Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Good morning,

I would like to see #933538 fixed in buster, which is an interoperability
problem with old (2.x, that is wheezy) versions of gnutls.

cu Andreas
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .changes but not in first
-----------------------------------------
-rw-r--r--  root/root   /usr/lib/debug/.build-id/1a/591272a07d9e6d0140db75455b9b4bcc8eeddd.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/1c/a9574531f2bffce01464c8a654b2e0c2ed894b.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/5e/61e31c2ae39982eeb14ae1c8f66aff43e1083a.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/74/0d1a42bc21c173d6a991375b0d8ddb934ec0bd.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/8b/c687d446ade64a2f7c29950e17eda1a2e91e11.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/b1/7a60f0701c7de3d7e5e921305846b5efbc3c91.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/b8/bd0e5aecb48c352850674891129476d08d016a.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/be/692a24b17141539bbe9fe246bbde637669ecff.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/c0/fe9421f82709abe4e7d487af28fd7402ffbb53.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/cb/6160515c1e9b0c02a1d6751325e360b590b83e.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/f3/e7c24dbf4184d814468b89270b4c40cb205b8c.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/f8/818eb8e83e9bd9a3c0cfb9b9cbb656bd1f288b.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/fa/92b545084722f485080b95a6eca92571ece25f.debug

Files in first .changes but not in second
-----------------------------------------
-rw-r--r--  root/root   /usr/lib/debug/.build-id/0f/f0796530c37d210935e7808160fd89b3303092.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/11/06d4483482f51e9f04c4fffbf164e0348ba5d3.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/13/874b86eafc2b2965ff1853c87ee6df7987c581.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/4d/66d28cd2e7537e1e1d2905595b260226b22ad2.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/55/58da73c3d0c1fae464c8c1c206dea6279aa5b2.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/70/0562a775625daa6f3892bbd4bfdf2478537723.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/b2/ada5bc7ee4fc083e4a45bd6b2b2b2c5257e68e.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/b4/d85fa0bcde4dd34ea2de34f8bac96e9244b058.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/c4/444a7b5a7906fc1eeca540d1d91064c4a92a3e.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/d1/9c1bb870c8ec979ea276b8f584cddc80e2da61.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/d3/28298de34135fca5f236357f2f2dd56cb109f3.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/d7/52158b357b5875ebc8680001b57a886b94a1a4.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/fe/4c3c0c38af44779c38ae5d1e187b6250f7afe0.debug

Control files of package gnutls-bin: lines which differ (wdiff format)
----------------------------------------------------------------------
Installed-Size: [-1587-] {+1588+}
Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+}

Control files of package gnutls-bin-dbgsym: lines which differ (wdiff format)
-----------------------------------------------------------------------------
Build-Ids: [-0ff0796530c37d210935e7808160fd89b3303092 1106d4483482f51e9f04c4fffbf164e0348ba5d3 13874b86eafc2b2965ff1853c87ee6df7987c581 5558da73c3d0c1fae464c8c1c206dea6279aa5b2 700562a775625daa6f3892bbd4bfdf2478537723 b2ada5bc7ee4fc083e4a45bd6b2b2b2c5257e68e b4d85fa0bcde4dd34ea2de34f8bac96e9244b058 c4444a7b5a7906fc1eeca540d1d91064c4a92a3e d19c1bb870c8ec979ea276b8f584cddc80e2da61-] {+1a591272a07d9e6d0140db75455b9b4bcc8eeddd 740d1a42bc21c173d6a991375b0d8ddb934ec0bd 8bc687d446ade64a2f7c29950e17eda1a2e91e11 be692a24b17141539bbe9fe246bbde637669ecff c0fe9421f82709abe4e7d487af28fd7402ffbb53 cb6160515c1e9b0c02a1d6751325e360b590b83e f3e7c24dbf4184d814468b89270b4c40cb205b8c f8818eb8e83e9bd9a3c0cfb9b9cbb656bd1f288b fa92b545084722f485080b95a6eca92571ece25f+}
Depends: gnutls-bin (= [-3.6.7-4)-] {+3.6.7-4+deb10u1)+}
Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+}

Control files of package gnutls-doc: lines which differ (wdiff format)
----------------------------------------------------------------------
Installed-Size: [-7334-] {+7335+}
Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+}

Control files of package libgnutls-dane0: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.6.7-4),-] {+3.6.7-4+deb10u1),+} libc6 (>= 2.14), libunbound8 (>= 1.8.0)
Installed-Size: [-369-] {+370+}
Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+}

Control files of package libgnutls-dane0-dbgsym: lines which differ (wdiff format)
----------------------------------------------------------------------------------
Build-Ids: [-d328298de34135fca5f236357f2f2dd56cb109f3-] {+b17a60f0701c7de3d7e5e921305846b5efbc3c91+}
Depends: libgnutls-dane0 (= [-3.6.7-4)-] {+3.6.7-4+deb10u1)+}
Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+}

Control files of package libgnutls-openssl27: lines which differ (wdiff format)
-------------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.6.7-4),-] {+3.6.7-4+deb10u1),+} libc6 (>= 2.14)
Installed-Size: [-372-] {+373+}
Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+}

Control files of package libgnutls-openssl27-dbgsym: lines which differ (wdiff format)
--------------------------------------------------------------------------------------
Build-Ids: [-fe4c3c0c38af44779c38ae5d1e187b6250f7afe0-] {+5e61e31c2ae39982eeb14ae1c8f66aff43e1083a+}
Depends: libgnutls-openssl27 (= [-3.6.7-4)-] {+3.6.7-4+deb10u1)+}
Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+}

Control files of package libgnutls28-dev: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libc6-dev | libc-dev, libgnutls-dane0 (= [-3.6.7-4),-] {+3.6.7-4+deb10u1),+} libgnutls-openssl27 (= [-3.6.7-4),-] {+3.6.7-4+deb10u1),+} libgnutls30 (= [-3.6.7-4),-] {+3.6.7-4+deb10u1),+} libgnutlsxx28 (= [-3.6.7-4),-] {+3.6.7-4+deb10u1),+} libidn2-dev, libp11-kit-dev (>= 0.23.10), libtasn1-6-dev, nettle-dev (>= 3.4.1~rc1)
Installed-Size: [-4313-] {+4314+}
Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+}

Control files of package libgnutls30: lines which differ (wdiff format)
-----------------------------------------------------------------------
Installed-Size: [-2643-] {+2644+}
Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+}

Control files of package libgnutls30-dbgsym: lines which differ (wdiff format)
------------------------------------------------------------------------------
Build-Ids: [-4d66d28cd2e7537e1e1d2905595b260226b22ad2-] {+1ca9574531f2bffce01464c8a654b2e0c2ed894b+}
Depends: libgnutls30 (= [-3.6.7-4)-] {+3.6.7-4+deb10u1)+}
Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+}

Control files of package libgnutlsxx28: lines which differ (wdiff format)
-------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.6.7-4),-] {+3.6.7-4+deb10u1),+} libc6 (>= 2.14), libgcc1 (>= 1:3.0), libstdc++6 (>= 5)
Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+}

Control files of package libgnutlsxx28-dbgsym: lines which differ (wdiff format)
--------------------------------------------------------------------------------
Build-Ids: [-d752158b357b5875ebc8680001b57a886b94a1a4-] {+b8bd0e5aecb48c352850674891129476d08d016a+}
Depends: libgnutlsxx28 (= [-3.6.7-4)-] {+3.6.7-4+deb10u1)+}
Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+}



diff -Nru gnutls28-3.6.7/debian/changelog gnutls28-3.6.7/debian/changelog
--- gnutls28-3.6.7/debian/changelog	2019-06-12 19:21:23.000000000 +0200
+++ gnutls28-3.6.7/debian/changelog	2019-11-30 13:41:59.000000000 +0100
@@ -1,3 +1,11 @@
+gnutls28 (3.6.7-4+deb10u1) buster; urgency=medium
+
+  * 42_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch
+    from 3.6.10: Fix interop problems with gnutls 2.x. Closes: #933538
+    (Thanks, Hanno Stock!)
+
+ -- Andreas Metzler <ametz...@debian.org>  Sat, 30 Nov 2019 13:41:59 +0100
+
 gnutls28 (3.6.7-4) unstable; urgency=medium
 
   * Cherry-pick important bug-fixes from 3.6.8:
diff -Nru gnutls28-3.6.7/debian/patches/42_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch gnutls28-3.6.7/debian/patches/42_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch
--- gnutls28-3.6.7/debian/patches/42_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.6.7/debian/patches/42_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch	2019-11-30 13:41:59.000000000 +0100
@@ -0,0 +1,63 @@
+From daa49b9e455d262a1a2bc1b641e72dc004e2cb3e Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <n...@gnutls.org>
+Date: Sat, 3 Aug 2019 21:51:58 +0200
+Subject: [PATCH] _gnutls_epoch_set_keys: do not forbid random padding in
+ TLS1.x CBC ciphersuites
+
+Since some point in 3.6.x we updated the calculation of maximum record size,
+however that did not include the possibility of random record padding available
+for CBC ciphersuites which exceeds the maximum. This commit allows for larger
+sizes for these ciphersuites to account for random padding as applied by
+gnutls 2.12.x.
+
+Resolves: #811
+
+Signed-off-by: Nikos Mavrogiannopoulos <n...@gnutls.org>
+---
+ NEWS           |  4 ++++
+ lib/constate.c | 11 +++++++++--
+ lib/record.c   |  4 ++--
+ 3 files changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/lib/constate.c b/lib/constate.c
+index 51a4eca30..4c6ca0fd0 100644
+--- a/lib/constate.c
++++ b/lib/constate.c
+@@ -707,10 +707,17 @@ int _gnutls_epoch_set_keys(gnutls_session_t session, uint16_t epoch, hs_stage_t
+ 			return gnutls_assert_val(ret);
+ 	}
+ 
+-	if (ver->tls13_sem) {
++	/* The TLS1.3 limit of 256 additional bytes is also enforced under CBC
++	 * ciphers to ensure we interoperate with gnutls 2.12.x which could add padding
++	 * data exceeding the maximum. */
++	if (ver->tls13_sem || _gnutls_cipher_type(params->cipher) == CIPHER_BLOCK) {
+ 		session->internals.max_recv_size = 256;
+ 	} else {
+-		session->internals.max_recv_size = _gnutls_record_overhead(ver, params->cipher, params->mac, 1);
++		session->internals.max_recv_size = 0;
++	}
++
++	if (!ver->tls13_sem) {
++		session->internals.max_recv_size += _gnutls_record_overhead(ver, params->cipher, params->mac, 1);
+ 		if (session->internals.allow_large_records != 0)
+ 			session->internals.max_recv_size += EXTRA_COMP_SIZE;
+ 	}
+diff --git a/lib/record.c b/lib/record.c
+index 39d2a16be..7c7e36561 100644
+--- a/lib/record.c
++++ b/lib/record.c
+@@ -1219,8 +1219,8 @@ static int recv_headers(gnutls_session_t session,
+ 
+ 	if (record->length == 0 || record->length > max_record_recv_size(session)) {
+ 		_gnutls_audit_log
+-		    (session, "Received packet with illegal length: %u\n",
+-		     (unsigned int) record->length);
++		    (session, "Received packet with illegal length: %u (max: %u)\n",
++		     (unsigned int) record->length, (unsigned)max_record_recv_size(session));
+ 
+ 		if (record->length == 0) {
+ 			/* Empty, unencrypted records are always unexpected. */
+-- 
+2.24.0
+
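Review bot: The comment added above the CBC branch in lib/constate.c says the 256-byte TLS 1.3 limit is "enforced", but the code below it raises max_recv_size by 256 bytes for every block-cipher suite under TLS 1.0–1.2, so someone auditing the record-length check could read a relaxation as a tightening. I would reword it to `/* Allow 256 bytes of slack, as under TLS 1.3, for CBC ciphersuites: gnutls 2.12.x may add random padding that pushes a record past the computed overhead. */` and give the literal 256 a name shared by both cases. recv_headers() in lib/record.c rejects records longer than max_record_recv_size(session), which presumably derives from this field, so it is worth confirming that the receive buffers are sized from the same maximum; that code is outside the hunks shown. The embedded diffstat still lists NEWS (3 files, 15 insertions) although only two file sections are carried in the patch, so the header should be refreshed or the dropped NEWS hunk mentioned.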
diff -Nru gnutls28-3.6.7/debian/patches/series gnutls28-3.6.7/debian/patches/series
--- gnutls28-3.6.7/debian/patches/series	2019-06-12 19:21:15.000000000 +0200
+++ gnutls28-3.6.7/debian/patches/series	2019-11-30 13:41:59.000000000 +0100
@@ -5,3 +5,4 @@
 40_rel3.6.8_10-ext-record_size_limit-distinguish-sending-and-receiv.patch
 40_rel3.6.8_15-Apply-STD3-ASCII-rules-in-gnutls_idna_map.patch
 40_rel3.6.8_20-pubkey-remove-deprecated-TLS1_RSA-flag-check.patch
+42_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch
