Hi,

So regardless of the ABI issues affecting jessie, the first thing to do
is to fix this in unstable which can be done by just uploading 1.3.14
and doing an ABI transition.

I've attached a debdiff for an NMU to experimental which would start
this off. The orig tarball is not included in the diff to make it
easier to read. Instead it can be downloaded from upstream here:

https://tls.mbed.org/download/mbedtls-1.3.14-gpl.tgz
sha1sum: 690ae3cc3da82cfc5530f5cb1f82bec0c778b5dc

So the package doesn't conflict with the mbedtls 2 package (in NEW)
and none of the API is broken; the only thing changed was the SONAME
of the library and the package name. The symlinks used by ld and the
names of the binaries all keep the 'polarssl' name instead of being
renamed to 'mbedtls'.

Thanks,
James

diff -Nru polarssl-1.3.9/debian/changelog polarssl-1.3.14/debian/changelog
--- polarssl-1.3.9/debian/changelog	2015-01-22 16:53:27.000000000 +0000
+++ polarssl-1.3.14/debian/changelog	2015-10-23 21:51:22.000000000 +0100
@@ -1,3 +1,20 @@
+polarssl (1.3.14-0.1) experimental; urgency=high
+
+  * Non-maintainer upload.
+  * New upstream release. (Closes: #787324)
+    - The upstream project has been renamed to "mbed TLS", but for
+      compatibility the binaries supplied by this package will still
+      be called "polarssl" for the 1.3 series.
+    - Fixes CVE-2015-5291: Remote attack on clients using session tickets or
+      SNI. (Closes: #801413)
+    - Fixes mips64el bignum implementation. (Closes: #773306)
+    - Fixes parsing of certain PCKS#3 files. (Closes: #781840)
+
+  * Rename libpolarssl7 package to libmbedtls9 due to SONAME bump.
+  * Drop CVE-2015-1182.patch - applied upstream.
+
+ -- James Cowgill <james...@cowgill.org.uk>  Fri, 23 Oct 2015 21:49:24 +0100
+
 polarssl (1.3.9-2.1) unstable; urgency=high
 
   * Non-maintainer upload.
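Review bot: typo in the new changelog entry, "Fixes parsing of certain PCKS#3 files" should read "PKCS#3"; changelog text ends up on the package tracker and in the upload announcement, so fix it before uploading. The entry also omits that 01-config.patch and 02-makefile-destdir-fix.patch were refreshed for 1.3.14 and that the latter now installs the static library as libpolarssl.a and only the polarssl_* program names; a line such as "Refresh patches for 1.3.14; keep polarssl names for the static library and programs" would make that visible without reading the debdiff.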
diff -Nru polarssl-1.3.9/debian/control polarssl-1.3.14/debian/control
--- polarssl-1.3.9/debian/control	2015-01-22 16:53:27.000000000 +0000
+++ polarssl-1.3.14/debian/control	2015-10-23 18:56:02.000000000 +0100
@@ -9,7 +9,7 @@
 Package: libpolarssl-dev
 Architecture: any
 Section: libdevel
-Depends: libc6-dev, ${misc:Depends}, libpolarssl7 (= ${binary:Version})
+Depends: libc6-dev, ${misc:Depends}, libmbedtls9 (= ${binary:Version})
 Description: lightweight crypto and SSL/TLS library
  PolarSSL is a lean open source crypto library for providing SSL and TLS
  support in your programs. It offers an intuitive API and documented header
@@ -46,7 +46,7 @@
  .
  This package contains the runtime executables.
 
-Package: libpolarssl7
+Package: libmbedtls9
 Architecture: any
 Section: libs
 Depends: ${shlibs:Depends}, ${misc:Depends}
diff -Nru polarssl-1.3.9/debian/libmbedtls9.install polarssl-1.3.14/debian/libmbedtls9.install
--- polarssl-1.3.9/debian/libmbedtls9.install	1970-01-01 01:00:00.000000000 +0100
+++ polarssl-1.3.14/debian/libmbedtls9.install	2015-10-23 18:56:02.000000000 +0100
@@ -0,0 +1 @@
+usr/lib/*.so.*
diff -Nru polarssl-1.3.9/debian/libmbedtls9.lintian-overrides polarssl-1.3.14/debian/libmbedtls9.lintian-overrides
--- polarssl-1.3.9/debian/libmbedtls9.lintian-overrides	1970-01-01 01:00:00.000000000 +0100
+++ polarssl-1.3.14/debian/libmbedtls9.lintian-overrides	2015-10-23 18:56:02.000000000 +0100
@@ -0,0 +1,3 @@
+# For compatability and to avoid conflicting with the libmbedtls-dev
+# package, the shlib symlink is called 'libpolarssl.so'
+libmbedtls9 binary: dev-pkg-without-shlib-symlink usr/lib/libmbedtls.so.9 usr/lib/libmbedtls.so
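Review bot: typo in the override comment, "compatability" should be "compatibility". More usefully, the comment should state why the override is correct: libpolarssl-dev.links (later in this debdiff) makes usr/lib/libpolarssl.so the development symlink for libmbedtls.so.9, and a usr/lib/libmbedtls.so link must not be shipped because it would collide with libmbedtls-dev from the mbedtls 2 package. Without that sentence a later maintainer may "fix" the lintian warning by adding exactly that link.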
diff -Nru polarssl-1.3.9/debian/libpolarssl-dev.links polarssl-1.3.14/debian/libpolarssl-dev.links
--- polarssl-1.3.9/debian/libpolarssl-dev.links	2015-01-22 16:53:27.000000000 +0000
+++ polarssl-1.3.14/debian/libpolarssl-dev.links	2015-10-23 18:56:02.000000000 +0100
@@ -1 +1 @@
-usr/lib/libpolarssl.so.7 usr/lib/libpolarssl.so
+usr/lib/libmbedtls.so.9 usr/lib/libpolarssl.so
diff -Nru polarssl-1.3.9/debian/libpolarssl7.install polarssl-1.3.14/debian/libpolarssl7.install
--- polarssl-1.3.9/debian/libpolarssl7.install	2015-01-22 16:53:27.000000000 +0000
+++ polarssl-1.3.14/debian/libpolarssl7.install	1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
-usr/lib/*.so.*
diff -Nru polarssl-1.3.9/debian/patches/01-config.patch polarssl-1.3.14/debian/patches/01-config.patch
--- polarssl-1.3.9/debian/patches/01-config.patch	2015-01-22 16:53:27.000000000 +0000
+++ polarssl-1.3.14/debian/patches/01-config.patch	2015-10-23 18:56:02.000000000 +0100
@@ -3,9 +3,9 @@
  capabilities
 Author: Arnaud Cornet <arnaud.cor...@gmail.com>
 
---- polarssl-1.3.9.orig/include/polarssl/config.h
-+++ polarssl-1.3.9/include/polarssl/config.h
-@@ -860,7 +860,7 @@
+--- a/include/polarssl/config.h
++++ b/include/polarssl/config.h
+@@ -1012,7 +1012,7 @@
   *
   * Comment this macro to disable support for SSL 3.0
   */
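Review bot: this hunk is a pure offset refresh (paths switched to the a/b form, hunk moved from line 860 to 1012), but the DEP-3 header visible in the context lines carries only an Author field. Since config.h grew by roughly 150 lines between 1.3.9 and 1.3.14, add a Last-Update line and confirm that each refreshed hunk still lands on the intended #define rather than being placed by fuzz.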
@@ -14,7 +14,7 @@
  
  /**
   * \def POLARSSL_SSL_PROTO_TLS1
-@@ -973,7 +973,7 @@
+@@ -1126,7 +1126,7 @@
   *
   * Uncomment this to enable pthread mutexes.
   */
@@ -23,7 +23,7 @@
  
  /**
   * \def POLARSSL_VERSION_FEATURES
-@@ -1518,7 +1518,7 @@
+@@ -1673,7 +1673,7 @@
   *
   * Uncomment to enable the HAVEGE random generator.
   */
@@ -32,7 +32,7 @@
  
  /**
   * \def POLARSSL_HMAC_DRBG_C
-@@ -1556,7 +1556,7 @@
+@@ -1711,7 +1711,7 @@
   *
   * Uncomment to enable support for (rare) MD2-signed X.509 certs.
   */
@@ -41,7 +41,7 @@
  
  /**
   * \def POLARSSL_MD4_C
-@@ -1568,7 +1568,7 @@
+@@ -1723,7 +1723,7 @@
   *
   * Uncomment to enable support for (rare) MD4-signed X.509 certs.
   */
@@ -50,9 +50,9 @@
  
  /**
   * \def POLARSSL_MD5_C
-@@ -1959,7 +1959,7 @@
+@@ -2125,7 +2125,7 @@
   *
-  * Enable this layer to allow use of mutexes within PolarSSL
+  * Enable this layer to allow use of mutexes within mbed TLS
   */
 -//#define POLARSSL_THREADING_C
 +#define POLARSSL_THREADING_C
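Review bot: the last hunk enables POLARSSL_THREADING_C, which needs a threading backend (presumably POLARSSL_THREADING_PTHREAD, handled by the hunk refreshed at line 1126 whose context reads "Uncomment this to enable pthread mutexes") and requires the shared library to be linked against pthread; confirm the 1.3.14 library Makefile still does that, otherwise consumers of libmbedtls.so.9 fail at link or load time. The earlier hunks sit directly below the "Comment this macro to disable support for SSL 3.0", "Uncomment to enable the HAVEGE random generator", MD2-signed and MD4-signed certificate comments; since this upload is a security update, re-check that whatever this patch toggles there is still wanted, because keeping SSL 3.0 and MD2/MD4 signature support enabled widens the attack surface of every reverse dependency.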
diff -Nru polarssl-1.3.9/debian/patches/02-makefile-destdir-fix.patch polarssl-1.3.14/debian/patches/02-makefile-destdir-fix.patch
--- polarssl-1.3.9/debian/patches/02-makefile-destdir-fix.patch	2015-01-22 16:53:27.000000000 +0000
+++ polarssl-1.3.14/debian/patches/02-makefile-destdir-fix.patch	2015-10-23 18:56:02.000000000 +0100
@@ -2,10 +2,10 @@
  This patch adjusts DESTDIR to FHS
 Author: Arnaud Cornet <arnaud.cor...@gmail.com>
 
---- polarssl-1.3.2.orig/Makefile
-+++ polarssl-1.3.2/Makefile
-@@ -17,18 +17,18 @@ lib:
- 	cd library  && $(MAKE) all && cd ..
+--- a/Makefile
++++ b/Makefile
+@@ -19,20 +19,19 @@ tests:	lib
+ 	$(MAKE) -C tests
  
  install:
 -	mkdir -p $(DESTDIR)/include/polarssl
@@ -14,18 +14,21 @@
 +	cp -r include/polarssl $(DESTDIR)/usr/include
  	
 -	mkdir -p $(DESTDIR)/lib
--	cp library/libpolarssl.* $(DESTDIR)/lib
+-	cp -RP library/libpolarssl.* library/libmbedtls.* $(DESTDIR)/lib
 +	mkdir -p $(DESTDIR)/usr/lib
-+	cp library/libpolarssl.* $(DESTDIR)/usr/lib
++	cp library/libmbedtls.so.* $(DESTDIR)/usr/lib
++	cp library/libmbedtls.a $(DESTDIR)/usr/lib/libpolarssl.a
  	
 -	mkdir -p $(DESTDIR)/bin
 +	mkdir -p $(DESTDIR)/usr/bin
  	for p in programs/*/* ; do              \
  	    if [ -x $$p ] && [ ! -d $$p ] ;     \
  	    then                                \
- 	        f=$(PREFIX)`basename $$p` ;     \
+-	        f=$(PREFIX)`basename $$p` ;     \
+ 	        o=$(OLDPREFIX)`basename $$p` ;  \
 -	        cp $$p $(DESTDIR)/bin/$$f ;     \
-+	        cp $$p $(DESTDIR)/usr/bin/$$f ;     \
+-	        ln -sf $$f $(DESTDIR)/bin/$$o ; \
++	        cp $$p $(DESTDIR)/usr/bin/$$o ;     \
  	    fi                                  \
  	done
  
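Review bot: the patch now does more than its Description ("This patch adjusts DESTDIR to FHS") says: it installs the static library under the old name via `cp library/libmbedtls.a $(DESTDIR)/usr/lib/libpolarssl.a`, removes the `f=$(PREFIX)...` assignment so only the `$(OLDPREFIX)` (polarssl_*) program names are installed and no mbedtls_* names or symlinks are created, and drops upstream's `-RP` from the library copy. Update the DEP-3 Description to say so, since this renaming is what keeps the package co-installable with mbedtls 2. One check on the `cp library/libmbedtls.so.* $(DESTDIR)/usr/lib` line: without `-P` cp follows symlinks, which is harmless when the only match is the real libmbedtls.so.9 but would install a second full copy if upstream's library directory also contains a versioned symlink (upstream's own `cp -RP library/libpolarssl.* library/libmbedtls.*` suggests it creates some).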
diff -Nru polarssl-1.3.9/debian/patches/CVE-2015-1182.patch polarssl-1.3.14/debian/patches/CVE-2015-1182.patch
--- polarssl-1.3.9/debian/patches/CVE-2015-1182.patch	2015-01-22 16:53:27.000000000 +0000
+++ polarssl-1.3.14/debian/patches/CVE-2015-1182.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,33 +0,0 @@
-Description: Remote attack using crafted certificates
- During the parsing of a ASN.1 sequence, a pointer in the linked list of
- asn1_sequence is not initialized by asn1_get_sequence_of(). In case an
- error occurs during parsing of the list, a situation is created where
- the uninitialized pointer is passed to polarssl_free().
- .
- This sequence can be triggered when a PolarSSL entity is parsing a
- certificate. So practically this means clients when receiving a
- certificate from the server or servers in case they are actively asking
- for a client certificate.
- .
- Depending on the attackers knowledge of the system under attack, this
- results at the lowest into a denial of service, and at the most a
- possible remote code execution.
- .
- CVE-2015-1182
-Origin: upstream, https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-04
-Bug-Debian: https://bugs.debian.org/775776
-Forwarded: not-needed
-Author: Salvatore Bonaccorso <car...@debian.org>
-Last-Update: 2015-01-21
-
---- a/library/asn1parse.c
-+++ b/library/asn1parse.c
-@@ -278,6 +278,8 @@ int asn1_get_sequence_of( unsigned char
-             if( cur->next == NULL )
-                 return( POLARSSL_ERR_ASN1_MALLOC_FAILED );
- 
-+            memset( cur->next, 0, sizeof( asn1_sequence ) );
-+
-             cur = cur->next;
-         }
-     }
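Review bot: dropping CVE-2015-1182.patch is only correct if the zeroing of the freshly allocated asn1_sequence node in asn1_get_sequence_of() (the two `+` lines in the removed patch, `memset( cur->next, 0, sizeof( asn1_sequence ) );`) is present in 1.3.14. The changelog says "applied upstream", so a quick grep of library/asn1parse.c in the new tarball before upload would settle it; if upstream fixed it differently, note that in the changelog instead.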
diff -Nru polarssl-1.3.9/debian/patches/series polarssl-1.3.14/debian/patches/series
--- polarssl-1.3.9/debian/patches/series	2015-01-22 16:53:27.000000000 +0000
+++ polarssl-1.3.14/debian/patches/series	2015-10-23 18:56:02.000000000 +0100
@@ -1,3 +1,2 @@
 01-config.patch
 02-makefile-destdir-fix.patch
-CVE-2015-1182.patch
diff -Nru polarssl-1.3.9/debian/rules polarssl-1.3.14/debian/rules
--- polarssl-1.3.9/debian/rules	2015-01-22 16:53:27.000000000 +0000
+++ polarssl-1.3.14/debian/rules	2015-10-23 18:56:02.000000000 +0100
@@ -10,9 +10,9 @@
 
 override_dh_auto_build:
 	$(MAKE) -C library SHARED=1 shared
-	mv library/libpolarssl.so.7 library/SOBACKUP
+	mv library/libmbedtls.so.9 library/SOBACKUP
 	$(MAKE) clean
-	mv library/SOBACKUP library/libpolarssl.so.7
+	mv library/SOBACKUP library/libmbedtls.so.9
 	$(MAKE) all
 	$(MAKE) check
 
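Review bot: the SONAME major 9 is now hard-coded in four places (this rules hunk, the libmbedtls9 package name in debian/control, libpolarssl-dev.links and libmbedtls9.lintian-overrides). A comment in debian/rules listing the other three, or a single variable that the .links and override files are generated from, would keep the next SONAME bump from missing one. The SOBACKUP save/clean/restore sequence otherwise looks correct for the renamed library.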
