.
diff -Nru gnutls28-3.3.8/debian/patches/39_check-whether-the-two-signatur.patch gnutls28-3.3.8/debian/patches/39_check-whether-the-two-signatur.patch
--- gnutls28-3.3.8/debian/patches/39_check-whether-the-two-signatur.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.3.8/debian/patches/39_check-whether-the-two-signatur.patch	2015-02-28 14:23:21.000000000 +0100
@@ -0,0 +1,46 @@
+From 6e76e9b9fa845b76b0b9a45f05f4b54a052578ff Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Mon, 19 Jan 2015 09:29:31 +0100
+Subject: [PATCH] on certificate import check whether the two signature
+ algorithms match
+ .
+ Manually unfuzzed for 3.3.8.
+
+---
+ lib/x509/x509.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+--- a/lib/x509/x509.c
++++ b/lib/x509/x509.c
+@@ -186,6 +186,7 @@ gnutls_x509_crt_import(gnutls_x509_crt_t
+ 		       gnutls_x509_crt_fmt_t format)
+ {
+ 	int result = 0;
++	int s2;
+ 
+ 	if (cert == NULL) {
+ 		gnutls_assert();
+@@ -246,6 +247,23 @@ gnutls_x509_crt_import(gnutls_x509_crt_t
+ 		goto cleanup;
+ 	}
+ 
++	result = _gnutls_x509_get_signature_algorithm(cert->cert,
++						      "signatureAlgorithm.algorithm");
++	if (result < 0) {
++		gnutls_assert();
++		goto cleanup;
++	}
++
++	s2 = _gnutls_x509_get_signature_algorithm(cert->cert,
++						  "tbsCertificate.signature.algorithm");
++	if (result != s2) {
++		_gnutls_debug_log("signatureAlgorithm.algorithm differs from tbsCertificate.signature.algorithm: %s, %s\n",
++			gnutls_sign_get_name(result), gnutls_sign_get_name(s2));
++		gnutls_assert();
++		result = GNUTLS_E_CERTIFICATE_ERROR;
++		goto cleanup;
++	}
++
+ 	result = _gnutls_x509_get_raw_field2(cert->cert, &cert->der,
+ 					  "tbsCertificate.issuer.rdnSequence",
+ 					  &cert->raw_issuer_dn);
diff -Nru gnutls28-3.3.8/debian/patches/series gnutls28-3.3.8/debian/patches/series
--- gnutls28-3.3.8/debian/patches/series	2014-11-20 19:20:49.000000000 +0100
+++ gnutls28-3.3.8/debian/patches/series	2015-02-28 14:15:51.000000000 +0100
@@ -5,4 +5,5 @@
 36_less_refresh-rnd-state.diff
 37_X9.63_sanity_check.diff
 38_testforsanitycheck.diff
+39_check-whether-the-two-signatur.patch
 40_no_more_ssl3.diff


-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---

--- Begin Message ---

• To: Moritz Muehlenhoff <jmm@debian.org>, 779791-done@bugs.debian.org
• Subject: Re: Bug#779791: unblock: gnutls28/3.3.8-6
• From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
• Date: Wed, 04 Mar 2015 19:49:28 +0000
• Message-id: <1425498568.2596.0.camel@adam-barratt.org.uk>
• In-reply-to: <[🔎] 20150304193511.4965.94732.reportbug@pisco.westfalen.local>
• References: <[🔎] 20150304193511.4965.94732.reportbug@pisco.westfalen.local>

On Wed, 2015-03-04 at 20:35 +0100, Moritz Muehlenhoff wrote:
> Please unblock package gnutls28. It fixes CVE-2015-0294.

Unblocked, thanks.

Regards,

Adam

--- End Message ---