Bug#1054446: marked as done (bookworm-pu: package wolfssl/5.5.4-2+deb12u1)

To: Jonathan Wiltshire <jmw@coccia.debian.org>
Subject: Bug#1054446: marked as done (bookworm-pu: package wolfssl/5.5.4-2+deb12u1)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sat, 10 Feb 2024 13:15:06 +0000
Message-id: <[🔎] handler.1054446.D1054446.1707570683683580.ackdone@bugs.debian.org>
Reply-to: 1054446@bugs.debian.org
References: <E1rYn8Z-002yYL-Jx@coccia.debian.org> <03f3d94a-8dbe-430b-9075-1755b7850fae@debian.org>

Your message dated Sat, 10 Feb 2024 13:11:19 +0000
with message-id <E1rYn8Z-002yYL-Jx@coccia.debian.org>
and subject line Released with 12.5
has caused the Debian Bug report #1054446,
regarding bookworm-pu: package wolfssl/5.5.4-2+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1054446: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054446
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: submit <submit@bugs.debian.org>
Subject: bookworm-pu: package wolfssl/5.5.4-2+deb12u1
From: Bastian Germann <bage@debian.org>
Date: Mon, 23 Oct 2023 21:48:45 +0200
Message-id: <03f3d94a-8dbe-430b-9075-1755b7850fae@debian.org>

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-CC: sirkilamole@msn.com

Hi,

I am including a fix for wolfssl's CVE-2023-3724.
The vulnerability is tracked by the Security Team in #1041699 and is fixed in unstable.
Aside from the changelog, this is exactly the same debdiff as provided by 5.5.4-2.1.
The new patch is taken from upstream as suggested by Jacob Barthelmeh.

Thanks,
Bastian

diff -Nru wolfssl-5.5.4/debian/changelog wolfssl-5.5.4/debian/changelog
--- wolfssl-5.5.4/debian/changelog	2023-02-06 14:41:53.000000000 +0000
+++ wolfssl-5.5.4/debian/changelog	2023-10-23 17:46:16.000000000 +0000
@@ -1,3 +1,10 @@
+wolfssl (5.5.4-2+deb12u1) bookworm; urgency=medium
+
+  * Stable update to address the following vulnerabilities:
+    - Fix CVE-2023-3724.
+
+ -- Bastian Germann <bage@debian.org>  Mon, 23 Oct 2023 17:46:16 +0000
+
 wolfssl (5.5.4-2) unstable; urgency=medium
 
   * Clarify in README.Debian and in the package descriptions that wolfssl is
diff -Nru wolfssl-5.5.4/debian/patches/cve-2023-3724.patch wolfssl-5.5.4/debian/patches/cve-2023-3724.patch
--- wolfssl-5.5.4/debian/patches/cve-2023-3724.patch	1970-01-01 00:00:00.000000000 +0000
+++ wolfssl-5.5.4/debian/patches/cve-2023-3724.patch	2023-10-23 17:46:16.000000000 +0000
@@ -0,0 +1,47 @@
+Origin: backport, 00f1eddee429ff51390b20caadd2eb6afe51e1aa
+From: Jacob Barthelmeh <jacob@wolfssl.com>
+Date: Mon, 15 May 2023 15:49:44 -0700
+Subject: add tls extension sanity check
+
+---
+ src/tls.c   |  3 +++
+ src/tls13.c | 10 ++++++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/src/tls.c b/src/tls.c
+index bced9f9b13f..9bbabfb14e2 100644
+--- a/src/tls.c
++++ b/src/tls.c
+@@ -8475,6 +8475,9 @@ int TLSX_KeyShare_Parse(WOLFSSL* ssl, const byte* input, word16 length,
+         if (!WOLFSSL_NAMED_GROUP_IS_PQC(group))
+ #endif
+             ret = TLSX_KeyShare_Use(ssl, group, 0, NULL, NULL);
++
++        if (ret == 0)
++            ssl->session->namedGroup = ssl->namedGroup = group;
+     }
+     else {
+         /* Not a message type that is allowed to have this extension. */
+diff --git a/src/tls13.c b/src/tls13.c
+index e5360790b3b..0f1bbc1aad1 100644
+--- a/src/tls13.c
++++ b/src/tls13.c
+@@ -5236,8 +5236,18 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
+         }
+ #endif
+ 
++        /* sanity check on PSK / KSE */
++        if (
++    #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
++            ssl->options.pskNegotiated == 0 &&
++    #endif
++            ssl->session->namedGroup == 0) {
++            return EXT_MISSING;
++        }
++
+         ssl->keys.encryptionOn = 1;
+         ssl->options.serverState = SERVER_HELLO_COMPLETE;
++
+     }
+     else {
+         ssl->options.tls1_3 = 1;
diff -Nru wolfssl-5.5.4/debian/patches/series wolfssl-5.5.4/debian/patches/series
--- wolfssl-5.5.4/debian/patches/series	2022-11-07 17:38:12.000000000 +0000
+++ wolfssl-5.5.4/debian/patches/series	2023-10-23 17:46:16.000000000 +0000
@@ -4,3 +4,4 @@
 fix-hurd-i386-flags.patch
 disable-crl-monitor.patch
 disable-jobserver.patch
+cve-2023-3724.patch

--- End Message ---

--- Begin Message ---

To: 1054446-done@bugs.debian.org

Subject: Released with 12.5

From: Jonathan Wiltshire <jmw@coccia.debian.org>

Date: Sat, 10 Feb 2024 13:11:19 +0000

Message-id: <E1rYn8Z-002yYL-Jx@coccia.debian.org>
Version: 12.5

The upload requested in this bug has been released as part of 12.5.
--- End Message ---

Reply to:

Prev by Date: Bug#1054386: marked as done (bookworm-pu: package fssync/1.6-1.1+deb12u1)
Next by Date: Bug#1054466: marked as done (bookworm-pu: package localslackirc/1.17-1.1)
Previous by thread: Bug#1054386: marked as done (bookworm-pu: package fssync/1.6-1.1+deb12u1)
Next by thread: Bug#1054466: marked as done (bookworm-pu: package localslackirc/1.17-1.1)
Index(es):
- Date
- Thread