Hello community, here is the log from the commit of package gnutls for openSUSE:11.4 checked in at Fri Feb 17 16:47:54 CET 2012.
-------- --- old-versions/11.4/UPDATES/all/gnutls/gnutls.changes 2011-11-14 09:28:23.000000000 +0100 +++ 11.4/gnutls/gnutls.changes 2012-02-17 08:33:14.000000000 +0100 @@ -1,0 +2,6 @@ +Mon Feb 13 06:38:11 UTC 2012 - [email protected] + +- fix Bug[bnc#739898] - GnuTLS DTLS plaintext recovery attack. + CVE-2012-0390 + +------------------------------------------------------------------- @@ -4 +10 @@ -- fix Bug 729486 - VUL-1: CVE-2011-4128: gnutls: buffer overflow +- fix Bug[bnc#729486] - VUL-1: CVE-2011-4128: gnutls: buffer overflow calling whatdependson for 11.4-i586 New: ---- CVE-2012-0390.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnutls.spec ++++++ --- /var/tmp/diff_new_pack.3z46nf/_old 2012-02-17 16:47:40.000000000 +0100 +++ /var/tmp/diff_new_pack.3z46nf/_new 2012-02-17 16:47:40.000000000 +0100 @@ -21,13 +21,14 @@ Name: gnutls BuildRequires: gcc-c++ libgcrypt-devel libopencdk-devel libtasn1-devel pkg-config Version: 2.8.6 -Release: 5.<RELEASE6> +Release: 5.<RELEASE8> License: LGPLv2.1+ BuildRoot: %{_tmppath}/%{name}-%{version}-build Url: http://www.gnutls.org/ Source0: %name-%version.tar.bz2 Source1: baselibs.conf Patch1: CVE-2011-4128.patch +Patch2: CVE-2012-0390.patch Summary: The GNU Transport Layer Security Library Group: Productivity/Networking/Security AutoReqProv: on @@ -139,7 +140,7 @@ %prep %setup -q %patch1 -p1 -#%patch2 -p1 +%patch2 -p1 %build autoreconf -fi ++++++ CVE-2012-0390.patch ++++++ Index: gnutls-2.8.6/lib/gnutls_cipher.c =================================================================== --- gnutls-2.8.6.orig/lib/gnutls_cipher.c +++ gnutls-2.8.6/lib/gnutls_cipher.c 
@@ -541,7 +541,12 @@ _gnutls_ciphertext2compressed (gnutls_se } if (length < 0) - length = 0; + { + /* Setting a proper length to prevent timing differences in + * processing of records with invalid encryption. + */ + length = ciphertext.size - hash_size; + } c_length = _gnutls_conv_uint16 ((uint16_t) length); /* Pass the type, version, length and compressed through continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
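Review bot: the new gnutls.changes entry names bnc#739898 and CVE-2012-0390 but says nothing about what the fix does; a one-line summary (the record-decryption path now uses a fixed length for records with invalid encryption so that timing no longer leaks padding validity) would let someone reading the changelog later judge the change without opening CVE-2012-0390.patch. The second hunk, which rewrites the older entry to the `Bug[bnc#729486]` form, is a style-only change and is fine.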
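Review bot: replacing `#%patch2 -p1` with `%patch2 -p1` in %prep is the right move and should not be left half-done in future: RPM expands `%` macros even inside `#` comment lines, so a commented-out `%patch2` is not inert, and the only safe way to park a patch application is `#%%patch2 -p1`. With `Patch2: CVE-2012-0390.patch` now declared in the header hunk, the declaration and its application are paired, which is what `osc build` needs.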
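Review bot: the fallback `length = ciphertext.size - hash_size;` assumes `ciphertext.size >= hash_size` has already been established before this point in `_gnutls_ciphertext2compressed`; that check is outside the visible context, so confirm it exists, otherwise the invalid-padding path can produce a negative `length` again and the `(uint16_t) length` cast on the following line would wrap. The code comment should also say which channel it closes, e.g. "/* CVE-2012-0390: use the same length as a valid record so MAC verification of a record with bad padding takes the same time */", since "prevent timing differences" alone does not tell a maintainer why `0` was the wrong value. Note for the comment as well that this narrows the side channel rather than removing it: unless the valid-padding path yields the same `length`, the MAC is still computed over an amount of data that depends on whether the padding check passed.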
