Bug#648441: [SRM] Fixing #648441 (CVE-2011-4128) in stable
Andreas Metzler
ametzler at downhill.at.eu.org
Thu Dec 22 17:53:06 UTC 2011
On 2011-12-22 Moritz Muehlenhoff <jmm at inutil.org> wrote:
> On Fri, Nov 11, 2011 at 04:35:56PM +0100, Simon Josefsson wrote:
[...]
> > As far as I understand, the client also has to be written in a
> > vulnerable way. The example code doesn't, and likely there are few
> > clients like that around. More investigation is warranted...
> Andreas, can you fix this for the upcoming stable point update?
> http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable
> Although it's minor it would be nice to fix it up in stable.
Hello,
I would like to upload gnutls26_2.8.6-1+squeeze1 to stable.
---------------------------
* Pull fixes for buffer overflow in gnutls_session_get_data() from upstream
git. (CVE-2011-4128: GNUTLS-SA-2011-2) Closes: #648441
20_CVE-2011-4128.part1.diff 20_CVE-2011-4128.part2.diff
---------------------------
diff to 2.8.6-1 attached.
thanks, cu andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
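The dead length check that the two patches below correct, shown side by side with the "part1 only" and "part1 + part2" behaviour, as an added C example that is not part of this mail or of GNUTLS. Everything in it is a stand-in: `get_data_2_8_6`, `get_data_part1` and `get_data_fixed` reproduce only the control flow of the three states of gnutls_session_get_data(), `session_blob` is a constructed 48-byte blob in place of the real packed session, and the value of `E_SHORT_MEMORY_BUFFER` is assumed. The overrun is measured by giving the callee a buffer that the caller declares as 16 bytes but that actually sits inside a larger array, so the demo stays free of undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for GNUTLS_E_SHORT_MEMORY_BUFFER (value assumed; see gnutls.h). */
#define E_SHORT_MEMORY_BUFFER (-26)

typedef struct { const unsigned char *data; size_t size; } datum_t;
typedef struct { int rc; size_t size; } probe_t;
typedef int (*get_data_fn)(void *, size_t *);

/* Constructed stand-in for the packed session ("psession" in the patch). */
static const unsigned char session_blob[48] = "constructed session blob for the demo";

static datum_t pack_session(void)
{
    datum_t d = { session_blob, sizeof session_blob };
    return d;
}

/* 2.8.6 as shipped: the size is stored before it is compared, so the guard
 * compares psession.size with itself and can never fire. */
static int get_data_2_8_6(void *session_data, size_t *session_data_size)
{
    datum_t psession = pack_session();
    *session_data_size = psession.size;
    if (psession.size > *session_data_size) return E_SHORT_MEMORY_BUFFER; /* dead */
    if (session_data != NULL) memcpy(session_data, psession.data, psession.size);
    return 0;
}

/* part1 only: the guard works, but the error path reports no size, so a
 * NULL-buffer / size-0 probe learns nothing. */
static int get_data_part1(void *session_data, size_t *session_data_size)
{
    datum_t psession = pack_session();
    if (psession.size > *session_data_size) return E_SHORT_MEMORY_BUFFER;
    *session_data_size = psession.size;
    if (session_data != NULL) memcpy(session_data, psession.data, psession.size);
    return 0;
}

/* part1 + part2: the required size is reported on both paths. */
static int get_data_fixed(void *session_data, size_t *session_data_size)
{
    datum_t psession = pack_session();
    if (psession.size > *session_data_size) {
        *session_data_size = psession.size;
        return E_SHORT_MEMORY_BUFFER;
    }
    *session_data_size = psession.size;
    if (session_data != NULL) memcpy(session_data, psession.data, psession.size);
    return 0;
}

/* Caller that owns only the first `cap` bytes of a 128-byte backing array, so
 * the overrun lands in real memory (no undefined behaviour) and can be counted.
 * Returns how many bytes the callee wrote beyond `cap`. */
static size_t bytes_written_past_capacity(get_data_fn get_data, size_t cap)
{
    unsigned char backing[128];
    size_t n = cap, i, overrun = 0;
    memset(backing, 0xAA, sizeof backing);
    (void)get_data(backing, &n);
    for (i = cap; i < sizeof backing; i++)
        if (backing[i] != 0xAA) overrun++;
    return overrun;
}

/* Size probe (NULL buffer, size 0): the callee's return code and reported size. */
static probe_t probe_required_size(get_data_fn get_data)
{
    probe_t p = { 0, 0 };
    p.rc = get_data(NULL, &p.size);
    return p;
}

/* Probe, allocate exactly, fetch, verify, with the fixed version. 1 = success. */
static int fetch_round_trip(void)
{
    size_t n = 0;
    unsigned char *buf;
    int ok;
    if (get_data_fixed(NULL, &n) != E_SHORT_MEMORY_BUFFER || n == 0) return 0;
    if ((buf = malloc(n)) == NULL) return 0;
    ok = get_data_fixed(buf, &n) == 0 && n == sizeof session_blob &&
         memcmp(buf, session_blob, n) == 0;
    free(buf);
    return ok;
}

int main(void)
{
    printf("2.8.6 wrote %zu bytes past a 16-byte buffer\n",
           bytes_written_past_capacity(get_data_2_8_6, 16));
    printf("fixed round trip: %s\n", fetch_round_trip() ? "ok" : "failed");
    return 0;
}
```

With a 16-byte buffer the 2.8.6 logic copies all 48 bytes and reports success, which is the overflow; part1 alone refuses the copy but leaves a size-0 probe with nothing to allocate, and only with part2 applied does the usual "ask with NULL, then allocate exactly" sequence work again. This also illustrates Simon's remark above: a client that always passes a buffer larger than any session blob never hits the bad path.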
-------------- next part --------------
File lists identical on package level (after any substitutions)
Control files of package gnutls-bin: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-2.8.6-1-] {+2.8.6-1+squeeze1+}
Control files of package gnutls-doc: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-2.8.6-1-] {+2.8.6-1+squeeze1+}
Control files of package guile-gnutls: lines which differ (wdiff format)
------------------------------------------------------------------------
Version: [-2.8.6-1-] {+2.8.6-1+squeeze1+}
Control files of package libgnutls-dev: lines which differ (wdiff format)
-------------------------------------------------------------------------
Depends: libgnutls26 (= [-2.8.6-1),-] {+2.8.6-1+squeeze1),+} libgcrypt11-dev (>= 1.3.0), libc6-dev | libc-dev, zlib1g-dev, libtasn1-3-dev (>= 0.3.4)
Version: [-2.8.6-1-] {+2.8.6-1+squeeze1+}
Control files of package libgnutls26: lines which differ (wdiff format)
-----------------------------------------------------------------------
Installed-Size: [-1268-] {+1264+}
Version: [-2.8.6-1-] {+2.8.6-1+squeeze1+}
Control files of package libgnutls26-dbg: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libgnutls26 (= [-2.8.6-1)-] {+2.8.6-1+squeeze1)+}
Version: [-2.8.6-1-] {+2.8.6-1+squeeze1+}
changelog | 8 ++++++
patches/20_CVE-2011-4128.part1.diff | 44 ++++++++++++++++++++++++++++++++++++
patches/20_CVE-2011-4128.part2.diff | 24 +++++++++++++++++++
patches/series | 2 +
4 files changed, 78 insertions(+)
diff -Nru gnutls26-2.8.6/debian/changelog gnutls26-2.8.6/debian/changelog
--- gnutls26-2.8.6/debian/changelog 2010-03-20 16:06:34.000000000 +0100
+++ gnutls26-2.8.6/debian/changelog 2011-12-22 18:19:27.000000000 +0100
@@ -1,3 +1,11 @@
+gnutls26 (2.8.6-1+squeeze1) stable; urgency=low
+
+ * Pull fixes for buffer overflow in gnutls_session_get_data() from upstream
+ git. (CVE-2011-4128: GNUTLS-SA-2011-2) Closes: #648441
+ 20_CVE-2011-4128.part1.diff 20_CVE-2011-4128.part2.diff
+
+ -- Andreas Metzler <ametzler at debian.org> Thu, 22 Dec 2011 18:07:26 +0100
+
gnutls26 (2.8.6-1) unstable; urgency=low
* Use dh_lintian.
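Review bot: the new changelog entry names the two debian/patches files but not the upstream commits they carry; adding the hashes from the patch headers (190cef6eed37d0e73a73c1e205eb31d45ab60a3c and e82ef4545e9e98cbcb032f55d7c750b81e3a0450) to the " * Pull fixes for buffer overflow ..." line lets the stable release managers verify the backport against upstream git without opening the patches. The description could also say that the second commit restores the required-size reporting on the short-buffer path, since that is an API behaviour change visible to callers, not just a memory-safety fix.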
diff -Nru gnutls26-2.8.6/debian/patches/20_CVE-2011-4128.part1.diff gnutls26-2.8.6/debian/patches/20_CVE-2011-4128.part1.diff
--- gnutls26-2.8.6/debian/patches/20_CVE-2011-4128.part1.diff 1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.8.6/debian/patches/20_CVE-2011-4128.part1.diff 2011-12-22 18:17:52.000000000 +0100
@@ -0,0 +1,44 @@
+From 190cef6eed37d0e73a73c1e205eb31d45ab60a3c Mon Sep 17 00:00:00 2001
+From: Alban Crequy <alban.crequy at collabora.co.uk>
+Date: Mon, 7 Nov 2011 18:51:27 +0000
+Subject: [PATCH] gnutls_session_get_data: fix possible buffer overflow
+
+The test to avoid the buffer overflow was always false because
+session_data_size was set at the wrong place. This problem has been introduced
+by this commit:
+
+|commit ad4ed44c65e753e6d3a00104c049dd81826ccbf3
+|Author: Nikos Mavrogiannopoulos <nmav at gnutls.org>
+|Date: Mon Nov 7 22:24:48 2005 +0000
+|
+| This is the initial commit in the 1.3 branch. Ported from the PSK branch:
+| * PSK ciphersuites have been added.
+| * The session resumption data are now system independent.
+
+Signed-off-by: Nikos Mavrogiannopoulos <nmav at gnutls.org>
+---
+ lib/gnutls_session.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/lib/gnutls_session.c b/lib/gnutls_session.c
+index 8028d5a..418a2ba 100644
+--- a/lib/gnutls_session.c
++++ b/lib/gnutls_session.c
+@@ -63,13 +63,13 @@ gnutls_session_get_data (gnutls_session_t session,
+ gnutls_assert ();
+ return ret;
+ }
+- *session_data_size = psession.size;
+
+ if (psession.size > *session_data_size)
+ {
+ ret = GNUTLS_E_SHORT_MEMORY_BUFFER;
+ goto error;
+ }
++ *session_data_size = psession.size;
+
+ if (session_data != NULL)
+ memcpy (session_data, psession.data, psession.size);
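Review bot: moving `*session_data_size = psession.size;` below the guard fixes the dead check (with the assignment first, `psession.size > *session_data_size` compared the value with itself and could never be true), but on the GNUTLS_E_SHORT_MEMORY_BUFFER path `*session_data_size` is now left exactly as the caller set it. The `if (session_data != NULL)` branch shows the function is meant to be called with a NULL buffer to learn the size, and after this hunk alone such a probe with size 0 gets the error and no size back, so the allocate-then-retry pattern cannot work. That is what part2 corrects; if the two are kept as separate Debian patches, part1 must never be applied without part2.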
+--
+1.7.2.5
+
diff -Nru gnutls26-2.8.6/debian/patches/20_CVE-2011-4128.part2.diff gnutls26-2.8.6/debian/patches/20_CVE-2011-4128.part2.diff
--- gnutls26-2.8.6/debian/patches/20_CVE-2011-4128.part2.diff 1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.8.6/debian/patches/20_CVE-2011-4128.part2.diff 2011-12-22 18:18:08.000000000 +0100
@@ -0,0 +1,24 @@
+From e82ef4545e9e98cbcb032f55d7c750b81e3a0450 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at gnutls.org>
+Date: Tue, 8 Nov 2011 07:52:56 +0100
+Subject: [PATCH] bug fix in gnutls_session_get_data().
+
+---
+ lib/gnutls_session.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/lib/gnutls_session.c b/lib/gnutls_session.c
+index 418a2ba..fd012fe 100644
+--- a/lib/gnutls_session.c
++++ b/lib/gnutls_session.c
+@@ -66,6 +66,7 @@ gnutls_session_get_data (gnutls_session_t session,
+
+ if (psession.size > *session_data_size)
+ {
++ *session_data_size = psession.size;
+ ret = GNUTLS_E_SHORT_MEMORY_BUFFER;
+ goto error;
+ }
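Review bot: this restores the required size on the error path, so the NULL-probe, allocate, retry sequence works again; taken together with part1 the function now assigns `*session_data_size = psession.size;` on both paths, which is the original assignment done after the check instead of before it. Neither patch adds a regression test (the diffstats touch only lib/gnutls_session.c); a test that calls gnutls_session_get_data() with a NULL buffer and size 0, expects GNUTLS_E_SHORT_MEMORY_BUFFER with a non-zero reported size, then calls again with a buffer one byte too small and expects the same error, would pin both halves of the fix. Since part2 is a fix for part1, folding the two into one debian/patches file would also remove the ordering hazard.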
+--
+1.7.2.5
+
diff -Nru gnutls26-2.8.6/debian/patches/series gnutls26-2.8.6/debian/patches/series
--- gnutls26-2.8.6/debian/patches/series 2010-03-20 16:02:18.000000000 +0100
+++ gnutls26-2.8.6/debian/patches/series 2011-12-22 18:18:58.000000000 +0100
@@ -1,3 +1,5 @@
14_version_gettextcat.diff
15_fixgnutlspc.diff
16_unnecessarydep.diff
+20_CVE-2011-4128.part1.diff
+20_CVE-2011-4128.part2.diff
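Review bot: the order here is mandatory, not cosmetic: part2's index line (418a2ba..fd012fe) applies on top of the tree part1 produces (8028d5a..418a2ba), so part1 must stay listed before part2 in series.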