Accepting request 979801 from security:tls

- Update to version 3.7.6: * libgnutls: Fixed invalid write when gnutls_realloc_zero() is called with new_size < old_size. This bug caused heap corruption when gnutls_realloc_zero() has been set as gmp reallocfunc. * Remove gnutls-3.7.5-fix-gnutls_realloc_zero.patch: Fixed upstream. - Add gnutls-3.7.5-fix-gnutls_realloc_zero.patch: Fix memory corruption in gnutls_realloc_zero (gl#gnutls/gnutls#1367, boo#1199929). - update to 3.7.5: * add options disable session ticket usage in TLS 1.2 because it does not provide forward secrecy * For TLS 1.3 where session tickets do provide forward secrecy, the PFS priority string now only disables session tickets in TLS 1.2. * Future backward incompatibility: in the next major release of GnuTLS those flag and modifier are planned to be removed * gnutls-cli, gnutls-serv: Channel binding for printing information has been changed from tls-unique to tls-exporter as tls-unique is not supported in TLS 1.3. * Certificate sanity checks has been enhanced to make gnutls more RFC 5280 compliant: * Removed 3DES from FIPS approved algorithms * Optimized support for AES-SIV-CMAC algorithms * libgnutls: HKDF and AES-GCM algorithms are now approved in FIPS-140 mode when used in TLS (forwarded request 979523 from 1Antoine1) OBS-URL: https://build.opensuse.org/request/show/979801 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=139
2022-05-31 13:46:57 +00:00 · 2022-05-31 13:46:57 +00:00 · 909e41ef37
commit 909e41ef37
parent a72843bbe6 d9b5f828c5
7 changed files with 60 additions and 20 deletions
--- a/gnutls-3.7.4.tar.xz
+++ b/gnutls-3.7.4.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f
-size 6131772
--- a/gnutls-3.7.4.tar.xz.sig
+++ b/gnutls-3.7.4.tar.xz.sig
--- a/gnutls-3.7.6.tar.xz
+++ b/gnutls-3.7.6.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:77065719a345bfb18faa250134be4c53bef70c1bd61f6c0c23ceb8b44f0262ff
+size 6338276
--- a/gnutls-3.7.6.tar.xz.sig
+++ b/gnutls-3.7.6.tar.xz.sig
--- a/gnutls-FIPS-PBKDF2-KAT-requirements.patch
+++ b/gnutls-FIPS-PBKDF2-KAT-requirements.patch
@ -1,10 +1,10 @@
-Index: gnutls-3.7.3/lib/crypto-selftests.c
+Index: gnutls-3.7.5/lib/crypto-selftests.c
 ===================================================================
--- gnutls-3.7.3.orig/lib/crypto-selftests.c
-+++ gnutls-3.7.3/lib/crypto-selftests.c
-@@ -3112,6 +3112,16 @@ const struct pbkdf2_vectors_st pbkdf2_sh
- 		    "\x84\x1b\x51\xc9\xb3\x17\x6a\x27\x2b\xde\xbb\xa1\xd0\x78"
- 		    "\x47\x8f\x62\xb3\x97\xf3\x3c\x8d"),
+--- gnutls-3.7.5.orig/lib/crypto-selftests.c
+++ gnutls-3.7.5/lib/crypto-selftests.c
+@@ -3123,6 +3123,16 @@ const struct pbkdf2_vectors_st pbkdf2_sh
+ 		    "\x84\xcf\x2b\x17\x34\x7e\xbc\x18\x00\x18\x1c\x4e\x2a\x1f"
+ 		    "\xb8\xdd\x53\xe1\xc6\x35\x51\x8c\x7d\xac\x47\xe9"),
 	},
 +	/* Test vector extracted from https://dev.gnupg.org/source/libgcrypt/browse/master/cipher/kdf.c */
 +	{
@ -19,3 +19,4 @@ Index: gnutls-3.7.3/lib/crypto-selftests.c
 };
 
