
Bug#840191: jessie-pu: package gnutls28/3.3.8-6+deb8u4



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi Stable Release Managers,

X-Debbugs-CC'ed Andreas Metzler.

gnutls28 in jessie is affected by CVE-2016-7444, GNUTLS-SA-2016-3,
having a flaw in the OCSP certificate check. This was fixed upstream
and included in unstable with 3.5.3-4 but would not warrant a DSA.

Attached is the proposed debdiff for jessie. Would it be acceptable for an
upcoming point release?

Regards,
Salvatore
diff -Nru gnutls28-3.3.8/debian/changelog gnutls28-3.3.8/debian/changelog
--- gnutls28-3.3.8/debian/changelog	2015-08-14 18:29:51.000000000 +0200
+++ gnutls28-3.3.8/debian/changelog	2016-10-09 14:36:18.000000000 +0200
@@ -1,3 +1,11 @@
+gnutls28 (3.3.8-6+deb8u4) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2016-7444: Incorrect certificate validation when using OCSP responses
+    (GNUTLS-SA-2016-3)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 09 Oct 2016 14:36:18 +0200
+
 gnutls28 (3.3.8-6+deb8u3) jessie; urgency=medium
 
   * Pull 50_Handle-zero-length-plaintext-for-VIA-PadLock-functio.patch from
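Review bot: the changelog entry names the CVE and the GNUTLS-SA-2016-3 advisory but cites no Debian bug; if a BTS bug exists for CVE-2016-7444 in gnutls28, append `(Closes: #NNNNNN)` (placeholder number) to the CVE line so the BTS is closed on upload. Otherwise the entry is fine for a stable update: NMU marked, distribution `jessie`, version `3.3.8-6+deb8u4` following the deb8uN convention.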
diff -Nru gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch
--- gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch	2016-10-09 14:36:18.000000000 +0200
@@ -0,0 +1,24 @@
+From 964632f37dfdfb914ebc5e49db4fa29af35b1de9 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Sat, 27 Aug 2016 17:00:22 +0200
+Subject: [PATCH] ocsp: corrected the comparison of the serial size in OCSP
+ response
+
+Previously the OCSP certificate check wouldn't verify the serial length
+and could succeed in cases it shouldn't.
+
+Reported by Stefan Buehler.
+---
+ lib/x509/ocsp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/lib/x509/ocsp.c
++++ b/lib/x509/ocsp.c
+@@ -1251,6 +1251,7 @@ gnutls_ocsp_resp_check_crt(gnutls_ocsp_r
+ 		gnutls_assert();
+ 		goto cleanup;
+ 	}
++	cserial.size = t;
+ 
+ 	if (rserial.size != cserial.size
+ 	    || memcmp(cserial.data, rserial.data, rserial.size) != 0) {
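Review bot: the one-line fix `+	cserial.size = t;` only closes the hole described in the commit message ("wouldn't verify the serial length") if `t` is the actual serial length returned by the retrieval call in the preceding, unshown lines; the hunk context starts at the error branch, so the full `gnutls_ocsp_resp_check_crt` body should be checked to confirm `t` is that output length rather than the buffer capacity, otherwise `rserial.size != cserial.size` still compares the wrong value and the `memcmp` over `rserial.size` bytes can match on a prefix. The patch file carries git format-patch headers (From/Date/Subject) but no DEP-3 `Origin:` line; adding `Origin: upstream, commit 964632f37dfdfb914ebc5e49db4fa29af35b1de9` would make the provenance explicit for later rebases.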
diff -Nru gnutls28-3.3.8/debian/patches/series gnutls28-3.3.8/debian/patches/series
--- gnutls28-3.3.8/debian/patches/series	2015-08-13 19:52:00.000000000 +0200
+++ gnutls28-3.3.8/debian/patches/series	2016-10-09 14:36:18.000000000 +0200
@@ -14,3 +14,4 @@
 51_0001__gnutls_session_sign_algo_enabled-do-not-consider-an.patch
 51_0002_before-falling-back-to-SHA1-as-signature-algorithm-i.patch
 51_0003_tests-added-reproducer-for-the-MD5-acceptance-issue.patch
+52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch
