Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
Hi Stable Release Managers, X-Debbugs-CC'ed Andreas Metzler.

gnutls28 in jessie is affected by CVE-2016-7444, GNUTLS-SA-2016-3, having a flaw in the OCSP certificate check. This was fixed upstream and included in unstable with 3.5.3-4 but would not warrant a DSA.

Attached is the proposed debdiff for jessie. Would it be acceptable for an upcoming point release?

Regards,
Salvatore
diff -Nru gnutls28-3.3.8/debian/changelog gnutls28-3.3.8/debian/changelog --- gnutls28-3.3.8/debian/changelog 2015-08-14 18:29:51.000000000 +0200 +++ gnutls28-3.3.8/debian/changelog 2016-10-09 14:36:18.000000000 +0200 @@ -1,3 +1,11 @@ +gnutls28 (3.3.8-6+deb8u4) jessie; urgency=medium + + * Non-maintainer upload. + * CVE-2016-7444: Incorrect certificate validation when using OCSP responses + (GNUTLS-SA-2016-3) + + -- Salvatore Bonaccorso <[email protected]> Sun, 09 Oct 2016 14:36:18 +0200 + gnutls28 (3.3.8-6+deb8u3) jessie; urgency=medium * Pull 50_Handle-zero-length-plaintext-for-VIA-PadLock-functio.patch from diff -Nru gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch --- gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch 2016-10-09 14:36:18.000000000 +0200 
@@ -0,0 +1,24 @@ +From 964632f37dfdfb914ebc5e49db4fa29af35b1de9 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <[email protected]> +Date: Sat, 27 Aug 2016 17:00:22 +0200 +Subject: [PATCH] ocsp: corrected the comparison of the serial size in OCSP + response + +Previously the OCSP certificate check wouldn't verify the serial length +and could succeed in cases it shouldn't. + +Reported by Stefan Buehler. +--- + lib/x509/ocsp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/lib/x509/ocsp.c ++++ b/lib/x509/ocsp.c +@@ -1251,6 +1251,7 @@ gnutls_ocsp_resp_check_crt(gnutls_ocsp_r + gnutls_assert(); + goto cleanup; + } ++ cserial.size = t; + + if (rserial.size != cserial.size + || memcmp(cserial.data, rserial.data, rserial.size) != 0) { diff -Nru gnutls28-3.3.8/debian/patches/series gnutls28-3.3.8/debian/patches/series --- gnutls28-3.3.8/debian/patches/series 2015-08-13 19:52:00.000000000 +0200 +++ gnutls28-3.3.8/debian/patches/series 2016-10-09 14:36:18.000000000 +0200 @@ -14,3 +14,4 @@ 51_0001__gnutls_session_sign_algo_enabled-do-not-consider-an.patch 51_0002_before-falling-back-to-SHA1-as-signature-algorithm-i.patch 51_0003_tests-added-reproducer-for-the-MD5-acceptance-issue.patch +52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch
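Review bot: in the lib/x509/ocsp.c hunk, the added `cserial.size = t;` lands directly before `if (rserial.size != cserial.size`, but the three context lines above it do not show where `t` is assigned; when applying this to the 3.3.8 tree, confirm that `t` is the actual serial length written back by the serial retrieval call earlier in gnutls_ocsp_resp_check_crt (the in/out size argument) and not the buffer capacity, since that is what the commit message ("wouldn't verify the serial length") relies on. With the size check in place the following `memcmp(cserial.data, rserial.data, rserial.size)` is only reached when both lengths match, which is the intended fix; also worth noting in the upload that the backport carries no accompanying test, so a quick manual OCSP check against a jessie build would be a useful sanity step.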
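Review bot: the debian/changelog hunk references only CVE-2016-7444 and GNUTLS-SA-2016-3; consider also citing the upstream commit (964632f37dfdfb914ebc5e49db4fa29af35b1de9, as given in the patch header) so the provenance of the single-line fix is traceable from the changelog alone, e.g. "* CVE-2016-7444: Incorrect certificate validation when using OCSP responses (GNUTLS-SA-2016-3, upstream commit 964632f)".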