diff --git a/gnutls-3.6.6-set_guile_site_dir.patch b/gnutls-3.6.6-set_guile_site_dir.patch index 3b61a9b..054b7f9 100644 --- a/gnutls-3.6.6-set_guile_site_dir.patch +++ b/gnutls-3.6.6-set_guile_site_dir.patch @@ -1,13 +1,13 @@ -Index: gnutls-3.6.15/configure +Index: gnutls-3.7.7/configure =================================================================== ---- gnutls-3.6.15.orig/configure 2020-09-08 10:24:22.362083215 +0200 -+++ gnutls-3.6.15/configure 2020-09-08 10:24:28.510124171 +0200 -@@ -69365,7 +69365,7 @@ fi +--- gnutls-3.7.7.orig/configure ++++ gnutls-3.7.7/configure +@@ -74223,7 +74223,7 @@ fi - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Guile site directory" >&5 - $as_echo_n "checking for Guile site directory... " >&6; } + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for Guile site directory" >&5 + printf %s "checking for Guile site directory... " >&6; } - GUILE_SITE=`$PKG_CONFIG --print-errors --variable=sitedir guile-$GUILE_EFFECTIVE_VERSION` + GUILE_SITE=/usr/share/guile - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $GUILE_SITE" >&5 - $as_echo "$GUILE_SITE" >&6; } + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $GUILE_SITE" >&5 + printf "%s\n" "$GUILE_SITE" >&6; } if test "$GUILE_SITE" = ""; then diff --git a/gnutls-3.7.6.tar.xz b/gnutls-3.7.6.tar.xz deleted file mode 100644 index 1a101d8..0000000 --- a/gnutls-3.7.6.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:77065719a345bfb18faa250134be4c53bef70c1bd61f6c0c23ceb8b44f0262ff -size 6338276 diff --git a/gnutls-3.7.6.tar.xz.sig b/gnutls-3.7.6.tar.xz.sig deleted file mode 100644 index 4c6fdb8..0000000 Binary files a/gnutls-3.7.6.tar.xz.sig and /dev/null differ diff --git a/gnutls-3.7.7.tar.xz b/gnutls-3.7.7.tar.xz new file mode 100644 index 0000000..a9bf40a --- /dev/null +++ b/gnutls-3.7.7.tar.xz 
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:be9143d0d58eab64dba9b77114aaafac529b6c0d7e81de6bdf1c9b59027d2106
+size 6351664
diff --git a/gnutls-3.7.7.tar.xz.sig b/gnutls-3.7.7.tar.xz.sig
new file mode 100644
index 0000000..5406f22
Binary files /dev/null and b/gnutls-3.7.7.tar.xz.sig differ
diff --git a/gnutls-FIPS-PBKDF2-KAT-requirements.patch b/gnutls-FIPS-PBKDF2-KAT-requirements.patch
deleted file mode 100644
index 669eeca..0000000
--- a/gnutls-FIPS-PBKDF2-KAT-requirements.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Index: gnutls-3.7.5/lib/crypto-selftests.c
-===================================================================
---- gnutls-3.7.5.orig/lib/crypto-selftests.c
-+++ gnutls-3.7.5/lib/crypto-selftests.c
-@@ -3123,6 +3123,16 @@ const struct pbkdf2_vectors_st pbkdf2_sh
- "\x84\xcf\x2b\x17\x34\x7e\xbc\x18\x00\x18\x1c\x4e\x2a\x1f"
- "\xb8\xdd\x53\xe1\xc6\x35\x51\x8c\x7d\xac\x47\xe9"),
- },
-+ /* Test vector extracted from https://dev.gnupg.org/source/libgcrypt/browse/master/cipher/kdf.c */
-+ {
-+ STR(key, key_size, "passwordPASSWORDpassword"),
-+ STR(salt, salt_size, "saltSALTsaltSALTsaltSALTsaltSALTsalt"),
-+ .iter_count = 4096,
-+ STR(output, output_size,
-+ "\x34\x8c\x89\xdb\xcb\xd3\x2b\x2f\x32\xd8\x14\xb8\x11\x6e"
-+ "\x84\xcf\x2b\x17\x34\x7e\xbc\x18\x00\x18\x1c\x4e\x2a\x1f"
-+ "\xb8\xdd\x53\xe1\xc6\x35\x51\x8c\x7d\xac\x47\xe9"),
-+ },
- };
-
- static int test_pbkdf2(gnutls_mac_algorithm_t mac,
-
diff --git a/gnutls-FIPS-TLS_KDF_selftest.patch b/gnutls-FIPS-TLS_KDF_selftest.patch
index baa8106..38a8c0a 100644
--- a/gnutls-FIPS-TLS_KDF_selftest.patch
+++ b/gnutls-FIPS-TLS_KDF_selftest.patch
@@ -1,9 +1,9 @@ -Index: gnutls-3.6.15/lib/fips.c +Index: gnutls-3.7.7/lib/fips.c =================================================================== ---- gnutls-3.6.15.orig/lib/fips.c 2020-09-03 16:59:05.000000000 +0200 -+++ gnutls-3.6.15/lib/fips.c 2020-11-10 12:51:40.420071675 +0100 -@@ -398,6 +398,28 @@ int _gnutls_fips_perform_self_checks2(vo - goto error; +--- gnutls-3.7.7.orig/lib/fips.c ++++ gnutls-3.7.7/lib/fips.c +@@ -517,6 +517,26 @@ int _gnutls_fips_perform_self_checks2(vo + return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); } + /* KDF */ @@ -18,14 +18,12 @@ Index: gnutls-3.6.15/lib/fips.c + ret = _gnutls_prf_raw(GNUTLS_MAC_SHA256, secret.size, secret.data, + label.size, (char*)label.data, seed.size, seed.data, expected.size, derived); + if (ret < 0) { -+ gnutls_assert(); -+ goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + + ret = memcmp(derived, expected.data, expected.size); + if (ret != 0) { -+ gnutls_assert(); -+ goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + /* PK */ diff --git a/gnutls-FIPS-disable-failing-tests.patch b/gnutls-FIPS-disable-failing-tests.patch index 405813a..d4fefa7 100644 --- a/gnutls-FIPS-disable-failing-tests.patch +++ b/gnutls-FIPS-disable-failing-tests.patch @@ -1,8 +1,8 @@ -Index: gnutls-3.7.3/guile/Makefile.am +Index: gnutls-3.7.7/guile/Makefile.am =================================================================== ---- gnutls-3.7.3.orig/guile/Makefile.am -+++ gnutls-3.7.3/guile/Makefile.am -@@ -102,8 +102,6 @@ endif HAVE_GUILD +--- gnutls-3.7.7.orig/guile/Makefile.am ++++ gnutls-3.7.7/guile/Makefile.am +@@ -102,14 +102,11 @@ endif HAVE_GUILD # TESTS = \ 
@@ -11,11 +11,17 @@ Index: gnutls-3.7.3/guile/Makefile.am tests/pkcs-import-export.scm \ tests/errors.scm \ tests/x509-certificates.scm \ -Index: gnutls-3.7.3/guile/Makefile.in + tests/x509-auth.scm \ + tests/reauth.scm \ +- tests/premature-termination.scm \ + tests/priorities.scm + + if ENABLE_SRP +Index: gnutls-3.7.7/guile/Makefile.in =================================================================== ---- gnutls-3.7.3.orig/guile/Makefile.in -+++ gnutls-3.7.3/guile/Makefile.in -@@ -2320,8 +2320,7 @@ CLEANFILES = modules/gnutls.scm $(am__ap +--- gnutls-3.7.7.orig/guile/Makefile.in ++++ gnutls-3.7.7/guile/Makefile.in +@@ -2335,10 +2335,9 @@ CLEANFILES = modules/gnutls.scm $(am__ap # # Tests. # @@ -23,5 +29,8 @@ Index: gnutls-3.7.3/guile/Makefile.in - tests/pkcs-import-export.scm tests/errors.scm \ +TESTS = tests/pkcs-import-export.scm tests/errors.scm \ tests/x509-certificates.scm tests/x509-auth.scm \ - tests/reauth.scm tests/priorities.scm $(am__append_2) +- tests/reauth.scm tests/premature-termination.scm \ ++ tests/reauth.scm \ + tests/priorities.scm $(am__append_2) TESTS_ENVIRONMENT = \ + GUILE_AUTO_COMPILE=0 \ diff --git a/gnutls.changes b/gnutls.changes index 65cb7c7..fe82799 100644 --- a/gnutls.changes +++ b/gnutls.changes 
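Review bot: `tests/premature-termination.scm` is newly dropped from `TESTS` in both `guile/Makefile.am` and `guile/Makefile.in`, but nothing in the patch or the visible spec lines records why it fails or under which condition. The changelog in this same commit lists the session record port's premature-termination handling as a behaviour change in 3.7.7, so the test being switched off covers code that has just changed. `Patch3` also carries no tag line in the spec, and the exclusion presumably applies to every build rather than only FIPS ones. I would add a header to the patch naming the failure and a tracking bug, in the style the spec used for the removed Patch4, for example `#PATCH-FIX-SUSE bsc#BUG-ID-PLACEHOLDER FIPS: skip guile tests failing in FIPS mode`, so the exclusion can be revisited once the cause is fixed.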
@@ -1,3 +1,52 @@ +------------------------------------------------------------------- +Fri Jul 29 14:29:17 UTC 2022 - Pedro Monreal + +- Update to 3.7.7: [bsc#1202020, CVE-2022-2509] + * libgnutls: Fixed double free during verification of pkcs7 + signatures. CVE-2022-2509 + * libgnutls: gnutls_hkdf_expand now only accepts LENGTH argument + less than or equal to 255 times hash digest size, to comply with + RFC 5869 2.3. + * libgnutls: Length limit for TLS PSK usernames has been increased + from 128 to 65535 characters + * libgnutls: AES-GCM encryption function now limits plaintext + length to 2^39-256 bits, according to SP800-38D 5.2.1.1. + * libgnutls: New block cipher functions have been added to + transparently handle padding. gnutls_cipher_encrypt3 and + gnutls_cipher_decrypt3 can be used in combination of + GNUTLS_CIPHER_PADDING_PKCS7 flag to automatically add/remove + padding if the length of the original plaintext is not a multiple + of the block size. + * libgnutls: New function for manual FIPS self-testing. + * API and ABI modifications: + - gnutls_fips140_run_self_tests: New function + - gnutls_cipher_encrypt3: New function + - gnutls_cipher_decrypt3: New function + - gnutls_cipher_padding_flags_t: New enum + * guile: Guile 1.8 is no longer supported + * guile: Session record port treats premature termination as EOF Previously, + a 'gnutls-error' exception with the 'error/premature-termination' value + would be thrown while reading from a session record port when the + underlying session was terminated prematurely. This was inconvenient + since users of the port may not be prepared to handle such an exception. + Reading from the session record port now returns the end-of-file object + instead of throwing an exception, just like it would for a proper + session termination. + * guile: Session record ports can have a 'close' procedure. The + 'session-record-port' procedure now takes an optional second parameter, + and a new 'set-session-record-port-close!' 
procedure is provided to + specify a 'close' procedure for a session record port. This 'close' + procedure lets users specify cleanup operations for when the port is + closed, such as closing the file descriptor or port that backs the + underlying session. + * Rebase patches: + - gnutls-3.6.6-set_guile_site_dir.patch + - gnutls-FIPS-TLS_KDF_selftest.patch + - gnutls-FIPS-disable-failing-tests.patch + * Remove patch merged upstream: + - gnutls-FIPS-PBKDF2-KAT-requirements.patch + - https://gitlab.com/gnutls/gnutls/merge_requests/1561 + ------------------------------------------------------------------- Fri May 27 16:56:26 UTC 2022 - Antoine Belvire diff --git a/gnutls.spec b/gnutls.spec index e829ab0..a6cb5c6 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -36,7 +36,7 @@ %bcond_with tpm %bcond_without guile Name: gnutls -Version: 3.7.6 +Version: 3.7.7 Release: 0 Summary: The GNU Transport Layer Security Library License: GPL-3.0-or-later AND LGPL-2.1-or-later @@ -50,8 +50,6 @@ Patch0: gnutls-3.5.11-skip-trust-store-tests.patch Patch1: gnutls-3.6.6-set_guile_site_dir.patch Patch2: gnutls-FIPS-TLS_KDF_selftest.patch Patch3: gnutls-FIPS-disable-failing-tests.patch -#PATCH-FIX-SUSE bsc#1184669 FIPS: Additional PBKDF2 requirements for KAT -Patch4: gnutls-FIPS-PBKDF2-KAT-requirements.patch BuildRequires: autogen BuildRequires: automake BuildRequires: datefudge @@ -91,7 +89,7 @@ BuildRequires: libunbound-devel %endif %endif %if %{with guile} -BuildRequires: guile-devel +BuildRequires: guile-devel > 1.8 %endif %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 BuildRequires: crypto-policies @@ -194,7 +192,7 @@ Files needed for software development using gnutls. Summary: Guile wrappers for gnutls License: LGPL-2.1-or-later Group: Development/Libraries/Other -Requires: guile +Requires: guile > 1.8 %description guile GnuTLS Wrappers for GNU Guile, a dialect of Scheme.
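Review bot: `BuildRequires: guile-devel > 1.8` does not exclude the Guile 1.8 series, and the same applies to `Requires: guile > 1.8` in the guile subpackage hunk, because RPM version comparison treats any 1.8.x point release as newer than 1.8. If the intent is to enforce the changelog's "Guile 1.8 is no longer supported", the bound should name the first supported series instead, for example `BuildRequires: guile-devel >= 2.0` and `Requires: guile >= 2.0`. The exact minimum should be confirmed against upstream's configure check, which is not visible on this page.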