Package: gnutls28 / 3.5.8-5+deb9u5
Metadata
Package | Version | Patches format |
---|---|---|
gnutls28 | 3.5.8-5+deb9u5 | 3.0 (quilt) |
Patch series
view the series filePatch | File delta | Description |
---|---|---|
14_version_gettextcat.diff | (download) |
po/Makevars |
2 1 + 1 - 0 ! |
version filename of locale data (gnutls28.mo instead of gnutls.mo) This is necessary to make e.g. libgnutls26 and libgnutls28 co-installable. |
30_guile snarf.diff | (download) |
guile/src/Makefile.am |
2 2 + 0 - 0 ! |
work around guile-snarf hardcoding the at-build default compiler which breaks when it changes ion Debian. |
35_01_opencdk improved error code checking in the stream r.patch | (download) |
lib/opencdk/read-packet.c |
5 3 + 2 - 0 ! |
[patch] opencdk: improved error code checking in the stream reading functions This ammends 49be4f7b82eba2363bb8d4090950dad976a77a3a Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> |
35_01_z_opencdk read packet.c corrected typo in type cast.patch | (download) |
lib/opencdk/read-packet.c |
2 1 + 1 - 0 ! |
[patch] opencdk/read-packet.c: corrected typo in type cast Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> |
35_02_Disable AVX support when it is not supported by the .patch | (download) |
lib/accelerated/x86/x86-common.c |
33 31 + 2 - 0 ! |
[patch] disable avx support when it is not supported by the cpu This mostly affects virtual systems. Reported by Frank Chen. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> |
35_03_Address test suite failure due to timezone differenc.patch | (download) |
tests/cert-tests/pkcs7 |
2 1 + 1 - 0 ! |
[patch] address test suite failure due to timezone differences. Reported by Thorsten Glaser and Andreas Metzler. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> |
35_04_gnutls_pkcs11_obj_list_import_url4 always return an .patch | (download) |
lib/pkcs11.c |
1 1 + 0 - 0 ! |
[patch] gnutls_pkcs11_obj_list_import_url4: always return an initialized pointer When returning success, but no elements, gnutls_pkcs11_obj_list_import_url4, could have returned zero number of elements with a pointer that was uninitialized. Ensure that an initialized (i.e., null in that case), pointer is always returned. Reported by Jeremy Harris. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> |
35_05_cdk_pkt_read enforce packet limits.patch | (download) |
lib/opencdk/read-packet.c |
9 9 + 0 - 0 ! |
[patch] cdk_pkt_read: enforce packet limits That ensures that there are no overflows in the subsequent calculations. Resolves the oss-fuzz found bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420 Relates: #159 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> |
35_05_opencdk read_attribute account buffer size.patch | (download) |
lib/opencdk/read-packet.c |
2 1 + 1 - 0 ! |
[patch] opencdk: read_attribute: account buffer size That ensures that there is no read past the end of buffer. Resolves the oss-fuzz found bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=391 Relates: #159 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> |
35_06_opencdk do not parse any secret keys in packet when .patch | (download) |
lib/opencdk/kbnode.c |
6 4 + 2 - 0 ! |
[patch] opencdk: do not parse any secret keys in packet when reading a certificate This reduces the attack surface on the parsers, and prevents any bugs in the secret key parser to be exploitable by inserting secret key sub-packets into an openpgp certificate. This addresses: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> |
35_07_Enforce the max packet length for OpenPGP subpackets.patch | (download) |
lib/opencdk/read-packet.c |
9 7 + 2 - 0 ! |
[patch] enforce the max packet length for openpgp subpackets as well This addresses: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392 Signed-off-by: Alex Gaynor <alex.gaynor@gmail.com> |
36_CVE 2017 7507_1 ext status_request ensure response IDs are properly .patch | (download) |
lib/ext/status_request.c |
17 11 + 6 - 0 ! |
[patch 1/3] ext/status_request: ensure response ids are properly deinitialized That is, do not attempt to loop through the array if there is no array allocated. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> |
36_CVE 2017 7507_2 ext status_request Removed the parsing of responder .patch | (download) |
lib/ext/status_request.c |
68 16 + 52 - 0 ! |
[patch 2/3] ext/status_request: removed the parsing of responder ids from client extension These values were never used by gnutls, nor were accessible to applications, and as such there is not reason to parse them. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> |
36_CVE 2017 7507_3 gnutls_ocsp_status_request_enable_client documented .patch | (download) |
lib/ext/status_request.c |
12 9 + 3 - 0 ! |
[patch 3/3] gnutls_ocsp_status_request_enable_client: documented requirements for parameters That is, the fact that extensions and responder_id parameters must be allocated, and are assigned to the session. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> |
37_aarch64 fix AES GCM in place encryption and decrypti.patch | (download) |
lib/accelerated/aarch64/aes-gcm-aarch64.c |
24 24 + 0 - 0 ! |
