On 23.10.23 at 22:02, Salvatore Bonaccorso wrote:
diff -Nru wolfssl-5.5.4/debian/changelog wolfssl-5.5.4/debian/changelog
--- wolfssl-5.5.4/debian/changelog      2023-02-06 14:41:53.000000000 +0000
+++ wolfssl-5.5.4/debian/changelog      2023-10-23 17:46:16.000000000 +0000
@@ -1,3 +1,10 @@
+wolfssl (5.5.4-2+deb12u1) bookworm; urgency=medium
+
+  * Stable update to address the following vulnerabilities:
+    - Fix CVE-2023-3724.

Should the changelog entry also close #1041699?

I do not mind adding the bug reference, but usually the Security Team's bugs
say that one should not close them but rather edit their fixed values.
And the bug is already closed. I am including the debdiff with the bug
reference and will let you choose.
diff -Nru wolfssl-5.5.4/debian/changelog wolfssl-5.5.4/debian/changelog
--- wolfssl-5.5.4/debian/changelog      2023-02-06 14:41:53.000000000 +0000
+++ wolfssl-5.5.4/debian/changelog      2023-10-23 17:46:16.000000000 +0000
@@ -1,3 +1,10 @@
+wolfssl (5.5.4-2+deb12u1) bookworm; urgency=medium
+
+  * Stable update to address the following vulnerabilities:
+    - Fix CVE-2023-3724. (see #1041699)
+
+ -- Bastian Germann <b...@debian.org>  Mon, 23 Oct 2023 17:46:16 +0000
+
 wolfssl (5.5.4-2) unstable; urgency=medium
 
   * Clarify in README.Debian and in the package descriptions that wolfssl is
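Review bot: the bullet reads "the following vulnerabilities" but the entry lists a single item, CVE-2023-3724, so the wording should be singular; and since the question above is whether this entry should close #1041699, note that "(see #1041699)" is not recognised by the BTS as a closer, whereas "Closes: #1041699" is, so the form chosen here is what decides that behaviour.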
diff -Nru wolfssl-5.5.4/debian/patches/cve-2023-3724.patch 
wolfssl-5.5.4/debian/patches/cve-2023-3724.patch
--- wolfssl-5.5.4/debian/patches/cve-2023-3724.patch    1970-01-01 
00:00:00.000000000 +0000
+++ wolfssl-5.5.4/debian/patches/cve-2023-3724.patch    2023-10-23 
17:46:16.000000000 +0000
@@ -0,0 +1,47 @@
+Origin: backport, 00f1eddee429ff51390b20caadd2eb6afe51e1aa
+From: Jacob Barthelmeh <ja...@wolfssl.com>
+Date: Mon, 15 May 2023 15:49:44 -0700
+Subject: add tls extension sanity check
+
+---
+ src/tls.c   |  3 +++
+ src/tls13.c | 10 ++++++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/src/tls.c b/src/tls.c
+index bced9f9b13f..9bbabfb14e2 100644
+--- a/src/tls.c
++++ b/src/tls.c
+@@ -8475,6 +8475,9 @@ int TLSX_KeyShare_Parse(WOLFSSL* ssl, const byte* input, 
word16 length,
+         if (!WOLFSSL_NAMED_GROUP_IS_PQC(group))
+ #endif
+             ret = TLSX_KeyShare_Use(ssl, group, 0, NULL, NULL);
++
++        if (ret == 0)
++            ssl->session->namedGroup = ssl->namedGroup = group;
+     }
+     else {
+         /* Not a message type that is allowed to have this extension. */
+diff --git a/src/tls13.c b/src/tls13.c
+index e5360790b3b..0f1bbc1aad1 100644
+--- a/src/tls13.c
++++ b/src/tls13.c
+@@ -5236,8 +5236,18 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, 
word32* inOutIdx,
+         }
+ #endif
+ 
++        /* sanity check on PSK / KSE */
++        if (
++    #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
++            ssl->options.pskNegotiated == 0 &&
++    #endif
++            ssl->session->namedGroup == 0) {
++            return EXT_MISSING;
++        }
++
+         ssl->keys.encryptionOn = 1;
+         ssl->options.serverState = SERVER_HELLO_COMPLETE;
++
+     }
+     else {
+         ssl->options.tls1_3 = 1;
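Review bot: the DEP-3 header of cve-2023-3724.patch records the upstream commit (`Origin: backport, 00f1eddee429ff51390b20caadd2eb6afe51e1aa`) but has no `Bug-Debian:` or `Bug:` line and mentions CVE-2023-3724 only in the file name; add `Bug-Debian: https://bugs.debian.org/1041699` and the CVE identifier to the description so the patch documents what it fixes. The long hunk headers have also been wrapped by the mail client (`@@ -8475,6 +8475,9 @@ int TLSX_KeyShare_Parse(WOLFSSL* ssl, const byte* input,` continues on the next line, likewise the DoTls13ServerHello header), so this debdiff will not apply when copied from the mail body; please attach it as a file. On the logic, the new check in DoTls13ServerHello only works because the tls.c hunk now stores the negotiated group in `ssl->session->namedGroup` after a successful TLSX_KeyShare_Use, so the two hunks must land together; with both applied, a ServerHello that negotiated neither a PSK nor a key share is rejected with EXT_MISSING before `encryptionOn` is set, which is the intended effect.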
diff -Nru wolfssl-5.5.4/debian/patches/series 
wolfssl-5.5.4/debian/patches/series
--- wolfssl-5.5.4/debian/patches/series 2022-11-07 17:38:12.000000000 +0000
+++ wolfssl-5.5.4/debian/patches/series 2023-10-23 17:46:16.000000000 +0000
@@ -4,3 +4,4 @@
 fix-hurd-i386-flags.patch
 disable-crl-monitor.patch
 disable-jobserver.patch
+cve-2023-3724.patch
