Fixing "lucky 13" CVE-2013-0169 in gnutls28

Andreas Metzler ametzler at downhill.at.eu.org
Sun Apr 14 16:38:56 UTC 2013


On 2013-03-31 Julien Cristau <jcristau at debian.org> wrote:
> On Sun, Mar 31, 2013 at 14:35:56 +0200, Andreas Metzler wrote:
> > Could you please remove gnutls28 3.0.22-3 from *unstable* to make it
> > possible to start testing the transition?
 
> We don't handle unstable.  You'll have to file a bug against
> ftp.debian.org for that.

Hello,

We have managed to do without removal from unstable by using a
slightly different faked version number. Letting gnutls26 propagate to
testing and removing gnutls28 should now be possible.

unblock gnutls26/2.12.20-6
RM: gnutls28/3.0.20-3

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
-------------- next part --------------
Warning: these package names were in the second list but not in the first:
--------------------------------------------------------------------------
gnutls-bin
guile-gnutls

[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files only in first set of .debs, found in package libgnutls26-dbg
------------------------------------------------------------------
-rwxr-xr-x  root/root   /usr/lib/i386-linux-gnu/libgnutls26/certtool
-rwxr-xr-x  root/root   /usr/lib/i386-linux-gnu/libgnutls26/gnutls-cli
-rwxr-xr-x  root/root   /usr/lib/i386-linux-gnu/libgnutls26/gnutls-cli-debug
-rwxr-xr-x  root/root   /usr/lib/i386-linux-gnu/libgnutls26/gnutls-serv
-rwxr-xr-x  root/root   /usr/lib/i386-linux-gnu/libgnutls26/p11tool
-rwxr-xr-x  root/root   /usr/lib/i386-linux-gnu/libgnutls26/psktool
-rwxr-xr-x  root/root   /usr/lib/i386-linux-gnu/libgnutls26/srptool

New files in second set of .debs, found in package gnutls-bin
-------------------------------------------------------------
-rw-r--r--  root/root   /usr/share/doc/gnutls-bin/AUTHORS.gz
-rw-r--r--  root/root   /usr/share/doc/gnutls-bin/NEWS.gz
-rw-r--r--  root/root   /usr/share/doc/gnutls-bin/README.gz
-rw-r--r--  root/root   /usr/share/doc/gnutls-bin/THANKS.gz
-rw-r--r--  root/root   /usr/share/doc/gnutls-bin/changelog.Debian.gz
-rw-r--r--  root/root   /usr/share/doc/gnutls-bin/changelog.gz
-rw-r--r--  root/root   /usr/share/doc/gnutls-bin/copyright
-rw-r--r--  root/root   /usr/share/doc/gnutls-bin/examples/certtool.cfg
-rw-r--r--  root/root   /usr/share/man/man1/certtool.1.gz
-rw-r--r--  root/root   /usr/share/man/man1/gnutls-cli-debug.1.gz
-rw-r--r--  root/root   /usr/share/man/man1/gnutls-cli.1.gz
-rw-r--r--  root/root   /usr/share/man/man1/gnutls-serv.1.gz
-rw-r--r--  root/root   /usr/share/man/man1/p11tool.1.gz
-rw-r--r--  root/root   /usr/share/man/man1/psktool.1.gz
-rw-r--r--  root/root   /usr/share/man/man1/srptool.1.gz
-rwxr-xr-x  root/root   /usr/bin/certtool
-rwxr-xr-x  root/root   /usr/bin/gnutls-cli
-rwxr-xr-x  root/root   /usr/bin/gnutls-cli-debug
-rwxr-xr-x  root/root   /usr/bin/gnutls-serv
-rwxr-xr-x  root/root   /usr/bin/p11tool
-rwxr-xr-x  root/root   /usr/bin/psktool
-rwxr-xr-x  root/root   /usr/bin/srptool

New files in second set of .debs, found in package guile-gnutls
---------------------------------------------------------------
-rw-r--r--  root/root   /usr/lib/i386-linux-gnu/libguile-gnutls-extra-v-1.so.0.0.0
-rw-r--r--  root/root   /usr/lib/i386-linux-gnu/libguile-gnutls-v-1.so.0.0.0
-rw-r--r--  root/root   /usr/share/doc/guile-gnutls/AUTHORS.gz
-rw-r--r--  root/root   /usr/share/doc/guile-gnutls/NEWS.gz
-rw-r--r--  root/root   /usr/share/doc/guile-gnutls/README.Debian
-rw-r--r--  root/root   /usr/share/doc/guile-gnutls/README.gz
-rw-r--r--  root/root   /usr/share/doc/guile-gnutls/THANKS.gz
-rw-r--r--  root/root   /usr/share/doc/guile-gnutls/changelog.Debian.gz
-rw-r--r--  root/root   /usr/share/doc/guile-gnutls/changelog.gz
-rw-r--r--  root/root   /usr/share/doc/guile-gnutls/copyright
-rw-r--r--  root/root   /usr/share/guile/site/gnutls.scm
-rw-r--r--  root/root   /usr/share/guile/site/gnutls/extra.scm
-rw-r--r--  root/root   /usr/share/lintian/overrides/guile-gnutls
lrwxrwxrwx  root/root   /usr/lib/i386-linux-gnu/libguile-gnutls-extra-v-1.so -> libguile-gnutls-extra-v-1.so.0.0.0
lrwxrwxrwx  root/root   /usr/lib/i386-linux-gnu/libguile-gnutls-extra-v-1.so.0 -> libguile-gnutls-extra-v-1.so.0.0.0
lrwxrwxrwx  root/root   /usr/lib/i386-linux-gnu/libguile-gnutls-v-1.so -> libguile-gnutls-v-1.so.0.0.0
lrwxrwxrwx  root/root   /usr/lib/i386-linux-gnu/libguile-gnutls-v-1.so.0 -> libguile-gnutls-v-1.so.0.0.0

New files in second set of .debs, found in package libgnutls26-dbg
------------------------------------------------------------------
-rw-r--r--  root/root   /usr/lib/debug/usr/bin/certtool
-rw-r--r--  root/root   /usr/lib/debug/usr/bin/gnutls-cli
-rw-r--r--  root/root   /usr/lib/debug/usr/bin/gnutls-cli-debug
-rw-r--r--  root/root   /usr/lib/debug/usr/bin/gnutls-serv
-rw-r--r--  root/root   /usr/lib/debug/usr/bin/p11tool
-rw-r--r--  root/root   /usr/lib/debug/usr/bin/psktool
-rw-r--r--  root/root   /usr/lib/debug/usr/bin/srptool
-rw-r--r--  root/root   /usr/lib/debug/usr/lib/i386-linux-gnu/libguile-gnutls-extra-v-1.so.0.0.0
-rw-r--r--  root/root   /usr/lib/debug/usr/lib/i386-linux-gnu/libguile-gnutls-v-1.so.0.0.0

Files moved or copied from at least TWO packages or to at least TWO packages
----------------------------------------------------------------------------
-rw-r--r--  root/root   DEBIAN/control
From packages: gnutls26-doc, libgnutls-dev, libgnutls26, libgnutls26-dbg, libgnutlsxx27, libgnutls-openssl27
To packages: gnutls26-doc, libgnutls-dev, libgnutls26, libgnutls26-dbg, gnutls-bin, guile-gnutls, libgnutlsxx27, libgnutls-openssl27
-rw-r--r--  root/root   DEBIAN/md5sums
From packages: gnutls26-doc, libgnutls-dev, libgnutls26, libgnutls26-dbg, libgnutlsxx27, libgnutls-openssl27
To packages: gnutls26-doc, libgnutls-dev, libgnutls26, libgnutls26-dbg, gnutls-bin, guile-gnutls, libgnutlsxx27, libgnutls-openssl27
-rw-r--r--  root/root   DEBIAN/shlibs
From packages: libgnutls26, libgnutlsxx27, libgnutls-openssl27
To packages: libgnutls26, guile-gnutls, libgnutlsxx27, libgnutls-openssl27
-rwxr-xr-x  root/root   DEBIAN/postinst
From packages: libgnutls26, libgnutlsxx27, libgnutls-openssl27
To packages: libgnutls26, guile-gnutls, libgnutlsxx27, libgnutls-openssl27
-rwxr-xr-x  root/root   DEBIAN/postrm
From packages: libgnutls26, libgnutlsxx27, libgnutls-openssl27
To packages: libgnutls26, guile-gnutls, libgnutlsxx27, libgnutls-openssl27

Control files of package gnutls26-doc: lines which differ (wdiff format)
------------------------------------------------------------------------
Version: [-2.12.20-4-] {+2.12.20-6+}

Control files of package libgnutls-dev: lines which differ (wdiff format)
-------------------------------------------------------------------------
Depends: libgnutls26 (= [-2.12.20-4),-] {+2.12.20-6),+} libgnutlsxx27 (= [-2.12.20-4),-] {+2.12.20-6),+} libgnutls-openssl27 (= [-2.12.20-4),-] {+2.12.20-6),+} libgcrypt11-dev (>= 1.4.0), libc6-dev | libc-dev, zlib1g-dev, libtasn1-3-dev (>= 0.3.4), libp11-kit-dev (>= 0.4)
Version: [-2.12.20-4-] {+2.12.20-6+}

Control files of package libgnutls-openssl27: lines which differ (wdiff format)
-------------------------------------------------------------------------------
Depends: libgnutls26 (= [-2.12.20-4),-] {+2.12.20-6),+} libc6 (>= 2.4), libp11-kit0 (>= 0.11), libtasn1-3 (>= 1.6-0)
Version: [-2.12.20-4-] {+2.12.20-6+}

Control files of package libgnutls26: lines which differ (wdiff format)
-----------------------------------------------------------------------
Installed-Size: [-1398-] {+1399+}
Version: [-2.12.20-4-] {+2.12.20-6+}

Control files of package libgnutls26-dbg: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libgnutls26 (= [-2.12.20-4), libc6 (>= 2.4), libgcrypt11 (>= 1.4.5), libp11-kit0 (>= 0.11), libtasn1-3 (>= 1.6-0), zlib1g (>= 1:1.1.4)-] {+2.12.20-6)+}
 This package contains the debugger [-symbols and commandline utilities.-] {+symbols.+}
Version: [-2.12.20-4-] {+2.12.20-6+}

Control files of package libgnutlsxx27: lines which differ (wdiff format)
-------------------------------------------------------------------------
Depends: libgnutls26 (= [-2.12.20-4),-] {+2.12.20-6),+} libc6 (>= 2.1.3), libgcc1 (>= 1:4.1.1), libp11-kit0 (>= 0.11), libstdc++6 (>= 4.1.1)
Version: [-2.12.20-4-] {+2.12.20-6+}




diff -Nru gnutls26-2.12.20/debian/changelog gnutls26-2.12.20/debian/changelog
--- gnutls26-2.12.20/debian/changelog	2013-02-04 19:44:26.000000000 +0100
+++ gnutls26-2.12.20/debian/changelog	2013-04-04 18:34:41.000000000 +0200
@@ -1,10 +1,28 @@
+gnutls26 (2.12.20-6) unstable; urgency=low
+
+  * For wheezy build gnutls-bin and guile-gnutls from this source package 
+    rather than from gnutls28. gnutls28 is a leaf-package in wheezy. Not
+    shipping would mean a lot less work for the security team if there was a
+    GnuTLS vulnerability. If wanted, it can be re-introduced via backports.
+    The versioning trick has been copied from Ubuntu.
+  * Since guile support would require building with --disable-largefile on
+    armel armhf mipsel we do not provide the package there.
+
+ -- Andreas Metzler <ametzler at debian.org>  Thu, 04 Apr 2013 18:34:25 +0200
+
+gnutls26 (2.12.20-5) unstable; urgency=low
+
+  * Testbuild gnutls guile bindings, binary packages unchanged.
+
+ -- Andreas Metzler <ametzler at debian.org>  Fri, 22 Mar 2013 18:58:28 +0100
+
 gnutls26 (2.12.20-4) unstable; urgency=high
 
   * Pull fixes from 2.12.23:
     + 34_pkcs11_memleak.diff Eliminated memory leak in PCKS #11
       initialization.
     + 35_TLS-CBC_timing-attack.diff (GNUTLS-SA-2013-1) TLS CBC padding timing
-      attack
+      attack. CVE-2013-0169 CVE-2013-1619
 
  -- Andreas Metzler <ametzler at debian.org>  Mon, 04 Feb 2013 19:35:29 +0100
 
diff -Nru gnutls26-2.12.20/debian/control gnutls26-2.12.20/debian/control
--- gnutls26-2.12.20/debian/control	2012-11-13 19:03:33.000000000 +0100
+++ gnutls26-2.12.20/debian/control	2013-03-19 19:39:47.000000000 +0100
@@ -8,7 +8,8 @@
  Simon Josefsson <simon at josefsson.org>
 Build-Depends: debhelper (>= 8.1.3), libgcrypt11-dev (>= 1.4.0), zlib1g-dev,
  cdbs (>= 0.4.93), gtk-doc-tools, texinfo (>= 4.8),
- libtasn1-3-dev (>= 0.3.4-0), autotools-dev, datefudge,
+ libtasn1-3-dev (>= 0.3.4-0), autotools-dev, 
+ guile-1.8-dev[!armel !armhf !mipsel], datefudge, 
  libp11-kit-dev (>= 0.11), pkg-config, chrpath
 Build-Conflicts: libgnutls-dev
 Standards-Version: 3.9.3
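Review bot: The architecture exclusion `guile-1.8-dev[!armel !armhf !mipsel]` added here is a negative list, while the new guile-gnutls stanza in the next hunk (`Architecture: amd64 hurd-i386 i386 …`) spells the same set out positively and debian/rules carries a third copy in its `ifeq (,$(filter $(DEB_BUILD_ARCH),armel armhf mipsel))` test; when an architecture is added or renamed, the three can silently diverge, and a build-dep that is satisfied on an arch the package is not built for (or vice versa) is only noticed at buildd time. A one-line comment next to the `ifeq` in debian/rules naming the other two places, `# keep in sync with Build-Depends and the guile-gnutls Architecture: field in debian/control`, would at least make the coupling visible. The two rewritten lines also end with trailing whitespace after `autotools-dev, ` and `datefudge, `, which is harmless to dpkg but pollutes every later diff; drop it.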
@@ -91,7 +92,32 @@
  GnuTLS is a portable library which implements the Transport Layer
  Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 protocols.
  .
- This package contains the debugger symbols and commandline utilities.
+ This package contains the debugger symbols.
+
+Package: gnutls-bin
+Architecture: any
+Section: net
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Multi-Arch: foreign
+Description: GNU TLS library - commandline utilities
+ GnuTLS is a portable library which implements the Transport Layer
+ Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 protocols.
+ .
+ GnuTLS features support for:
+  - TLS extensions: server name indication, max record size, opaque PRF
+    input, etc.
+  - authentication using the SRP protocol.
+  - authentication using both X.509 certificates and OpenPGP keys.
+  - TLS Pre-Shared-Keys (PSK) extension.
+  - Inner Application (TLS/IA) extension.
+  - X.509 and OpenPGP certificate handling.
+  - X.509 Proxy Certificates (RFC 3820).
+  - all the strong encryption algorithms (including SHA-256/384/512 and
+    Camellia (RFC 4132)).
+ .
+ This package contains a commandline interface to the GNU TLS library, which
+ can be used to set up secure connections from e.g. shell scripts, debugging
+ connection issues or managing certificates.
 
 Package: gnutls26-doc
 Architecture: all
@@ -116,6 +142,30 @@
  .
  This package contains the documentation for the GnuTLS 2.x legacy version.
 
+Package: guile-gnutls
+Architecture: amd64 hurd-i386 i386 ia64 kfreebsd-amd64 kfreebsd-i386 mips powerpc s390 s390x sparc
+Section: lisp
+Depends: ${misc:Depends},${shlibs:Depends}, guile-1.8
+Pre-Depends: ${misc:Pre-Depends}
+Multi-Arch: same
+Description: GNU TLS library - GNU Guile bindings
+ GnuTLS is a portable library which implements the Transport Layer
+ Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 protocols.
+ .
+ GnuTLS features support for:
+  - TLS extensions: server name indication, max record size, opaque PRF
+    input, etc.
+  - authentication using the SRP protocol.
+  - authentication using both X.509 certificates and OpenPGP keys.
+  - TLS Pre-Shared-Keys (PSK) extension.
+  - Inner Application (TLS/IA) extension.
+  - X.509 and OpenPGP certificate handling.
+  - X.509 Proxy Certificates (RFC 3820).
+  - all the strong encryption algorithms (including SHA-256/384/512 and
+    Camellia (RFC 4132)).
+ .
+ This package contains the GNU Guile 1.8 modules.
+
 Package: libgnutlsxx27
 Priority: extra
 Architecture: any
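Review bot: The Depends line of the new guile-gnutls stanza mixes separators, `${misc:Depends},${shlibs:Depends}, guile-1.8`, where the other stanzas in this file put a space after every comma; write it as `Depends: ${misc:Depends}, ${shlibs:Depends}, guile-1.8`. With `Multi-Arch: same` the arch-independent files this package ships under /usr/share/guile/site must be byte-identical across architectures for co-installation to work; the .scm files presumably are, but that is worth confirming on two arches before the upload since the debdiff above only covers i386.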
diff -Nru gnutls26-2.12.20/debian/gnutls-bin.examples gnutls26-2.12.20/debian/gnutls-bin.examples
--- gnutls26-2.12.20/debian/gnutls-bin.examples	1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.12.20/debian/gnutls-bin.examples	2013-02-10 17:12:04.000000000 +0100
@@ -0,0 +1 @@
+doc/certtool.cfg
diff -Nru gnutls26-2.12.20/debian/gnutls-bin.install gnutls26-2.12.20/debian/gnutls-bin.install
--- gnutls26-2.12.20/debian/gnutls-bin.install	1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.12.20/debian/gnutls-bin.install	2013-02-10 17:12:04.000000000 +0100
@@ -0,0 +1 @@
+debian/tmp/usr/bin/* usr/bin
diff -Nru gnutls26-2.12.20/debian/gnutls-bin.manpages gnutls26-2.12.20/debian/gnutls-bin.manpages
--- gnutls26-2.12.20/debian/gnutls-bin.manpages	1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.12.20/debian/gnutls-bin.manpages	2013-02-10 17:12:04.000000000 +0100
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/*/*.1
diff -Nru gnutls26-2.12.20/debian/guile-gnutls.install gnutls26-2.12.20/debian/guile-gnutls.install
--- gnutls26-2.12.20/debian/guile-gnutls.install	1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.12.20/debian/guile-gnutls.install	2013-02-10 17:37:46.000000000 +0100
@@ -0,0 +1,2 @@
+debian/tmp/usr/lib/*/libguile-gnutls*.so*
+debian/tmp/usr/share/guile/site
diff -Nru gnutls26-2.12.20/debian/guile-gnutls.lintian-overrides gnutls26-2.12.20/debian/guile-gnutls.lintian-overrides
--- gnutls26-2.12.20/debian/guile-gnutls.lintian-overrides	1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.12.20/debian/guile-gnutls.lintian-overrides	2013-02-10 17:37:46.000000000 +0100
@@ -0,0 +1,2 @@
+guile-gnutls: non-dev-pkg-with-shlib-symlink
+guile-gnutls: package-name-doesnt-match-sonames
diff -Nru gnutls26-2.12.20/debian/guile-gnutls.README.Debian gnutls26-2.12.20/debian/guile-gnutls.README.Debian
--- gnutls26-2.12.20/debian/guile-gnutls.README.Debian	1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.12.20/debian/guile-gnutls.README.Debian	2013-02-10 17:37:46.000000000 +0100
@@ -0,0 +1,8 @@
+guile bindings for gnutls.
+
+Guile binary extensions currently use dlopened dynamic libraries installed in
+/usr/lib/. These are not to be used a C-libraries. Which is why ...
+ - we do not provide shlibs files for these
+ - and the .so symlink is not in the dev-package.
+
+(Thanks to Ludovic Court?s for the explanations.)
diff -Nru gnutls26-2.12.20/debian/libgnutls26-dbg.install gnutls26-2.12.20/debian/libgnutls26-dbg.install
--- gnutls26-2.12.20/debian/libgnutls26-dbg.install	2012-11-12 19:16:57.000000000 +0100
+++ gnutls26-2.12.20/debian/libgnutls26-dbg.install	1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
-debian/tmp/usr/lib/*/libgnutls26
diff -Nru gnutls26-2.12.20/debian/rules gnutls26-2.12.20/debian/rules
--- gnutls26-2.12.20/debian/rules	2012-11-13 19:02:55.000000000 +0100
+++ gnutls26-2.12.20/debian/rules	2013-04-04 18:34:19.000000000 +0200
@@ -5,7 +5,7 @@
 include /usr/share/cdbs/1/class/autotools.mk
 
 DEB_CONFIGURE_EXTRA_FLAGS = --enable-ld-version-script --enable-cxx \
-	--without-lzo --disable-guile \
+	--without-lzo \
 	--cache-file=$(CURDIR)/config.cache --with-libgcrypt \
 	--with-packager=Debian \
 	--with-packager-bug-reports=http://bugs.debian.org/ \
@@ -14,8 +14,18 @@
 DEB_MAKE_CHECK_TARGET = check
 DEB_DH_MAKESHLIBS_ARGS_libgnutls26 := -V 'libgnutls26 (>= 2.12.17-0)'
 DEB_DH_MAKESHLIBS_ARGS_libgnutlsxx27 := -V 'libgnutlsxx27 (>= 2.12.17-0)'
+DEB_DH_MAKESHLIBS_ARGS_guile-gnutls := -V 'guile-gnutls (>= 2.12.17-0)'
 DEB_COMPRESS_EXCLUDE := gnutls.pdf
 
+# Do not build guile-gnutls on these archs, as we would need to build with
+# --disable-largefile
+ifeq (,$(filter $(DEB_BUILD_ARCH),armel armhf mipsel))
+	DEB_CONFIGURE_EXTRA_FLAGS += --enable-guile \
+		--with-guile-site-dir=/usr/share/guile/site
+else
+	DEB_CONFIGURE_EXTRA_FLAGS += --disable-guile
+endif
+
 # pre-clean rule: save gnutls.pdf since it is expensive to regenerate.
 # See README.source
 cleanbuilddir/gnutls26-doc::
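Review bot: `DEB_DH_MAKESHLIBS_ARGS_guile-gnutls := -V 'guile-gnutls (>= 2.12.17-0)'` makes dh_makeshlibs emit a shlibs file for the guile module (the debdiff report above indeed lists DEBIAN/shlibs as newly present in guile-gnutls), which contradicts the new README.Debian stating that no shlibs files are provided because these are dlopened extensions rather than C libraries; a shlibs entry invites other packages to link against them. Either the README should be reworded to describe what is actually shipped, or the package excluded from shlibs generation and the line dropped. Separately, the `+=` lines inside the `ifeq` block are tab-indented; GNU make only parses them as plain assignments because no rule precedes them, and a rule inserted above this block would silently turn them into recipe text, so indent them with spaces or not at all. The base value of DEB_CONFIGURE_EXTRA_FLAGS these lines extend is set outside this hunk.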
@@ -41,10 +51,10 @@
 common-install-arch::
 	find debian/tmp/usr/lib/* -name '*.so.*.*' -type f -exec \
 		chrpath -d {} +
-	if ! test -e debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libgnutls26 ; \
-		then \
-		install -d -m755 \
-			debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libgnutls26 &&\
-		mv -v debian/tmp/usr/bin/* \
-			debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libgnutls26 ;\
-		fi
+
+# gnutls-bin and guile-gnutls were built from gnutls28 but we chose
+# to not ship this sourcepackage in wheezy. Bump the binary package version
+# to supersede the gnutls28-built versions.
+binary-makedeb/gnutls-bin:: DEB_DH_GENCONTROL_ARGS := -- -v3.0.22-3+really$(DEB_VERSION)
+
+binary-makedeb/guile-gnutls: DEB_DH_GENCONTROL_ARGS := -- -v3.0.22-3+really$(DEB_VERSION)
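Review bot: The two target-specific assignments use different rule syntax, `binary-makedeb/gnutls-bin::` with a double colon and `binary-makedeb/guile-gnutls:` with a single one, and duplicate the same version string; GNU make appears to accept both, but one form on one line avoids the two drifting apart: `binary-makedeb/gnutls-bin binary-makedeb/guile-gnutls:: DEB_DH_GENCONTROL_ARGS := -- -v3.0.22-3+really$(DEB_VERSION)`. The superseded version `3.0.22-3` is a hard-coded magic value that must be higher than any gnutls28-built package ever seen in wheezy; a comment stating where it comes from (it matches the gnutls28 version named in the cover mail) and that it must never be lowered would help the next maintainer, and the comment immediately above should say "binary package versions" since two packages are affected. The common-install-arch recipe this hunk edits begins before the hunk.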

