Accepting request 224736 from Base:System

Upgrade to 3.2.12.1; Delete files: CVE-2014-0092.patch( upstreamed), gnutls-3.2.11.tar.xz.sig, gnutls-3.2.11.tar.xz; Add files: gnutls-3.2.12.1.tar.xz, gnutls-3.2.12.1.tar.xz.sig (forwarded request 224729 from shawn2012) OBS-URL: https://build.opensuse.org/request/show/224736 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=71
2014-03-06 18:18:08 +00:00 · 2014-03-06 18:18:08 +00:00 · e0a2fbfd43
commit e0a2fbfd43
parent 71f2bb57a3
7 changed files with 42 additions and 152 deletions
--- a/CVE-2014-0092.patch
+++ b/CVE-2014-0092.patch
@ -1,144 +0,0 @@
-index bc0d560..8cd4e2a 100644
--- a/lib/x509/verify.c
-+++ b/lib/x509/verify.c
-@@ -129,7 +129,7 @@ check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
- 					 &issuer_signed_data);
- 	if (result < 0) {
- 		gnutls_assert();
-		goto cleanup;
-+		goto fail;
- 	}
- 
- 	result =
-@@ -137,7 +137,7 @@ check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
- 					 &cert_signed_data);
- 	if (result < 0) {
- 		gnutls_assert();
-		goto cleanup;
-+		goto fail;
- 	}
- 
- 	result =
-@@ -145,7 +145,7 @@ check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
- 				       &issuer_signature);
- 	if (result < 0) {
- 		gnutls_assert();
-		goto cleanup;
-+		goto fail;
- 	}
- 
- 	result =
-@@ -153,7 +153,7 @@ check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
- 				       &cert_signature);
- 	if (result < 0) {
- 		gnutls_assert();
-		goto cleanup;
-+		goto fail;
- 	}
- 
- 	/* If the subject certificate is the same as the issuer
-@@ -206,9 +206,10 @@ check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
- 	} else
- 		gnutls_assert();
- 
-+ fail:
- 	result = 0;
- 
-      cleanup:
-+ cleanup:
- 	_gnutls_free_datum(&cert_signed_data);
- 	_gnutls_free_datum(&issuer_signed_data);
- 	_gnutls_free_datum(&cert_signature);
-@@ -390,8 +391,9 @@ _gnutls_verify_certificate2(gnutls_x509_crt_t cert,
- 	gnutls_datum_t cert_signed_data = { NULL, 0 };
- 	gnutls_datum_t cert_signature = { NULL, 0 };
- 	gnutls_x509_crt_t issuer = NULL;
-	int issuer_version, result, hash_algo;
-+	int issuer_version, result = 0, hash_algo;
- 	unsigned int out = 0, usage;
-+	const mac_entry_st * me;
- 
- 	if (output)
- 		*output = 0;
-@@ -429,13 +431,14 @@ _gnutls_verify_certificate2(gnutls_x509_crt_t cert,
- 	issuer_version = gnutls_x509_crt_get_version(issuer);
- 	if (issuer_version < 0) {
- 		gnutls_assert();
-		return issuer_version;
-+		result = 0;
-+		goto cleanup;
- 	}
- 
- 	if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
- 	    ((flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT)
- 	     || issuer_version != 1)) {
-		if (check_if_ca(cert, issuer, max_path, flags) == 0) {
-+		if (check_if_ca(cert, issuer, max_path, flags) != 1) {
- 			gnutls_assert();
- 			out =
- 			    GNUTLS_CERT_SIGNER_NOT_CA |
-@@ -467,6 +470,7 @@ _gnutls_verify_certificate2(gnutls_x509_crt_t cert,
- 					 &cert_signed_data);
- 	if (result < 0) {
- 		gnutls_assert();
-+		result = 0;
- 		goto cleanup;
- 	}
- 
-@@ -475,6 +479,7 @@ _gnutls_verify_certificate2(gnutls_x509_crt_t cert,
- 				       &cert_signature);
- 	if (result < 0) {
- 		gnutls_assert();
-+		result = 0;
- 		goto cleanup;
- 	}
- 
-@@ -483,13 +488,20 @@ _gnutls_verify_certificate2(gnutls_x509_crt_t cert,
- 						 "signatureAlgorithm.algorithm");
- 	if (result < 0) {
- 		gnutls_assert();
-+		result = 0;
- 		goto cleanup;
- 	}
- 
- 	hash_algo = gnutls_sign_get_hash_algorithm(result);
-+	me = mac_to_entry(hash_algo);
-+	if (me == NULL) {
-+		gnutls_assert();
-+		result = 0;
-+		goto cleanup;
-+	}
- 
- 	result =
-	    _gnutls_x509_verify_data(mac_to_entry(hash_algo),
-+	    _gnutls_x509_verify_data(me,
- 				     &cert_signed_data, &cert_signature,
- 				     issuer);
- 	if (result == GNUTLS_E_PK_SIG_VERIFY_FAILED) {
-@@ -501,6 +513,7 @@ _gnutls_verify_certificate2(gnutls_x509_crt_t cert,
- 		result = 0;
- 	} else if (result < 0) {
- 		gnutls_assert();