 static int test_pbkdf2(gnutls_mac_algorithm_t mac,
+
--- a/gnutls.changes
+++ b/gnutls.changes
@ -1,3 +1,42 @@
+-------------------------------------------------------------------
+Fri May 27 16:56:26 UTC 2022 - Antoine Belvire <antoine.belvire@opensuse.org>
+
+- Update to version 3.7.6:
+  * libgnutls: Fixed invalid write when gnutls_realloc_zero() is
+    called with new_size < old_size. This bug caused heap
+    corruption when gnutls_realloc_zero() has been set as gmp
+    reallocfunc.
+  * Remove gnutls-3.7.5-fix-gnutls_realloc_zero.patch: Fixed
+    upstream.
+
+-------------------------------------------------------------------
+Wed May 25 19:46:21 UTC 2022 - Antoine Belvire <antoine.belvire@opensuse.org>
+
+- Add gnutls-3.7.5-fix-gnutls_realloc_zero.patch: Fix memory
+  corruption in gnutls_realloc_zero (gl#gnutls/gnutls#1367,
+  boo#1199929).
+
+-------------------------------------------------------------------
+Sat May 21 17:50:57 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- update to 3.7.5:
+  * add options disable session ticket usage in TLS 1.2 because
+    it does not provide forward secrecy
+  * For TLS 1.3 where session tickets do provide forward secrecy,
+    the PFS priority string now only disables session tickets in
+    TLS 1.2.
+  * Future backward incompatibility: in the next major release of
+     GnuTLS those flag and modifier are planned to be removed
+  * gnutls-cli, gnutls-serv: Channel binding for printing
+    information has been changed from tls-unique to tls-exporter
+    as tls-unique is not supported in TLS 1.3.
+  * Certificate sanity checks has been enhanced to make gnutls
+    more RFC 5280 compliant:
+  * Removed 3DES from FIPS approved algorithms
+  * Optimized support for AES-SIV-CMAC algorithms
+  * libgnutls: HKDF and AES-GCM algorithms are now approved in
+    FIPS-140 mode when used in TLS
+
 -------------------------------------------------------------------
 Wed May 11 09:19:52 UTC 2022 - Marcus Meissner <meissner@suse.com>

--- a/gnutls.spec
+++ b/gnutls.spec
@ -36,7 +36,7 @@
 %bcond_with tpm
 %bcond_without guile
 Name:           gnutls
-Version:        3.7.4
+Version:        3.7.6
 Release:        0
 Summary:        The GNU Transport Layer Security Library
 License:        GPL-3.0-or-later AND LGPL-2.1-or-later
@ -159,7 +159,6 @@ Group:          Development/Libraries/C and C++
 Requires:       glibc-devel
 Requires:       gnutls = %{version}
 Requires:       libgnutls%{gnutls_sover} = %{version}
-Requires(pre):  %{install_info_prereq}
 Provides:       gnutls-devel = %{version}-%{release}
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 Requires:       crypto-policies
@ -186,7 +185,6 @@ Group:          Development/Libraries/C and C++
 Requires:       libgnutls-devel = %{version}
 Requires:       libgnutlsxx%{gnutlsxx_sover} = %{version}
 Requires:       libstdc++-devel
-Requires(pre):  %{install_info_prereq}

 %description -n libgnutlsxx-devel
 Files needed for software development using gnutls.
@ -241,7 +239,7 @@ export CXXFLAGS="%{optflags} -fPIE"
        --with-fips140-module-name="GnuTLS version" \
        --with-fips140-module-version="%{version}-%{release}" \
        %{nil}
-make %{?_smp_mflags}
+%make_build

 %install
 %make_install
@ -268,7 +266,7 @@ rm -rf %{buildroot}%{_datadir}/doc/gnutls

 %check
 %if ! 0%{?qemu_user_space_build}
-make %{?_smp_mflags} check GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
+%make_build check GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
    find -name test-suite.log -print -exec cat {} +
    exit 1
 }
@ -290,12 +288,6 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
 %post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
 %postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig

-%post -n libgnutls-devel
-%install_info --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz
-
-%preun -n libgnutls-devel
-%install_info_delete --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz
-
 %files -f libgnutls.lang
 %license LICENSE
 %doc THANKS README.md NEWS ChangeLog AUTHORS doc/TODO
@ -316,20 +308,25 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
 %{_mandir}/man1/*

 %files -n libgnutls%{gnutls_sover}
+%license LICENSE
 %{_libdir}/libgnutls.so.%{gnutls_sover}*

 %files -n libgnutls%{gnutls_sover}-hmac
+%license LICENSE
 %{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac

 %if %{with dane}
 %files -n libgnutls-dane%{gnutls_dane_sover}
+%license LICENSE
 %{_libdir}/libgnutls-dane.so.%{gnutls_dane_sover}*
 %endif

 %files -n libgnutlsxx%{gnutlsxx_sover}
+%license LICENSE
 %{_libdir}/libgnutlsxx.so.%{gnutlsxx_sover}*

 %files -n libgnutls-devel
+%license LICENSE
 %dir %{_includedir}/%{name}
 %{_includedir}/%{name}/abstract.h
 %{_includedir}/%{name}/crypto.h
@ -356,6 +353,7 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=

 %if %{with dane}
 %files -n libgnutls-dane-devel
+%license LICENSE
 %dir %{_includedir}/%{name}
 %{_includedir}/%{name}/dane.h
 %{_libdir}/pkgconfig/gnutls-dane.pc
@ -363,12 +361,14 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
 %endif

 %files -n libgnutlsxx-devel
+%license LICENSE
 %{_libdir}/libgnutlsxx.so
 %dir %{_includedir}/%{name}
 %{_includedir}/%{name}/gnutlsxx.h

 %if %{with guile}
 %files guile
+%license LICENSE
 %{_libdir}/guile/*
 %{_datadir}/guile/gnutls*
 %endif