Accepting request 493998 from Base:System

GnuTLS 3.5.11 bsc#1038337 CVE-2017-7869 bsc#1034173 bsc#901857 (forwarded request 493933 from AndreasStieger) OBS-URL: https://build.opensuse.org/request/show/493998 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=99
2017-05-20 12:28:31 +00:00 · 2017-05-20 12:28:31 +00:00 · 071ff154dc
commit 071ff154dc
parent 15d5bd65c7
8 changed files with 95 additions and 59 deletions
--- a/gnutls-3.5.11.tar.xz
+++ b/gnutls-3.5.11.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:51765cc5579e250da77fbd7871507c517d01b15353cc40af7b67e9ec7b6fe28f
+size 7208068
--- a/gnutls-3.5.11.tar.xz.sig
+++ b/gnutls-3.5.11.tar.xz.sig
--- a/gnutls-3.5.9-pkgconfig.patch
+++ b/gnutls-3.5.9-pkgconfig.patch
@ -1,53 +0,0 @@
-From 35c6a78f3b24bf4192e3f01ee6322b42b6fc27fb Mon Sep 17 00:00:00 2001
-From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-Date: Wed, 15 Feb 2017 18:42:22 +0100
-Subject: [PATCH] gnutls.pc: do not include libidn2 in Requires.private
-
-The libidn2 versions available do not include libidn2.pc,
-thus the inclusion was causing problems when using pkg-config.
-Instead we include -lidn2 in Libs.private.
-
-Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
---
- configure.ac     | 12 +++++++-----
- lib/gnutls.pc.in |  2 +-
- 2 files changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 6907b215f..4cad4fa3a 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -492,11 +492,13 @@ if test "$try_libidn" = yes;then
-       idna_support="IDNA 2008 (libidn2)"
-       AC_DEFINE([HAVE_LIBIDN2], 1, [Define if IDNA 2008 support is enabled.])
-       AC_SUBST([LIBIDN_LIBS], [-lidn2])
-      if test "x$GNUTLS_REQUIRES_PRIVATE" = "x"; then
-        GNUTLS_REQUIRES_PRIVATE="Requires.private: libidn2"
-      else
-        GNUTLS_REQUIRES_PRIVATE="${GNUTLS_REQUIRES_PRIVATE}, libidn2"
-      fi
-+      AC_SUBST([LIBIDN2_LIBS], [-lidn2]) dnl used in gnutls.pc.in
-+dnl enable once libidn2.pc is widespread; and remove LIBIDN2_LIBS from gnutls.pc.in (Libs.private)
-+dnl      if test "x$GNUTLS_REQUIRES_PRIVATE" = "x"; then
-+dnl        GNUTLS_REQUIRES_PRIVATE="Requires.private: libidn2"
-+dnl      else
-+dnl        GNUTLS_REQUIRES_PRIVATE="${GNUTLS_REQUIRES_PRIVATE}, libidn2"
-+dnl      fi
-     ],[
-       with_libidn2=no;
-       AC_MSG_WARN(*** LIBIDN2 was not found. You will not be able to use IDN2008 support)
-diff --git a/lib/gnutls.pc.in b/lib/gnutls.pc.in
-index 441b45db0..c03757928 100644
--- a/lib/gnutls.pc.in
-+++ b/lib/gnutls.pc.in
-@@ -19,6 +19,6 @@ Description: Transport Security Layer implementation for the GNU system
- URL: http://www.gnutls.org/
- Version: @VERSION@
- Libs: -L${libdir} -lgnutls
-Libs.private: @LTLIBZ@ @LTLIBINTL@ @LIBSOCKET@ @LTLIBNSL@ @LTLIBPTHREAD@ @P11_KIT_LIBS@ @LIB_SELECT@ @TSS_LIBS@ @GMP_LIBS@ @LTLIBUNISTRING@
-+Libs.private: @LTLIBZ@ @LTLIBINTL@ @LIBSOCKET@ @LTLIBNSL@ @LTLIBPTHREAD@ @P11_KIT_LIBS@ @LIB_SELECT@ @TSS_LIBS@ @GMP_LIBS@ @LTLIBUNISTRING@ @LIBIDN2_LIBS@
