Bug#1012033: bullseye-pu: package gnutls28/3.7.1-5+deb11u1

Andreas Metzler ametzler at bebt.de
Tue Jun 14 18:24:44 BST 2022


On 2022-05-29 Andreas Metzler <ametzler at bebt.de> wrote:
[...]
> as requested in #1011246 I would like to fix miscalculation of SHA384 in
> the SSA accelerated implementation.

> It is a one-line change and was part of the 3.7.3 release.
[...]

Actually this seems like a good opportunity to fix a minor CVE, which
was also fixed in 3.7.3.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
-------------- next part --------------
diff -Nru gnutls28-3.7.1/debian/changelog gnutls28-3.7.1/debian/changelog
--- gnutls28-3.7.1/debian/changelog	2021-05-29 12:14:30.000000000 +0200
+++ gnutls28-3.7.1/debian/changelog	2022-06-14 18:55:44.000000000 +0200
@@ -1,3 +1,12 @@
+gnutls28 (3.7.1-5+deb11u1) bullseye; urgency=medium
+
+  * 56_40-fix-SSSE3-SHA384-to-work-more-than-once.patch: Backport SSSE3 SHA384
+    miscalculation fix from 3.7.3.  Closes: #1011246
+  * 56_45-wrap_nettle_hash_fast-avoid-calling-_update-with-zer.patch from
+    3.7.3: Fix null-pointer dereference flaw. CVE-2021-4209
+
+ -- Andreas Metzler <ametzler at debian.org>  Tue, 14 Jun 2022 18:55:44 +0200
+
 gnutls28 (3.7.1-5) unstable; urgency=medium
 
   * Another fix from 3.7.2:
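Review bot: The second bullet calls the fix a "null-pointer dereference flaw", but the header of the patch it names describes zero-length input reaching an update function that calls memcpy, which "may cause undefined behavior". Someone auditing this stable update has to match the changelog to the patch, so consider wording the entry to say that wrap_nettle_hash_fast no longer calls the update function with zero-length input, keeping the CVE-2021-4209 reference.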
diff -Nru gnutls28-3.7.1/debian/patches/56_40-fix-SSSE3-SHA384-to-work-more-than-once.patch gnutls28-3.7.1/debian/patches/56_40-fix-SSSE3-SHA384-to-work-more-than-once.patch
--- gnutls28-3.7.1/debian/patches/56_40-fix-SSSE3-SHA384-to-work-more-than-once.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.7.1/debian/patches/56_40-fix-SSSE3-SHA384-to-work-more-than-once.patch	2022-06-14 10:55:13.000000000 +0200
@@ -0,0 +1,34 @@
+From acdfeb4b3f0c64ad20f28513618e9903bfb81426 Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar at redhat.com>
+Date: Wed, 1 Sep 2021 15:48:27 +0200
+Subject: [PATCH] fix SSSE3 SHA384 to work more than once
+
+The output function called sha512_digest() instead of sha384_digest(),
+which caused the hash context to be reinitialized for SHA512 instead of
+SHA384 and all following digests using the hash handle were wrong.
+
+Signed-off-by: Miroslav Lichvar <mlichvar at redhat.com>
+---
+ lib/accelerated/x86/sha-x86-ssse3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/accelerated/x86/sha-x86-ssse3.c b/lib/accelerated/x86/sha-x86-ssse3.c
+index 8ea4e54aee..1d442e97e7 100644
+--- a/lib/accelerated/x86/sha-x86-ssse3.c
++++ b/lib/accelerated/x86/sha-x86-ssse3.c
+@@ -258,11 +258,11 @@ static int _ctx_init(gnutls_digest_algorithm_t algo,
+ 		ctx->length = SHA256_DIGEST_SIZE;
+ 		break;
+ 	case GNUTLS_DIG_SHA384:
+ 		sha384_init(&ctx->ctx.sha384);
+ 		ctx->update = (update_func) x86_sha512_update;
+-		ctx->digest = (digest_func) sha512_digest;
++		ctx->digest = (digest_func) sha384_digest;
+ 		ctx->init = (init_func) sha384_init;
+ 		ctx->ctx_ptr = &ctx->ctx.sha384;
+ 		ctx->length = SHA384_DIGEST_SIZE;
+ 		break;
+ 	case GNUTLS_DIG_SHA512:
+-- 
+2.35.1
+
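Review bot: No regression test accompanies the one-line change at "ctx->digest = (digest_func) sha384_digest;" (the diffstat lists only sha-x86-ssse3.c). Per the commit message the context was reinitialized for SHA512 by the output call, so it is the digests after the first on a given handle that come out wrong, and a test that hashes once will not catch a recurrence. A test that computes SHA384 twice on the same handle and compares both results against a known vector would cover it. The patch header also carries no reference to #1011246; a Bug-Debian line would tie the file to the report.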
diff -Nru gnutls28-3.7.1/debian/patches/56_45-wrap_nettle_hash_fast-avoid-calling-_update-with-zer.patch gnutls28-3.7.1/debian/patches/56_45-wrap_nettle_hash_fast-avoid-calling-_update-with-zer.patch
--- gnutls28-3.7.1/debian/patches/56_45-wrap_nettle_hash_fast-avoid-calling-_update-with-zer.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.7.1/debian/patches/56_45-wrap_nettle_hash_fast-avoid-calling-_update-with-zer.patch	2022-06-14 10:58:46.000000000 +0200
@@ -0,0 +1,32 @@
+From 3db352734472d851318944db13be73da61300568 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno at gnu.org>
+Date: Wed, 22 Dec 2021 09:12:25 +0100
+Subject: [PATCH] wrap_nettle_hash_fast: avoid calling _update with zero-length
+ input
+
+As Nettle's hash update functions internally call memcpy, providing
+zero-length input may cause undefined behavior.
+
+Signed-off-by: Daiki Ueno <ueno at gnu.org>
+---
+ lib/nettle/mac.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/nettle/mac.c b/lib/nettle/mac.c
+index f9d4d7a8df..35e070fab0 100644
+--- a/lib/nettle/mac.c
++++ b/lib/nettle/mac.c
+@@ -788,7 +788,9 @@ static int wrap_nettle_hash_fast(gnutls_digest_algorithm_t algo,
+ 	if (ret < 0)
+ 		return gnutls_assert_val(ret);
+ 
+-	ctx.update(&ctx, text_size, text);
++	if (text_size > 0) {
++		ctx.update(&ctx, text_size, text);
++	}
+ 	ctx.digest(&ctx, ctx.length, digest);
+ 
+ 	return 0;
+-- 
+2.35.1
+
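Review bot: The new "if (text_size > 0)" guard has no comment, so the reason for skipping the update lives only in the commit message. A short comment above it, saying that Nettle's update functions call memcpy and must not be handed zero-length input, would keep a later cleanup from removing the check. The diffstat shows only lib/nettle/mac.c and this one call site changing, so it is worth confirming that no other caller of the update function pointer can pass a zero length.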
diff -Nru gnutls28-3.7.1/debian/patches/series gnutls28-3.7.1/debian/patches/series
--- gnutls28-3.7.1/debian/patches/series	2021-05-29 11:37:38.000000000 +0200
+++ gnutls28-3.7.1/debian/patches/series	2022-06-14 10:59:12.000000000 +0200
@@ -18,3 +18,5 @@
 56_28-handshake-fix-timing-of-sending-early-data.patch
 56_30-x509-verify-treat-SHA-1-signed-CA-in-the-trusted-set.patch
 56_33-serv-stop-setting-AI_ADDRCONFIG-on-getaddrinfo.patch
+56_40-fix-SSSE3-SHA384-to-work-more-than-once.patch
+56_45-wrap_nettle_hash_fast-avoid-calling-_update-with-zer.patch