Bug#840191: jessie-pu: package gnutls28/3.3.8-6+deb8u4
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Hi Stable Release Managers,
X-Debbugs-CC'ed Andreas Metzler.
gnutls28 in jessie is affected by CVE-2016-7444, GNUTLS-SA-2016-3,
having a flaw in the OCSP certificate check. This was fixed upstream
and included in unstable with 3.5.3-4 but would not warrant a DSA.
Attached is the proposed debdiff for jessie. Would it be acceptable for an
upcoming point release?
Regards,
Salvatore
diff -Nru gnutls28-3.3.8/debian/changelog gnutls28-3.3.8/debian/changelog
--- gnutls28-3.3.8/debian/changelog 2015-08-14 18:29:51.000000000 +0200
+++ gnutls28-3.3.8/debian/changelog 2016-10-09 14:36:18.000000000 +0200
@@ -1,3 +1,11 @@
+gnutls28 (3.3.8-6+deb8u4) jessie; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2016-7444: Incorrect certificate validation when using OCSP responses
+ (GNUTLS-SA-2016-3)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sun, 09 Oct 2016 14:36:18 +0200
+
gnutls28 (3.3.8-6+deb8u3) jessie; urgency=medium
* Pull 50_Handle-zero-length-plaintext-for-VIA-PadLock-functio.patch from
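Review bot: the changelog entry should point at the upstream origin of the fix so a later reader can verify the backport: the patch itself records commit 964632f37dfdfb914ebc5e49db4fa29af35b1de9 and the unstable fix in 3.5.3-4 is mentioned in the cover mail, but neither appears in the entry. Suggest extending the second bullet to something like "* CVE-2016-7444: Incorrect certificate validation when using OCSP responses (GNUTLS-SA-2016-3). Backport of upstream commit 964632f3 (fixed in sid in 3.5.3-4)." The "Non-maintainer upload." line matches the X-Debbugs-CC to the maintainer, so that part is in order.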
diff -Nru gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch
--- gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch 1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch 2016-10-09 14:36:18.000000000 +0200
@@ -0,0 +1,24 @@
+From 964632f37dfdfb914ebc5e49db4fa29af35b1de9 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Sat, 27 Aug 2016 17:00:22 +0200
+Subject: [PATCH] ocsp: corrected the comparison of the serial size in OCSP
+ response
+
+Previously the OCSP certificate check wouldn't verify the serial length
+and could succeed in cases it shouldn't.
+
+Reported by Stefan Buehler.
+---
+ lib/x509/ocsp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/lib/x509/ocsp.c
++++ b/lib/x509/ocsp.c
+@@ -1251,6 +1251,7 @@ gnutls_ocsp_resp_check_crt(gnutls_ocsp_r
+ gnutls_assert();
+ goto cleanup;
+ }
++ cserial.size = t;
+
+ if (rserial.size != cserial.size
+ || memcmp(cserial.data, rserial.data, rserial.size) != 0) {
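Review bot: the correctness of the one-line fix hinges on `t` holding the actual serial length written by the call that fills `cserial.data` just above the shown context; since that call and the declaration of `t` are not in the hunk, confirm that in the 3.3.8 sources at line 1251 the preceding code really leaves the length in `t` rather than already in `cserial.size`, otherwise the assignment is either a no-op or a mismatch against `rserial.size`. Worth checking as well that `t` is not a wider type than `cserial.size` in 3.3.8 (a silent narrowing would defeat the length check). The patch file carries only the git From/Date/Subject header and no DEP-3 `Origin:` or `Bug-Debian:` line; adding `Origin: upstream, https://gitlab.com/gnutls/gnutls/commit/964632f37dfdfb914ebc5e49db4fa29af35b1de9` (URL assumed from the commit id in the header) would make the provenance auditable from the patch alone.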
diff -Nru gnutls28-3.3.8/debian/patches/series gnutls28-3.3.8/debian/patches/series
--- gnutls28-3.3.8/debian/patches/series 2015-08-13 19:52:00.000000000 +0200
+++ gnutls28-3.3.8/debian/patches/series 2016-10-09 14:36:18.000000000 +0200
@@ -14,3 +14,4 @@
51_0001__gnutls_session_sign_algo_enabled-do-not-consider-an.patch
51_0002_before-falling-back-to-SHA1-as-signature-algorithm-i.patch
51_0003_tests-added-reproducer-for-the-MD5-acceptance-issue.patch
+52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch
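Review bot: appending the 52_ entry after the 51_ series is consistent with the numbering convention, but the patch was generated against 2016 upstream sources while the base here is 3.3.8 from 2015, so before upload confirm that `quilt push -a` applies it without fuzz or offset on top of the three 51_ patches and that `lib/x509/ocsp.c` still matches the `gnutls_ocsp_resp_check_crt` context at line 1251.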