From d9b5f828c5110c9ebf1cb640bbdfe6c6ed15255c140e1ef297707165a4d5e2ad Mon Sep 17 00:00:00 2001 
From: Marcus Meissner Date: Mon, 30 May 2022 08:08:31 +0000 Subject: [PATCH] Accepting request 979523 from home:1Antoine1:branches:security:tls - Update to version 3.7.6: * libgnutls: Fixed invalid write when gnutls_realloc_zero() is called with new_size < old_size. This bug caused heap corruption when gnutls_realloc_zero() has been set as gmp reallocfunc. * Remove gnutls-3.7.5-fix-gnutls_realloc_zero.patch: Fixed upstream. - Add gnutls-3.7.5-fix-gnutls_realloc_zero.patch: Fix memory corruption in gnutls_realloc_zero (gl#gnutls/gnutls#1367, boo#1199929). - update to 3.7.5: * add options disable session ticket usage in TLS 1.2 because it does not provide forward secrecy * For TLS 1.3 where session tickets do provide forward secrecy, the PFS priority string now only disables session tickets in TLS 1.2. * Future backward incompatibility: in the next major release of GnuTLS those flag and modifier are planned to be removed * gnutls-cli, gnutls-serv: Channel binding for printing information has been changed from tls-unique to tls-exporter as tls-unique is not supported in TLS 1.3. * Certificate sanity checks has been enhanced to make gnutls more RFC 5280 compliant: * Removed 3DES from FIPS approved algorithms * Optimized support for AES-SIV-CMAC algorithms * libgnutls: HKDF and AES-GCM algorithms are now approved in FIPS-140 mode when used in TLS OBS-URL: https://build.opensuse.org/request/show/979523 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=67 --- gnutls-3.7.4.tar.xz | 3 -- gnutls-3.7.4.tar.xz.sig | Bin 685 -> 0 bytes gnutls-3.7.6.tar.xz | 3 ++ gnutls-3.7.6.tar.xz.sig | Bin 0 -> 685 bytes gnutls-FIPS-PBKDF2-KAT-requirements.patch | 13 ++++---- gnutls.changes | 39 ++++++++++++++++++++++ gnutls.spec | 22 ++++++------ 7 files changed, 60 insertions(+), 20 deletions(-) delete mode 100644 gnutls-3.7.4.tar.xz delete mode 100644 gnutls-3.7.4.tar.xz.sig create mode 100644 gnutls-3.7.6.tar.xz create mode 100644 gnutls-3.7.6.tar.xz.sig 
diff --git a/gnutls-3.7.4.tar.xz b/gnutls-3.7.4.tar.xz deleted file mode 100644 index 2a5a64d..0000000 --- a/gnutls-3.7.4.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f -size 6131772 diff --git a/gnutls-3.7.4.tar.xz.sig b/gnutls-3.7.4.tar.xz.sig deleted file mode 100644 index 5cd81fca7ec0c74f4565bbc97198bdb80ee1f7f57ef75721b263627155d02df1..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 685 zcmV;e0#f~mbp!ww3IH7zAp~7U%MW%m1*ZiyR`hyxrbx5-A`ArrVlyr80162ZdUd8q zv-u(n1fT%@6p|Gjsi!d%jZayHA(`cQ<>+~sy4$WtrhapJo4T(K0RXwd%q}q}Ybf;b z%vd1>kQOV+LR^s~^WXqaLUuumtqh3*GXwwu2ml=xAp}MuCBw9DG>4zaNo>{ygpSwd zm~jOHVlz7C0162Z)&+!)*XEdUbkz_26y8?IDiWQ~yL{S3<@MyX0J#&?!B!Hmkuqjr zVjSXJp&OyeF&uRa*1-ZjIZQ|HW5c4yp=uLm>WYU-Ib4Irr?CgoL7fZ1l$y6 z!bx4F4Jylhe5XS-;?wZ38V=L4I0Z)%$ zmHdQpnRXGHNa_UoPKj_Kdd5(Pc!UPKU8^0qG>GF{yJD%H&W;gP{`zG7$PG;qSKAr; Ty-KhOFJ<0WcXPu(BNiKNz}7%A diff --git a/gnutls-3.7.6.tar.xz b/gnutls-3.7.6.tar.xz new file mode 100644 index 0000000..1a101d8 --- /dev/null +++ b/gnutls-3.7.6.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:77065719a345bfb18faa250134be4c53bef70c1bd61f6c0c23ceb8b44f0262ff +size 6338276 
diff --git a/gnutls-3.7.6.tar.xz.sig b/gnutls-3.7.6.tar.xz.sig new file mode 100644 index 0000000000000000000000000000000000000000000000000000000000000000..4c6fdb836161a808310b1c9451acd3f4c00f78bd951f13efdbb42287dc9f7fbb GIT binary patch literal 685 zcmV;e0#f~n0y6{v0SEvc79j*iA|=DLZ#0LW$VqJ01%!^*=9qB>0%DM=asUbm5Y`2R zj@Raxag~S<|6D@l3C3#|Jf^=OwKKysslXB+p;!Ex&05zgiTPH4f-KUI^0rO|%5HLC zcqlZLJfI{ft90^YHlVmsW)tiIu5|vOl1A3=r=NDpLbuo^P5iV~Z+iBr#DLYG_l^-N z+@%p;65TrGX*i(k0ncB=DN2|=SdBdZ{z}TT7YJzgd1Gl)R-71t9Q>nrlmFsxeI4)7 z>|q#*M2D~Y380*5)@$X#B`lg0oraC@$tlt)#8EE*=!619mLQo7xciwU-KDl|G~PmX zY_{lGs%M0eh}D7x4UyAoekX+{eM$g-=HuV9rmaV_{JKfa+Z~^qu|4^2?Jp0oi>E#I zKXKXFg;k#?1p~(g-e*Y1yN6xR1Hruv@nk8NM7n`s3rV{Hw(j&apnj*?g(n&OGf0Cy zt$0!7N0u;x={}M;VX>uG_`zH0vX4YYSf8wj_pC&#>tiUL{%EMrFH8<(>LG!Ha_@i- z4Fo0C@#5uqcs zZL4w_X10cGjIq8Gs_rimDBxqByOUO7eR~O!%%s8ni;$kT5P65+Hn#qFy(#!8gF{|f z{fKo002T@W9Tp)3T}I0fb~FX21vOUmdUd8qv-u(n1p;D_l4Sr22@ra9rbx5-A`I}} z0RA~Yf@MX8iwd_>M6_sh73C=7B7}?+21`rW9!3W-oTC8%yxSB_;^bY^-$zRA&RE{( THJM||bc2D~!02dd{ + +- Update to version 3.7.6: + * libgnutls: Fixed invalid write when gnutls_realloc_zero() is + called with new_size < old_size. This bug caused heap + corruption when gnutls_realloc_zero() has been set as gmp + reallocfunc. + * Remove gnutls-3.7.5-fix-gnutls_realloc_zero.patch: Fixed + upstream. + +------------------------------------------------------------------- +Wed May 25 19:46:21 UTC 2022 - Antoine Belvire + +- Add gnutls-3.7.5-fix-gnutls_realloc_zero.patch: Fix memory + corruption in gnutls_realloc_zero (gl#gnutls/gnutls#1367, + boo#1199929). + +------------------------------------------------------------------- +Sat May 21 17:50:57 UTC 2022 - Andreas Stieger + +- update to 3.7.5: + * add options disable session ticket usage in TLS 1.2 because + it does not provide forward secrecy + * For TLS 1.3 where session tickets do provide forward secrecy, + the PFS priority string now only disables session tickets in + TLS 1.2. 
+ * Future backward incompatibility: in the next major release of + GnuTLS those flag and modifier are planned to be removed + * gnutls-cli, gnutls-serv: Channel binding for printing + information has been changed from tls-unique to tls-exporter + as tls-unique is not supported in TLS 1.3. + * Certificate sanity checks has been enhanced to make gnutls + more RFC 5280 compliant: + * Removed 3DES from FIPS approved algorithms + * Optimized support for AES-SIV-CMAC algorithms + * libgnutls: HKDF and AES-GCM algorithms are now approved in + FIPS-140 mode when used in TLS + ------------------------------------------------------------------- Wed May 11 09:19:52 UTC 2022 - Marcus Meissner diff --git a/gnutls.spec b/gnutls.spec index 1079524..e829ab0 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -36,7 +36,7 @@ %bcond_with tpm %bcond_without guile Name: gnutls -Version: 3.7.4 +Version: 3.7.6 Release: 0 Summary: The GNU Transport Layer Security Library License: GPL-3.0-or-later AND LGPL-2.1-or-later @@ -159,7 +159,6 @@ Group: Development/Libraries/C and C++ Requires: glibc-devel Requires: gnutls = %{version} Requires: libgnutls%{gnutls_sover} = %{version} -Requires(pre): %{install_info_prereq} Provides: gnutls-devel = %{version}-%{release} %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 Requires: crypto-policies @@ -186,7 +185,6 @@ Group: Development/Libraries/C and C++ Requires: libgnutls-devel = %{version} Requires: libgnutlsxx%{gnutlsxx_sover} = %{version} Requires: libstdc++-devel -Requires(pre): %{install_info_prereq} %description -n libgnutlsxx-devel Files needed for software development using gnutls. @@ -241,7 +239,7 @@ export CXXFLAGS="%{optflags} -fPIE" --with-fips140-module-name="GnuTLS version" \ --with-fips140-module-version="%{version}-%{release}" \ %{nil} -make %{?_smp_mflags} +%make_build %install %make_install 
@@ -268,7 +266,7 @@ rm -rf %{buildroot}%{_datadir}/doc/gnutls %check %if ! 0%{?qemu_user_space_build} -make %{?_smp_mflags} check GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || { +%make_build check GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || { find -name test-suite.log -print -exec cat {} + exit 1 } @@ -290,12 +288,6 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE= %post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig %postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig -%post -n libgnutls-devel -%install_info --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz - -%preun -n libgnutls-devel -%install_info_delete --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz - %files -f libgnutls.lang %license LICENSE %doc THANKS README.md NEWS ChangeLog AUTHORS doc/TODO @@ -316,20 +308,25 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE= %{_mandir}/man1/* %files -n libgnutls%{gnutls_sover} +%license LICENSE %{_libdir}/libgnutls.so.%{gnutls_sover}* %files -n libgnutls%{gnutls_sover}-hmac +%license LICENSE %{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac %if %{with dane} %files -n libgnutls-dane%{gnutls_dane_sover} +%license LICENSE %{_libdir}/libgnutls-dane.so.%{gnutls_dane_sover}* %endif %files -n libgnutlsxx%{gnutlsxx_sover} +%license LICENSE %{_libdir}/libgnutlsxx.so.%{gnutlsxx_sover}* %files -n libgnutls-devel +%license LICENSE %dir %{_includedir}/%{name} %{_includedir}/%{name}/abstract.h %{_includedir}/%{name}/crypto.h @@ -356,6 +353,7 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE= %if %{with dane} %files -n libgnutls-dane-devel +%license LICENSE %dir %{_includedir}/%{name} %{_includedir}/%{name}/dane.h %{_libdir}/pkgconfig/gnutls-dane.pc 
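Review bot: The FIPS-mode pass later in %check is left on the old spelling, `GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=…`, so the default and FIPS test runs of this TLS library are now invoked with different make wrappers. That line is not part of any hunk and is visible only as the truncated context of the later hunk headers. Converting it too, as `GNUTLS_FORCE_FIPS_MODE=1 %make_build check GNUTLS_SYSTEM_PRIORITY_FILE=…` with its existing trailing arguments kept, would put both runs on the same flags. Whether the FIPS run has a failure handler cannot be seen from here; if it has none, the same `|| { … exit 1 }` block that prints `test-suite.log` would make FIPS self-test failures readable in the build log. The %check section starts and ends outside this hunk.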
@@ -363,12 +361,14 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE= %endif %files -n libgnutlsxx-devel +%license LICENSE %{_libdir}/libgnutlsxx.so %dir %{_includedir}/%{name} %{_includedir}/%{name}/gnutlsxx.h %if %{with guile} %files guile +%license LICENSE %{_libdir}/guile/* %{_datadir}/guile/gnutls* %endif