Fixing "lucky 13" CVE-2013-0169 in gnutls28

Andreas Metzler ametzler at downhill.at.eu.org
Tue Mar 19 19:09:04 UTC 2013


On 2013-03-19 Andreas Metzler <ametzler at downhill.at.eu.org> wrote:

> Find attached a proposed patch.


diff -Nru gnutls26-2.12.20/debian/changelog gnutls26-2.12.20/debian/changelog
--- gnutls26-2.12.20/debian/changelog	2013-02-04 19:44:26.000000000 +0100
+++ gnutls26-2.12.20/debian/changelog	2013-03-19 19:54:02.000000000 +0100
@@ -1,10 +1,22 @@
+gnutls26 (2.12.20-5) UNRELEASED; urgency=low
+
+  * For wheezy build gnutls-bin and guile-gnutls from this source package 
+    rather than from gnutls28. gnutls28 is a leaf-package in wheezy. Not
+    shipping would mean a lot less work for the security team if there was a
+    GnuTLS vulnerability. If wanted, it can be re-introduced via backports.
+    The versioning trick has been copied from Ubuntu.
+  * Since guile support would require building with --disable-largefile on
+    armel armhf mipsel we do not provide the package there.
+
+ -- Andreas Metzler <ametzler at debian.org>  Mon, 04 Feb 2013 19:48:31 +0100
+
 gnutls26 (2.12.20-4) unstable; urgency=high
 
   * Pull fixes from 2.12.23:
     + 34_pkcs11_memleak.diff Eliminated memory leak in PCKS #11
       initialization.
     + 35_TLS-CBC_timing-attack.diff (GNUTLS-SA-2013-1) TLS CBC padding timing
-      attack
+      attack. CVE-2013-0169 CVE-2013-1619
 
  -- Andreas Metzler <ametzler at debian.org>  Mon, 04 Feb 2013 19:35:29 +0100
 
diff -Nru gnutls26-2.12.20/debian/control gnutls26-2.12.20/debian/control
--- gnutls26-2.12.20/debian/control	2012-11-13 19:03:33.000000000 +0100
+++ gnutls26-2.12.20/debian/control	2013-03-19 19:39:47.000000000 +0100
@@ -8,7 +8,8 @@
  Simon Josefsson <simon at josefsson.org>
 Build-Depends: debhelper (>= 8.1.3), libgcrypt11-dev (>= 1.4.0), zlib1g-dev,
  cdbs (>= 0.4.93), gtk-doc-tools, texinfo (>= 4.8),
- libtasn1-3-dev (>= 0.3.4-0), autotools-dev, datefudge,
+ libtasn1-3-dev (>= 0.3.4-0), autotools-dev, 
+ guile-1.8-dev[!armel !armhf !mipsel], datefudge, 
  libp11-kit-dev (>= 0.11), pkg-config, chrpath
 Build-Conflicts: libgnutls-dev
 Standards-Version: 3.9.3
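Review bot: Both added Build-Depends continuation lines (`autotools-dev, ` and `datefudge, `) end in trailing whitespace, and the architecture restriction is glued to the package name; I would write ` libtasn1-3-dev (>= 0.3.4-0), autotools-dev,` followed by ` guile-1.8-dev [!armel !armhf !mipsel], datefudge,`. dpkg appears to accept the bracket without a leading space, but the spaced form is what Policy's examples use and is what maintainers grep for. This `!armel !armhf !mipsel` list is the third copy of the same exclusion (the others being the guile-gnutls Architecture field and the `ifeq` in debian/rules), so a one-line `#` comment here saying the three must be kept in sync would save the next editor a build failure.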
@@ -91,7 +92,32 @@
  GnuTLS is a portable library which implements the Transport Layer
  Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 protocols.
  .
- This package contains the debugger symbols and commandline utilities.
+ This package contains the debugger symbols.
+
+Package: gnutls-bin
+Architecture: any
+Section: net
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Multi-Arch: foreign
+Description: GNU TLS library - commandline utilities
+ GnuTLS is a portable library which implements the Transport Layer
+ Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 protocols.
+ .
+ GnuTLS features support for:
+  - TLS extensions: server name indication, max record size, opaque PRF
+    input, etc.
+  - authentication using the SRP protocol.
+  - authentication using both X.509 certificates and OpenPGP keys.
+  - TLS Pre-Shared-Keys (PSK) extension.
+  - Inner Application (TLS/IA) extension.
+  - X.509 and OpenPGP certificate handling.
+  - X.509 Proxy Certificates (RFC 3820).
+  - all the strong encryption algorithms (including SHA-256/384/512 and
+    Camellia (RFC 4132)).
+ .
+ This package contains a commandline interface to the GNU TLS library, which
+ can be used to set up secure connections from e.g. shell scripts, debugging
+ connection issues or managing certificates.
 
 Package: gnutls26-doc
 Architecture: all
@@ -116,6 +142,30 @@
  .
  This package contains the documentation for the GnuTLS 2.x legacy version.
 
+Package: guile-gnutls
+Architecture: amd64 hurd-i386 i386 ia64 kfreebsd-amd64 kfreebsd-i386 mips powerpc s390 s390x sparc
+Section: lisp
+Depends: ${misc:Depends},${shlibs:Depends}, guile-1.8
+Pre-Depends: ${misc:Pre-Depends}
+Multi-Arch: same
+Description: GNU TLS library - GNU Guile bindings
+ GnuTLS is a portable library which implements the Transport Layer
+ Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 protocols.
+ .
+ GnuTLS features support for:
+  - TLS extensions: server name indication, max record size, opaque PRF
+    input, etc.
+  - authentication using the SRP protocol.
+  - authentication using both X.509 certificates and OpenPGP keys.
+  - TLS Pre-Shared-Keys (PSK) extension.
+  - Inner Application (TLS/IA) extension.
+  - X.509 and OpenPGP certificate handling.
+  - X.509 Proxy Certificates (RFC 3820).
+  - all the strong encryption algorithms (including SHA-256/384/512 and
+    Camellia (RFC 4132)).
+ .
+ This package contains the GNU Guile 1.8 modules.
+
 Package: libgnutlsxx27
 Priority: extra
 Architecture: any
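Review bot: The Architecture field of the new guile-gnutls stanza hand-enumerates every port except armel, armhf and mipsel, which is the inverse of the exclusion list in debian/rules and in the Build-Depends restriction; nothing ties the three together. If a new port is added or the rules list changes, the package silently vanishes from (or fails to build on) that port. I would precede the stanza with `# Keep in sync with the --disable-guile arch list in debian/rules (armel armhf mipsel).`. Minor: `Depends: ${misc:Depends},${shlibs:Depends}, guile-1.8` is missing the space after the first comma that the other stanzas use.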
diff -Nru gnutls26-2.12.20/debian/gnutls-bin.examples gnutls26-2.12.20/debian/gnutls-bin.examples
--- gnutls26-2.12.20/debian/gnutls-bin.examples	1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.12.20/debian/gnutls-bin.examples	2013-02-10 17:12:04.000000000 +0100
@@ -0,0 +1 @@
+doc/certtool.cfg
diff -Nru gnutls26-2.12.20/debian/gnutls-bin.install gnutls26-2.12.20/debian/gnutls-bin.install
--- gnutls26-2.12.20/debian/gnutls-bin.install	1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.12.20/debian/gnutls-bin.install	2013-02-10 17:12:04.000000000 +0100
@@ -0,0 +1 @@
+debian/tmp/usr/bin/* usr/bin
diff -Nru gnutls26-2.12.20/debian/gnutls-bin.manpages gnutls26-2.12.20/debian/gnutls-bin.manpages
--- gnutls26-2.12.20/debian/gnutls-bin.manpages	1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.12.20/debian/gnutls-bin.manpages	2013-02-10 17:12:04.000000000 +0100
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/*/*.1
diff -Nru gnutls26-2.12.20/debian/guile-gnutls.install gnutls26-2.12.20/debian/guile-gnutls.install
--- gnutls26-2.12.20/debian/guile-gnutls.install	1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.12.20/debian/guile-gnutls.install	2013-02-10 17:37:46.000000000 +0100
@@ -0,0 +1,2 @@
+debian/tmp/usr/lib/*/libguile-gnutls*.so*
+debian/tmp/usr/share/guile/site
diff -Nru gnutls26-2.12.20/debian/guile-gnutls.lintian-overrides gnutls26-2.12.20/debian/guile-gnutls.lintian-overrides
--- gnutls26-2.12.20/debian/guile-gnutls.lintian-overrides	1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.12.20/debian/guile-gnutls.lintian-overrides	2013-02-10 17:37:46.000000000 +0100
@@ -0,0 +1,2 @@
+guile-gnutls: non-dev-pkg-with-shlib-symlink
+guile-gnutls: package-name-doesnt-match-sonames
diff -Nru gnutls26-2.12.20/debian/guile-gnutls.README.Debian gnutls26-2.12.20/debian/guile-gnutls.README.Debian
--- gnutls26-2.12.20/debian/guile-gnutls.README.Debian	1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.12.20/debian/guile-gnutls.README.Debian	2013-02-10 17:37:46.000000000 +0100
@@ -0,0 +1,8 @@
+guile bindings for gnutls.
+
+Guile binary extensions currently use dlopened dynamic libraries installed in
+/usr/lib/. These are not to be used a C-libraries. Which is why ...
+ - we do not provide shlibs files for these
+ - and the .so symlink is not in the dev-package.
+
+(Thanks to Ludovic Court?s for the explanations.)
diff -Nru gnutls26-2.12.20/debian/libgnutls26-dbg.install gnutls26-2.12.20/debian/libgnutls26-dbg.install
--- gnutls26-2.12.20/debian/libgnutls26-dbg.install	2012-11-12 19:16:57.000000000 +0100
+++ gnutls26-2.12.20/debian/libgnutls26-dbg.install	1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
-debian/tmp/usr/lib/*/libgnutls26
diff -Nru gnutls26-2.12.20/debian/rules gnutls26-2.12.20/debian/rules
--- gnutls26-2.12.20/debian/rules	2012-11-13 19:02:55.000000000 +0100
+++ gnutls26-2.12.20/debian/rules	2013-03-19 19:57:29.000000000 +0100
@@ -5,7 +5,7 @@
 include /usr/share/cdbs/1/class/autotools.mk
 
 DEB_CONFIGURE_EXTRA_FLAGS = --enable-ld-version-script --enable-cxx \
-	--without-lzo --disable-guile \
+	--without-lzo \
 	--cache-file=$(CURDIR)/config.cache --with-libgcrypt \
 	--with-packager=Debian \
 	--with-packager-bug-reports=http://bugs.debian.org/ \
@@ -14,8 +14,18 @@
 DEB_MAKE_CHECK_TARGET = check
 DEB_DH_MAKESHLIBS_ARGS_libgnutls26 := -V 'libgnutls26 (>= 2.12.17-0)'
 DEB_DH_MAKESHLIBS_ARGS_libgnutlsxx27 := -V 'libgnutlsxx27 (>= 2.12.17-0)'
+DEB_DH_MAKESHLIBS_ARGS_guile-gnutls := -V 'guile-gnutls (>= 2.12.17-0)'
 DEB_COMPRESS_EXCLUDE := gnutls.pdf
 
+# Do not build guile-gnutls on these archs, as we would need to build with
+# --disable-largefile
+ifeq (,$(filter $(DEB_BUILD_ARCH),armel armhf mipsel))
+	DEB_CONFIGURE_EXTRA_FLAGS += --enable-guile \
+		--with-guile-site-dir=/usr/share/guile/site
+else
+	DEB_CONFIGURE_EXTRA_FLAGS += --disable-guile
+endif
+
 # pre-clean rule: save gnutls.pdf since it is expensive to regenerate.
 # See README.source
 cleanbuilddir/gnutls26-doc::
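Review bot: The new conditional keys on `DEB_BUILD_ARCH`, but which binary packages a build must produce is a property of the host architecture, so under a cross build (build amd64, host armel) this would enable guile on an arch the control file excludes and dh_install would then fail on the missing files; `ifeq (,$(filter $(DEB_HOST_ARCH),armel armhf mipsel))` matches the Architecture field and the Build-Depends restriction. The three assignments inside the `ifeq`/`else` are indented with a hard tab; that works here only because the preceding column-0 assignments have closed any rule context, and if a rule is ever inserted above, those lines become recipe text, so indent them with spaces or not at all. The added `DEB_DH_MAKESHLIBS_ARGS_guile-gnutls := -V ...` also looks inconsistent with the new README.Debian, which states that no shlibs files are provided for the Guile extension; as far as I can tell from the hunk, cdbs will still run dh_makeshlibs on the package, so either the README or this line should be adjusted.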
@@ -41,10 +51,10 @@
 common-install-arch::
 	find debian/tmp/usr/lib/* -name '*.so.*.*' -type f -exec \
 		chrpath -d {} +
-	if ! test -e debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libgnutls26 ; \
-		then \
-		install -d -m755 \
-			debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libgnutls26 &&\
-		mv -v debian/tmp/usr/bin/* \
-			debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libgnutls26 ;\
-		fi
+
+# gnutls-bin and guile-gnutls were built from gnutls28 but we chose
+# to not ship this sourcepackage in wheezy. Bump the binary package version
+# to supersede the gnutls28-built versions.
+binary-makedeb/gnutls-bin:: DEB_DH_GENCONTROL_ARGS := -- -v3.0.20-3+really$(DEB_VERSION)
+
+binary-makedeb/guile-gnutls: DEB_DH_GENCONTROL_ARGS := -- -v3.0.20-3+really$(DEB_VERSION)
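Review bot: The two target-specific version overrides use different syntax, `binary-makedeb/gnutls-bin::` with a double colon and `binary-makedeb/guile-gnutls:` with a single one; for a target-specific variable assignment GNU make treats both the same, but the pair should be written identically, e.g. `binary-makedeb/guile-gnutls:: DEB_DH_GENCONTROL_ARGS := -- -v3.0.20-3+really$(DEB_VERSION)`. The `3.0.20-3` prefix is the gnutls28 version being superseded and is what keeps this ordering correct, so the comment above would benefit from naming it explicitly: `# 3.0.20-3 is the last gnutls28 upload of these packages; "+really" keeps our version sorting above it.`. The removed `mv` of usr/bin/* into the libgnutls26 directory is now covered by gnutls-bin.install, so the deletion is consistent with the rest of the patch.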