-+		result = 0;
- 		goto cleanup;
- 	}
- 
-@@ -672,7 +685,7 @@ _gnutls_x509_verify_certificate(const gnutls_x509_crt_t * certificate_list,
- 					  trusted_cas, tcas_size, flags,
- 					  &output, &issuer, now, &max_path,
- 					  func);
-	if (ret == 0) {
-+	if (ret != 1) {
- 		/* if the last certificate in the certificate
- 		 * list is invalid, then the certificate is not
- 		 * trusted.
-@@ -701,7 +714,7 @@ _gnutls_x509_verify_certificate(const gnutls_x509_crt_t * certificate_list,
- 		     _gnutls_verify_certificate2(certificate_list[i - 1],
- 						 &certificate_list[i], 1,
- 						 flags, &output, NULL, now,
-						 &max_path, func)) == 0) {
-+						 &max_path, func)) != 1) {
- 			status |= output;
- 			status |= GNUTLS_CERT_INVALID;
- 			return status;
-
--- a/gnutls-3.2.11.tar.xz
+++ b/gnutls-3.2.11.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:b844c58a72d6930abbda42129f4051dbf97f91754bea3514931173e3d01cf3c1
-size 5135168
--- a/gnutls-3.2.11.tar.xz.sig
+++ b/gnutls-3.2.11.tar.xz.sig
--- a/gnutls-3.2.12.1.tar.xz
+++ b/gnutls-3.2.12.1.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:29069907546f6b9e134aafcaa52a030f517835c83de9ffc38b51ab33c31adf12
+size 5137552
--- a/gnutls-3.2.12.1.tar.xz.sig
+++ b/gnutls-3.2.12.1.tar.xz.sig
--- a/gnutls.changes
+++ b/gnutls.changes
@ -1,3 +1,39 @@
+-------------------------------------------------------------------
+Wed Mar  5 15:30:54 UTC 2014 - shchang@suse.com
+
+- Upgrade to 3.2.12.1; 
+
+** libgnutls: Reverted change that broke ABI. Reported by Andreas
+Metzler.
+
+** libgnutls: Corrected certificate verification issue (GNUTLS-SA-2014-2)
+
+** libgnutls: Corrected issue in gnutls_pcert_list_import_x509_raw
+when provided with invalid data. Reported by Dmitriy Anisimkov.
+
+** libgnutls: Corrected timeout issue in subsequent to the first
+DTLS handshakes.
+
+** libgnutls: Removed unconditional not-trusted message in
+gnutls_certificate_verification_status_print() when used with
+OpenPGP certificates. Reported by Michel Briand.
+
+** libgnutls: All ciphersuites that were available in TLS1.0 or
+later are now made available in SSL3.0 or later to prevent
+any incompatibilities with servers that negotiate them in SSL 3.0.
+
+** ocsptool: When verifying a response and a signer isn't provided
+assume that the signer is the issuer.
+
+** ocsptool: When sending a nonce, verify that the nonce exists
+in the OCSP response.
+
+** gnutls-cli: Added --strict-tofu option; contributed by Jens
+Lechtenboerger.
+
+Delete files: CVE-2014-0092.patch( upstreamed), gnutls-3.2.11.tar.xz.sig, gnutls-3.2.11.tar.xz; 
+Add files: gnutls-3.2.12.1.tar.xz, gnutls-3.2.12.1.tar.xz.sig
+
 -------------------------------------------------------------------
 Mon Mar  3 09:04:31 UTC 2014 - shchang@suse.com

--- a/gnutls.spec
+++ b/gnutls.spec
@ -21,15 +21,15 @@
 %define gnutls_ossl_sover 27

 Name:           gnutls
-Version:        3.2.11
+Version:        3.2.12
 Release:        0
 Summary:        The GNU Transport Layer Security Library
 License:        LGPL-2.1+ and GPL-3.0+
 Group:          Productivity/Networking/Security
 Url:            http://www.gnutls.org/
-Source0:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.tar.xz
+Source0:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.1.tar.xz
 # signature is checked by source services.
-Source1:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.tar.xz.sig
+Source1:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.1.tar.xz.sig
 Source2:        %name.keyring
 Source3:        baselibs.conf

@ -37,7 +37,6 @@ Source3:        baselibs.conf
 Patch3:         gnutls-3.0.26-skip-test-fwrite.patch

 Patch6:         gnutls-implement-trust-store-dir-3.2.8.diff
-Patch7:         CVE-2014-0092.patch

 BuildRequires:  automake
 BuildRequires:  gcc-c++
@ -138,7 +137,6 @@ Files needed for software development using gnutls.
 %setup -q
 %patch3
 %patch6 -p1
-%patch7 -p1

 %build
 autoreconf -if