Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Good morning,

I would like to see #933538 fixed in buster, which is an interoperability problem with old (2.x, that is wheezy) versions of gnutls.

cu Andreas
[The following lists of changes regard files as different if they have different names, permissions or owners.]
Control files of package gnutls-bin: lines which differ (wdiff format) ---------------------------------------------------------------------- Installed-Size: [-1587-] {+1588+} Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+}
Control files of package gnutls-bin-dbgsym: lines which differ (wdiff format) ----------------------------------------------------------------------------- Depends: gnutls-bin (= [-3.6.7-4)-] {+3.6.7-4+deb10u1)+} Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+}
Control files of package gnutls-doc:
lines which differ (wdiff format) ---------------------------------------------------------------------- Installed-Size: [-7334-] {+7335+} Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+} Control files of package libgnutls-dane0: lines which differ (wdiff format) --------------------------------------------------------------------------- Depends: libgnutls30 (= [-3.6.7-4),-] {+3.6.7-4+deb10u1),+} libc6 (>= 2.14), libunbound8 (>= 1.8.0) Installed-Size: [-369-] {+370+} Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+} Control files of package libgnutls-dane0-dbgsym: lines which differ (wdiff format) ---------------------------------------------------------------------------------- Build-Ids: [-d328298de34135fca5f236357f2f2dd56cb109f3-] {+b17a60f0701c7de3d7e5e921305846b5efbc3c91+} Depends: libgnutls-dane0 (= [-3.6.7-4)-] {+3.6.7-4+deb10u1)+} Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+} Control files of package libgnutls-openssl27: lines which differ (wdiff format) ------------------------------------------------------------------------------- Depends: libgnutls30 (= [-3.6.7-4),-] {+3.6.7-4+deb10u1),+} libc6 (>= 2.14) Installed-Size: [-372-] {+373+} Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+} Control files of package libgnutls-openssl27-dbgsym: lines which differ (wdiff format) -------------------------------------------------------------------------------------- Build-Ids: [-fe4c3c0c38af44779c38ae5d1e187b6250f7afe0-] {+5e61e31c2ae39982eeb14ae1c8f66aff43e1083a+} Depends: libgnutls-openssl27 (= [-3.6.7-4)-] {+3.6.7-4+deb10u1)+} Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+} Control files of package libgnutls28-dev: lines which differ (wdiff format) --------------------------------------------------------------------------- Depends: libc6-dev | libc-dev, libgnutls-dane0 (= [-3.6.7-4),-] {+3.6.7-4+deb10u1),+} libgnutls-openssl27 (= [-3.6.7-4),-] {+3.6.7-4+deb10u1),+} libgnutls30 (= [-3.6.7-4),-] {+3.6.7-4+deb10u1),+} libgnutlsxx28 (= [-3.6.7-4),-] {+3.6.7-4+deb10u1),+} libidn2-dev, libp11-kit-dev (>= 
0.23.10), libtasn1-6-dev, nettle-dev (>= 3.4.1~rc1) Installed-Size: [-4313-] {+4314+} Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+} Control files of package libgnutls30: lines which differ (wdiff format) ----------------------------------------------------------------------- Installed-Size: [-2643-] {+2644+} Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+} Control files of package libgnutls30-dbgsym: lines which differ (wdiff format) ------------------------------------------------------------------------------ Build-Ids: [-4d66d28cd2e7537e1e1d2905595b260226b22ad2-] {+1ca9574531f2bffce01464c8a654b2e0c2ed894b+} Depends: libgnutls30 (= [-3.6.7-4)-] {+3.6.7-4+deb10u1)+} Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+} Control files of package libgnutlsxx28: lines which differ (wdiff format) ------------------------------------------------------------------------- Depends: libgnutls30 (= [-3.6.7-4),-] {+3.6.7-4+deb10u1),+} libc6 (>= 2.14), libgcc1 (>= 1:3.0), libstdc++6 (>= 5) Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+} Control files of package libgnutlsxx28-dbgsym: lines which differ (wdiff format) -------------------------------------------------------------------------------- Build-Ids: [-d752158b357b5875ebc8680001b57a886b94a1a4-] {+b8bd0e5aecb48c352850674891129476d08d016a+} Depends: libgnutlsxx28 (= [-3.6.7-4)-] {+3.6.7-4+deb10u1)+} Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+} diff -Nru gnutls28-3.6.7/debian/changelog gnutls28-3.6.7/debian/changelog --- gnutls28-3.6.7/debian/changelog 2019-06-12 19:21:23.000000000 +0200 +++ gnutls28-3.6.7/debian/changelog 2019-11-30 13:41:59.000000000 +0100 
@@ -1,3 +1,11 @@ +gnutls28 (3.6.7-4+deb10u1) buster; urgency=medium + + * 42_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch + from 3.6.10: Fix interop problems with gnutls 2.x. Closes: #933538 + (Thanks, Hanno Stock!) + + -- Andreas Metzler <ametz...@debian.org> Sat, 30 Nov 2019 13:41:59 +0100 + gnutls28 (3.6.7-4) unstable; urgency=medium * Cherry-pick important bug-fixes from 3.6.8: diff -Nru gnutls28-3.6.7/debian/patches/42_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch gnutls28-3.6.7/debian/patches/42_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch --- gnutls28-3.6.7/debian/patches/42_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.6.7/debian/patches/42_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch 2019-11-30 13:41:59.000000000 +0100 
@@ -0,0 +1,63 @@ +From daa49b9e455d262a1a2bc1b641e72dc004e2cb3e Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <n...@gnutls.org> +Date: Sat, 3 Aug 2019 21:51:58 +0200 +Subject: [PATCH] _gnutls_epoch_set_keys: do not forbid random padding in + TLS1.x CBC ciphersuites + +Since some point in 3.6.x we updated the calculation of maximum record size, +however that did not include the possibility of random record padding available +for CBC ciphersuites which exceeds the maximum. This commit allows for larger +sizes for these ciphersuites to account for random padding as applied by +gnutls 2.12.x. + +Resolves: #811 + +Signed-off-by: Nikos Mavrogiannopoulos <n...@gnutls.org> +--- + NEWS | 4 ++++ + lib/constate.c | 11 +++++++++-- + lib/record.c | 4 ++-- + 3 files changed, 15 insertions(+), 4 deletions(-) + +diff --git a/lib/constate.c b/lib/constate.c +index 51a4eca30..4c6ca0fd0 100644 +--- a/lib/constate.c ++++ b/lib/constate.c +@@ -707,10 +707,17 @@ int _gnutls_epoch_set_keys(gnutls_session_t session, uint16_t epoch, hs_stage_t + return gnutls_assert_val(ret); + } + +- if (ver->tls13_sem) { ++ /* The TLS1.3 limit of 256 additional bytes is also enforced under CBC ++ * ciphers to ensure we interoperate with gnutls 2.12.x which could add padding ++ * data exceeding the maximum. 
*/ ++ if (ver->tls13_sem || _gnutls_cipher_type(params->cipher) == CIPHER_BLOCK) { + session->internals.max_recv_size = 256; + } else { +- session->internals.max_recv_size = _gnutls_record_overhead(ver, params->cipher, params->mac, 1); ++ session->internals.max_recv_size = 0; ++ } ++ ++ if (!ver->tls13_sem) { ++ session->internals.max_recv_size += _gnutls_record_overhead(ver, params->cipher, params->mac, 1); + if (session->internals.allow_large_records != 0) + session->internals.max_recv_size += EXTRA_COMP_SIZE; + } +diff --git a/lib/record.c b/lib/record.c +index 39d2a16be..7c7e36561 100644 +--- a/lib/record.c ++++ b/lib/record.c +@@ -1219,8 +1219,8 @@ static int recv_headers(gnutls_session_t session, + + if (record->length == 0 || record->length > max_record_recv_size(session)) { + _gnutls_audit_log +- (session, "Received packet with illegal length: %u\n", +- (unsigned int) record->length); ++ (session, "Received packet with illegal length: %u (max: %u)\n", ++ (unsigned int) record->length, (unsigned)max_record_recv_size(session)); + + if (record->length == 0) { + /* Empty, unencrypted records are always unexpected. */ +-- +2.24.0 + diff -Nru gnutls28-3.6.7/debian/patches/series gnutls28-3.6.7/debian/patches/series --- gnutls28-3.6.7/debian/patches/series 2019-06-12 19:21:15.000000000 +0200 +++ gnutls28-3.6.7/debian/patches/series 2019-11-30 13:41:59.000000000 +0100 @@ -5,3 +5,4 @@ 40_rel3.6.8_10-ext-record_size_limit-distinguish-sending-and-receiv.patch 40_rel3.6.8_15-Apply-STD3-ASCII-rules-in-gnutls_idna_map.patch 40_rel3.6.8_20-pubkey-remove-deprecated-TLS1_RSA-flag-check.patch +42_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch
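Review bot: The diffstat in the imported patch header lists "NEWS | 4 ++++" and "3 files changed, 15 insertions(+), 4 deletions(-)", but the patch body only carries hunks for lib/constate.c and lib/record.c. If the NEWS hunk was dropped on purpose for the backport, say so in the patch header so that the header matches what is actually applied.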
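Review bot: In the lib/constate.c hunk the new comment says the 256-byte limit is "enforced" under CBC ciphers, but the code below it raises the accepted size: for a CIPHER_BLOCK suite max_recv_size now starts at 256 and then has _gnutls_record_overhead() added to it (plus EXTRA_COMP_SIZE when allow_large_records is set). The comment should say that 256 extra bytes are allowed for random padding, the bare 256 deserves a named constant, and the two separate tests of ver->tls13_sem could be folded into one if/else chain so the three cases (TLS 1.3, CBC, other) are visible at a glance. The condition keys only on the cipher type, so the larger limit applies to every TLS 1.x CBC session and not just to sessions with a gnutls 2.12.x peer; a regression test that feeds a randomly padded CBC record would be worth carrying with the patch.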
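Review bot: In the lib/record.c hunk the two arguments of the extended audit message use different cast spellings, "(unsigned int) record->length" and "(unsigned)max_record_recv_size(session)"; use one form for both. max_record_recv_size(session) is also called a second time only for the log line, after the call in the condition above; storing the result in a local would make the logged limit and the checked limit visibly the same value.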