Hello community, here is the log from the commit of package gnutls for openSUSE:Factory checked in at 2012-02-21 12:38:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gnutls (Old) and /work/SRC/openSUSE:Factory/.gnutls.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnutls", Maintainer is "g...@suse.com" Changes: -------- --- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes 2011-12-02 16:25:51.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.gnutls.new/gnutls.changes 2012-02-21 12:38:10.000000000 +0100 @@ -1,0 +2,6 @@ +Mon Feb 13 06:09:57 UTC 2012 - g...@suse.com + +- fix Bug[bnc#739898] - VUL-1: CVE-2012-0390: GnuTLS DTLS plaintext + recovery attack. + +------------------------------------------------------------------- New: ---- CVE-2012-0390.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnutls.spec ++++++ --- /var/tmp/diff_new_pack.wtjTK7/_old 2012-02-21 12:38:12.000000000 +0100 +++ /var/tmp/diff_new_pack.wtjTK7/_new 2012-02-21 12:38:12.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package gnutls # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -35,6 +35,7 @@ # PATCH-FIX-UPSTREAM gnutls-fix-crash-on-strcat.patch bnc#724421 vu...@opensuse.org -- Fix a crash because of badly used strcat, sent upstream by mail on 2011-10-17 Patch1: gnutls-fix-crash-on-strcat.patch Patch2: CVE-2011-4128.patch +Patch3: CVE-2012-0390.patch BuildRequires: automake BuildRequires: gcc-c++ BuildRequires: libnettle-devel >= 2.2 @@ -158,6 +159,7 @@ %patch0 -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 %build %configure \ ++++++ CVE-2012-0390.patch ++++++ Index: gnutls-3.0.3/lib/gnutls_cipher.c =================================================================== --- gnutls-3.0.3.orig/lib/gnutls_cipher.c +++ gnutls-3.0.3/lib/gnutls_cipher.c 
@@ -559,7 +559,12 @@ ciphertext_to_compressed (gnutls_session } if (length < 0) - length = 0; + { + /* Setting a proper length to prevent timing differences in + * processing of records with invalid encryption. + */ + length = ciphertext->size - tag_size; + } /* Pass the type, version, length and compressed through * MAC.
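Review bot: In the gnutls.spec hunk at -35,6, the new "Patch3: CVE-2012-0390.patch" line has no descriptive comment above it, unlike Patch1, which carries a "# PATCH-FIX-UPSTREAM ... bnc#724421" line. Add a matching comment that names bnc#739898 and states where the patch came from, so the spec file itself records why the patch is applied.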
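Review bot: In the lib/gnutls_cipher.c hunk at -559,7, the new fallback "length = ciphertext->size - tag_size;" is assigned with no visible check that ciphertext->size is at least tag_size, so the "if (length < 0)" branch, which used to guarantee a non-negative length through "length = 0", no longer guarantees it by itself. If an earlier check in ciphertext_to_compressed already rejects records shorter than the tag, state that in the new comment; otherwise clamp the result before it is passed through the MAC. The comment could also name CVE-2012-0390, so the reason for MACing a full-length record when the encryption is invalid stays discoverable from the source.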