Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2012-02-21 12:38:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and      /work/SRC/openSUSE:Factory/.gnutls.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "gnutls", Maintainer is "g...@suse.com"

Changes:
--------
--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes    2011-12-02 
16:25:51.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.gnutls.new/gnutls.changes       2012-02-21 
12:38:10.000000000 +0100
@@ -1,0 +2,6 @@
+Mon Feb 13 06:09:57 UTC 2012 - g...@suse.com
+
+- fix Bug[bnc#739898] - VUL-1: CVE-2012-0390: GnuTLS DTLS plaintext 
+  recovery attack.
+
+-------------------------------------------------------------------
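Review bot: The new entry at "+- fix Bug[bnc#739898]" names the bug and the CVE but not the patch file that carries the fix. Adding "(CVE-2012-0390.patch)" to the entry would let a reader of the changelog map it to the Patch3 line in the spec.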

New:
----
  CVE-2012-0390.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ gnutls.spec ++++++
--- /var/tmp/diff_new_pack.wtjTK7/_old  2012-02-21 12:38:12.000000000 +0100
+++ /var/tmp/diff_new_pack.wtjTK7/_new  2012-02-21 12:38:12.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package gnutls
 #
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -35,6 +35,7 @@
 # PATCH-FIX-UPSTREAM gnutls-fix-crash-on-strcat.patch bnc#724421 
vu...@opensuse.org -- Fix a crash because of badly used strcat, sent upstream 
by mail on 2011-10-17
 Patch1:         gnutls-fix-crash-on-strcat.patch
 Patch2:         CVE-2011-4128.patch
+Patch3:         CVE-2012-0390.patch
 BuildRequires:  automake
 BuildRequires:  gcc-c++
 BuildRequires:  libnettle-devel >= 2.2
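Review bot: The added "Patch3: CVE-2012-0390.patch" line has no descriptive comment above it, unlike Patch1, which carries a PATCH-FIX-UPSTREAM line with its bug number and upstream status. A comment giving bnc#739898 and stating where the fix comes from would make the patch's origin checkable from the spec alone.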
@@ -158,6 +159,7 @@
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 %build
 %configure \

++++++ CVE-2012-0390.patch ++++++
Index: gnutls-3.0.3/lib/gnutls_cipher.c
===================================================================
--- gnutls-3.0.3.orig/lib/gnutls_cipher.c
+++ gnutls-3.0.3/lib/gnutls_cipher.c
@@ -559,7 +559,12 @@ ciphertext_to_compressed (gnutls_session
           }
 
       if (length < 0)
-        length = 0;
+      {
+             /* Setting a proper length to prevent timing differences in
+              * processing of records with invalid encryption.
+              */
+             length = ciphertext->size - tag_size;
+      }
 
       /* Pass the type, version, length and compressed through
        * MAC.
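Review bot: In the new branch under "if (length < 0)", the assignment "length = ciphertext->size - tag_size;" can itself be negative when ciphertext->size is smaller than tag_size, and nothing in this hunk shows that case being rejected beforehand. Since length is passed straight into the MAC computation below, either point to the earlier check that guarantees ciphertext->size >= tag_size or add an explicit guard here. The stated goal of the comment (no timing difference for records with invalid encryption) only holds if the fallback length is always a valid one.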
