Control: tags 860072 + pending

Dear maintainer, hi Ondrej

I've prepared an NMU for botan1.10 (versioned as 1.10.15-1.1) and
uploaded it to DELAYED/3. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
diff -Nru botan1.10-1.10.15/debian/changelog botan1.10-1.10.15/debian/changelog
--- botan1.10-1.10.15/debian/changelog	2017-01-13 09:47:48.000000000 +0100
+++ botan1.10-1.10.15/debian/changelog	2017-05-28 14:14:46.000000000 +0200
@@ -1,3 +1,14 @@
+botan1.10 (1.10.15-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add fix for CVE-2017-2801.
+    Fix a bug in X509 DN string comparisons that could result in out of
+    bound reads. This could result in information leakage, denial of
+    service, or potentially incorrect certificate validation results.
+    (Closes: #860072)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sun, 28 May 2017 14:14:46 +0200
+
 botan1.10 (1.10.15-1) unstable; urgency=medium
 
   * New upstream version 1.10.15
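Review bot: the new entry does not say which upstream change it backports, so a reader of the changelog alone cannot trace the fix; since the patch's From line carries commit c927101675e5f63fc0bdd93c5a4825adc54323b4, cite that id in the entry (e.g. "Add fix for CVE-2017-2801 (upstream commit c927101)"). The rest of the entry is in order: it names the CVE, summarises the impact and closes #860072.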
diff -Nru botan1.10-1.10.15/debian/patches/0005-Add-fix-for-CVE-2017-2801.patch botan1.10-1.10.15/debian/patches/0005-Add-fix-for-CVE-2017-2801.patch
--- botan1.10-1.10.15/debian/patches/0005-Add-fix-for-CVE-2017-2801.patch	1970-01-01 01:00:00.000000000 +0100
+++ botan1.10-1.10.15/debian/patches/0005-Add-fix-for-CVE-2017-2801.patch	2017-05-28 14:14:46.000000000 +0200
@@ -0,0 +1,25 @@
+From c927101675e5f63fc0bdd93c5a4825adc54323b4 Mon Sep 17 00:00:00 2001
+From: Jack Lloyd <j...@randombit.net>
+Date: Tue, 4 Apr 2017 16:18:27 -0400
+Subject: [PATCH] Add fix for CVE-2017-2801
+
+---
+ src/utils/parsing.cpp |  2 ++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/src/utils/parsing.cpp b/src/utils/parsing.cpp
+index 9ec00040c..fc7e96328 100644
+--- a/src/utils/parsing.cpp
++++ b/src/utils/parsing.cpp
+@@ -230,6 +230,8 @@ bool x500_name_cmp(const std::string& name1, const std::string& name2)
+ 
+          if(p1 == name1.end() && p2 == name2.end())
+             return true;
++         if(p1 == name1.end() || p2 == name2.end())
++            return false;
+          }
+ 
+       if(!Charset::caseless_cmp(*p1, *p2))
+-- 
+2.11.0
+
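Review bot: the diffstat in the embedded patch is inconsistent with its body: it lists only `src/utils/parsing.cpp |  2 ++` yet states `2 files changed, 12 insertions(+)`, so the upstream commit was trimmed to this one file without the stat line being regenerated. Either regenerate the header for the trimmed change or correct it to `1 file changed, 2 insertions(+)`, and record in a DEP-3 header which parts of the upstream commit were dropped. The patch also lacks the usual DEP-3 fields for a security backport; adding `Origin:` with the upstream commit URL and `Bug-Debian: https://bugs.debian.org/860072` would keep the provenance next to the code. On the logic itself, the added early return sits after the both-exhausted check and before `Charset::caseless_cmp(*p1, *p2)`, so neither iterator is dereferenced once it has reached `end()`, which is the out-of-bounds read the changelog describes; that part looks correct for the lines shown.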
diff -Nru botan1.10-1.10.15/debian/patches/series botan1.10-1.10.15/debian/patches/series
--- botan1.10-1.10.15/debian/patches/series	2017-01-13 09:47:48.000000000 +0100
+++ botan1.10-1.10.15/debian/patches/series	2017-05-28 14:14:46.000000000 +0200
@@ -2,3 +2,4 @@
 0002-add-powerpc64le-support.patch
 0003-add-arm64-support.patch.patch
 0004-add-or1k-support.patch
+0005-Add-fix-for-CVE-2017-2801.patch
