Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

Hello,

I would like to fix CVE-2015-3308 / #782776 in jessie by re-uploading 3.3.8-7 unchanged (except for version-number / distribution) to jessie.

gnutls28 (3.3.8-6+deb8u1) jessie; urgency=medium
  .
  * Reupload 3.3.8-7 unchanged for first point release:
    45_eliminated-double-free.diff 46_Better-fix-for-the-double-free.diff:
    Pull two patches from upstream to a use-after-free flaw in
    gnutls_x509_ext_import_crl_dist_points(). CVE-2015-3308
    Closes: #782776

It is not severe enough for a DSA; Moritz asked me to try to fix it in the point release.

thanks, cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
[The following lists of changes regard files as different if they have different names, permissions or owners.]

Files in second .changes but not in first
-----------------------------------------
-rw-r--r-- root/root /usr/lib/debug/.build-id/10/71641470893eedfb2ae95761f7a2831487578d.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/3c/00675566a5e060c9ab422431b1f6ace9e3d641.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/40/f65be6b49ba1dd1642c3a70301392728b0fa87.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/59/c0c76a47a76592ba690534af3dd8ed20716910.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/5c/15ca854181b7052a65e0e3c6bb62621e8a4796.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/86/5ba1447f92d3238aaeab5c35384f8d4ddc19f8.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/99/7b28d24819d51167eb04275b0e7781a0553677.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/ad/926b5ff6550801a0e64d7feb12bebb4f19f71b.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/b8/f5d939008965aa0fec40eb47dea7fbd36412e2.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/c4/edae6e65800cadeb0413c787c930f525569125.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/d5/6fdefdf070278c961828fef13aa01e98b0ff68.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/d8/2b478365792d82cde3c23dbba294f2f73aa6bd.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/fc/4f758dce13ac4fe7dadc3dc350d84cbe9bfad6.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/fe/3a9f524b65ebc37a28595af328de4bb9557359.debug

Files in first .changes but not in second
-----------------------------------------
-rw-r--r-- root/root /usr/lib/debug/.build-id/10/655707e8b248d97b072677ec28c377363aced4.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/13/5f3708de9f8bd9a5eaeea7b2a7902944a68d63.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/17/b7d1dfa67ec9ac3eb7569b29e52cbc47248688.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/1a/c8aaaf376060e80db75912974b2454473353a7.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/24/c0d3aa5787be23dbb556fd9eeda9aa1064ab08.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/30/4541b84d338019a289b01a0dd537bcde7906e8.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/57/ede90e9a245fcbf2a7d4bd269383d3d0783505.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/90/73d1fe7d52ce09cddc43f2ec434b31f81869ea.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/9f/818d387ca338b648a60f366308fcf64b28df00.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/a0/3622962422c45cdc0b9cf963d9d6693108d1b5.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/aa/a11c7e4144249c4a111bcd1ed1da1fc7dd4f37.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/b2/b41fd24df64b4ea7a1d88e14a37214fb80ef9d.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/c4/4292da922a90ca6a10a2a537a255ee3811d410.debug
-rw-r--r-- root/root /usr/lib/debug/.build-id/cb/c40b4e7f316d20607c6d320d6d6902115dd70b.debug

Control files of package gnutls-bin: lines which differ (wdiff format)
----------------------------------------------------------------------
Installed-Size: [-934-] {+891+}
Version: [-3.3.8-6-] {+3.3.8-6+deb8u1+}

Control files of package gnutls-doc: lines which differ (wdiff format)
----------------------------------------------------------------------
Installed-Size: [-8392-] {+8266+}
Version: [-3.3.8-6-] {+3.3.8-6+deb8u1+}

Control files of package guile-gnutls: lines which differ (wdiff format)
------------------------------------------------------------------------
Installed-Size: [-404-] {+357+}
Version: [-3.3.8-6-] {+3.3.8-6+deb8u1+}

Control files of package libgnutls-deb0-28: lines which differ (wdiff format)
-----------------------------------------------------------------------------
Installed-Size: [-2095-] {+1942+}
Version: [-3.3.8-6-] {+3.3.8-6+deb8u1+}

Control files of package libgnutls-openssl27: lines which differ (wdiff format)
-------------------------------------------------------------------------------
Depends: libgnutls-deb0-28 (= [-3.3.8-6),-] {+3.3.8-6+deb8u1),+} libc6 (>= 2.4)
Installed-Size: [-203-] {+172+}
Version: [-3.3.8-6-] {+3.3.8-6+deb8u1+}

Control files of package libgnutls28-dbg: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libgnutls-deb0-28 (= [-3.3.8-6)-] {+3.3.8-6+deb8u1)+}
Installed-Size: [-2366-] {+2275+}
Version: [-3.3.8-6-] {+3.3.8-6+deb8u1+}

Control files of package libgnutls28-dev: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libgnutls-deb0-28 (= [-3.3.8-6),-] {+3.3.8-6+deb8u1),+} libgnutlsxx28 (= [-3.3.8-6),-] {+3.3.8-6+deb8u1),+} nettle-dev (>= 2.5), libc6-dev | libc-dev, zlib1g-dev, libtasn1-6-dev (>= 3.9), libp11-kit-dev, libgnutls-openssl27 (= [-3.3.8-6)-] {+3.3.8-6+deb8u1)+}
Installed-Size: [-2490-] {+2447+}
Version: [-3.3.8-6-] {+3.3.8-6+deb8u1+}

Control files of package libgnutlsxx28: lines which differ (wdiff format)
-------------------------------------------------------------------------
Depends: libgnutls-deb0-28 (= [-3.3.8-6),-] {+3.3.8-6+deb8u1),+} libc6 (>= 2.4), libgcc1 (>= 1:4.1.1), libstdc++6 (>= 4.1.1)
Installed-Size: [-87-] {+59+}
Version: [-3.3.8-6-] {+3.3.8-6+deb8u1+}

diff -Nru gnutls28-3.3.8/debian/changelog gnutls28-3.3.8/debian/changelog
--- gnutls28-3.3.8/debian/changelog 2015-02-28 14:24:37.000000000 +0100
+++ gnutls28-3.3.8/debian/changelog 2015-04-27 19:40:34.000000000 +0200
@@ -1,3 +1,13 @@ +gnutls28 (3.3.8-6+deb8u1) jessie; urgency=medium + + * Reupload 3.3.8-7 unchanged for first point release: + 45_eliminated-double-free.diff 46_Better-fix-for-the-double-free.diff: + Pull two patches from upstream to a use-after-free flaw in + gnutls_x509_ext_import_crl_dist_points(). CVE-2015-3308 + Closes: #782776 + + -- Andreas Metzler <ametz...@debian.org> Mon, 27 Apr 2015 19:38:26 +0200 + gnutls28 (3.3.8-6) unstable; urgency=medium * 39_check-whether-the-two-signatur.patch: Pull and unfuzz diff -Nru gnutls28-3.3.8/debian/patches/45_eliminated-double-free.diff gnutls28-3.3.8/debian/patches/45_eliminated-double-free.diff --- gnutls28-3.3.8/debian/patches/45_eliminated-double-free.diff 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.3.8/debian/patches/45_eliminated-double-free.diff 2015-04-27 19:34:44.000000000 +0200 
@@ -0,0 +1,28 @@ +From d6972be33264ecc49a86cd0958209cd7363af1e9 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <n...@gnutls.org> +Date: Mon, 23 Mar 2015 22:55:29 +0100 +Subject: [PATCH] eliminated double-free in the parsing of dist points +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reported by Robert Święcki. +--- + lib/x509/x509_ext.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c +index c8d5867..6f09438 100644 +--- a/lib/x509/x509_ext.c ++++ b/lib/x509/x509_ext.c +@@ -2360,7 +2360,6 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext, + + if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + gnutls_assert(); +- gnutls_free(san.data); + goto cleanup; + } + +-- +2.1.4 + diff -Nru gnutls28-3.3.8/debian/patches/46_Better-fix-for-the-double-free.diff gnutls28-3.3.8/debian/patches/46_Better-fix-for-the-double-free.diff --- gnutls28-3.3.8/debian/patches/46_Better-fix-for-the-double-free.diff 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.3.8/debian/patches/46_Better-fix-for-the-double-free.diff 2015-04-27 19:34:44.000000000 +0200 
@@ -0,0 +1,61 @@ +From 053ae65403216acdb0a4e78b25ad66ee9f444f02 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <n...@gnutls.org> +Date: Sat, 28 Mar 2015 22:41:03 +0100 +Subject: [PATCH] Better fix for the double free in dist point parsing + +--- + lib/x509/x509_ext.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c +index 2e69ed0..f974b02 100644 +--- a/lib/x509/x509_ext.c ++++ b/lib/x509/x509_ext.c +@@ -2287,7 +2287,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext, + int len, ret; + uint8_t reasons[2]; + unsigned i, type, rflags, j; +- gnutls_datum_t san; ++ gnutls_datum_t san = {NULL, 0}; + + result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.CRLDistributionPoints", &c2); +@@ -2310,9 +2310,6 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext, + + i = 0; + do { +- san.data = NULL; +- san.size = 0; +- + snprintf(name, sizeof(name), "?%u.reasons", (unsigned)i + 1); + + len = sizeof(reasons); +@@ -2337,6 +2334,9 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext, + + j = 0; + do { ++ san.data = NULL; ++ san.size = 0; ++ + ret = + _gnutls_parse_general_name2(c2, name, j, &san, + &type, 0); +@@ -2351,6 +2351,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext, + ret = crl_dist_points_set(cdp, type, &san, rflags); + if (ret < 0) + break; ++ san.data = NULL; /* it is now in cdp */ + + j++; + } while (ret >= 0); +@@ -2360,6 +2361,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext, + + if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + gnutls_assert(); ++ gnutls_free(san.data); + goto cleanup; + } + +-- +2.1.4 + diff -Nru gnutls28-3.3.8/debian/patches/series gnutls28-3.3.8/debian/patches/series --- gnutls28-3.3.8/debian/patches/series 2015-02-28 14:15:51.000000000 +0100 +++ gnutls28-3.3.8/debian/patches/series 2015-04-27 19:34:44.000000000 +0200 
@@ -7,3 +7,5 @@ 38_testforsanitycheck.diff 39_check-whether-the-two-signatur.patch 40_no_more_ssl3.diff +45_eliminated-double-free.diff +46_Better-fix-for-the-double-free.diff
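Review bot: the new debian/changelog entry is missing its verb: "Pull two patches from upstream to a use-after-free flaw in gnutls_x509_ext_import_crl_dist_points()" should read "Pull two patches from upstream to fix a use-after-free flaw in ...". This text is what the point-release notes will carry, so it is worth fixing before upload (the bug body repeats the same wording).

Review bot: taken on its own, 45_eliminated-double-free.diff trades the double free for a leak: deleting gnutls_free(san.data) from the error path of gnutls_x509_ext_import_crl_dist_points() means that a san buffer still owned by the function at the time of the early goto cleanup is never released. That is only acceptable because 46_Better-fix-for-the-double-free.diff follows it directly in series and restores the free once ownership of san.data is tracked; the two patches must not be cherry-picked separately.

Review bot: the correctness of 46 rests on the ownership convention made explicit in the hunk at -2351: crl_dist_points_set(cdp, type, &san, rflags) is expected to take over san.data on success, which is why the added `san.data = NULL; /* it is now in cdp */` is what makes the re-added gnutls_free(san.data) in the error block at -2360 safe rather than a reintroduction of the double free. Two things are worth confirming against lib/x509/x509_ext.c in 3.3.8 before accepting: that crl_dist_points_set stores the pointer rather than copying it (otherwise the NULL assignment now leaks every entry), and that its failure path does not free san.data itself (otherwise the `break` followed by gnutls_free in the error block frees twice again). Moving the san.data/san.size reset from the outer do-loop (hunk -2310) into the inner one (hunk -2337) is right, since _gnutls_parse_general_name2 fills san once per inner iteration; the `gnutls_datum_t san = {NULL, 0}` initialiser additionally covers the path where the error block is reached before the inner loop runs at all.

Review bot: the series hunk appends 45 before 46, which is the only order that works: the context of 46's last hunk (gnutls_assert() immediately followed by goto cleanup at line 2360) exists only after 45 has removed the original gnutls_free(san.data), so swapping or dropping either line would make quilt fail to apply.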