
Bug#945925: marked as done (buster-pu: package gnutls28/3.6.7-4+deb10u1)



Your message dated Sat, 08 Feb 2020 14:21:36 +0000
with message-id <cf1cb2f35981916a86b98b83609df15c95aa378b.camel@adam-barratt.org.uk>
and subject line Closing requests included in 10.3 point release
has caused the Debian Bug report #945925,
regarding buster-pu: package gnutls28/3.6.7-4+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
945925: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945925
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Good morning,

I would like to see #933538 fixed in buster, which is an interoperability
problem with old (2.x, that is wheezy) versions of gnutls.

cu Andreas
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .changes but not in first
-----------------------------------------

Files in first .changes but not in second
-----------------------------------------

Control files of package gnutls-bin: lines which differ (wdiff format)
----------------------------------------------------------------------
Installed-Size: [-1587-] {+1588+}
Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+}

Control files of package gnutls-bin-dbgsym: lines which differ (wdiff format)
-----------------------------------------------------------------------------
Build-Ids: [-0ff0796530c37d210935e7808160fd89b3303092 1106d4483482f51e9f04c4fffbf164e0348ba5d3 13874b86eafc2b2965ff1853c87ee6df7987c581 5558da73c3d0c1fae464c8c1c206dea6279aa5b2 700562a775625daa6f3892bbd4bfdf2478537723 b2ada5bc7ee4fc083e4a45bd6b2b2b2c5257e68e b4d85fa0bcde4dd34ea2de34f8bac96e9244b058 c4444a7b5a7906fc1eeca540d1d91064c4a92a3e d19c1bb870c8ec979ea276b8f584cddc80e2da61-] {+1a591272a07d9e6d0140db75455b9b4bcc8eeddd 740d1a42bc21c173d6a991375b0d8ddb934ec0bd 8bc687d446ade64a2f7c29950e17eda1a2e91e11 be692a24b17141539bbe9fe246bbde637669ecff c0fe9421f82709abe4e7d487af28fd7402ffbb53 cb6160515c1e9b0c02a1d6751325e360b590b83e f3e7c24dbf4184d814468b89270b4c40cb205b8c f8818eb8e83e9bd9a3c0cfb9b9cbb656bd1f288b fa92b545084722f485080b95a6eca92571ece25f+}
Depends: gnutls-bin (= [-3.6.7-4)-] {+3.6.7-4+deb10u1)+}
Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+}

Control files of package gnutls-doc: lines which differ (wdiff format)
----------------------------------------------------------------------
Installed-Size: [-7334-] {+7335+}
Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+}

Control files of package libgnutls-dane0: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.6.7-4),-] {+3.6.7-4+deb10u1),+} libc6 (>= 2.14), libunbound8 (>= 1.8.0)
Installed-Size: [-369-] {+370+}
Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+}

Control files of package libgnutls-dane0-dbgsym: lines which differ (wdiff format)
----------------------------------------------------------------------------------
Build-Ids: [-d328298de34135fca5f236357f2f2dd56cb109f3-] {+b17a60f0701c7de3d7e5e921305846b5efbc3c91+}
Depends: libgnutls-dane0 (= [-3.6.7-4)-] {+3.6.7-4+deb10u1)+}
Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+}

Control files of package libgnutls-openssl27: lines which differ (wdiff format)
-------------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.6.7-4),-] {+3.6.7-4+deb10u1),+} libc6 (>= 2.14)
Installed-Size: [-372-] {+373+}
Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+}

Control files of package libgnutls-openssl27-dbgsym: lines which differ (wdiff format)
--------------------------------------------------------------------------------------
Build-Ids: [-fe4c3c0c38af44779c38ae5d1e187b6250f7afe0-] {+5e61e31c2ae39982eeb14ae1c8f66aff43e1083a+}
Depends: libgnutls-openssl27 (= [-3.6.7-4)-] {+3.6.7-4+deb10u1)+}
Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+}

Control files of package libgnutls28-dev: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libc6-dev | libc-dev, libgnutls-dane0 (= [-3.6.7-4),-] {+3.6.7-4+deb10u1),+} libgnutls-openssl27 (= [-3.6.7-4),-] {+3.6.7-4+deb10u1),+} libgnutls30 (= [-3.6.7-4),-] {+3.6.7-4+deb10u1),+} libgnutlsxx28 (= [-3.6.7-4),-] {+3.6.7-4+deb10u1),+} libidn2-dev, libp11-kit-dev (>= 0.23.10), libtasn1-6-dev, nettle-dev (>= 3.4.1~rc1)
Installed-Size: [-4313-] {+4314+}
Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+}

Control files of package libgnutls30: lines which differ (wdiff format)
-----------------------------------------------------------------------
Installed-Size: [-2643-] {+2644+}
Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+}

Control files of package libgnutls30-dbgsym: lines which differ (wdiff format)
------------------------------------------------------------------------------
Build-Ids: [-4d66d28cd2e7537e1e1d2905595b260226b22ad2-] {+1ca9574531f2bffce01464c8a654b2e0c2ed894b+}
Depends: libgnutls30 (= [-3.6.7-4)-] {+3.6.7-4+deb10u1)+}
Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+}

Control files of package libgnutlsxx28: lines which differ (wdiff format)
-------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.6.7-4),-] {+3.6.7-4+deb10u1),+} libc6 (>= 2.14), libgcc1 (>= 1:3.0), libstdc++6 (>= 5)
Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+}

Control files of package libgnutlsxx28-dbgsym: lines which differ (wdiff format)
--------------------------------------------------------------------------------
Build-Ids: [-d752158b357b5875ebc8680001b57a886b94a1a4-] {+b8bd0e5aecb48c352850674891129476d08d016a+}
Depends: libgnutlsxx28 (= [-3.6.7-4)-] {+3.6.7-4+deb10u1)+}
Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+}



diff -Nru gnutls28-3.6.7/debian/changelog gnutls28-3.6.7/debian/changelog
--- gnutls28-3.6.7/debian/changelog	2019-06-12 19:21:23.000000000 +0200
+++ gnutls28-3.6.7/debian/changelog	2019-11-30 13:41:59.000000000 +0100
@@ -1,3 +1,11 @@
+gnutls28 (3.6.7-4+deb10u1) buster; urgency=medium
+
+  * 42_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch
+    from 3.6.10: Fix interop problems with gnutls 2.x. Closes: #933538
+    (Thanks, Hanno Stock!)
+
+ -- Andreas Metzler <ametzler@debian.org>  Sat, 30 Nov 2019 13:41:59 +0100
+
 gnutls28 (3.6.7-4) unstable; urgency=medium
 
   * Cherry-pick important bug-fixes from 3.6.8:
diff -Nru gnutls28-3.6.7/debian/patches/42_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch gnutls28-3.6.7/debian/patches/42_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch
--- gnutls28-3.6.7/debian/patches/42_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.6.7/debian/patches/42_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch	2019-11-30 13:41:59.000000000 +0100
@@ -0,0 +1,63 @@
+From daa49b9e455d262a1a2bc1b641e72dc004e2cb3e Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Sat, 3 Aug 2019 21:51:58 +0200
+Subject: [PATCH] _gnutls_epoch_set_keys: do not forbid random padding in
+ TLS1.x CBC ciphersuites
+
+Since some point in 3.6.x we updated the calculation of maximum record size,
+however that did not include the possibility of random record padding available
+for CBC ciphersuites which exceeds the maximum. This commit allows for larger
+sizes for these ciphersuites to account for random padding as applied by
+gnutls 2.12.x.
+
+Resolves: #811
+
+Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+---
+ NEWS           |  4 ++++
+ lib/constate.c | 11 +++++++++--
+ lib/record.c   |  4 ++--
+ 3 files changed, 15 insertions(+), 4 deletions(-)
+
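Review bot: the diffstat in this patch header lists `NEWS | 4 ++++` and "3 files changed", but the patch body that follows only carries hunks for lib/constate.c and lib/record.c. If the NEWS hunk was dropped deliberately for the backport, say so in the patch header (and adjust or remove the stale diffstat) so that a later reader comparing against upstream commit daa49b9e455d262a1a2bc1b641e72dc004e2cb3e does not take the patch for truncated.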
+diff --git a/lib/constate.c b/lib/constate.c
+index 51a4eca30..4c6ca0fd0 100644
+--- a/lib/constate.c
++++ b/lib/constate.c
+@@ -707,10 +707,17 @@ int _gnutls_epoch_set_keys(gnutls_session_t session, uint16_t epoch, hs_stage_t
+ 			return gnutls_assert_val(ret);
+ 	}
+ 
+-	if (ver->tls13_sem) {
++	/* The TLS1.3 limit of 256 additional bytes is also enforced under CBC
++	 * ciphers to ensure we interoperate with gnutls 2.12.x which could add padding
++	 * data exceeding the maximum. */
++	if (ver->tls13_sem || _gnutls_cipher_type(params->cipher) == CIPHER_BLOCK) {
+ 		session->internals.max_recv_size = 256;
+ 	} else {
+-		session->internals.max_recv_size = _gnutls_record_overhead(ver, params->cipher, params->mac, 1);
++		session->internals.max_recv_size = 0;
++	}
++
++	if (!ver->tls13_sem) {
++		session->internals.max_recv_size += _gnutls_record_overhead(ver, params->cipher, params->mac, 1);
+ 		if (session->internals.allow_large_records != 0)
+ 			session->internals.max_recv_size += EXTRA_COMP_SIZE;
+ 	}
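Review bot: the comment added above the `if (ver->tls13_sem || _gnutls_cipher_type(params->cipher) == CIPHER_BLOCK)` test says the 256-byte limit is "enforced" under CBC, but for block ciphers the code now adds 256 on top of `_gnutls_record_overhead(...)`, so the change raises the record length accepted on every pre-TLS1.3 block-cipher session, not only when the peer is gnutls 2.12.x. Please reword the comment to say that up to 256 extra bytes are tolerated for CBC, and give the literal 256 a named constant since it now serves two different purposes. The diffstat shows no test file, so a regression test that feeds a CBC record with maximum random padding through this path would be worth adding alongside the backport.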
+diff --git a/lib/record.c b/lib/record.c
+index 39d2a16be..7c7e36561 100644
+--- a/lib/record.c
++++ b/lib/record.c
+@@ -1219,8 +1219,8 @@ static int recv_headers(gnutls_session_t session,
+ 
+ 	if (record->length == 0 || record->length > max_record_recv_size(session)) {
+ 		_gnutls_audit_log
+-		    (session, "Received packet with illegal length: %u\n",
+-		     (unsigned int) record->length);
++		    (session, "Received packet with illegal length: %u (max: %u)\n",
++		     (unsigned int) record->length, (unsigned)max_record_recv_size(session));
+ 
+ 		if (record->length == 0) {
+ 			/* Empty, unencrypted records are always unexpected. */
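Review bot: in the new `_gnutls_audit_log` call, `max_record_recv_size(session)` is evaluated a second time right after the `if` condition already called it, and the two arguments are cast differently (`(unsigned int)` for the length, `(unsigned)` for the maximum). Store the maximum in a local before the `if` and use the same cast for both `%u` arguments, so the value logged is guaranteed to be the one the check compared against.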
+-- 
+2.24.0
+
diff -Nru gnutls28-3.6.7/debian/patches/series gnutls28-3.6.7/debian/patches/series
--- gnutls28-3.6.7/debian/patches/series	2019-06-12 19:21:15.000000000 +0200
+++ gnutls28-3.6.7/debian/patches/series	2019-11-30 13:41:59.000000000 +0100
@@ -5,3 +5,4 @@
 40_rel3.6.8_10-ext-record_size_limit-distinguish-sending-and-receiv.patch
 40_rel3.6.8_15-Apply-STD3-ASCII-rules-in-gnutls_idna_map.patch
 40_rel3.6.8_20-pubkey-remove-deprecated-TLS1_RSA-flag-check.patch
+42_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch



--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.3

Hi,

Each of the uploads referred to by these bugs was included in today's
stable point release.

Regards,

Adam

--- End Message ---