- @GNUTLS_REQUIRES_PRIVATE@
- Cflags: -I${includedir}
-- 
-2.11.1
-
--- a/gnutls-3.5.9.tar.xz
+++ b/gnutls-3.5.9.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:82b10f0c4ef18f4e64ad8cef5dbaf14be732f5095a41cf366b4ecb4050382951
-size 7166932
--- a/gnutls-3.5.9.tar.xz.sig
+++ b/gnutls-3.5.9.tar.xz.sig
--- a/gnutls-broken-openpgp-tests.patch
+++ b/gnutls-broken-openpgp-tests.patch
@ -0,0 +1,39 @@
+Index: gnutls-3.5.11/tests/Makefile.am
+===================================================================
+--- gnutls-3.5.11.orig/tests/Makefile.am
+++ gnutls-3.5.11/tests/Makefile.am
+@@ -19,7 +19,7 @@
+ # along with this file; if not, write to the Free Software Foundation,
+ # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ 
+-SUBDIRS = . cert-tests ocsp-tests key-tests slow dtls windows
+SUBDIRS = . cert-tests ocsp-tests key-tests slow windows
+ 
+ if WANT_TEST_SUITE
+ SUBDIRS += suite
+@@ -91,7 +91,7 @@ ctests = mini-record-2 simple gc set_pkc
+ 	 crlverify mini-dtls-discard init_fds mini-record-failure \
+ 	 tls-rehandshake-cert-2 custom-urls set_x509_key_mem set_x509_key_file \
+ 	 mini-chain-unsorted x509-verify-with-crl mini-dtls-mtu privkey-verify-broken \
+-	 mini-dtls-record-asym openpgp-callback key-import-export \
+	 mini-dtls-record-asym key-import-export \
+ 	 mini-dtls-fork mini-dtls-pthread mini-key-material x509cert-invalid \
+ 	 strict-der tls-ext-register tls-supplemental mini-dtls0-9 \
+ 	 mini-record-retvals mini-server-name tls-etm x509-cert-callback \
+@@ -236,6 +236,7 @@ endif
+ endif
+ 
+ if ENABLE_OPENPGP
+SUBDIRS += dtls
+ ctests += openpgp-auth openpgp-auth2 openpgp-keyring pgps2kgnu
+ endif
+ 
+@@ -244,7 +245,7 @@ ctests += x509self x509dn anonself pskse
+ 	setcredcrash resume-x509 resume-psk resume-anon
+ 
+ if ENABLE_OPENPGP
+-ctests += openpgpself 
+ctests += openpgpself openpgp-callback
+ endif
+ 
+ endif
--- a/gnutls.changes
+++ b/gnutls.changes
@ -1,8 +1,56 @@
+-------------------------------------------------------------------
+Tue May  9 19:55:33 UTC 2017 - astieger@suse.com
+
+- GnuTLS 3.5.11:
+  * gnutls.pc: do not include libtool options into Libs.private.
+  * libgnutls: Fixed issue when rehandshaking without a client certificate in
+    a session which initially used one
+  * libgnutls: Addressed read of 4 bytes past the end of buffer in OpenPGP
+    certificate parsing (bsc#1038337)
+  * libgnutls: Introduced locks in gnutls_pkcs11_privkey_t structure access.
+    That allows PKCS#11 operations such as signing to be performed with the
+    same object from multiple threads.
+  * libgnutls: when disabling OpenPGP authentication, the resulting library
+    is ABI compatible (will openpgp related functions being stubs that fail
+    on invocation).
+
 -------------------------------------------------------------------
 Sat Apr 29 20:03:38 UTC 2017 - bwiedemann@suse.com

