On 2020-06-25 Andreas Metzler <ametz...@bebt.de> wrote:
[...]
>   * Pull fixes for CVE-2019-3836 / [GNUTLS-SA-2019-03-27, #694].
>     + 40_casts_related_to_fix_CVE-2019-3829.patch
>     + 40_rel3.6.7_01-Automatically-NULLify-after-gnutls_free.patch
>     + 40_rel3.6.7_01-fuzz-added-fuzzer-for-certificate-verification.patch
>     + 41_use_datefudge_to_trigger_CVE-2019-3829_testcase.diff
>   * More important fixes:
>     + 43_rel3.6.14_10-session_pack-fix-leak-in-error-path.patch
>       [One-line-fix for memleak]
>     + 44_rel3.6.14_10-Update-session_ticket.c-to-add-support-for-zero-leng.patch
>       Handle zero length session tickets, fixing connection errors on TLS1.2
>       sessions to some big hosting providers. (See LP 1876286)
>       [Fixes connections to e.g. verizon popserver.]
[...]

Here is the missing debdiff.

cu Andreas
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Control files of package gnutls-bin: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-3.5.8-5+deb9u4-] {+3.5.8-5+deb9u5+}

Control files of package gnutls-bin-dbgsym: lines which differ (wdiff format)
-----------------------------------------------------------------------------
Depends: gnutls-bin (= [-3.5.8-5+deb9u4)-] {+3.5.8-5+deb9u5)+}
Installed-Size: [-992-] {+991+}
Version: [-3.5.8-5+deb9u4-] {+3.5.8-5+deb9u5+}

Control files of package gnutls-doc: lines which differ (wdiff format)
----------------------------------------------------------------------
Installed-Size: [-9325-] {+9327+}
Version: [-3.5.8-5+deb9u4-] {+3.5.8-5+deb9u5+}

Control files of package libgnutls-dane0: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.5.8-5+deb9u4),-] {+3.5.8-5+deb9u5),+} libc6 (>= 2.14), libunbound2 (>= 1.4.1)
Version: [-3.5.8-5+deb9u4-] {+3.5.8-5+deb9u5+}

Control files of package libgnutls-dane0-dbgsym: lines which differ (wdiff format)
----------------------------------------------------------------------------------
Depends: libgnutls-dane0 (= [-3.5.8-5+deb9u4)-] {+3.5.8-5+deb9u5)+}
Version: [-3.5.8-5+deb9u4-] {+3.5.8-5+deb9u5+}

Control files of package libgnutls-openssl27: lines which differ (wdiff format)
-------------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.5.8-5+deb9u4),-] {+3.5.8-5+deb9u5),+} libc6 (>= 2.14)
Version: [-3.5.8-5+deb9u4-] {+3.5.8-5+deb9u5+}

Control files of package libgnutls-openssl27-dbgsym: lines which differ (wdiff format)
--------------------------------------------------------------------------------------
Depends: libgnutls-openssl27 (= [-3.5.8-5+deb9u4)-] {+3.5.8-5+deb9u5)+}
Version: [-3.5.8-5+deb9u4-] {+3.5.8-5+deb9u5+}

Control files of package libgnutls28-dev: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.5.8-5+deb9u4),-] {+3.5.8-5+deb9u5),+} libgnutls-openssl27 (= [-3.5.8-5+deb9u4),-] {+3.5.8-5+deb9u5),+} libgnutlsxx28 (= [-3.5.8-5+deb9u4),-] {+3.5.8-5+deb9u5),+} libgnutls-dane0 (= [-3.5.8-5+deb9u4),-] {+3.5.8-5+deb9u5),+} nettle-dev, libc6-dev | libc-dev, zlib1g-dev, libtasn1-6-dev, libp11-kit-dev, libidn11-dev (>= 1.31)
Installed-Size: [-3951-] {+3953+}
Version: [-3.5.8-5+deb9u4-] {+3.5.8-5+deb9u5+}

Control files of package libgnutls30: lines which differ (wdiff format)
-----------------------------------------------------------------------
Version: [-3.5.8-5+deb9u4-] {+3.5.8-5+deb9u5+}

Control files of package libgnutls30-dbgsym: lines which differ (wdiff format)
------------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.5.8-5+deb9u4)-] {+3.5.8-5+deb9u5)+}
Installed-Size: [-2882-] {+2883+}
Version: [-3.5.8-5+deb9u4-] {+3.5.8-5+deb9u5+}

Control files of package libgnutlsxx28: lines which differ (wdiff format)
-------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.5.8-5+deb9u4),-] {+3.5.8-5+deb9u5),+} libc6 (>= 2.4), libgcc1 (>= 1:3.0), libstdc++6 (>= 5)
Version: [-3.5.8-5+deb9u4-] {+3.5.8-5+deb9u5+}

Control files of package libgnutlsxx28-dbgsym: lines which differ (wdiff format)
--------------------------------------------------------------------------------
Depends: libgnutlsxx28 (= [-3.5.8-5+deb9u4)-] {+3.5.8-5+deb9u5)+}
Version: [-3.5.8-5+deb9u4-] {+3.5.8-5+deb9u5+}

diff -Nru gnutls28-3.5.8/debian/changelog gnutls28-3.5.8/debian/changelog --- gnutls28-3.5.8/debian/changelog 2018-10-06 14:06:18.000000000 +0200 +++ gnutls28-3.5.8/debian/changelog 2020-06-14 18:22:20.000000000 +0200 
@@ -1,3 +1,18 @@ +gnutls28 (3.5.8-5+deb9u5) stretch; urgency=medium + + * Pull fixes for CVE-2019-3836 / [GNUTLS-SA-2019-03-27, #694]. + + 40_casts_related_to_fix_CVE-2019-3829.patch + + 40_rel3.6.7_01-Automatically-NULLify-after-gnutls_free.patch + + 40_rel3.6.7_01-fuzz-added-fuzzer-for-certificate-verification.patch + + 41_use_datefudge_to_trigger_CVE-2019-3829_testcase.diff + * More important fixes: + + 43_rel3.6.14_10-session_pack-fix-leak-in-error-path.patch + + 44_rel3.6.14_10-Update-session_ticket.c-to-add-support-for-zero-leng.patch + Handle zero length session tickets, fixing connection errors on TLS1.2 + sessions to some big hosting providers. (See LP 1876286) + + -- Andreas Metzler <ametz...@debian.org> Sun, 14 Jun 2020 18:22:20 +0200 + gnutls28 (3.5.8-5+deb9u4) stretch; urgency=medium * Pull fixes for CVE-2018-10844 and CVE-2018-10845 from gnutls 3.5.19 diff -Nru gnutls28-3.5.8/debian/patches/40_casts_related_to_fix_CVE-2019-3829.patch gnutls28-3.5.8/debian/patches/40_casts_related_to_fix_CVE-2019-3829.patch --- gnutls28-3.5.8/debian/patches/40_casts_related_to_fix_CVE-2019-3829.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.5.8/debian/patches/40_casts_related_to_fix_CVE-2019-3829.patch 2020-06-11 14:47:12.000000000 +0200 
@@ -0,0 +1,27 @@ +Description: fix casts used in gnutls_free + Pulled from Ubuntu 3.5.18-1ubuntu1.1 +Origin: https://gitlab.com/gnutls/gnutls/commit/372821c883a3d36ed3ed683844ad9d90818f6392 + + +--- a/lib/extensions.c ++++ b/lib/extensions.c +@@ -418,8 +418,8 @@ void _gnutls_ext_deinit(void) + unsigned i; + for (i = 0; extfunc[i] != NULL; i++) { + if (extfunc[i]->free_struct != 0) { +- gnutls_free((void*)extfunc[i]->name); +- gnutls_free((void*)extfunc[i]); ++ gnutls_free(((extension_entry_st *)extfunc[i])->name); ++ gnutls_free(extfunc[i]); + extfunc[i] = NULL; + } + } +@@ -821,7 +821,7 @@ gnutls_ext_register(const char *name, in + + ret = ext_register(tmp_mod); + if (ret < 0) { +- gnutls_free((void*)tmp_mod->name); ++ gnutls_free(((extension_entry_st *)tmp_mod)->name); + gnutls_free(tmp_mod); + } + return ret; diff -Nru gnutls28-3.5.8/debian/patches/40_rel3.6.7_01-Automatically-NULLify-after-gnutls_free.patch gnutls28-3.5.8/debian/patches/40_rel3.6.7_01-Automatically-NULLify-after-gnutls_free.patch --- gnutls28-3.5.8/debian/patches/40_rel3.6.7_01-Automatically-NULLify-after-gnutls_free.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.5.8/debian/patches/40_rel3.6.7_01-Automatically-NULLify-after-gnutls_free.patch 2020-06-11 14:47:12.000000000 +0200 
@@ -0,0 +1,49 @@ +From d39778e43d1674cb3ab3685157fd299816d535c0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.rueh...@gmx.de> +Date: Tue, 12 Feb 2019 15:09:11 +0100 +Subject: [PATCH 1/3] Automatically NULLify after gnutls_free() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This method prevents direct use-after-free and +double-free issues. + +Signed-off-by: Tim Rühsen <tim.rueh...@gmx.de> +--- + NEWS | 13 +++++++++++++ + lib/includes/gnutls/gnutls.h.in | 4 ++++ + 2 files changed, 17 insertions(+) + + +** libgnutls, gnutls tools: Every gnutls_free() will automatically set + the free'd pointer to NULL. This prevents possible use-after-free and + double free issues. Use-after-free will be turned into NULL dereference. + The counter-measure does not extend to applications using gnutls_free(). + +** libgnutls, gnutls tools: Every gnutls_free() will automatically set + the free'd pointer to NULL. This prevents possible use-after-free and + double free issues. Use-after-free will be turned into NULL dereference, + effectively turning harmful attacks like remote-code-executions (RCE) into + segmentation faults. Double frees may also be used to achieve RCEs - turning + them into no-ops counter measures this attack at this point. + This measurement is only active when building libgnutls and the gnutls tools. 
+ +diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in +index 296588966..eb808e40b 100644 +--- a/lib/includes/gnutls/gnutls.h.in ++++ b/lib/includes/gnutls/gnutls.h.in +@@ -2194,6 +2194,10 @@ extern _SYM_EXPORT gnutls_realloc_function gnutls_realloc; + extern _SYM_EXPORT gnutls_calloc_function gnutls_calloc; + extern _SYM_EXPORT gnutls_free_function gnutls_free; + ++#ifdef GNUTLS_INTERNAL_BUILD ++#define gnutls_free(a) gnutls_free((void *) (a)), a=NULL ++#endif ++ + extern _SYM_EXPORT char *(*gnutls_strdup) (const char *); + + /* a variant of memset that doesn't get optimized out */ +-- +2.26.2 + diff -Nru gnutls28-3.5.8/debian/patches/40_rel3.6.7_01-fuzz-added-fuzzer-for-certificate-verification.patch gnutls28-3.5.8/debian/patches/40_rel3.6.7_01-fuzz-added-fuzzer-for-certificate-verification.patch --- gnutls28-3.5.8/debian/patches/40_rel3.6.7_01-fuzz-added-fuzzer-for-certificate-verification.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.5.8/debian/patches/40_rel3.6.7_01-fuzz-added-fuzzer-for-certificate-verification.patch 2020-06-11 14:47:12.000000000 +0200 
@@ -0,0 +1,133 @@ +From ad27713bef613e6c4600a0fb83ae48c6d390ff5b Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <n...@redhat.com> +Date: Mon, 25 Mar 2019 15:47:51 +0100 +Subject: [PATCH] fuzz: added fuzzer for certificate verification + +This also adds a reproducer for CVE-2019-3829. + +Resolves: #694 + +Signed-off-by: Nikos Mavrogiannopoulos <n...@redhat.com> +--- + fuzz/Makefile.am | 2 + + fuzz/gnutls_x509_verify_fuzzer.c | 201 ++++++++++++++++++ + .../005eb5cbad48e22a4b0c36cd97f1c0225f3eed7f | 1 + + .../c2632449b011340199af11389c073d2d380b2e1e | Bin 0 -> 1394 bytes + .../cacdb69aaf394120d761291f43983336d15c7be3 | Bin 0 -> 1394 bytes + tests/cert-tests/Makefile.am | 2 +- + tests/cert-tests/data/cve-2019-3829.pem | 66 ++++++ + tests/cert-tests/invalid-sig | 16 +- + 8 files changed, 286 insertions(+), 2 deletions(-) + create mode 100644 fuzz/gnutls_x509_verify_fuzzer.c + create mode 100644 fuzz/gnutls_x509_verify_fuzzer.in/005eb5cbad48e22a4b0c36cd97f1c0225f3eed7f + create mode 100644 fuzz/gnutls_x509_verify_fuzzer.in/c2632449b011340199af11389c073d2d380b2e1e + create mode 100644 fuzz/gnutls_x509_verify_fuzzer.repro/cacdb69aaf394120d761291f43983336d15c7be3 + create mode 100644 tests/cert-tests/data/cve-2019-3829.pem + +--- a/tests/cert-tests/Makefile.am ++++ b/tests/cert-tests/Makefile.am +@@ -62,6 +62,7 @@ EXTRA_DIST = data/ca-no-pathlen.pem data + data/code-signing-ca.pem data/code-signing-cert.pem data/multi-value-dn.pem \ + data/pkcs7-cat-ca.pem data/pkcs7-cat.p7 data/openssl.p7b data/openssl.p7b.out \ + data/openssl-keyid.p7b data/openssl-keyid.p7b.out data/openssl.p12 \ ++ data/key-rsa-pss.pem data/cve-2019-3829.pem \ + data/openpgp-invalid1.pub data/openpgp-invalid2.pub data/openpgp-invalid3.pub + + dist_check_SCRIPTS = pathlen aki certtool invalid-sig email \ +--- /dev/null ++++ b/tests/cert-tests/data/cve-2019-3829.pem +@@ -0,0 +1,66 @@ ++-----BEGIN CERTIFICATE----- ++MIIFbjCCBFagAwIBAgIQPBKFvactgik351RXZ5opvTANBgkqhkiG9w0BAQUFADCB 
++tDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL ++ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug ++YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEuMCwGA1UEAxMl ++VmVyaVNpZ24gQ2xhc3MgMyBDb2RlIFNpZ25pbmcgMjAxMCBDQTAeFw0xMjA4MTcw ++MDAwMDBaFw0xNTA5MDkyMzU5NTlaMIGxMQswCQYDVQQGEwJVUzETMBEGA1UECBMK ++Q2FsaWZvcm5pYTETMBEGA1UEBxMKTWVubG8gUGFyazEbMBkGA1UEChQSUk9CTE9Y ++IENvcnBvcmF0aW9uMT4wPAYDVQQLEzVEaWdpdGFsIElEIENsYXNzIDMgLSBNaWNy ++b3NvZnQgU29mdHdhcmUgVmFsaWRhdGlvbiB2MjEbMBkGA1UEAxQSUk9CTE9YIENv ++cnBvcmF0aW9uMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9Vg9Z0ee ++4Tg3pwyw9CcQCINfJEWLhhvrB88pcnyMKxbB7v3qwwfi9VhL0fRM/AusgONWrQuW ++2gftlw9ZtQMAWRkLvPHM3hXz5ch1XpvTmNqPQrSGfn9te7T9018ORa+WVuUCKzhL ++xMSxG+VEpSRZsSdhq/chwA3fqhdUdq7fdxo6H3v/RV8bDUz1vRow+ygtAMneh8/x ++kvnnyGZrW7BzJH6odOq4ASbx08czrKzqxnnoiFDmPuBTjv5wCLz0yHboHRQ/aC25 ++GKXNioEVAGY/nWxVetFgJG8SwiIBR9C4KHaUqLHpPDU40WW7jGvybDaEGWXBQfTr ++e1Dj/B3JY6SGhwIDAQABo4IBezCCAXcwCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMC ++B4AwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cDovL2NzYzMtMjAxMC1jcmwudmVyaXNp ++Z24uY29tL0NTQzMtMjAxMC5jcmwwRAYDVR0gBD0wOzA5BgtghkgBhvhFAQcXAzAq ++MCgGCCsGAQUFBwIBFhybdHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMBMGA1Ud ++JQQMMAoGCCsGAQUFBwMDMHEGCCsGAQVLBwEBBGUwYzAkBggrBgEFBQcwAYYYaHR0 ++cDovL29jc3AudmVyaXNpZ24uY29tMDsGCCsGAQUFBzAChi9odHRwOi8vY3NjMy0y ++MDEwLWFpYS52ZXJpc2lnbnhjb20vQ1NDMy0yMDEwLmNlcjAfBgNVHSMEGDAWgFBt ++48zqeyb0S8mOj9fwBSbv49KnnTARBglgIEgBhvhCAQEEBAMCBBAwFgYKKwYBBAGC ++NwIBGwQIMAYBAQABAf8wDQYJKoZIhvcNAQEFBQADggEBeCwxl3jzuZqItKl531TN ++TCCx3yoOfpZnGd7acfLyfeX8xDy7wakiOyC1nxv1FL7+H//Mku+F3Ne/A0HmnHx0 ++sD9F1fYxweF8ubSoRqwUCXSMB4YZuwRAfUILon6YvyHU1kgPYwr0bsYu28l0liQY ++YC7ALFbwO2ecxOYgg38mho+XRRXPd/PtOfmZ23yeKvrD0Hm499jC1OloFX+8G4ly ++mz9Y8aoDBzkEYcXWn3Rz1p6EQJnWJzI/jSxMKIuI2/Ge+oIFZpEGK3Hec3sYqLs4 ++EUOfWI4bNm1W+eU0E2bwuWmjddgTdOWHaYm7jMlCzkZw9qg2/IE2fTu7P7UuNOvw ++av0= ++-----END CERTIFICATE----- ++-----BEGIN CERTIFICATE----- 
++MIIF4jCCBMqgAwIBAgIQJ1P4Bv6RNzIvW0CfHDGHXDANBgkqhkiG9w0BAQUFADCB ++yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL ++ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp ++U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW ++ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0 ++aG9yaXR5IC0gRzUwHhcNMTAwMjA4MDAwMDAwWhcNMjAwMjA3MjM1OTU5WjCBtDEL ++MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW ++ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQg ++aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEuMCwGA1UEAxMlVmVy ++aVNpZ24gQ2xhc3MgMyBDb2RlIFNpZ25pbmcgMjAxMCBDQTCCASIwDQYJKoZIhvcN ++AQEBBQADggEPADCCAQoCggEBAPUjS16l14q7MunUV/fv5Mcmfq0ZmP6onX2U9jZr ++ENd1gTB/BGh/yyt1Hs0dCIzfaZSnN6Oce4DgmeHuN01fzjsU7obU0PUnNbwlCzin ++jGOdF6MIpauw+81qYoJM1SHaG9nx44Q7iipPhVuQAU/Jp3YQfycDfL6ufn3B3fkF ++vBtInGnnwKQ8PEEAPt+W5cXklHHWVQHHACZKQDy1oSapDKdtgI6QJXvPvz8c6y+W +++uWHd8a1VrJ6O1QwUxvfYjT/HtH0WpMoheVMF05+W/2kk5l/383vpHXv7xX2R+f4 ++GXLYLjQaprSnTH69u08MPVfxMNamNo7WgHbXGS6lzX40LYkCAwEAAaOCAdYwggHS ++MBIGA1UdEwEB/wQIMAYBAf8CAQAwcAYDVR0gBGkwZzBlBgtghkgBhvhFAQcXAzBW ++MCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vY3BzMCoGCCsG ++AQUFBwICMB4aHGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9ycGEwDgYDVR0PAQH/ ++BAQDAgEGMG0GCCsGAQUFBwEMBGEwX6FdoFswWTBXMFUWCWltYWdlL2dpZjAhMB8w ++BwYFKw4DAhoEFI/l0xqGrI2Oa8PPgGrUSBgsexkuMCUWI2h0dHA6Ly9sb2dvLnZl ++cmlzaWduLmNvbS92c2xvZ28uZ2lmMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9j ++cmwudmVyaXNpZ24uY29tL3BjYTMtZzUuY3JsMCgGA1UdEQQhMB+kHTAbMRkwFwYD ++VQQDExBWZXJpU2lnbk1QS0ktMi04MB0GA1UdDgQWBBTPmanqeyb0S8mOj9fwBSbv ++49KnnTArBgNVHSUEJDAiBggrBgEFBQcDAgYIKwYBBQUHAwMGDCqGOgABg4+JDQEB ++ATAfBgNVHSMEGDAWgBR/02Wnwt3su/AwCfNDOfoCrzMxMzANBgkqhkiG9w0BAQUF ++AAOCAQEAW46f07q+qa8aPmWBt8Fk9qJ460yABjqsIm6MK7xdhX/AjxAqysStliQB ++aP9ltdEULCql2kmWr+nU/3GckwlKamH0S9HLtl8p/GgR5XL/Rg82KZlDnrPZrEeT ++e+/E62aGp9aJVD6Umw2R8NIjasANN85G35WupGXGGL+kaXM/6IXQSH0o7/NfsAG0 
++dbTRU0v0b/aki2a273g5xYgrZzIa70DAlPa30ouEoCZvikvF2NxU7uJKVqq8cuWT ++5j+23m1seyVbAexvKWS38y4j9h+uES3GurnrCGCxLRsrnr6FdAodLipSkRgg18my ++l4SPFiwyyhgSqsUgWcr7bTcy48WjhA== ++-----END CERTIFICATE----- +--- a/tests/cert-tests/invalid-sig ++++ b/tests/cert-tests/invalid-sig +@@ -29,6 +29,10 @@ if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" + fi + ++if ! test -x "${CERTTOOL}"; then ++ exit 77 ++fi ++ + #check whether a different PKCS #1 signature than the advertized in certificate is tolerated + ${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/data/invalid-sig.pem" + rc=$? +@@ -59,4 +63,14 @@ if test "${rc}" = "0"; then + exit ${rc} + fi + ++#this was causing a double free; verify that we receive the expected error code ++${VALGRIND} "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/cve-2019-3829.pem" ++rc=$? ++ ++# We're done. ++if test "${rc}" != "1"; then ++ echo "Verification of invalid signature (4) failed" ++ exit ${rc} ++fi ++ + exit 0 diff -Nru gnutls28-3.5.8/debian/patches/41_use_datefudge_to_trigger_CVE-2019-3829_testcase.diff gnutls28-3.5.8/debian/patches/41_use_datefudge_to_trigger_CVE-2019-3829_testcase.diff --- gnutls28-3.5.8/debian/patches/41_use_datefudge_to_trigger_CVE-2019-3829_testcase.diff 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.5.8/debian/patches/41_use_datefudge_to_trigger_CVE-2019-3829_testcase.diff 2020-06-11 14:47:12.000000000 +0200 
@@ -0,0 +1,18 @@ +Description: Use datefudge to make test work. + The test cert has experid and does not trigger the error anymore +Author: Andreas Metzler <ametz...@debian.org> +Origin: vendor +Last-Update: 2020-06-07 + +--- gnutls28-3.5.8.orig/tests/cert-tests/invalid-sig ++++ gnutls28-3.5.8/tests/cert-tests/invalid-sig +@@ -64,7 +64,8 @@ if test "${rc}" = "0"; then + fi + + #this was causing a double free; verify that we receive the expected error code +-${VALGRIND} "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/cve-2019-3829.pem" ++datefudge -s 2020-01-01 \ ++ ${VALGRIND} "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/cve-2019-3829.pem" + rc=$? + + # We're done. diff -Nru gnutls28-3.5.8/debian/patches/43_rel3.6.13_10-session_pack-fix-leak-in-error-path.patch gnutls28-3.5.8/debian/patches/43_rel3.6.13_10-session_pack-fix-leak-in-error-path.patch --- gnutls28-3.5.8/debian/patches/43_rel3.6.13_10-session_pack-fix-leak-in-error-path.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.5.8/debian/patches/43_rel3.6.13_10-session_pack-fix-leak-in-error-path.patch 2020-06-11 14:54:38.000000000 +0200 
@@ -0,0 +1,30 @@ +From 05ace838b3f67836a29a53282ec5a9b3cffd5680 Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro <mcatanz...@gnome.org> +Date: Sun, 2 Feb 2020 09:47:25 -0600 +Subject: [PATCH] session_pack: fix leak in error path + +If called at the wrong time, it allocates the buffer sb and forgets to +clear it. + +Signed-off-by: Michael Catanzaro <mcatanz...@gnome.org> +--- + lib/session_pack.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/session_pack.c b/lib/session_pack.c +index b655b7128..e5c21f24b 100644 +--- a/lib/session_pack.c ++++ b/lib/session_pack.c +@@ -143,7 +143,8 @@ _gnutls_session_pack(gnutls_session_t session, + } + break; + default: +- return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ++ ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ++ goto fail; + + } + +-- +2.26.2 + diff -Nru gnutls28-3.5.8/debian/patches/44_rel3.6.14_10-Update-session_ticket.c-to-add-support-for-zero-leng.patch gnutls28-3.5.8/debian/patches/44_rel3.6.14_10-Update-session_ticket.c-to-add-support-for-zero-leng.patch --- gnutls28-3.5.8/debian/patches/44_rel3.6.14_10-Update-session_ticket.c-to-add-support-for-zero-leng.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.5.8/debian/patches/44_rel3.6.14_10-Update-session_ticket.c-to-add-support-for-zero-leng.patch 2020-06-13 19:18:30.000000000 +0200 
@@ -0,0 +1,39 @@ +From 1d4615aa650dad1c01452d46396c0307304b0245 Mon Sep 17 00:00:00 2001 +From: rrivers2 <5981058-rrive...@users.noreply.gitlab.com> +Date: Sun, 24 May 2020 23:11:01 +0000 +Subject: [PATCH] Update session_ticket.c to add support for zero length + session tickets returned from the server + +check that ticket_len > 0 prior to calling gnutls_realloc_fast + +Signed-off-by: Rod Rivers <5981058-rrive...@users.noreply.gitlab.com> +--- + lib/ext/session_ticket.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +--- a/lib/ext/session_ticket.c ++++ b/lib/ext/session_ticket.c +@@ -741,14 +741,16 @@ int _gnutls_recv_new_session_ticket(gnut + DECR_LENGTH_COM(data_size, ticket_len, ret = + GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + goto error); +- priv->session_ticket = +- gnutls_realloc_fast(priv->session_ticket, ticket_len); +- if (!priv->session_ticket) { +- gnutls_assert(); +- ret = GNUTLS_E_MEMORY_ERROR; +- goto error; ++ if (ticket_len > 0) { ++ priv->session_ticket = ++ gnutls_realloc_fast(priv->session_ticket, ticket_len); ++ if (!priv->session_ticket) { ++ gnutls_assert(); ++ ret = GNUTLS_E_MEMORY_ERROR; ++ goto error; ++ } ++ memcpy(priv->session_ticket, p, ticket_len); + } +- memcpy(priv->session_ticket, p, ticket_len); + priv->session_ticket_len = ticket_len; + + /* Discard the current session ID. (RFC5077 3.4) */ diff -Nru gnutls28-3.5.8/debian/patches/series gnutls28-3.5.8/debian/patches/series --- gnutls28-3.5.8/debian/patches/series 2018-10-06 13:53:23.000000000 +0200 +++ gnutls28-3.5.8/debian/patches/series 2020-06-14 18:21:45.000000000 +0200 
@@ -20,3 +20,9 @@ 39_03-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch 39_04-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch 39_05-tests-pkcs12_encode-fix-test-for-SHA512.patch +40_casts_related_to_fix_CVE-2019-3829.patch +40_rel3.6.7_01-Automatically-NULLify-after-gnutls_free.patch +40_rel3.6.7_01-fuzz-added-fuzzer-for-certificate-verification.patch +41_use_datefudge_to_trigger_CVE-2019-3829_testcase.diff +43_rel3.6.13_10-session_pack-fix-leak-in-error-path.patch +44_rel3.6.14_10-Update-session_ticket.c-to-add-support-for-zero-leng.patch
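
Review bot: the new debian/changelog entry names CVE-2019-3836 in its first bullet, while every patch it pulls in and the test case it adds are labelled CVE-2019-3829; check which identifier belongs with GNUTLS-SA-2019-03-27 / #694 and make the entry agree with the patch names. The same entry lists 43_rel3.6.14_10-session_pack-fix-leak-in-error-path.patch, but the file added and the debian/patches/series line are both 43_rel3.6.13_10-session_pack-fix-leak-in-error-path.patch, so the changelog should use the name that is actually shipped.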
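
Review bot: the header of 40_casts_related_to_fix_CVE-2019-3829.patch says only "fix casts used in gnutls_free" and does not explain why the lib/extensions.c call sites change. The reason is visible in the next patch: its gnutls_free() macro assigns NULL to its argument, so an argument written as (void*)extfunc[i]->name is no longer assignable. A sentence in the Description stating that this patch is a prerequisite for the NULLify macro, and must stay ahead of it in the series, would make the ordering dependency explicit. In _gnutls_ext_deinit the existing extfunc[i] = NULL; after gnutls_free(extfunc[i]) becomes redundant once the macro is active, which is harmless.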
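
Review bot: the macro added to lib/includes/gnutls/gnutls.h.in, #define gnutls_free(a) gnutls_free((void *) (a)), a=NULL, uses a unparenthesized in the assignment and evaluates it twice, and the expansion is a bare comma expression, so it is only correct when the argument is a plain modifiable lvalue without side effects and the call stands as a full statement. For a backport onto 3.5.8 the practical check is a complete build with this patch applied, confirming that no remaining call site passes a cast, a const pointer or an expression such as p++. It is also worth confirming that GNUTLS_INTERNAL_BUILD is defined when 3.5.8 compiles libgnutls and the tools, because with the #ifdef guard the macro is otherwise inactive and the hardening silently absent. The diffstat lists NEWS, but the NEWS text in the patch appears twice without a file header or +/- markers; if the NEWS change was dropped on purpose, say so in the header.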
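
Review bot: the EXTRA_DIST line added in tests/cert-tests/Makefile.am lists data/key-rsa-pss.pem next to data/cve-2019-3829.pem, but this patch only creates cve-2019-3829.pem. If 3.5.8 does not already ship key-rsa-pss.pem, drop it from the added line so the distribution list does not reference a missing file. The diffstat in the header of 40_rel3.6.7_01-fuzz-added-fuzzer-for-certificate-verification.patch still lists the fuzz/ files, none of which appear in the patch body; a line in the header noting that only the cert-tests part was kept would save the next reader from looking for the fuzzer.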
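
Review bot: in the block added at the end of tests/cert-tests/invalid-sig, the failure branch runs exit ${rc}, so if certtool unexpectedly returns 0 for cve-2019-3829.pem the script prints "Verification of invalid signature (4) failed" and then exits 0, which the test harness counts as a pass. Use exit 1 in that branch so that any result other than the expected 1 fails the test, including a chain that wrongly verifies.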
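
Review bot: 41_use_datefudge_to_trigger_CVE-2019-3829_testcase.diff makes tests/cert-tests/invalid-sig depend on datefudge being installed, and nothing in this debdiff touches the build dependencies. Confirm that datefudge is already in Build-Depends for the stretch package, or have the script exit 77 when it is missing, the way the previous patch does for certtool. The Description would also be more useful if it said which certificate in the chain has expired and why 2020-01-01 was chosen as the fixed date.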
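
Review bot: the context shown for lib/session_pack.c does not include the fail label that the new goto fail targets, and the hunk carries upstream's offsets and index line. Confirm that _gnutls_session_pack in 3.5.8 has that label and that it clears sb, since that cleanup is what the commit message relies on to fix the leak.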
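
Review bot: in _gnutls_recv_new_session_ticket, when ticket_len is 0 the new if (ticket_len > 0) block skips the realloc and memcpy, but priv->session_ticket_len = ticket_len still runs, so a buffer left from an earlier ticket stays allocated in priv->session_ticket with a recorded length of 0. Releasing it in an else branch would keep pointer and length consistent. It is also worth checking that the code after the "Discard the current session ID" comment is meant to run when the server sent an empty ticket.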