
Bug#783526: marked as done (jessie-pu: package gnutls28/3.3.8-6+deb8u1)



Your message dated Sat, 06 Jun 2015 13:11:11 +0100
with message-id <1433592671.2987.12.camel@adam-barratt.org.uk>
and subject line Fix released with 8.1 point release
has caused the Debian Bug report #783526,
regarding jessie-pu: package gnutls28/3.3.8-6+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
783526: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783526
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

I would like to fix CVE-2015-3308 / #782776 in jessie by re-uploading
3.3.8-7 unchanged (except for version-number / distribution) to
jessie.

 gnutls28 (3.3.8-6+deb8u1) jessie; urgency=medium
 .
   * Reupload 3.3.8-7 unchanged for first point release:
     45_eliminated-double-free.diff 46_Better-fix-for-the-double-free.diff:
     Pull two patches from upstream to a use-after-free flaw in
     gnutls_x509_ext_import_crl_dist_points(). CVE-2015-3308
     Closes: #782776

It is not severe enough for a DSA; Moritz asked me to try to fix it in
the point release.

thanks, cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .changes but not in first
-----------------------------------------
-rw-r--r--  root/root   /usr/lib/debug/.build-id/10/71641470893eedfb2ae95761f7a2831487578d.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/3c/00675566a5e060c9ab422431b1f6ace9e3d641.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/40/f65be6b49ba1dd1642c3a70301392728b0fa87.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/59/c0c76a47a76592ba690534af3dd8ed20716910.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/5c/15ca854181b7052a65e0e3c6bb62621e8a4796.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/86/5ba1447f92d3238aaeab5c35384f8d4ddc19f8.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/99/7b28d24819d51167eb04275b0e7781a0553677.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/ad/926b5ff6550801a0e64d7feb12bebb4f19f71b.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/b8/f5d939008965aa0fec40eb47dea7fbd36412e2.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/c4/edae6e65800cadeb0413c787c930f525569125.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/d5/6fdefdf070278c961828fef13aa01e98b0ff68.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/d8/2b478365792d82cde3c23dbba294f2f73aa6bd.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/fc/4f758dce13ac4fe7dadc3dc350d84cbe9bfad6.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/fe/3a9f524b65ebc37a28595af328de4bb9557359.debug

Files in first .changes but not in second
-----------------------------------------
-rw-r--r--  root/root   /usr/lib/debug/.build-id/10/655707e8b248d97b072677ec28c377363aced4.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/13/5f3708de9f8bd9a5eaeea7b2a7902944a68d63.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/17/b7d1dfa67ec9ac3eb7569b29e52cbc47248688.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/1a/c8aaaf376060e80db75912974b2454473353a7.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/24/c0d3aa5787be23dbb556fd9eeda9aa1064ab08.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/30/4541b84d338019a289b01a0dd537bcde7906e8.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/57/ede90e9a245fcbf2a7d4bd269383d3d0783505.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/90/73d1fe7d52ce09cddc43f2ec434b31f81869ea.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/9f/818d387ca338b648a60f366308fcf64b28df00.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/a0/3622962422c45cdc0b9cf963d9d6693108d1b5.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/aa/a11c7e4144249c4a111bcd1ed1da1fc7dd4f37.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/b2/b41fd24df64b4ea7a1d88e14a37214fb80ef9d.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/c4/4292da922a90ca6a10a2a537a255ee3811d410.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/cb/c40b4e7f316d20607c6d320d6d6902115dd70b.debug

Control files of package gnutls-bin: lines which differ (wdiff format)
----------------------------------------------------------------------
Installed-Size: [-934-] {+891+}
Version: [-3.3.8-6-] {+3.3.8-6+deb8u1+}

Control files of package gnutls-doc: lines which differ (wdiff format)
----------------------------------------------------------------------
Installed-Size: [-8392-] {+8266+}
Version: [-3.3.8-6-] {+3.3.8-6+deb8u1+}

Control files of package guile-gnutls: lines which differ (wdiff format)
------------------------------------------------------------------------
Installed-Size: [-404-] {+357+}
Version: [-3.3.8-6-] {+3.3.8-6+deb8u1+}

Control files of package libgnutls-deb0-28: lines which differ (wdiff format)
-----------------------------------------------------------------------------
Installed-Size: [-2095-] {+1942+}
Version: [-3.3.8-6-] {+3.3.8-6+deb8u1+}

Control files of package libgnutls-openssl27: lines which differ (wdiff format)
-------------------------------------------------------------------------------
Depends: libgnutls-deb0-28 (= [-3.3.8-6),-] {+3.3.8-6+deb8u1),+} libc6 (>= 2.4)
Installed-Size: [-203-] {+172+}
Version: [-3.3.8-6-] {+3.3.8-6+deb8u1+}

Control files of package libgnutls28-dbg: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libgnutls-deb0-28 (= [-3.3.8-6)-] {+3.3.8-6+deb8u1)+}
Installed-Size: [-2366-] {+2275+}
Version: [-3.3.8-6-] {+3.3.8-6+deb8u1+}

Control files of package libgnutls28-dev: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libgnutls-deb0-28 (= [-3.3.8-6),-] {+3.3.8-6+deb8u1),+} libgnutlsxx28 (= [-3.3.8-6),-] {+3.3.8-6+deb8u1),+} nettle-dev (>= 2.5), libc6-dev | libc-dev, zlib1g-dev, libtasn1-6-dev (>= 3.9), libp11-kit-dev, libgnutls-openssl27 (= [-3.3.8-6)-] {+3.3.8-6+deb8u1)+}
Installed-Size: [-2490-] {+2447+}
Version: [-3.3.8-6-] {+3.3.8-6+deb8u1+}

Control files of package libgnutlsxx28: lines which differ (wdiff format)
-------------------------------------------------------------------------
Depends: libgnutls-deb0-28 (= [-3.3.8-6),-] {+3.3.8-6+deb8u1),+} libc6 (>= 2.4), libgcc1 (>= 1:4.1.1), libstdc++6 (>= 4.1.1)
Installed-Size: [-87-] {+59+}
Version: [-3.3.8-6-] {+3.3.8-6+deb8u1+}
diff -Nru gnutls28-3.3.8/debian/changelog gnutls28-3.3.8/debian/changelog
--- gnutls28-3.3.8/debian/changelog	2015-02-28 14:24:37.000000000 +0100
+++ gnutls28-3.3.8/debian/changelog	2015-04-27 19:40:34.000000000 +0200
@@ -1,3 +1,13 @@
+gnutls28 (3.3.8-6+deb8u1) jessie; urgency=medium
+
+  * Reupload 3.3.8-7 unchanged for first point release:
+    45_eliminated-double-free.diff 46_Better-fix-for-the-double-free.diff:
+    Pull two patches from upstream to a use-after-free flaw in
+    gnutls_x509_ext_import_crl_dist_points(). CVE-2015-3308
+    Closes: #782776
+
+ -- Andreas Metzler <ametzler@debian.org>  Mon, 27 Apr 2015 19:38:26 +0200
+
 gnutls28 (3.3.8-6) unstable; urgency=medium
 
   * 39_check-whether-the-two-signatur.patch: Pull and unfuzz
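Review bot: the changelog entry's wording does not match the patches it ships, and the sentence is missing its verb. Both upstream subjects (45_eliminated-double-free.diff, 46_Better-fix-for-the-double-free.diff) describe a double free in CRL distribution point parsing, while the entry says "Pull two patches from upstream to a use-after-free flaw". Suggest "Pull two patches from upstream to fix a double free in gnutls_x509_ext_import_crl_dist_points()", and keep the copy quoted in the bug report body in sync with it.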
diff -Nru gnutls28-3.3.8/debian/patches/45_eliminated-double-free.diff gnutls28-3.3.8/debian/patches/45_eliminated-double-free.diff
--- gnutls28-3.3.8/debian/patches/45_eliminated-double-free.diff	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.3.8/debian/patches/45_eliminated-double-free.diff	2015-04-27 19:34:44.000000000 +0200
@@ -0,0 +1,28 @@
+From d6972be33264ecc49a86cd0958209cd7363af1e9 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Mon, 23 Mar 2015 22:55:29 +0100
+Subject: [PATCH] eliminated double-free in the parsing of dist points
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reported by Robert Święcki.
+---
+ lib/x509/x509_ext.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
+index c8d5867..6f09438 100644
+--- a/lib/x509/x509_ext.c
++++ b/lib/x509/x509_ext.c
+@@ -2360,7 +2360,6 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+ 
+ 	if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+ 		gnutls_assert();
+-		gnutls_free(san.data);
+ 		goto cleanup;
+ 	}
+ 
+-- 
+2.1.4
+
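Review bot: deleting `gnutls_free(san.data)` on the error path trades the double free for a leak. Once crl_dist_points_set has stored the pointer in cdp the free here was indeed the bug, but when `_gnutls_parse_general_name2` has filled san and the loop then fails before that handoff, nothing releases the allocation any more. That is acceptable only because 46_Better-fix-for-the-double-free.diff follows in the series and restores the free together with proper ownership tracking; the two patches must not be applied separately, and the header of this one should say so.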
diff -Nru gnutls28-3.3.8/debian/patches/46_Better-fix-for-the-double-free.diff gnutls28-3.3.8/debian/patches/46_Better-fix-for-the-double-free.diff
--- gnutls28-3.3.8/debian/patches/46_Better-fix-for-the-double-free.diff	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.3.8/debian/patches/46_Better-fix-for-the-double-free.diff	2015-04-27 19:34:44.000000000 +0200
@@ -0,0 +1,61 @@
+From 053ae65403216acdb0a4e78b25ad66ee9f444f02 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Sat, 28 Mar 2015 22:41:03 +0100
+Subject: [PATCH] Better fix for the double free in dist point parsing
+
+---
+ lib/x509/x509_ext.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
+index 2e69ed0..f974b02 100644
+--- a/lib/x509/x509_ext.c
++++ b/lib/x509/x509_ext.c
+@@ -2287,7 +2287,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+ 	int len, ret;
+ 	uint8_t reasons[2];
+ 	unsigned i, type, rflags, j;
+-	gnutls_datum_t san;
++	gnutls_datum_t san = {NULL, 0};
+ 
+ 	result = asn1_create_element
+ 	    (_gnutls_get_pkix(), "PKIX1.CRLDistributionPoints", &c2);
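Review bot: the `{NULL, 0}` initializer is what makes the unconditional `gnutls_free(san.data)` restored at the error exit further down safe when the function fails before the loop is ever reached (for example when `asn1_create_element` fails), so it is needed even though the inner loop also resets san. gnutls_free of a NULL pointer is a no-op, as with free(3), so no extra check is required there.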
+@@ -2310,9 +2310,6 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+ 
+ 	i = 0;
+ 	do {
+-		san.data = NULL;
+-		san.size = 0;
+-
+ 		snprintf(name, sizeof(name), "?%u.reasons", (unsigned)i + 1);
+ 
+ 		len = sizeof(reasons);
+@@ -2337,6 +2334,9 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+ 
+ 		j = 0;
+ 		do {
++			san.data = NULL;
++			san.size = 0;
++
+ 			ret =
+ 			    _gnutls_parse_general_name2(c2, name, j, &san,
+ 							&type, 0);
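Review bot: resetting san at the top of the inner loop rather than once per distribution point is the right place. Previously a second general name within the same point reused san while the first name's pointer was already stored in cdp, so a failure on that second parse left the stale pointer for the error exit to free. This now relies on a contract worth stating in a comment here: because the error exit frees san.data whenever it is non-NULL, `_gnutls_parse_general_name2` must either leave san untouched on failure or hand the allocation back; if it frees internally and leaves the pointer set, the double free returns.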
+@@ -2351,6 +2351,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+ 			ret = crl_dist_points_set(cdp, type, &san, rflags);
+ 			if (ret < 0)
+ 				break;
++			san.data = NULL; /* it is now in cdp */
+ 
+ 			j++;
+ 		} while (ret >= 0);
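Review bot: `san.data = NULL; /* it is now in cdp */` marks the ownership handoff correctly, but the failing branch just above needs the same care. When crl_dist_points_set returns < 0 the code breaks out with san.data still set and the error exit frees it, which is right only if crl_dist_points_set does not free the datum itself when it fails to store the entry. Confirm that, and document the ownership rule (success: cdp owns san.data; failure: caller still owns it) next to the call.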
+@@ -2360,6 +2361,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+ 
+ 	if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+ 		gnutls_assert();
++		gnutls_free(san.data);
+ 		goto cleanup;
+ 	}
+ 
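Review bot: the restored `gnutls_free(san.data)` is correct only because every path that hands san.data to cdp also NULLs it, and the normal termination case (`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE`) skips this block; that case must therefore never leave an allocation in san, which holds since san is reset before each parse. The `cleanup:` label is outside the hunk: check that it does not free san.data a second time, otherwise this line reintroduces the double free on the error path.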
+-- 
+2.1.4
+
diff -Nru gnutls28-3.3.8/debian/patches/series gnutls28-3.3.8/debian/patches/series
--- gnutls28-3.3.8/debian/patches/series	2015-02-28 14:15:51.000000000 +0100
+++ gnutls28-3.3.8/debian/patches/series	2015-04-27 19:34:44.000000000 +0200
@@ -7,3 +7,5 @@
 38_testforsanitycheck.diff
 39_check-whether-the-two-signatur.patch
 40_no_more_ssl3.diff
+45_eliminated-double-free.diff
+46_Better-fix-for-the-double-free.diff
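Review bot: order matters and the numbering encodes it: the final hunk of 46 has a pre-image without `gnutls_free(san.data)`, which only exists after 45 has been applied. The `index` lines also show the two upstream commits were not consecutive (45 leaves x509_ext.c at 6f09438, 46 starts from 2e69ed0), so recording in the patch headers where they were taken from (upstream branch or commit range) would help the next backport verify they still apply as a pair.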

--- End Message ---
--- Begin Message ---
Version: 8.1

Hi,

The fix discussed in this bug was released to stable as part of the 8.1
point release earlier today.

Regards,

Adam

--- End Message ---
