Bug#856872: jessie-pu: package gnutls28/3.3.8-6+deb8u5

Andreas Metzler ametzler at bebt.de
Sun Mar 5 18:08:08 UTC 2017

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org at packages.debian.org
Usertags: pu


I would like fix a number of minor issues in GnuTLS.

Most of these (notably CVE-2017-533[4567]) are related to the PGP
support, security does not intend to issue a DSA:

+ 55_00_pkcs12-fixed-the-calculation-of-p_size.patch
  Fixed issue in PKCS#12 password encoding, which truncated
  passwords over 32-characters. Reported by Mario Klebsch.
+ 55_01_gnutls_x509_ext_import_proxy-fix-issue-reading-the-p.patch
  Fix double free in certificate information printing. If the PKIX
  extension proxy was set with a policy language set but no policy
  specified, that could lead to a double free. [GNUTLS-SA-2017-1]
+ 55_02_auth-rsa-eliminated-memory-leak-on-pkcs-1-formatting.patch
  Addressed memory leak in server side error path (issue found using
  oss-fuzz project)
+ 55_03_opencdk-Fixes-to-prevent-undefined-behavior-found-wi.patch
  Addressed memory leaks and an infinite loop in OpenPGP certificate
  parsing. Fixes by Alex Gaynor. (issues found using oss-fuzz project)
  Addressed invalid memory accesses in OpenPGP certificate parsing.
  (issues found using oss-fuzz project) [GNUTLS-SA-2017-2]
  CVE-2017-5335 / CVE-2017-5336 / CVE-2017-5337
+ 55_12_gnutls_pkcs11_obj_list_import_url2-Always-return-an-.patch
  When returning success, but no elements,
  gnutls_pkcs11_obj_list_import_url4, could have returned zero number of
  elements with a pointer that was uninitialized. Ensure that an
  initialized (i.e., null in that case), pointer is always returned.
+ 55_13_cdk_pkt_read-enforce-packet-limits.patch Addressed integer
  overflow resulting to invalid memory write in OpenPGP certificate
  parsing.  Issue found using oss-fuzz project:
+ 55_14_opencdk-read_attribute-account-buffer-size.patch Addressed read
  of 1 byte past the end of buffer in OpenPGP certificate parsing. Issue
  found using oss-fuzz project:
  (This patch is from gnutls_3_5_x branch.)
+ 55_15_opencdk-do-not-parse-any-secret-keys-in-packet-when-.patch
  Addressed crashes in OpenPGP certificate parsing, related to private key
  parser. No longer allow OpenPGP certificates (public keys) to contain
  private key sub-packets. Issue found using oss-fuzz project:

`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
-------------- next part --------------
A non-text attachment was scrubbed...
Name: from_u4_to_u5.diff
Type: text/x-diff
Size: 41916 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnutls-maint/attachments/20170305/7cd50b83/attachment-0001.diff>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnutls-maint/attachments/20170305/7cd50b83/attachment-0001.sig>

More information about the Pkg-gnutls-maint mailing list