[patch] aarch64: fix aes-gcm in-place encryption and decryption Resolves #204 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> |
38_01 OCSP check the subject public key identifier field t.patch | (download) |
lib/x509/ocsp.c |
17 16 + 1 - 0 ! |
[patch 1/2] ocsp: check the subject public key identifier field to figure issuer Normally when attempting to match the 'Responder Key ID' in an OCSP response against the issuer certificate we check (according to RFC6960) against the hash of the SPKI field. However, in few certificates (see commit: "added ECDSA OCSP response verification"), that may not be the case. In that certificate, that value matches the Subject Public Key identifier field but not the hash. To account for these certificates, we enhance the matching to also consider the Subject Public Key identifier field. Relates: #223 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> |
38_02 OCSP find_signercert improved DER length calculation.patch | (download) |
lib/x509/ocsp.c |
30 24 + 6 - 0 ! |
[patch 2/2] ocsp: find_signercert: improved der length calculation Previously we were assuming a fixed amount of length bytes which is not correct for all possible lengths. Use libtasn1 to decode the length field. Resolves: #223 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> |
39_01 dummy_wait correctly account the length field in SHA.patch | (download) |
lib/algorithms/mac.c |
4 2 + 2 - 0 ! |
[patch 1/5] dummy_wait: correctly account the length field in sha384 HMAC The existing lucky13 attack count-measures did not work correctly for SHA384 HMAC. The overall impact of that should not be significant as SHA384 is prioritized lower than SHA256 or SHA1 and thus it is not typically negotiated, unless a client prioritizes a SHA384 MAC, or a server only supports SHA384, and in both cases the vulnerability is only present if Encrypt-then-MAC (RFC7366) is unsupported by the peer. Relates #455 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> |
39_02 dummy_wait always hash the same amount of blocks tha.patch | (download) |
lib/cipher.c |
63 33 + 30 - 0 ! |
[patch 2/5] dummy_wait: always hash the same amount of blocks that would have been on minimum pad This improves protection against lucky13-type of attacks when encrypt-then-mac is not in use. Resolves #456 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> |
39_03 cbc_mac_verify require minimum padding under SSL3.0.patch | (download) |
lib/cipher.c |
7 6 + 1 - 0 ! |
[patch 3/5] cbc_mac_verify: require minimum padding under ssl3.0 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> |
39_04 hmac sha384 and sha256 ciphersuites were removed fro.patch | (download) |
lib/priority.c |
8 0 + 8 - 0 ! |
[patch 4/5] hmac-sha384 and sha256 ciphersuites were removed from defaults These ciphersuites are deprecated since the introduction of AEAD ciphersuites, and are only necessary for compatibility with older servers. Since older servers already support hmac-sha1 there is no reason to keep these ciphersuites enabled by default, as they increase our attack surface. Relates #456 ## Unfuzzed for Debian 3.5.8. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> |
39_05 tests pkcs12_encode fix test for SHA512.patch | (download) |
tests/pkcs12_encode.c |
12 0 + 12 - 0 ! |
[patch 5/5] tests: pkcs12_encode: fix test for sha512 We don't support SHA512 in the 3.5.x branch. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> |
40_casts_related_to_fix_CVE 2019 3829.patch | (download) |
lib/extensions.c |
6 3 + 3 - 0 ! |
fix casts used in gnutls_free Pulled from Ubuntu 3.5.18-1ubuntu1.1 |
40_rel3.6.7_01 Automatically NULLify after gnutls_free.patch | (download) |
lib/includes/gnutls/gnutls.h.in |
4 4 + 0 - 0 ! |
[patch 1/3] automatically nullify after gnutls_free() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This method prevents direct use-after-free and double-free issues. Signed-off-by: Tim Rhsen <tim.ruehsen@gmx.de> |
40_rel3.6.7_01 fuzz added fuzzer for certificate verification.patch | (download) |
tests/cert-tests/Makefile.am |
1 1 + 0 - 0 ! |
[patch] fuzz: added fuzzer for certificate verification This also adds a reproducer for CVE-2019-3829. Resolves: #694 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> |
41_use_datefudge_to_trigger_CVE 2019 3829_testcase.diff | (download) |
tests/cert-tests/invalid-sig |
3 2 + 1 - 0 ! |
use datefudge to make test work. The test cert has experid and does not trigger the error anymore |
43_rel3.6.13_10 session_pack fix leak in error path.patch | (download) |
lib/session_pack.c |
3 2 + 1 - 0 ! |
[patch] session_pack: fix leak in error path If called at the wrong time, it allocates the buffer sb and forgets to clear it. Signed-off-by: Michael Catanzaro <mcatanzaro@gnome.org> |
44_rel3.6.14_10 Update session_ticket.c to add support for zero leng.patch | (download) |
lib/ext/session_ticket.c |
16 9 + 7 - 0 ! |
[patch] update session_ticket.c to add support for zero length session tickets returned from the server check that ticket_len > 0 prior to calling gnutls_realloc_fast Signed-off-by: Rod Rivers <5981058-rrivers2@users.noreply.gitlab.com> |