 - call gzip -n to make build fully reproducible

+-------------------------------------------------------------------
+Wed Apr 26 14:53:45 UTC 2017 - vcizek@suse.com
+
+- update to 3.5.10
+  * addresses GNUTLS-SA-2017-3 CVE-2017-7869 bsc#1034173
+  * gnutls.pc: do not include libidn2 in Requires.private
+  * libgnutls: optimized access to subject alternative names (SANs) in parsed
+    certificates
+  * libgnutls: Print the key PIN value used by the HPKP protocol as per RFC7469
+    when printing certificate information.
+  * libgnutls: gnutls_ocsp_resp_verify_direct() and gnutls_ocsp_resp_verify()
+    flags can be set from the gnutls_certificate_verify_flags enumeration.
+    This allows the functions to pass the same flags available for certificates
+    to the verification function (e.g., GNUTLS_VERIFY_DISABLE_TIME_CHECKS or
+    GNUTLS_VERIFY_ALLOW_BROKEN).
+  * libgnutls: gnutls_store_commitment() can accept flag
+    GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN. This is to allow the function to operate
+    in applications which use SHA1 for example, after SHA1 is deprecated.
+  * certtool: No longer ignore the 'add_critical_extension' template option if
+    the 'add_extension' option is not present.
+  * gnutls-cli: Added LMTP, POP3, NNTP, Sieve and PostgreSQL support to the
+    starttls-proto command- drop gnutls-3.5.9-pkgconfig.patch (upstream)
+- drop gnutls-3.5.9-pkgconfig.patch (upstream)
+- remove unknown --disable-srp flag (bsc#901857)
+
+-------------------------------------------------------------------
+Wed Apr 26 14:53:06 UTC 2017 - vcizek@suse.com
+
+- disable the deprecated OpenPGP authentication support
+  * see https://gitlab.com/gnutls/gnutls/issues/102
+- add gnutls-broken-openpgp-tests.patch
+
 -------------------------------------------------------------------
 Mon Feb 20 09:52:38 UTC 2017 - astieger@suse.com

--- a/gnutls.spec
+++ b/gnutls.spec
@ -29,7 +29,7 @@
 %define gnutls_dane_sover 0
 %endif
 Name:           gnutls
-Version:        3.5.9
+Version:        3.5.11
 Release:        0
 Summary:        The GNU Transport Layer Security Library
 License:        LGPL-2.1+ and GPL-3.0+
@ -40,9 +40,10 @@ Source0:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/%{name}-%{version}.tar.x
 Source1:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/%{name}-%{version}.tar.xz.sig
 Source2:        %{name}.keyring
 Source3:        baselibs.conf
-Patch0:         gnutls-3.5.9-pkgconfig.patch
+Patch0:         gnutls-broken-openpgp-tests.patch
 BuildRequires:  autogen
 BuildRequires:  automake
+BuildRequires:  ca-certificates-mozilla
 BuildRequires:  datefudge
 BuildRequires:  fdupes
 BuildRequires:  gcc-c++
@ -211,11 +212,11 @@ autoreconf -if
        --disable-static \
        --with-pic \
        --disable-rpath \
-	--disable-srp \
        --disable-silent-rules \
 	--with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \
        --with-sysroot=/%{?_sysroot} \
        --with-guile-site-dir=no \
+        --disable-openpgp-authentication \
 %if %{without tpm}
        --without-tpm \
 %endif
@ -247,6 +248,7 @@ cp doc/examples/*.{c,h} %{buildroot}%{_docdir}/libgnutls-devel/examples/
 # PNG files are replaced with the compressed files and that breaks
 # deduplication, this is workaround
 find %{buildroot}%{_datadir} -name '*.png' -exec gzip -n -9 {} +
+rm -rf %{buildroot}/usr/share/doc/gnutls
 %fdupes -s %{buildroot}%{_datadir}

 %find_lang libgnutls --all-name