diff --git a/CVE-2014-0092.patch b/CVE-2014-0092.patch
deleted file mode 100644
index 4b9a6e2..0000000
--- a/CVE-2014-0092.patch
+++ /dev/null
@@ -1,144 +0,0 @@
-index bc0d560..8cd4e2a 100644
---- a/lib/x509/verify.c
-+++ b/lib/x509/verify.c
-@@ -129,7 +129,7 @@ check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
- &issuer_signed_data);
- if (result < 0) {
- gnutls_assert();
-- goto cleanup;
-+ goto fail;
- }
- 
- result =
-@@ -137,7 +137,7 @@ check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
- &cert_signed_data);
- if (result < 0) {
- gnutls_assert();
-- goto cleanup;
-+ goto fail;
- }
- 
- result =
-@@ -145,7 +145,7 @@ check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
- &issuer_signature);
- if (result < 0) {
- gnutls_assert();
-- goto cleanup;
-+ goto fail;
- }
- 
- result =
-@@ -153,7 +153,7 @@ check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
- &cert_signature);
- if (result < 0) {
- gnutls_assert();
-- goto cleanup;
-+ goto fail;
- }
- 
- /* If the subject certificate is the same as the issuer
-@@ -206,9 +206,10 @@ check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
- } else
- gnutls_assert();
- 
-+ fail:
- result = 0;
- 
-- cleanup:
-+ cleanup:
- _gnutls_free_datum(&cert_signed_data);
- _gnutls_free_datum(&issuer_signed_data);
- _gnutls_free_datum(&cert_signature);
-@@ -390,8 +391,9 @@ _gnutls_verify_certificate2(gnutls_x509_crt_t cert,
- gnutls_datum_t cert_signed_data = { NULL, 0 };
- gnutls_datum_t cert_signature = { NULL, 0 };
- gnutls_x509_crt_t issuer = NULL;
-- int issuer_version, result, hash_algo;
-+ int issuer_version, result = 0, hash_algo;
- unsigned int out = 0, usage;
-+ const mac_entry_st * me;
- 
- if (output)
- *output = 0;
-@@ -429,13 +431,14 @@ _gnutls_verify_certificate2(gnutls_x509_crt_t cert,
- issuer_version = gnutls_x509_crt_get_version(issuer);
- if (issuer_version < 0) {
- gnutls_assert();
-- return issuer_version;
-+ result = 0;
-+ goto cleanup;
- }
- 
- if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
- ((flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT)
- || issuer_version != 1)) {
-- if (check_if_ca(cert, issuer, max_path, flags) == 0) {
-+ if (check_if_ca(cert, issuer, max_path, flags) != 1) {
- gnutls_assert();
- out =
- GNUTLS_CERT_SIGNER_NOT_CA |
-@@ -467,6 +470,7 @@ _gnutls_verify_certificate2(gnutls_x509_crt_t cert,
- &cert_signed_data);
- if (result < 0) {
- gnutls_assert();
-+ result = 0;
- goto cleanup;
- }
- 
-@@ -475,6 +479,7 @@ _gnutls_verify_certificate2(gnutls_x509_crt_t cert,
- &cert_signature);
- if (result < 0) {
- gnutls_assert();
-+ result = 0;
- goto cleanup;
- }
- 
-@@ -483,13 +488,20 @@ _gnutls_verify_certificate2(gnutls_x509_crt_t cert,
- "signatureAlgorithm.algorithm");
- if (result < 0) {
- gnutls_assert();
-+ result = 0;
- goto cleanup;
- }
- 
- hash_algo = gnutls_sign_get_hash_algorithm(result);
-+ me = mac_to_entry(hash_algo);
-+ if (me == NULL) {
-+ gnutls_assert();
-+ result = 0;
-+ goto cleanup;
-+ }
- 
- result =
-- _gnutls_x509_verify_data(mac_to_entry(hash_algo),
-+ _gnutls_x509_verify_data(me,
- &cert_signed_data, &cert_signature,
- issuer);
- if (result == GNUTLS_E_PK_SIG_VERIFY_FAILED) {
-@@ -501,6 +513,7 @@ _gnutls_verify_certificate2(gnutls_x509_crt_t cert,
- result = 0;
- } else if (result < 0) {
- gnutls_assert();
-+ result = 0;
- goto cleanup;
- }
- 
-@@ -672,7 +685,7 @@ _gnutls_x509_verify_certificate(const gnutls_x509_crt_t * certificate_list,
- trusted_cas, tcas_size, flags,
- &output, &issuer, now, &max_path,
- func);
-- if (ret == 0) {
-+ if (ret != 1) {
- /* if the last certificate in the certificate
- * list is invalid, then the certificate is not
- * trusted.
-@@ -701,7 +714,7 @@ _gnutls_x509_verify_certificate(const gnutls_x509_crt_t * certificate_list,
- _gnutls_verify_certificate2(certificate_list[i - 1],
- &certificate_list[i], 1,
- flags, &output, NULL, now,
-- &max_path, func)) == 0) {
-+ &max_path, func)) != 1) {
- status |= output;
- status |= GNUTLS_CERT_INVALID;
- return status;
- 
diff --git a/gnutls-3.2.11.tar.xz b/gnutls-3.2.11.tar.xz
deleted file mode 100644
index f430c19..0000000
--- a/gnutls-3.2.11.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:b844c58a72d6930abbda42129f4051dbf97f91754bea3514931173e3d01cf3c1
-size 5135168
diff --git a/gnutls-3.2.11.tar.xz.sig b/gnutls-3.2.11.tar.xz.sig
deleted file mode 100644
index 68f78bf..0000000
Binary files a/gnutls-3.2.11.tar.xz.sig and /dev/null differ
diff --git a/gnutls-3.2.12.1.tar.xz b/gnutls-3.2.12.1.tar.xz
new file mode 100644
index 0000000..f804eb2
--- /dev/null
+++ b/gnutls-3.2.12.1.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:29069907546f6b9e134aafcaa52a030f517835c83de9ffc38b51ab33c31adf12
+size 5137552
diff --git a/gnutls-3.2.12.1.tar.xz.sig b/gnutls-3.2.12.1.tar.xz.sig
new file mode 100644
index 0000000..637786e
Binary files /dev/null and b/gnutls-3.2.12.1.tar.xz.sig differ
diff --git a/gnutls.changes b/gnutls.changes
index 007f762..6cc3b71 100644
--- a/gnutls.changes
+++ b/gnutls.changes
@@ -1,3 +1,39 @@
+-------------------------------------------------------------------
+Wed Mar 5 15:30:54 UTC 2014 - shchang@suse.com
+
+- Upgrade to 3.2.12.1;
+
+** libgnutls: Reverted change that broke ABI. Reported by Andreas
+Metzler.
+
+** libgnutls: Corrected certificate verification issue (GNUTLS-SA-2014-2)
+
+** libgnutls: Corrected issue in gnutls_pcert_list_import_x509_raw
+when provided with invalid data. Reported by Dmitriy Anisimkov.
+
+** libgnutls: Corrected timeout issue in subsequent to the first
+DTLS handshakes.
+
+** libgnutls: Removed unconditional not-trusted message in
+gnutls_certificate_verification_status_print() when used with
+OpenPGP certificates. Reported by Michel Briand.
+
+** libgnutls: All ciphersuites that were available in TLS1.0 or
+later are now made available in SSL3.0 or later to prevent
+any incompatibilities with servers that negotiate them in SSL 3.0.
+
+** ocsptool: When verifying a response and a signer isn't provided
+assume that the signer is the issuer.
+
+** ocsptool: When sending a nonce, verify that the nonce exists
+in the OCSP response.
+
+** gnutls-cli: Added --strict-tofu option; contributed by Jens
+Lechtenboerger.
+
+Delete files: CVE-2014-0092.patch( upstreamed), gnutls-3.2.11.tar.xz.sig, gnutls-3.2.11.tar.xz;
+Add files: gnutls-3.2.12.1.tar.xz, gnutls-3.2.12.1.tar.xz.sig
+
 -------------------------------------------------------------------
 Mon Mar 3 09:04:31 UTC 2014 - shchang@suse.com
diff --git a/gnutls.spec b/gnutls.spec
index 26d23b3..332fd7f 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -21,15 +21,15 @@ %define gnutls_ossl_sover 27
 Name: gnutls
-Version: 3.2.11
+Version: 3.2.12
 Release: 0
 Summary: The GNU Transport Layer Security Library
 License: LGPL-2.1+ and GPL-3.0+
 Group: Productivity/Networking/Security
 Url: http://www.gnutls.org/
-Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.tar.xz
+Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.1.tar.xz
 # signature is checked by source services.
-Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.tar.xz.sig
+Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.1.tar.xz.sig
 Source2: %name.keyring
 Source3: baselibs.conf
@@ -37,7 +37,6 @@ Source3: baselibs.conf
 Patch3: gnutls-3.0.26-skip-test-fwrite.patch
 Patch6: gnutls-implement-trust-store-dir-3.2.8.diff
-Patch7: CVE-2014-0092.patch
 BuildRequires: automake
 BuildRequires: gcc-c++
@@ -138,7 +137,6 @@ Files needed for software development using gnutls.
 %setup -q
 %patch3
 %patch6 -p1
-%patch7 -p1
 %build
 autoreconf -if
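Review bot: `Version: 3.2.12` does not match the upstream release actually being packaged, 3.2.12.1, whose extra component is instead hard-coded into the new Source0 and Source1 lines as `%{name}-%{version}.1.tar.xz`. The built RPM will therefore report 3.2.12 while the changes entry and the signature-checked tarball say 3.2.12.1, so anything that matches package versions against the GNUTLS-SA-2014-2 fix level, and the next maintainer bumping to a plain x.y.z tarball, has to know about the hidden `.1`. Consider `Version: 3.2.12.1` with `Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.tar.xz` and the same shape for Source1, so the version string and the verified tarball name derive from one value. Dropping Patch7 together with its `%patch7 -p1` line is consistent with the changelog's note that CVE-2014-0092.patch was upstreamed.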