From bdab2e0cbb51961ab7b367e3243a6d23280778ee365c445518aab6f7a14f031d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADt=C4=9Bzslav=20=C4=8C=C3=AD=C5=BEek?= Date: Thu, 4 Apr 2019 14:11:38 +0000 Subject: [PATCH 1/2] Accepting request 691550 from home:jsikes:branches:security:tls Forgot changelog entry. OBS-URL: https://build.opensuse.org/request/show/691550 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=19 --- ...3.6.0-disable-flaky-dtls_resume-test.patch | 24 ++++---- gnutls-3.6.6-set_guile_site_dir.patch | 13 +++++ gnutls-3.6.6.tar.xz | 3 - gnutls-3.6.6.tar.xz.sig | Bin 310 -> 0 bytes gnutls-3.6.7.tar.xz | 3 + gnutls-3.6.7.tar.xz.sig | Bin 0 -> 310 bytes gnutls.changes | 54 ++++++++++++++++++ gnutls.spec | 19 +++--- 8 files changed, 94 insertions(+), 22 deletions(-) create mode 100644 gnutls-3.6.6-set_guile_site_dir.patch delete mode 100644 gnutls-3.6.6.tar.xz delete mode 100644 gnutls-3.6.6.tar.xz.sig create mode 100644 gnutls-3.6.7.tar.xz create mode 100644 gnutls-3.6.7.tar.xz.sig diff --git a/gnutls-3.6.0-disable-flaky-dtls_resume-test.patch b/gnutls-3.6.0-disable-flaky-dtls_resume-test.patch index 34ea17b..4746cac 100644 --- a/gnutls-3.6.0-disable-flaky-dtls_resume-test.patch +++ b/gnutls-3.6.0-disable-flaky-dtls_resume-test.patch @@ -1,8 +1,8 @@ -Index: gnutls-3.6.5/tests/Makefile.am +Index: gnutls-3.6.7/tests/Makefile.am =================================================================== ---- gnutls-3.6.5.orig/tests/Makefile.am 2019-01-04 14:11:28.196622546 +0100 -+++ gnutls-3.6.5/tests/Makefile.am 2019-01-04 14:11:29.080627637 +0100 -@@ -445,7 +445,7 @@ if !WINDOWS +--- gnutls-3.6.7.orig/tests/Makefile.am ++++ gnutls-3.6.7/tests/Makefile.am +@@ -453,7 +453,7 @@ if !WINDOWS # List of tests not available/functional under windows # 
@@ -11,11 +11,11 @@ Index: gnutls-3.6.5/tests/Makefile.am indirect_tests += dtls-stress -Index: gnutls-3.6.5/tests/Makefile.in +Index: gnutls-3.6.7/tests/Makefile.in =================================================================== ---- gnutls-3.6.5.orig/tests/Makefile.in 2019-01-04 14:11:28.200622568 +0100 -+++ gnutls-3.6.5/tests/Makefile.in 2019-01-04 14:11:44.352715599 +0100 -@@ -164,7 +164,7 @@ host_triplet = @host@ +--- gnutls-3.6.7.orig/tests/Makefile.in ++++ gnutls-3.6.7/tests/Makefile.in +@@ -165,7 +165,7 @@ host_triplet = @host@ # # List of tests not available/functional under windows # @@ -23,13 +23,13 @@ Index: gnutls-3.6.5/tests/Makefile.in +@WINDOWS_FALSE@am__append_13 = dtls/dtls fastopen.sh \ @WINDOWS_FALSE@ pkgconfig.sh starttls.sh starttls-ftp.sh \ @WINDOWS_FALSE@ starttls-smtp.sh starttls-lmtp.sh \ - @WINDOWS_FALSE@ starttls-pop3.sh starttls-nntp.sh \ -@@ -2663,7 +2663,7 @@ x509sign_verify_rsa_DEPENDENCIES = $(COM + @WINDOWS_FALSE@ starttls-pop3.sh starttls-xmpp.sh \ +@@ -2703,7 +2703,7 @@ x509sign_verify_rsa_DEPENDENCIES = $(COM $(am__DEPENDENCIES_2) am__dist_check_SCRIPTS_DIST = rfc2253-escape-test \ rsa-md5-collision/rsa-md5-collision.sh systemkey.sh dtls/dtls \ - dtls/dtls-resume fastopen.sh pkgconfig.sh starttls.sh \ + fastopen.sh pkgconfig.sh starttls.sh \ starttls-ftp.sh starttls-smtp.sh starttls-lmtp.sh \ - starttls-pop3.sh starttls-nntp.sh starttls-sieve.sh \ - ocsp-tests/ocsp-tls-connection \ + starttls-pop3.sh starttls-xmpp.sh starttls-nntp.sh \ + starttls-sieve.sh ocsp-tests/ocsp-tls-connection \ diff --git a/gnutls-3.6.6-set_guile_site_dir.patch b/gnutls-3.6.6-set_guile_site_dir.patch new file mode 100644 index 0000000..f6b07e1 --- /dev/null +++ b/gnutls-3.6.6-set_guile_site_dir.patch 
@@ -0,0 +1,13 @@ +Index: gnutls-3.6.6/configure +=================================================================== +--- gnutls-3.6.6.orig/configure ++++ gnutls-3.6.6/configure +@@ -62868,7 +62868,7 @@ + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Guile site directory" >&5 + $as_echo_n "checking for Guile site directory... " >&6; } +- GUILE_SITE=`$PKG_CONFIG --print-errors --variable=sitedir guile-$GUILE_EFFECTIVE_VERSION` ++ GUILE_SITE=/usr/share/guile + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $GUILE_SITE" >&5 + $as_echo "$GUILE_SITE" >&6; } + if test "$GUILE_SITE" = ""; then diff --git a/gnutls-3.6.6.tar.xz b/gnutls-3.6.6.tar.xz deleted file mode 100644 index f5e0afd..0000000 --- a/gnutls-3.6.6.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:bb9acab8af2ac430edf45faaaa4ed2c51f86e57cb57689be6701aceef4732ca7 -size 8257612 diff --git a/gnutls-3.6.6.tar.xz.sig b/gnutls-3.6.6.tar.xz.sig deleted file mode 100644 index 6d74eaedf39729e4696f18000da54fbdb2a0748aebfd5fa72c9b3c040307b160..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 310 zcmV-60m=S}0W$;u0SEvc79j*#`?XxB^Qfx~P&aef97u=pXPRXN0$fVHo&X975ZD|@ zhw*2cWw@pX|9FORJf3HWL|bDI3ljWI!JGN+JlruA*yIG5m%%qjehw_B_g1V6ykiNS z4Cx-f5Pt^>C<+;-4aMlfujFgS!?sJfgI$$C%PfG@%Ei-C=qi2Kb`Ky|&*pCX$pi?# z4qym0pHpdsC$0M*1d^wJlpp$5L<#KWD+gQWM}=fi~HIPErDI6``|K5&k zSjnAeF>=>O8YLgM{iW0HgTZ4>Oa3df4=3!dzl$Gx}4378<_oSYSahSc$^^8`g2k&Ki&VzV$r@L}1#0yRvoeibm zf+J8I=$#738eNbF;RY-O_{kehB=|*v@A-n8?8*0kJNF-hj0Vf8E|;lsbBDl>Y*6Jf IWEjHda|ZR4uK)l5 literal 0 HcmV?d00001 diff --git a/gnutls.changes b/gnutls.changes index d69f7a3..11a557f 100644 --- a/gnutls.changes +++ b/gnutls.changes 
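Review bot: The replacement `GUILE_SITE=/usr/share/guile` in the new gnutls-3.6.6-set_guile_site_dir.patch makes the `if test "$GUILE_SITE" = ""; then` check immediately after it dead code and pins the site directory to a literal that no longer tracks what the installed guile reports through pkg-config; the gnutls.spec hunk in the same commit that drops `--with-guile-site-dir=%{_datadir}/guile` turns a macro-driven value into a hard-coded one. A one-line comment above the assignment stating why the pkg-config query is bypassed, e.g. `# openSUSE: fixed site dir, replaces the removed --with-guile-site-dir option`, would keep a future rebase from silently reverting it. The patch also only touches the generated `configure`; if the build ever regenerates it (no autoreconf step is visible in this diff), the override is lost, so carrying the change in the source of that check would be more durable.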
@@ -1,3 +1,57 @@
+-------------------------------------------------------------------
+Thu Apr 4 13:34:03 UTC 2019 - Jason Sikes
+
+- Update gnutls to 3.6.7
+ ** libgnutls, gnutls tools: Every gnutls_free() will automatically set
+ the free'd pointer to NULL. This prevents possible use-after-free and
+ double free issues. Use-after-free will be turned into NULL dereference.
+ The counter-measure does not extend to applications using gnutls_free().
+
+ ** libgnutls: Fixed a memory corruption (double free) vulnerability in the
+ certificate verification API. Reported by Tavis Ormandy; addressed with
+ the change above. [GNUTLS-SA-2019-03-27, #694] [bsc#1130681] (CVE-2019-3829)
+
+ ** libgnutls: Fixed an invalid pointer access via malformed TLS1.3 async messages;
+ Found using tlsfuzzer. [GNUTLS-SA-2019-03-27, #704] [bsc#1130682] (CVE-2019-3836)
+
+ ** libgnutls: enforce key usage limitations on certificates more actively.
+ Previously we would enforce it for TLS1.2 protocol, now we enforce it
+ even when TLS1.3 is negotiated, or on client certificates as well. When
+ an inappropriate for TLS1.3 certificate is seen on the credentials structure
+ GnuTLS will disable TLS1.3 support for that session (#690).
+
+ ** libgnutls: the default number of tickets sent under TLS 1.3 was increased to
+ two. This makes it easier for clients which perform multiple connections
+ to the server to use the tickets sent by a default server.
+
+ ** libgnutls: enforce the equality of the two signature parameters fields in
+ a certificate. We were already enforcing the signature algorithm, but there
+ was a bug in parameter checking code.
+
+ ** libgnutls: fixed issue preventing sending and receiving from different
+ threads when false start was enabled (#713).
+
+ ** libgnutls: the flag GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO now implies a writable
+ session, as non-writeable security officer sessions are undefined in PKCS#11
+ (#721).
+
+ ** libgnutls: no longer send downgrade sentinel in TLS 1.3.
+ Previously the sentinel value was embedded to early in version
+ negotiation and was sent even on TLS 1.3. It is now sent only when
+ TLS 1.2 or earlier is negotiated (#689).
+
+ ** gnutls-cli: Added option --logfile to redirect informational messages output.
+
+- Disabled dane support in SLE since dane is not shipped there
+
+- Changed configure script to hardware guile site directory since command-line
+ option '--with-guile-site-dir=' was removed from the configure script.
+
+ ** Added gnutls-3.6.6-set_guile_site_dir.patch
+
+- Modified gnutls-3.6.0-disable-flaky-dtls_resume-test.patch to fix
+ compilation issues on PPC
+
 -------------------------------------------------------------------
 Mon Feb 4 12:41:43 UTC 2019 - Vítězslav Čížek
 
diff --git a/gnutls.spec b/gnutls.spec
index 22a6772..dd78ec8 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -20,8 +20,8 @@
 %define gnutlsxx_sover 28
 %define gnutls_dane_sover 0
 
-# unbound isn't in SLE12 (bsc#1086428)
-%if 0%{?is_opensuse} || 0%{?suse_version} >= 1500
+# unbound isn't in SLE (bsc#1086428)
+%if 0%{?is_opensuse}
 %bcond_without dane
 %else
 %bcond_with dane
@@ -29,7 +29,7 @@
 %bcond_with tpm
 %bcond_without guile
 Name: gnutls
-Version: 3.6.6
+Version: 3.6.7
 Release: 0
 Summary: The GNU Transport Layer Security Library
 License: LGPL-2.1-or-later AND GPL-3.0-or-later
@@ -42,6 +42,7 @@ Source3: baselibs.conf
 Patch1: gnutls-3.5.11-skip-trust-store-tests.patch
 Patch2: gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
 Patch3: disable-psk-file-test.patch
+Patch4: gnutls-3.6.6-set_guile_site_dir.patch
 BuildRequires: autogen
 BuildRequires: automake
 BuildRequires: datefudge
@@ -83,7 +84,7 @@ BuildRequires: guile-devel
 %description
 The GnuTLS library provides a secure layer over a reliable transport
 layer. Currently the GnuTLS library implements the proposed standards
-of the IETF's TLS working group.
+of the IETFs TLS working group.
 
 %package -n libgnutls%{gnutls_sover}
 Summary: The GNU Transport Layer Security Library
@@ -93,8 +94,9 @@ Group: System/Libraries %description -n libgnutls%{gnutls_sover} The GnuTLS library provides a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards -of the IETF's TLS working group. +of the IETFs TLS working group. +%if %{with dane} %package -n libgnutls-dane%{gnutls_dane_sover} Summary: DANE support for the GNU Transport Layer Security Library License: LGPL-2.1-or-later @@ -104,6 +106,7 @@ Group: System/Libraries The GnuTLS project aims to develop a library that provides a secure layer over a reliable transport layer. This package contains the "DANE" part of gnutls. +%endif %package -n libgnutlsxx%{gnutlsxx_sover} Summary: C++ API for the GNU Transport Layer Security Library @@ -113,7 +116,7 @@ Group: System/Libraries %description -n libgnutlsxx%{gnutlsxx_sover} The GnuTLS library provides a secure layer over a reliable transport layer. -implements the proposed standards of the IETF's TLS working group. +implements the proposed standards of the IETF TLS working group. %package -n libgnutls-devel Summary: Development package for the GnuTLS C API @@ -127,6 +130,7 @@ Provides: gnutls-devel = %{version}-%{release} %description -n libgnutls-devel Files needed for software development using gnutls. +%if %{with dane} %package -n libgnutls-dane-devel Summary: Development package for GnuTLS DANE component License: LGPL-2.1-or-later @@ -135,6 +139,7 @@ Requires: libgnutls-dane%{gnutls_dane_sover} = %{version} %description -n libgnutls-dane-devel Files needed for software development using gnutls. +%endif %package -n libgnutlsxx-devel Summary: Development package for the GnuTLS C++ API @@ -161,6 +166,7 @@ GnuTLS Wrappers for GNU Guile, a dialect of Scheme. %setup -q %patch1 -p1 %patch3 -p1 +%patch4 -p1 # dtls-resume test fails on PPC %ifarch ppc64 ppc64le ppc %patch2 -p1 
@@ -179,7 +185,6 @@ export CXXFLAGS="%{optflags} -fPIE"
 --disable-silent-rules \
 --with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \
 --with-sysroot=/%{?_sysroot} \
- --with-guile-site-dir=%{_datadir}/guile \
 %if %{without tpm}
 --without-tpm \
 %endif
From f11f79c7aef76d082fee632ab2859dcc1ff2a14c26c5d36a7797a09483840bea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?=
Date: Mon, 8 Apr 2019 09:25:11 +0000
Subject: [PATCH 2/2] Accepting request 691610 from home:jengelh:branches:security:tls

- Trim useless %if..%endif guards that do not affect the build.
- Fix language errors in description again.

OBS-URL: https://build.opensuse.org/request/show/691610
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=20
---
 gnutls.changes | 6 ++++++
 gnutls.spec | 12 ++++--------
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/gnutls.changes b/gnutls.changes
index 11a557f..885fd28 100644
--- a/gnutls.changes
+++ b/gnutls.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Apr 4 20:31:19 UTC 2019 - Jan Engelhardt
+
+- Trim useless %if..%endif guards that do not affect the build.
+- Fix language errors in description again.
+
 -------------------------------------------------------------------
 Thu Apr 4 13:34:03 UTC 2019 - Jason Sikes
 
diff --git a/gnutls.spec b/gnutls.spec
index dd78ec8..d7b6d1e 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -84,7 +84,7 @@ BuildRequires: guile-devel
 %description
 The GnuTLS library provides a secure layer over a reliable transport
 layer. Currently the GnuTLS library implements the proposed standards
-of the IETFs TLS working group.
+of the IETF's TLS working group.
 
 %package -n libgnutls%{gnutls_sover}
 Summary: The GNU Transport Layer Security Library
@@ -94,9 +94,8 @@ Group: System/Libraries %description -n libgnutls%{gnutls_sover} The GnuTLS library provides a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards -of the IETFs TLS working group. +of the IETF's TLS working group. -%if %{with dane} %package -n libgnutls-dane%{gnutls_dane_sover} Summary: DANE support for the GNU Transport Layer Security Library License: LGPL-2.1-or-later @@ -106,7 +105,6 @@ Group: System/Libraries The GnuTLS project aims to develop a library that provides a secure layer over a reliable transport layer. This package contains the "DANE" part of gnutls. -%endif %package -n libgnutlsxx%{gnutlsxx_sover} Summary: C++ API for the GNU Transport Layer Security Library @@ -115,8 +113,8 @@ Group: System/Libraries %description -n libgnutlsxx%{gnutlsxx_sover} The GnuTLS library provides a secure layer over a reliable transport -layer. -implements the proposed standards of the IETF TLS working group. +layer. Currently the GnuTLS library implements the proposed standards +of the IETF's TLS working group. %package -n libgnutls-devel Summary: Development package for the GnuTLS C API @@ -130,7 +128,6 @@ Provides: gnutls-devel = %{version}-%{release} %description -n libgnutls-devel Files needed for software development using gnutls. -%if %{with dane} %package -n libgnutls-dane-devel Summary: Development package for GnuTLS DANE component License: LGPL-2.1-or-later @@ -139,7 +136,6 @@ Requires: libgnutls-dane%{gnutls_dane_sover} = %{version} %description -n libgnutls-dane-devel Files needed for software development using gnutls. -%endif %package -n libgnutlsxx-devel Summary: Development package for the GnuTLS C++ API