Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gnutl...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:gnutls28
Hello,
I would like to fix both CVE-2024-0567 and CVE-2024-0553 via an
oldstable-updates since they do not require a DSA.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
diff -Nru gnutls28-3.7.1/debian/changelog gnutls28-3.7.1/debian/changelog
--- gnutls28-3.7.1/debian/changelog 2023-11-30 11:37:44.0 +0100
+++ gnutls28-3.7.1/debian/changelog 2024-01-20 07:56:15.0 +0100
@@ -1,3 +1,13 @@
+gnutls28 (3.7.1-5+deb11u5) bullseye; urgency=medium
+
+ * Cherrypick two CVE fixes from 3.8.3:
+Fix assertion failure when verifying a certificate chain with a cycle of
+cross signatures. CVE-2024-0567 GNUTLS-SA-2024-01-09 Closes: #1061045
+Fix more timing side-channel inside RSA-PSK key exchange. CVE-2024-0553
+GNUTLS-SA-2024-01-14 Closes: #1061046
+
+ -- Andreas Metzler Sat, 20 Jan 2024 07:56:15 +0100
+
gnutls28 (3.7.1-5+deb11u4) bullseye; urgency=medium
* Backport fix for CVE-2023-5981 / GNUTLS-SA-2023-10-23 (timing sidechannel
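Review bot: the new changelog entry (lines "Cherrypick two CVE fixes from 3.8.3" through "Closes: #1061046") does not name the debian/patches files or upstream commit ids being cherry-picked, so the entry cannot be mapped to the debdiff without reading the patch headers; consider listing the patch file names next to each CVE (the first one is 63-x509-detect-loop-in-certificate-chain.patch, whose header records upstream commit 9edbdaa84e38b1bfb53a7d72c1de44f8de373405). The visible part of the debdiff shows only that first patch; confirm the RSA-PSK timing patch for CVE-2024-0553 and both debian/patches/series additions are part of the upload as well.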
diff -Nru gnutls28-3.7.1/debian/patches/63-x509-detect-loop-in-certificate-chain.patch gnutls28-3.7.1/debian/patches/63-x509-detect-loop-in-certificate-chain.patch
--- gnutls28-3.7.1/debian/patches/63-x509-detect-loop-in-certificate-chain.patch 1970-01-01 01:00:00.0 +0100
+++ gnutls28-3.7.1/debian/patches/63-x509-detect-loop-in-certificate-chain.patch 2024-01-20 07:56:15.0 +0100
@@ -0,0 +1,188 @@
+From 9edbdaa84e38b1bfb53a7d72c1de44f8de373405 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno
+Date: Thu, 11 Jan 2024 15:45:11 +0900
+Subject: [PATCH 1/2] x509: detect loop in certificate chain
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+There can be a loop in a certificate chain, when multiple CA
+certificates are cross-signed with each other, such as A → B, B → C,
+and C → A. Previously, the verification logic was not capable of
+handling this scenario while sorting the certificates in the chain in
+_gnutls_sort_clist, resulting in an assertion failure. This patch
+properly detects such loop and aborts further processing in a graceful
+manner.
+
+Signed-off-by: Daiki Ueno
+---
+ lib/x509/common.c | 4 ++
+ tests/test-chains.h | 125
+ 2 files changed, 129 insertions(+)
+
+--- a/lib/x509/common.c
b/lib/x509/common.c
+@@ -1794,10 +1794,14 @@ unsigned int _gnutls_sort_clist(gnutls_x
+ prev = issuer[prev];
+ if (prev < 0) { /* no issuer */
+ break;
+ }
+
++ if (insorted[prev]) { /* loop detected */
++ break;
++ }
++
+ sorted[i] = clist[prev];
+ insorted[prev] = 1;
+ }
+
+ /* append the remaining certs */
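Review bot: the new `if (insorted[prev]) { /* loop detected */ break; }` check only works if every index of `insorted[]` is zero-initialised before the walk and the starting certificate (the one placed in `sorted[0]`) is marked as inserted before issuers are followed; neither is within the four lines of context shown, and if the start certificate is not marked, a cycle that returns to index 0 (the A -> B -> C -> A case from the commit message) would still not be detected. Please confirm both against the surrounding code in 3.7.1, since this is a cherry-pick from 3.8.3 and `_gnutls_sort_clist` may differ between the versions. Note also that after `break` the "append the remaining certs" path still emits the certificates that were not sorted, so the chain is passed on unsorted rather than rejected; that is the intended graceful abort, but the changelog wording "aborts further processing" could be made more precise.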
+--- a/tests/test-chains.h
b/tests/test-chains.h
+@@ -4261,10 +4261,133 @@ static const char *rsa_sha1_not_in_trust
+ "tnYFXKC0Q+QUf38horqG2Mc3/uh8MOm0eYUXwGJOdXYD\n"
+ "-END CERTIFICATE-\n",
+ NULL
+ };
+
++static const char *cross_signed[] = {
++ /* server (signed by A1) */
++ "-BEGIN CERTIFICATE-\n"
++ "MIIBqDCCAVqgAwIBAgIUejlil+8DBffazcnMNwyOOP6yCCowBQYDK2VwMBoxGDAW\n"
++ "BgNVBAMTD0ludGVybWVkaWF0ZSBBMTAgFw0yNDAxMTEwNjI3MjJaGA85OTk5MTIz\n"
++ "MTIzNTk1OVowNzEbMBkGA1UEChMSR251VExTIHRlc3Qgc2VydmVyMRgwFgYDVQQD\n"
++ "Ew90ZXN0LmdudXRscy5vcmcwKjAFBgMrZXADIQA1ZVS0PcNeTPQMZ+FuVz82AHrj\n"
++ "qL5hWEpCDgpG4M4fxaOBkjCBjzAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGCD3Rl\n"
++ "c3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMC\n"
++ "B4AwHQYDVR0OBBYEFGtEUv+JSt+zPoO3lu0IiObZVoiNMB8GA1UdIwQYMBaAFPnY\n"
++ "v6Pw0IvKSqIlb6ewHyEAmTA3MAUGAytlcANBAAS2lyc87kH/aOvNKzPjqDwUYxPA\n"
++ "CfYjyaKea2d0DZLBM5+Bjnj/4aWwTKgVTJzWhLJcLtaSdVHrXqjr9NhEhQ0=\n"
++ "-END CERTIFICATE-\n",
++ /* A1 (signed by A) */
++ "-BEGIN CERTIFICATE-\n"
++ "MIIBUjCCAQSgAwIBAgIUe/R+NVp04e74ySw2qgI6KZgFR20wBQYDK2VwMBExDzAN\n"
++ "BgNVBAMTBlJvb3QgQTAgFw0yNDAxMTEwNjI1MDFaGA85OTk5MTIzMTIzNTk1OVow\n"
++ "GjEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIEExMCowBQYDK2VwAyEAlkTNqwz973sy\n"
++ "u3whMjSiUMs77CZu5YA7Gi5KcakExrKjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYD\n"
++ "VR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT52L+j8NCLykqiJW+nsB8hAJkwNzAfBgNV\n"
++ "HSMEGDAWgBRbYgOkRGsd3Z74+CauX4htzLg0lzAFBgMrZXADQQBM0NBaFVPd3cTJ\n"
++ "DSaZNT34fsHuJk4eagpn8mBxKQpghq4s8Ap+nYtp2KiXjcizss53PeLXVnkfyLi0\n"
++ "TLVBHvUJ\n"
++ "-END CERTIFICATE-\n",
++ /* A (signed by B) */
++ "-BEGIN CERTIFICATE-\n"
++ "MIIBSDCB+6ADAgECAhQtdJpg+qlPcLoRW8iiztJUD4xNvDAFBgMrZXAwETEPMA0G\n"
++
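Review bot: the `cross_signed[]` test data is cut off in this debdiff view after the third certificate ("A (signed by B)"), while the hunk header advertises +133 lines; make sure the uploaded patch carries the complete array including its `NULL` terminator and the matching `chains[]` entry that references `cross_signed` with the expected verification result, otherwise the cycle is never exercised by `tests/test-chains`. Also check the PEM delimiters: the certificates appear here as `-BEGIN CERTIFICATE-` / `-END CERTIFICATE-` rather than the standard five-dash form; if that is not just display mangling, the test certificates will not parse at all and the test will fail for the wrong reason.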