Hello community, here is the log from the commit of package gnutls.3193 for openSUSE:12.3:Update checked in at 2014-11-21 09:28:36 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.3:Update/gnutls.3193 (Old) and /work/SRC/openSUSE:12.3:Update/.gnutls.3193.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "gnutls.3193" Changes: -------- New Changes file: --- /dev/null 2014-11-17 01:44:14.624034255 +0100 +++ /work/SRC/openSUSE:12.3:Update/.gnutls.3193.new/gnutls.changes 2014-11-21 09:28:38.000000000 +0100 
@@ -0,0 +1,1284 @@ +------------------------------------------------------------------- +Wed Nov 12 17:41:30 UTC 2014 - meissner@suse.com + +- gnutls-CVE-2014-8564.patch: Fixed parsing problem in elliptic + curve blobs over TLS that could lead to remote crashes. + (bnc#904603 CVE-2014-8564) + +------------------------------------------------------------------- +Tue Jun 3 05:40:14 UTC 2014 - shchang@suse.com + +- Fixed bug[ bnc#880910], gnutls affected by libtasn1 vulnerabilities + Add patch files: CVE-2014-3467.patch, CVE-2014-3468.patch, CVE-2014-3469.patch + +------------------------------------------------------------------- +Mon Jun 2 05:24:26 UTC 2014 - citypw@gmail.com + +- Fixed bug[ bnc#880730], CVE-2014-3466: gnutls: Possible memory corruption during connect +- Fixed bug[ bnc#880733], CVE-2014-3465: gnutls: gnutls_x509_dn_oid_name NULL pointer dereference + Add patch files: CVE-2014-3466.patch, CVE-2014-3465.patch + +------------------------------------------------------------------- +Mon Mar 31 07:24:25 UTC 2014 - shchang@suse.com + +- Fix bug [ bnc#870551] 870551 - gnutls cannot access www.bsi.de + Add patch file: gnutls-3.2.10-supported-ecc.patch + +------------------------------------------------------------------- +Mon Mar 3 10:31:34 UTC 2014 - shchang@suse.com + +- Fixed bug [ bnc#865804] gnutls: CVE-2014-0092, insufficient X.509 certificate verification + Add patch file: CVE-2014-0092.patch + +------------------------------------------------------------------- +Tue Feb 5 17:03:26 UTC 2013 - meissner@suse.com + +- Updated to GnuTLS 3.0.28 + - libgnutls: Fixes in server side of DTLS-0.9. + - libgnutls: Corrected gnutls_cipher_decrypt2() when used with AEAD + ciphers (i.e., AES-GCM). + - libgnutls: Fixes in record padding parsing to prevent a timing + attack. Issue reported by Kenny Patterson and Nadhem Alfardan. + bnc#802184 + - libgnutls: DN variable 'T' was expanded to 'title'. 
+ +------------------------------------------------------------------- +Thu Jan 24 10:14:13 UTC 2013 - meissner@suse.com + +- Updated to GnuTLS 3.0.27 + - libgnutls: Fixed record padding parsing issue. + - libgnutls: Stricter RSA PKCS #1 1.5 encoding. + - libgnutls-guile: Fixed parallel compilation issue. + - API and ABI modifications: No changes since last version. + +------------------------------------------------------------------- +Tue Nov 27 20:31:26 UTC 2012 - crrodriguez@opensuse.org + +- Test suite breaks on qemu-arm some calls not implemented. + +------------------------------------------------------------------- +Sun Nov 25 10:52:46 UTC 2012 - andreas.stieger@gmx.de + +- include LGPL-3.0+ text in COPYING.LESSER +- run regression tests, but move "make check" to %check section +- add gnutls-3.0.26-skip-test-fwrite.patch to skip a failing test +- no longer manipulate doc/examples tree in %install section, the + deletion of Makefiles breaks "make check" in %check +- install documentation, reference and examples in %install section + to fetch them for the package without unneccessary files + +------------------------------------------------------------------- +Fri Nov 16 23:30:09 UTC 2012 - andreas.stieger@gmx.de + +- updated to GnuTLS 3.0.26: + - libgnutls: Always tolerate key usage violation errors from the + side of the peer, but also notify via an audit message. + - libgnutls: gnutls_x509_crl_verify() includes time checks. + - libgnutls: Increased maximum password length in the PKCS #12 + functions. + - API and ABI modifications: + GNUTLS_CERT_REVOCATION_DATA_TOO_OLD: Added + GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE: Added + +- includes changes from 3.0.25: + - libgnutls: Fixed the receipt of session tickets during session + resumption. + - libgnutls: Added gnutls_ocsp_resp_check_crt() to check whether the + OCSP response corresponds to the given certificate. + - libgnutls: Several updates in the OpenPGP code. 
The generating code + is fully RFC6091 compliant and RFC5081 support is only supported in + client mode. + - API and ABI modifications: + gnutls_ocsp_resp_check_crt: Added + +- includes changes form version 3.0.24: + - libgnutls: The %COMPAT keyword, if specified, will tolerate + key usage violation errors (they are far too common to ignore). + - libgnutls: Corrected bug in OpenPGP subpacket encoding. + - libgnutls: Added X.509 certificate verification flag + - GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN. This flag allows the verification + of unsorted certificate chains and is enabled by default for + TLS certificate verification (if gnutls_certificate_set_verify_flags() + does not override it). + - libgnutls: Correctly restore gnutls_record_recv() in DTLS mode + if interrupted during the retrasmition of handshake data. + - libgnutls: Added GNUTLS_STATELESS_COMPRESSION flag to gnutls_init(), + which provides a tool to counter compression-related attacks where + parts of the data are controlled by the attacker _and_ are placed in + separate records (use with care - do not use compression if not sure). + - libgnutls: Depends on libtasn1 2.14 or later. + +- includes changes from version 3.0.23: + - gnutls-serv: Listens on IPv6 + - libgnutls: Be tolerant in ECDSA signature violations (e.g. using + SHA256 with a SECP384 curve instead of SHA-384), to interoperate with + openssl. +- libgnutls: Fixed DSA and ECDSA signature generation in smart cards. + +- includes changes from version 3.0.22 + - libgnutls: When verifying a certificate chain make sure it is chain. + If the chain is wronly interrupted at some point then truncate it, + and only try to verify the correct part. Patch by David Woodhouse + - libgnutls: Restored the behavior of gnutls_x509_privkey_import_pkcs8() + which now may (again) accept a NULL password. + - certtool: Allow the user to choose the hash algorithm + when signing certificate request or certificate revocation list. 
+ +- Refresh gnutls-implement-trust-store-dir.diff, some parts are in + upstream sources + +------------------------------------------------------------------- +Mon Jul 16 06:00:52 UTC 2012 - gjhe@suse.com + +- update to latest stable version 3.0.21: + libgnutls: fixed bug in gnutls_x509_privkey_import() + that prevented the loading of EC private keys when DER + encoded. Reported by David Woodhouse. + + libgnutls: In DTLS larger to mtu records result to + GNUTLS_E_LARGE_PACKET instead of being truncated. + + libgnutls: gnutls_dtls_get_data_mtu() is more precise. Based + on patch by David Woodhouse. + + libgnutls: Fixed memory leak in PKCS #8 key import. + + libgnutls: Added support for an old version of the DTLS protocol + used by openconnect vpn client for compatibility with Cisco's AnyConnect + SSL VPN. It is marked as GNUTLS_DTLS0_9. Do not use it for newer protocols + as it has issues. + + libgnutls: Corrected bug that prevented resolving PKCS #11 URLs + if only the label is specified. Patch by David Woodhouse. + + libgnutls: When EMSGSIZE errno is seen then GNUTLS_E_LARGE_PACKET + is returned. + + API and ABI modifications: + gnutls_dtls_set_data_mtu: Added + gnutls_session_set_premaster: Added + +------------------------------------------------------------------- +Sun Jul 1 20:00:33 UTC 2012 - coolo@suse.com + +- merge am-1.12 patches into 1 + +------------------------------------------------------------------- +Sat Jun 30 17:24:48 UTC 2012 - i@marguerite.su + +- fix 12.2 builds. + * replace depreciated am_prog_mkdir_p with ac_prog_mkdir_p. + +------------------------------------------------------------------- +Thu Jun 21 08:02:43 UTC 2012 - meissner@suse.com + +- Updated to version 3.0.20: + libgnutls: Corrected bug which prevented the parsing of + handshake packets spanning multiple records. + + libgnutls: Check key identifiers when checking for an issuer. 
+ + libgnutls: Added gnutls_pubkey_verify_hash2() + + libgnutls: Added gnutls_certificate_set_x509_system_trust() + that loads the trusted CA certificates from system locations + (e.g. trusted storage in windows and CA bundle files in other systems). + + certtool: Added support for the URI subject alternative + name type in certtool. + + certtool: Increase to 128 the maximum number of distinct options + (e.g. dns_names) allowed. + + gnutls-cli: If --print-cert is given, print the certificate, + even on verification failure. + + ** API and ABI modifications: + gnutls_pk_to_sign: Added ++++ 1087 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.3:Update/.gnutls.3193.new/gnutls.changes New: ---- CVE-2014-0092.patch CVE-2014-3465.patch CVE-2014-3466.patch CVE-2014-3467.patch CVE-2014-3468.patch CVE-2014-3469.patch automake-1.12.patch baselibs.conf gnutls-3.0.26-skip-test-fwrite.patch gnutls-3.0.28.tar.xz gnutls-3.2.10-supported-ecc.patch gnutls-CVE-2014-8564.patch gnutls-implement-trust-store-dir.diff gnutls.changes gnutls.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnutls.spec ++++++ # # spec file for package gnutls # # Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # %define gnutls_sover 28 %define gnutlsxx_sover 28 %define gnutls_ossl_sover 27 Name: gnutls Version: 3.0.28 Release: 0 Summary: The GNU Transport Layer Security Library License: LGPL-3.0+ and GPL-3.0+ Group: Productivity/Networking/Security Url: http://www.gnutls.org/ Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.0/%{name}-%{version}.tar.xz Source1: baselibs.conf # suse specific, add support for certificate directories -- lnussel Patch1: gnutls-implement-trust-store-dir.diff Patch2: automake-1.12.patch # PATCH-FIX-OPENSUSE gnutls-3.0.26-skip-test-fwrite.patch andreas.stieger@gmx.de -- skip a failing test Patch3: gnutls-3.0.26-skip-test-fwrite.patch Patch4: CVE-2014-0092.patch Patch5: gnutls-3.2.10-supported-ecc.patch Patch6: CVE-2014-3466.patch Patch7: CVE-2014-3465.patch Patch8: CVE-2014-3467.patch Patch9: CVE-2014-3468.patch Patch10: CVE-2014-3469.patch Patch11: gnutls-CVE-2014-8564.patch BuildRequires: automake BuildRequires: gcc-c++ BuildRequires: libidn-devel BuildRequires: libnettle-devel >= 2.2 BuildRequires: libtasn1-devel >= 2.14 BuildRequires: libtool BuildRequires: p11-kit-devel >= 0.11 BuildRequires: pkg-config BuildRequires: xz BuildRequires: zlib-devel BuildRoot: %{_tmppath}/%{name}-%{version}-build # bug437293 %ifarch ppc64 Obsoletes: gnutls-64bit %endif %description The GnuTLS project aims to develop a library that provides a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETF's TLS working group. %package -n libgnutls%{gnutls_sover} Summary: The GNU Transport Layer Security Library License: LGPL-3.0+ Group: Productivity/Networking/Security %description -n libgnutls%{gnutls_sover} The GnuTLS project aims to develop a library that provides a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETF's TLS working group. 
%package -n libgnutlsxx%{gnutlsxx_sover} Summary: The GNU Transport Layer Security Library License: LGPL-3.0+ Group: Productivity/Networking/Security %description -n libgnutlsxx%{gnutlsxx_sover} The GnuTLS project aims to develop a library that provides a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETF's TLS working group. %package -n libgnutls-openssl%{gnutls_ossl_sover} Summary: The GNU Transport Layer Security Library License: GPL-3.0+ Group: Productivity/Networking/Security %description -n libgnutls-openssl%{gnutls_ossl_sover} The GnuTLS project aims to develop a library that provides a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETF's TLS working group. %package -n libgnutls-devel Summary: Development package for gnutls License: LGPL-3.0+ Group: Development/Libraries/C and C++ PreReq: %install_info_prereq Requires: glibc-devel Requires: libgnutls%{gnutls_sover} = %{version} Provides: gnutls-devel = %{version}-%{release} %description -n libgnutls-devel Files needed for software development using gnutls. %package -n libgnutlsxx-devel Summary: Development package for gnutls License: LGPL-3.0+ Group: Development/Libraries/C and C++ PreReq: %install_info_prereq Requires: libgnutls-devel = %{version} Requires: libgnutlsxx%{gnutlsxx_sover} = %{version} Requires: libstdc++-devel %description -n libgnutlsxx-devel Files needed for software development using gnutls. %package -n libgnutls-openssl-devel Summary: Development package for gnutls License: GPL-3.0+ Group: Development/Libraries/C and C++ Requires: libgnutls-devel = %{version} Requires: libgnutls-openssl%{gnutls_ossl_sover} = %{version} %description -n libgnutls-openssl-devel Files needed for software development using gnutls. 
%prep %setup -q %patch1 %patch2 -p1 %patch3 %patch4 -p1 %patch5 -p1 %patch6 -p1 %patch7 -p1 %patch8 -p1 %patch9 -p1 %patch10 -p1 %patch11 -p1 echo %{_includedir}/%{name}/abstract.h %build autoreconf -if %configure \ --disable-static \ --with-pic \ --disable-rpath \ --disable-silent-rules \ --with-default-trust-store-dir=/etc/ssl/certs \ --with-sysroot=/%{?_sysroot} %__make %{?_smp_mflags} %install %make_install rm -rf %{buildroot}%{_datadir}/locale/en@{,bold}quot # Do not package static libs and libtool files rm -f %{buildroot}%{_libdir}/*.la # install docs %__mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/ %__cp doc/gnutls.html doc/*.png doc/gnutls.pdf %{buildroot}%{_docdir}/libgnutls-devel/ %__mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/reference %__cp doc/reference/html/* %{buildroot}%{_docdir}/libgnutls-devel/reference/ %__mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/examples %__cp doc/examples/*.{c,h} %{buildroot}%{_docdir}/libgnutls-devel/examples/ %find_lang libgnutls --all-name %check %if ! 
0%{?qemu_user_space_build} %__make check %endif %clean rm -rf %{buildroot} %post -n libgnutls%{gnutls_sover} -p /sbin/ldconfig %postun -n libgnutls%{gnutls_sover} -p /sbin/ldconfig %post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig %postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig %post -n libgnutls-openssl%{gnutls_ossl_sover} -p /sbin/ldconfig %postun -n libgnutls-openssl%{gnutls_ossl_sover} -p /sbin/ldconfig %post -n libgnutls-devel %install_info --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz %install_info --info-dir=%{_infodir} %{_infodir}/pkcs11-vision.png.gz %postun -n libgnutls-devel %install_info_delete --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz %install_info_delete --info-dir=%{_infodir} %{_infodir}/pkcs11-vision.png.gz %files -f libgnutls.lang %defattr(-, root, root) %doc THANKS README NEWS ChangeLog COPYING COPYING.LESSER AUTHORS doc/TODO %{_bindir}/certtool %{_bindir}/crywrap %{_bindir}/gnutls-cli %{_bindir}/gnutls-cli-debug %{_bindir}/gnutls-serv %{_bindir}/ocsptool %{_bindir}/psktool %{_bindir}/p11tool %{_bindir}/srptool %{_mandir}/man1/* %files -n libgnutls%{gnutls_sover} %defattr(-,root,root) %{_libdir}/libgnutls.so.%{gnutls_sover}* %files -n libgnutls-openssl%{gnutls_ossl_sover} %defattr(-,root,root) %{_libdir}/libgnutls-openssl.so.%{gnutls_ossl_sover}* %files -n libgnutlsxx%{gnutlsxx_sover} %defattr(-,root,root) %{_libdir}/libgnutlsxx.so.%{gnutlsxx_sover}* %files -n libgnutls-devel %defattr(-, root, root) %dir %{_includedir}/%{name} %{_includedir}/%{name}/abstract.h %{_includedir}/%{name}/crypto.h %{_includedir}/%{name}/compat.h %{_includedir}/%{name}/dtls.h %{_includedir}/%{name}/gnutls.h %{_includedir}/%{name}/openpgp.h %{_includedir}/%{name}/ocsp.h %{_includedir}/%{name}/pkcs11.h %{_includedir}/%{name}/pkcs12.h %{_includedir}/%{name}/x509.h %{_libdir}/libgnutls.so %{_libdir}/pkgconfig/gnutls.pc %{_mandir}/man3/* %{_infodir}/*.* %doc %{_docdir}/libgnutls-devel %files -n libgnutlsxx-devel %defattr(-, root, root) 
%{_libdir}/libgnutlsxx.so %dir %{_includedir}/%{name} %{_includedir}/%{name}/gnutlsxx.h %files -n libgnutls-openssl-devel %defattr(-, root, root) %{_libdir}/libgnutls-openssl.so %dir %{_includedir}/%{name} %{_includedir}/%{name}/openssl.h %changelog ++++++ CVE-2014-0092.patch ++++++ Index: gnutls-3.0.28/lib/x509/verify.c =================================================================== --- gnutls-3.0.28.orig/lib/x509/verify.c +++ gnutls-3.0.28/lib/x509/verify.c @@ -132,7 +132,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu if (result < 0) { gnutls_assert (); - goto cleanup; + goto fail; } result = @@ -141,7 +141,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu if (result < 0) { gnutls_assert (); - goto cleanup; + goto fail; } result = @@ -149,7 +149,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu if (result < 0) { gnutls_assert (); - goto cleanup; + goto fail; } result = @@ -157,7 +157,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu if (result < 0) { gnutls_assert (); - goto cleanup; + goto fail; } /* If the subject certificate is the same as the issuer @@ -197,6 +197,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu else gnutls_assert (); +fail: result = 0; cleanup: @@ -397,7 +398,7 @@ _gnutls_verify_certificate2 (gnutls_x509 gnutls_datum_t cert_signed_data = { NULL, 0 }; gnutls_datum_t cert_signature = { NULL, 0 }; gnutls_x509_crt_t issuer = NULL; - int issuer_version, result, hash_algo; + int issuer_version, result = 0, hash_algo; unsigned int out = 0; if (output) @@ -435,14 +436,15 @@ _gnutls_verify_certificate2 (gnutls_x509 if (issuer_version < 0) { gnutls_assert (); - return issuer_version; + result = 0; + goto cleanup; } if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) && ((flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT) || issuer_version != 1)) { - if (check_if_ca (cert, issuer, flags) == 0) + if (check_if_ca (cert, issuer, flags) != 1) { gnutls_assert (); out = GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID; 
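Review bot: The four `goto cleanup` → `goto fail` changes at lines 132–157 make any failure to read the issuer's CA-related extensions yield `result = 0` ("not a CA") instead of a negative code that the caller compared with `== 0` and therefore read as success; that is the fix, but nothing in the code records it. A comment at the first such site, `/* errors reading CA extensions mean "not a CA": return 0, never a negative code, callers test == 1 */`, would keep the next editor from restoring error propagation. The new `fail:` label sitting in front of `result = 0;` also relies on the success branch above the `else gnutls_assert ();` (not visible here) jumping straight to `cleanup`, which is worth stating at the label. check_if_ca starts and ends outside this hunk.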
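Review bot: On the new `issuer_version < 0` path the function returns 0 with `out` still 0, so a caller that reads the status bits written at `cleanup` (outside the hunk) rather than the return value sees a clean verification that never happened; the `check_if_ca` branch just below sets `out = GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID`, and this path should set at least `out = GNUTLS_CERT_INVALID;` before `goto cleanup`. The same applies to each `result = 0; goto cleanup;` added at lines 459–499 of this file. Changing `== 0` to `!= 1` is right, since check_if_ca now only ever returns 0 or 1. _gnutls_verify_certificate2 continues outside the hunk.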
@@ -459,6 +461,7 @@ _gnutls_verify_certificate2 (gnutls_x509 if (result < 0) { gnutls_assert (); + result = 0; goto cleanup; } @@ -467,6 +470,7 @@ _gnutls_verify_certificate2 (gnutls_x509 if (result < 0) { gnutls_assert (); + result = 0; goto cleanup; } @@ -474,6 +478,7 @@ _gnutls_verify_certificate2 (gnutls_x509 if (result < 0) { gnutls_assert (); + result = 0; goto cleanup; } @@ -494,6 +499,7 @@ _gnutls_verify_certificate2 (gnutls_x509 else if (result < 0) { gnutls_assert(); + result = 0; goto cleanup; } @@ -665,7 +671,7 @@ _gnutls_x509_verify_certificate (const g ret = _gnutls_verify_certificate2 (certificate_list[clist_size - 1], trusted_cas, tcas_size, flags, &output, &issuer, now, func); - if (ret == 0) + if (ret != 1) { /* if the last certificate in the certificate * list is invalid, then the certificate is not @@ -693,7 +699,7 @@ _gnutls_x509_verify_certificate (const g if ((ret = _gnutls_verify_certificate2 (certificate_list[i - 1], &certificate_list[i], 1, flags, - &output, NULL, now, func)) == 0) + &output, NULL, now, func)) != 1) { status |= output; status |= GNUTLS_CERT_INVALID; ++++++ CVE-2014-3465.patch ++++++ Index: gnutls-3.0.28/lib/x509/common.c =================================================================== --- gnutls-3.0.28.orig/lib/x509/common.c +++ gnutls-3.0.28/lib/x509/common.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2003-2012 Free Software Foundation, Inc. + * Copyright (C) 2003-2014 Free Software Foundation, Inc. * * Author: Nikos Mavrogiannopoulos * @@ -192,7 +192,8 @@ gnutls_x509_dn_oid_name (const char *oid do { - if (strcmp (_oid2str[i].oid, oid) == 0) + + if (strcmp (_oid2str[i].oid, oid) == 0 && _oid2str[i].ldap_desc != NULL) return _oid2str[i].ldap_desc; i++; } ++++++ CVE-2014-3466.patch ++++++ Index: gnutls-3.0.28/lib/gnutls_handshake.c =================================================================== --- gnutls-3.0.28.orig/lib/gnutls_handshake.c +++ gnutls-3.0.28/lib/gnutls_handshake.c 
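Review bot: `ret != 1` depends on _gnutls_verify_certificate2 never returning a negative value again, which this patch arranges but does not document; a negative value would now count as failure (correct), whereas before it counted as success. Add a comment here or on the callee, `/* _gnutls_verify_certificate2 returns 1 = verified, 0 = not verified, never negative */`, so the contract is explicit. The same holds for the `!= 1` comparison in the hunk at line 693. _gnutls_x509_verify_certificate starts and ends outside the hunk.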
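Review bot: With the added `_oid2str[i].ldap_desc != NULL` test, an OID that matches a table entry without an LDAP name no longer returns NULL here but keeps scanning to the end of the table, and what the caller then gets is decided by the code after the loop (outside the hunk); a comment saying so would help, `/* entries with no LDAP name fall through to the return-OID handling below */`. The empty `+` line inserted before the `if` is stray whitespace and should be dropped. gnutls_x509_dn_oid_name starts and ends outside the hunk.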
@@ -1605,7 +1605,8 @@ _gnutls_read_server_hello (gnutls_sessio DECR_LEN (len, 1); session_id_len = data[pos++]; - if (len < session_id_len) + + if (len < session_id_len || session_id_len > TLS_MAX_SESSION_ID_SIZE) { gnutls_assert (); return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; ++++++ CVE-2014-3467.patch ++++++ Index: gnutls-3.2.4/lib/minitasn1/decoding.c =================================================================== --- gnutls-3.2.4.orig/lib/minitasn1/decoding.c +++ gnutls-3.2.4/lib/minitasn1/decoding.c @@ -149,7 +149,7 @@ asn1_get_tag_der (const unsigned char *d /* Long form */ punt = 1; ris = 0; - while (punt <= der_len && der[punt] & 128) + while (punt < der_len && der[punt] & 128) { last = ris; @@ -259,7 +259,7 @@ _asn1_get_time_der (const unsigned char if (der_len <= 0 || str == NULL) return ASN1_DER_ERROR; str_len = asn1_get_length_der (der, der_len, &len_len); - if (str_len < 0 || str_size < str_len) + if (str_len <= 0 || str_size < str_len) return ASN1_DER_ERROR; memcpy (str, der + len_len, str_len); str[str_len] = 0; @@ -285,7 +285,7 @@ _asn1_get_objectid_der (const unsigned c return ASN1_GENERIC_ERROR; len = asn1_get_length_der (der, der_len, &len_len); - if (len < 0 || len > der_len || len_len > der_len) + if (len <= 0 || len > der_len || len_len > der_len) return ASN1_DER_ERROR; val1 = der[len_len] / 40; ++++++ CVE-2014-3468.patch ++++++ Index: gnutls-3.2.4/lib/minitasn1/decoding.c =================================================================== --- gnutls-3.2.4.orig/lib/minitasn1/decoding.c +++ gnutls-3.2.4/lib/minitasn1/decoding.c @@ -226,7 +226,7 @@ asn1_get_octet_der (const unsigned char int *ret_len, unsigned char *str, int str_size, int *str_len) { - int len_len; + int len_len = 0; if (der_len <= 0) return ASN1_GENERIC_ERROR; 
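Review bot: The error returned for an oversized session id is `GNUTLS_E_UNSUPPORTED_VERSION_PACKET`, which says nothing about the actual problem; `GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER`, if this tree has it, describes a ServerHello carrying a session id above `TLS_MAX_SESSION_ID_SIZE`. The bound itself is the right one, presumably because the id is later copied into a fixed-size buffer outside this hunk. The empty `+` line before the `if` is stray whitespace. _gnutls_read_server_hello continues outside the hunk.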
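Review bot: The check `str_len <= 0 || str_size < str_len` still admits `str_len == str_size`, after which `str[str_len] = 0` writes one byte past a buffer of `str_size` bytes unless every caller passes a size one smaller than its buffer (the libtasn1 convention, but not visible here); `str_size <= str_len` would make the function safe on its own. It also never compares `str_len` with the input: `memcpy (str, der + len_len, str_len)` can read past `der_len`, so add `|| str_len > der_len - len_len`. _asn1_get_time_der starts outside the hunk.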
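Review bot: `len > der_len || len_len > der_len` checks the two lengths separately, so `len_len + len > der_len` still passes and the object-id loop that follows (outside the hunk, presumably walking `der[len_len .. len_len+len)`) reads past the input; write the test as `len <= 0 || len_len > der_len || len > der_len - len_len`, using the subtraction so the sum cannot overflow. Rejecting `len == 0` is correct, since `der[len_len]` is read unconditionally on the next line. _asn1_get_objectid_der continues outside the hunk.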
@@ -347,7 +347,7 @@ asn1_get_bit_der (const unsigned char *d int *ret_len, unsigned char *str, int str_size, int *bit_len) { - int len_len, len_byte; + int len_len = 0, len_byte; if (der_len <= 0) return ASN1_GENERIC_ERROR; @@ -358,6 +358,9 @@ asn1_get_bit_der (const unsigned char *d *ret_len = len_byte + len_len + 1; *bit_len = len_byte * 8 - der[len_len]; + if (*bit_len <= 0) + return ASN1_DER_ERROR; + if (str_size >= len_byte) memcpy (str, der + len_len + 1, len_byte); else ++++++ CVE-2014-3469.patch ++++++ Index: gnutls-3.0.28/lib/minitasn1/decoding.c =================================================================== --- gnutls-3.0.28.orig/lib/minitasn1/decoding.c +++ gnutls-3.0.28/lib/minitasn1/decoding.c @@ -231,7 +231,6 @@ asn1_get_octet_der (const unsigned char if (der_len <= 0) return ASN1_GENERIC_ERROR; - /* if(str==NULL) return ASN1_SUCCESS; */ *str_len = asn1_get_length_der (der, der_len, &len_len); if (*str_len < 0) @@ -239,7 +238,10 @@ asn1_get_octet_der (const unsigned char *ret_len = *str_len + len_len; if (str_size >= *str_len) - memcpy (str, der + len_len, *str_len); + { + if (*str_len > 0 && str != NULL) + memcpy (str, der + len_len, *str_len); + } else { return ASN1_MEM_ERROR; @@ -358,11 +360,15 @@ asn1_get_bit_der (const unsigned char *d *ret_len = len_byte + len_len + 1; *bit_len = len_byte * 8 - der[len_len]; + if (*bit_len <= 0) return ASN1_DER_ERROR; if (str_size >= len_byte) - memcpy (str, der + len_len + 1, len_byte); + { + if (len_byte > 0 && str) + memcpy (str, der + len_len + 1, len_byte); + } else { return ASN1_MEM_ERROR; Index: gnutls-3.0.28/lib/minitasn1/element.c =================================================================== --- gnutls-3.0.28.orig/lib/minitasn1/element.c +++ gnutls-3.0.28/lib/minitasn1/element.c 
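Review bot: `*bit_len = len_byte * 8 - der[len_len]` trusts the unused-bits octet, which DER restricts to 0..7 (and to 0 when there are no content octets); the new `*bit_len <= 0` test only catches the case where it exceeds the whole bit count, so a value such as 9 with `len_byte == 2` still yields a bogus `*bit_len`. Add `if (der[len_len] > 7) return ASN1_DER_ERROR;` before the subtraction. Whether `der[len_len]` lies within `der_len` depends on how `len_byte` is derived above the hunk. asn1_get_bit_der starts and ends outside the hunk.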
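Review bot: The `str != NULL` guard in front of `memcpy` avoids a null destination, which is undefined even for a zero length, but the reason is not recorded; a comment such as `/* str == NULL means "report the size only"; memcpy with a null pointer is UB even for 0 bytes */` would explain the heavier branch structure. Note that a caller passing `str == NULL` together with a non-zero `str_size` now gets ASN1_SUCCESS with nothing copied, so the contract should state that a null `str` must come with `str_size == 0`. asn1_get_octet_der starts outside the hunk.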
@@ -112,8 +112,11 @@ _asn1_convert_integer (const unsigned ch /* VALUE_OUT is too short to contain the value conversion */ return ASN1_MEM_ERROR; - for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++) - value_out[k2 - k] = val[k2]; + if (value_out != NULL) + { + for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++) + value_out[k2 - k] = val[k2]; + } #if 0 printf ("_asn1_convert_integer: valueIn=%s, lenOut=%d", value, *len); @@ -611,7 +614,8 @@ asn1_write_value (asn1_node node_root, c if (ptr_size < data_size) { \ return ASN1_MEM_ERROR; \ } else { \ - memcpy( ptr, data, data_size); \ + if (ptr && data_size > 0) \ + memcpy( ptr, data, data_size); \ } #define PUT_STR_VALUE( ptr, ptr_size, data) \ @@ -620,16 +624,19 @@ asn1_write_value (asn1_node node_root, c return ASN1_MEM_ERROR; \ } else { \ /* this strcpy is checked */ \ - _asn1_strcpy(ptr, data); \ + if (ptr) { \ + _asn1_strcpy(ptr, data); \ + } \ } #define ADD_STR_VALUE( ptr, ptr_size, data) \ - *len = (int) _asn1_strlen(data) + 1; \ - if (ptr_size < (int) _asn1_strlen(ptr)+(*len)) { \ + *len += _asn1_strlen(data); \ + if (ptr_size < (int) *len) { \ + (*len)++; \ return ASN1_MEM_ERROR; \ } else { \ /* this strcat is checked */ \ - _asn1_strcat(ptr, data); \ + if (ptr) _asn1_strcat (ptr, data); \ } /** @@ -786,7 +793,9 @@ asn1_read_value (asn1_node root, const c case TYPE_OBJECT_ID: if (node->type & CONST_ASSIGN) { - value[0] = 0; + *len = 0; + if (value) + value[0] = 0; p = node->down; while (p) { @@ -800,7 +809,7 @@ asn1_read_value (asn1_node root, const c } p = p->right; } - *len = _asn1_strlen (value) + 1; + (*len)++; } else if ((node->type & CONST_DEFAULT) && (node->value == NULL)) { ++++++ automake-1.12.patch ++++++ Index: gnutls-3.0.20/configure.ac =================================================================== --- gnutls-3.0.20.orig/configure.ac 2012-07-01 21:50:17.000000000 +0200 +++ gnutls-3.0.20/configure.ac 2012-07-01 21:50:17.977499968 +0200 
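Review bot: The new ADD_STR_VALUE test `ptr_size < (int) *len` accepts `ptr_size == *len`, and `_asn1_strcat` then writes `*len` characters plus the terminator, one byte past a buffer of `ptr_size` bytes; unless `ptr_size` is by convention one less than the real buffer (not visible here) it should read `if (ptr_size <= (int) *len) {`, which also matches the `(*len)++` that reports the required size including the NUL. The `if (ptr)` guards make the macros usable for pure size queries, which is what the `*len = 0` / `(*len)++` changes in the hunks at lines 786 and 800 rely on, and that should be said in a comment above the macro. The macros and the surrounding function are cut at the hunk edges.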
@@ -37,6 +37,7 @@ dnl Checks for programs. AC_PROG_CC AM_PROG_AS AC_PROG_CXX +AM_PROG_AR gl_EARLY # For includes/gnutls/gnutls.h.in. Index: gnutls-3.0.20/aclocal.m4 =================================================================== --- gnutls-3.0.20.orig/aclocal.m4 2012-06-05 19:10:14.000000000 +0200 +++ gnutls-3.0.20/aclocal.m4 2012-07-01 21:53:42.821893323 +0200 @@ -529,7 +529,7 @@ AM_MISSING_PROG(AUTOHEADER, autoheader) AM_MISSING_PROG(MAKEINFO, makeinfo) AC_REQUIRE([AM_PROG_INSTALL_SH])dnl AC_REQUIRE([AM_PROG_INSTALL_STRIP])dnl -AC_REQUIRE([AM_PROG_MKDIR_P])dnl +AC_REQUIRE([AC_PROG_MKDIR_P])dnl # We need awk for the "check" target. The system "awk" is bad on # some platforms. AC_REQUIRE([AC_PROG_AWK])dnl @@ -773,10 +773,10 @@ fi # serial 1 -# AM_PROG_MKDIR_P +# AC_PROG_MKDIR_P # --------------- # Check for `mkdir -p'. -AC_DEFUN([AM_PROG_MKDIR_P], +AC_DEFUN([AC_PROG_MKDIR_P], [AC_PREREQ([2.60])dnl AC_REQUIRE([AC_PROG_MKDIR_P])dnl dnl Automake 1.8 to 1.9.6 used to define mkdir_p. We now use MKDIR_P, Index: gnutls-3.0.20/gl/m4/gnulib-common.m4 =================================================================== --- gnutls-3.0.20.orig/gl/m4/gnulib-common.m4 2012-06-05 19:07:51.000000000 +0200 +++ gnutls-3.0.20/gl/m4/gnulib-common.m4 2012-07-01 21:53:42.821893323 +0200 @@ -301,7 +301,7 @@ m4_ifdef([AC_PROG_MKDIR_P], [ AC_SUBST([MKDIR_P])])], [ dnl For autoconf < 2.60: Backport of AC_PROG_MKDIR_P. AC_DEFUN_ONCE([AC_PROG_MKDIR_P], - [AC_REQUIRE([AM_PROG_MKDIR_P])dnl defined by automake + [AC_REQUIRE([AC_PROG_MKDIR_P])dnl defined by automake MKDIR_P='$(mkdir_p)' AC_SUBST([MKDIR_P])])]) Index: gnutls-3.0.20/m4/po.m4 =================================================================== --- gnutls-3.0.20.orig/m4/po.m4 2011-11-08 22:07:12.000000000 +0100 +++ gnutls-3.0.20/m4/po.m4 2012-07-01 21:53:42.822893277 +0200 
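Review bot: The renamed macro now requires itself, `AC_DEFUN([AC_PROG_MKDIR_P], [AC_PREREQ([2.60])dnl AC_REQUIRE([AC_PROG_MKDIR_P])dnl`, and it also overrides autoconf's own AC_PROG_MKDIR_P with the old automake body; either drop the self-require line or drop the definition entirely. Since the spec runs `autoreconf -if` (visible in its %build section), aclocal.m4 is regenerated before configure runs and this hunk is probably dead weight, in which case the patch should be trimmed to the configure.ac change. The macro body continues outside the hunk.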
@@ -24,7 +24,7 @@ AC_DEFUN([AM_PO_SUBDIRS], [ AC_REQUIRE([AC_PROG_MAKE_SET])dnl AC_REQUIRE([AC_PROG_INSTALL])dnl - AC_REQUIRE([AM_PROG_MKDIR_P])dnl defined by automake + AC_REQUIRE([AC_PROG_MKDIR_P])dnl defined by automake AC_REQUIRE([AM_NLS])dnl dnl Release version of the gettext macros. This is used to ensure that ++++++ baselibs.conf ++++++ libgnutls28 obsoletes "gnutls-<targettype>" libgnutls-devel requires -libgnutls-<targettype> requires "libgnutls28-<targettype> = <version>" ++++++ gnutls-3.0.26-skip-test-fwrite.patch ++++++ Index: gl/tests/test-fwrite.c =================================================================== --- gl/tests/test-fwrite.c.orig 2012-04-12 21:05:11.000000000 +0100 +++ gl/tests/test-fwrite.c 2012-11-23 22:51:17.000000000 +0000 @@ -32,6 +32,8 @@ SIGNATURE_CHECK (fwrite, size_t, (const int main (int argc, char **argv) { + // skip test-fwrite + return 77; const char *filename = "test-fwrite.txt"; /* We don't have an fwrite() function that installs an invalid parameter @@ -50,6 +52,7 @@ main (int argc, char **argv) setvbuf (fp, NULL, _IONBF, 0); ASSERT (close (fileno (fp)) == 0); errno = 0; + // this fwrite returns 5 == sizeof (buf) in openSUSE Factory ASSERT (fwrite (buf, 1, sizeof (buf), fp) == 0); ASSERT (errno == EBADF); ASSERT (ferror (fp)); ++++++ gnutls-3.2.10-supported-ecc.patch ++++++ Index: gnutls-3.0.28/lib/ext/ecc.c =================================================================== --- gnutls-3.0.28.orig/lib/ext/ecc.c +++ gnutls-3.0.28/lib/ext/ecc.c 
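Review bot: Placing `return 77;` ahead of `const char *filename = "test-fwrite.txt";` puts a statement before a declaration and makes the whole body unreachable, which draws -Wdeclaration-after-statement and unreachable-code warnings; wrapping the original body in `#if 0` / `#endif` or returning after the declarations is cleaner. The skip also hides the behaviour the second hunk documents (`fwrite` returning 5 on a closed descriptor), so the reason and a bug reference belong in the patch header rather than only in a `//` line. main continues outside the hunk.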
@@ -91,8 +91,10 @@ _gnutls_supported_ecc_recv_params (gnutl if (session->security_parameters.entity == GNUTLS_CLIENT) { - /* A client shouldn't receive this extension */ - return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION); + /* A client shouldn't receive this extension, but of course + there are servers out there that send it. Just ignore it. */ + _gnutls_debug_log("received SUPPORTED ECC extension on client side!!!\n"); + return 0; } else { /* SERVER SIDE - we must check if the sent supported ecc type is the right one ++++++ gnutls-CVE-2014-8564.patch ++++++ commit a737abecf1affa08469ca2e9804eb3b6e95027e9 Author: Nikos Mavrogiannopoulos <nmav@gnutls.org> Date: Mon Nov 10 07:44:11 2014 +0100 when exporting curve coordinates to X9.63 format, perform additional sanity checks on input Reported by Sean Burford. Index: gnutls-3.2.4/lib/gnutls_ecc.c =================================================================== --- gnutls-3.2.4.orig/lib/gnutls_ecc.c +++ gnutls-3.2.4/lib/gnutls_ecc.c @@ -53,20 +53,36 @@ _gnutls_ecc_ansi_x963_export (gnutls_ecc /* pad and store x */ byte_size = (_gnutls_mpi_get_nbits (x) + 7) / 8; + if (numlen < byte_size) { + ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + goto cleanup; + } + size = out->size - (1 + (numlen - byte_size)); ret = _gnutls_mpi_print (x, &out->data[1 + (numlen - byte_size)], &size); - if (ret < 0) - return gnutls_assert_val (ret); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } byte_size = (_gnutls_mpi_get_nbits (y) + 7) / 8; + if (numlen < byte_size) { + ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + goto cleanup; + } size = out->size - (1 + (numlen + numlen - byte_size)); ret = _gnutls_mpi_print (y, &out->data[1 + numlen + numlen - byte_size], &size); - if (ret < 0) - return gnutls_assert_val (ret); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } /* pad and store y */ return 0; +cleanup: + _gnutls_free_datum(out); + return ret; } ++++++ gnutls-implement-trust-store-dir.diff ++++++
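Review bot: The client now silently accepts a supported-ECC extension from the server where it used to reject it as illegal; that is a defensible interoperability choice, but the log line `received SUPPORTED ECC extension on client side!!!` reads as alarm rather than policy. Rephrase it, e.g. `_gnutls_debug_log("ignoring supported-ECC extension sent by server\n");`, and extend the comment to say the extension body is not parsed, so nothing the server sends here can influence the client's curve selection. _gnutls_supported_ecc_recv_params continues outside the hunk.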
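Review bot: The comment `/* pad and store y */` now sits after the y coordinate has already been written, directly before `return 0;`, and neither new `numlen < byte_size` test says what it guards; move the comment above `byte_size = (_gnutls_mpi_get_nbits (y) + 7) / 8;` and add at the first test `/* a coordinate wider than numlen would make 1 + (numlen - byte_size) wrap and write before out->data */`. The tests compare only against `numlen`; that `out->size` really holds `1 + 2*numlen` is decided where `out` is allocated above the hunk, and `cleanup` frees `out` on every failure path, so callers must not free it again — worth stating in the function's header comment. _gnutls_ecc_ansi_x963_export starts outside the hunk.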
From a6cef9220ae251e3b8f8d663c5fa7f888e3176d8 Mon Sep 17 00:00:00 2001 From: Ludwig Nussel <ludwig.nussel@suse.de> Date: Tue, 8 May 2012 15:47:02 +0200 Subject: [PATCH gnutls] implement trust store dir
(since updated as some parts were introduced upstream) --- configure.ac | 18 ++++++++++++- lib/gnutls_x509.c | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 90 insertions(+), 2 deletions(-) Index: configure.ac =================================================================== --- configure.ac.orig 2012-11-08 23:05:32.000000000 +0000 +++ configure.ac 2012-11-16 23:18:51.000000000 +0000 @@ -301,9 +301,11 @@ AC_ARG_WITH([default-crl-file], [AS_HELP_STRING([--with-default-crl-file=FILE], [use the given CRL file as default])]) -if test "x$with_default_trust_store_pkcs11" = x -a "x$with_default_trust_store_file" = x; then +if test "x$with_default_trust_store_pkcs11" = x -a "x$with_default_trust_store_file" = x \ + -a "x$with_default_trust_store_dir" = x; then # auto detect http://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.html for i in \ + /etc/ssl/certs \ /etc/ssl/certs/ca-certificates.crt \ /etc/pki/tls/cert.pem \ /usr/local/share/certs/ca-root-nss.crt \ @@ -321,6 +323,11 @@ if test "x$with_default_trust_store_file ["$with_default_trust_store_file"], [use the given file default trust store]) fi +if test "x$with_default_trust_store_dir" != x; then + AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_DIR], + ["$with_default_trust_store_dir"], [use the given directory default trust store]) +fi + if test "x$with_default_crl_file" != x; then AC_DEFINE_UNQUOTED([DEFAULT_CRL_FILE], ["$with_default_crl_file"], [use the given CRL file]) @@ -562,6 +569,7 @@ if features are disabled) Trust store pkcs: $with_default_trust_store_pkcs11 Trust store file: $with_default_trust_store_file + Trust store dir: $with_default_trust_store_dir CRL file: $with_default_crl_file ]) Index: lib/gnutls_x509.c =================================================================== --- lib/gnutls_x509.c.orig 2012-09-22 01:01:26.000000000 +0100 +++ lib/gnutls_x509.c 2012-11-16 23:16:31.000000000 +0000 
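Review bot: `/etc/ssl/certs` is added to the auto-detect candidate list, but the loop body that tests each candidate is outside the hunk; if it uses `test -f`, as the other entries (all files) suggest, a directory never matches and `with_default_trust_store_dir` is never set by auto-detection. The loop needs a `-d` branch that assigns `with_default_trust_store_dir` for the entry to have any effect. No `AC_ARG_WITH([default-trust-store-dir])` appears in these hunks either; the header says parts went upstream, so confirm the option exists in this tree (the spec passes `--with-default-trust-store-dir=/etc/ssl/certs`).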
@@ -36,6 +36,7 @@
 #include <gnutls_pk.h>
 #include <gnutls_str.h>
 #include <debug.h>
+#include <dirent.h>
 #include <x509_b64.h>
 #include <gnutls_x509.h>
 #include "x509/common.h"
@@ -1694,6 +1695,72 @@ set_x509_system_trust_file (gnutls_certi
 }
 #endif
+#ifdef DEFAULT_TRUST_STORE_DIR
+static int
+_gnutls_certificate_set_x509_system_trust_dir (gnutls_certificate_credentials_t cred)
+{
+ DIR* dir;
+ struct dirent* buf, *de;
+ int ret, r = 0;
+ gnutls_datum_t cas;
+ size_t size;
+ char cafile[PATH_MAX];
+
+ dir = opendir(DEFAULT_TRUST_STORE_DIR);
+ if (dir == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_FILE_ERROR;
+ }
+
+ buf = alloca(offsetof(struct dirent, d_name) + pathconf(DEFAULT_TRUST_STORE_DIR, _PC_NAME_MAX) + 1);
+
+ while (1)
+ {
+ if (readdir_r(dir, buf, &de))
+ {
+ gnutls_assert();
+ break;
+ }
+ if (de == NULL)
+ {
+ break;
+ }
+ if (strlen(de->d_name) < 4 || strcmp(de->d_name+strlen(de->d_name)-4, ".pem"))
+ {
+ continue;
+ }
+
+ strcpy(cafile, DEFAULT_TRUST_STORE_DIR "/");
+ strncat(cafile, de->d_name, sizeof(cafile)-strlen(cafile)-1);
+ cas.data = (void*)read_binary_file (cafile, &size);
+ if (cas.data == NULL)
+ {
+ gnutls_assert ();
+ continue;
+ }
+
+ cas.size = size;
+
+ ret = gnutls_certificate_set_x509_trust_mem(cred, &cas, GNUTLS_X509_FMT_PEM);
+
+ free (cas.data);
+
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ }
+ else
+ {
+ r += ret;
+ }
+ }
+ closedir(dir);
+
+ return r;
+}
+#endif
+
 /**
 * gnutls_certificate_set_x509_system_trust:
 * @cred: is a #gnutls_certificate_credentials_t structure.
@@ -1712,7 +1779,7 @@ set_x509_system_trust_file (gnutls_certi
 int
 gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred)
 {
-#if !defined(_WIN32) && !defined(DEFAULT_TRUST_STORE_PKCS11) && !defined(DEFAULT_TRUST_STORE_FILE)
+#if !defined(_WIN32) && !defined(DEFAULT_TRUST_STORE_PKCS11) && !defined(DEFAULT_TRUST_STORE_FILE) && !defined(DEFAULT_TRUST_STORE_DIR)
 int r = GNUTLS_E_UNIMPLEMENTED_FEATURE;
 #else
 int ret, r = 0;
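Review bot: The `alloca` sizing in the new `_gnutls_certificate_set_x509_system_trust_dir` uses the return value of `pathconf(DEFAULT_TRUST_STORE_DIR, _PC_NAME_MAX)` unchecked; `pathconf` returns -1 when the limit is unspecified or the call fails, which leaves a buffer of `offsetof(struct dirent, d_name)` bytes that `readdir_r` then writes the full entry name into. Either validate the result and fall back to `NAME_MAX` (from `<limits.h>`, which `PATH_MAX` already needs) with a checked heap allocation as below, or, simpler, call `readdir()` on this private `DIR` stream, which current glibc recommends over `readdir_r` and which removes the caller-sized buffer entirely. The `readdir_r` failure path just `break`s, so the function returns a partial count with no signal that the directory was not fully read; a header comment such as `/* Returns the number of CAs loaded from *.pem files in DEFAULT_TRUST_STORE_DIR (0 if none), or GNUTLS_E_FILE_ERROR if the directory cannot be opened; unreadable or unparsable files are skipped. */` would make that contract explicit. Since every readable `.pem` in the directory, symlinked or not, becomes a trust anchor, the directory's ownership and permissions are part of the trust boundary and deserve a mention in the same comment.
```c
  /* … unchanged: opendir() and its error path … */
  long name_max = pathconf(DEFAULT_TRUST_STORE_DIR, _PC_NAME_MAX);
  if (name_max < 0)
    name_max = NAME_MAX;   /* limit unspecified or pathconf() failed */
  buf = malloc(offsetof(struct dirent, d_name) + (size_t)name_max + 1);
  if (buf == NULL)
    {
      closedir(dir);
      gnutls_assert ();
      return GNUTLS_E_MEMORY_ERROR;
    }
  /* … unchanged: readdir_r() loop … */
  closedir(dir);
  free(buf);

  return r;
```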
@@ -1730,6 +1797,11 @@ gnutls_certificate_set_x509_system_trust
 r += ret;
 #endif
+#ifdef DEFAULT_TRUST_STORE_DIR
+ ret = _gnutls_certificate_set_x509_system_trust_dir(cred);
+ if (ret > 0)
+ r += ret;
+#endif
 return r;
 }
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
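Review bot: The `if (ret > 0)` guard around the new call discards the `GNUTLS_E_FILE_ERROR` that `_gnutls_certificate_set_x509_system_trust_dir` returns when `DEFAULT_TRUST_STORE_DIR` cannot be opened, so a misconfigured or unreadable directory is indistinguishable from an empty one and the function reports success with whatever the other stores supplied, possibly zero anchors. If that is intended because the directory is optional when another store is present, say so next to the guard: `/* a missing or unreadable trust directory is not fatal: other stores may have supplied anchors */`. The file-store branch just above, whose `r += ret;` is the first context line, handles its own error outside this hunk, and the two branches should agree on whether an open failure is swallowed. gnutls_certificate_set_x509_system_trust's body begins outside this hunk.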