On 2013-03-19 Andreas Metzler <ametz...@downhill.at.eu.org> wrote: > Find attached a proposed patch.
diff -Nru gnutls26-2.12.20/debian/changelog gnutls26-2.12.20/debian/changelog --- gnutls26-2.12.20/debian/changelog 2013-02-04 19:44:26.000000000 +0100 +++ gnutls26-2.12.20/debian/changelog 2013-03-19 19:54:02.000000000 +0100 @@ -1,10 +1,22 @@ +gnutls26 (2.12.20-5) UNRELEASED; urgency=low + + * For wheezy build gnutls-bin and guile-gnutls from this source package + rather than from gnutls28. gnutls28 is a leaf-package in wheezy. Not + shipping would mean a lot less work for the security team if there was a + GnuTLS vulnerability. If wanted, it can be re-introduced via backports. + The versioning trick has been copied from Ubuntu. + * Since guile support would require building with --disable-largefile on + armel armhf mipsel we do not provide the package there. + + -- Andreas Metzler <ametz...@debian.org> Mon, 04 Feb 2013 19:48:31 +0100 + gnutls26 (2.12.20-4) unstable; urgency=high * Pull fixes from 2.12.23: + 34_pkcs11_memleak.diff Eliminated memory leak in PCKS #11 initialization. + 35_TLS-CBC_timing-attack.diff (GNUTLS-SA-2013-1) TLS CBC padding timing - attack + attack. CVE-2013-0169 CVE-2013-1619 -- Andreas Metzler <ametz...@debian.org> Mon, 04 Feb 2013 19:35:29 +0100 diff -Nru gnutls26-2.12.20/debian/control gnutls26-2.12.20/debian/control --- gnutls26-2.12.20/debian/control 2012-11-13 19:03:33.000000000 +0100 +++ gnutls26-2.12.20/debian/control 2013-03-19 19:39:47.000000000 +0100 @@ -8,7 +8,8 @@ Simon Josefsson <si...@josefsson.org> Build-Depends: debhelper (>= 8.1.3), libgcrypt11-dev (>= 1.4.0), zlib1g-dev, cdbs (>= 0.4.93), gtk-doc-tools, texinfo (>= 4.8), - libtasn1-3-dev (>= 0.3.4-0), autotools-dev, datefudge, + libtasn1-3-dev (>= 0.3.4-0), autotools-dev, + guile-1.8-dev[!armel !armhf !mipsel], datefudge, libp11-kit-dev (>= 0.11), pkg-config, chrpath Build-Conflicts: libgnutls-dev Standards-Version: 3.9.3 
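Review bot: The restriction `guile-1.8-dev[!armel !armhf !mipsel]` on the Build-Depends line is resolved against the host architecture, whereas the matching `ifeq` added to debian/rules in a later hunk of this patch filters `$(DEB_BUILD_ARCH)`, so a cross build targeting one of the excluded architectures would withhold the build-dependency yet still configure with --enable-guile. The rules condition should read `ifeq (,$(filter $(DEB_HOST_ARCH),armel armhf mipsel))`. The same exclusion set appears a third time, inverted, as the explicit `Architecture:` list of guile-gnutls in the later control hunk; a comment beside the rules `ifeq` such as `# keep in sync with Build-Depends and the guile-gnutls Architecture: list in debian/control` would make the three-way coupling visible to the next editor.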
@@ -91,7 +92,32 @@
 GnuTLS is a portable library which implements the Transport Layer
 Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 protocols.
 .
- This package contains the debugger symbols and commandline utilities.
+ This package contains the debugger symbols.
+
+Package: gnutls-bin
+Architecture: any
+Section: net
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Multi-Arch: foreign
+Description: GNU TLS library - commandline utilities
+ GnuTLS is a portable library which implements the Transport Layer
+ Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 protocols.
+ .
+ GnuTLS features support for:
+ - TLS extensions: server name indication, max record size, opaque PRF
+ input, etc.
+ - authentication using the SRP protocol.
+ - authentication using both X.509 certificates and OpenPGP keys.
+ - TLS Pre-Shared-Keys (PSK) extension.
+ - Inner Application (TLS/IA) extension.
+ - X.509 and OpenPGP certificate handling.
+ - X.509 Proxy Certificates (RFC 3820).
+ - all the strong encryption algorithms (including SHA-256/384/512 and
+ Camellia (RFC 4132)).
+ .
+ This package contains a commandline interface to the GNU TLS library, which
+ can be used to set up secure connections from e.g. shell scripts, debugging
+ connection issues or managing certificates.
 Package: gnutls26-doc
 Architecture: all
@@ -116,6 +142,30 @@
 .
 This package contains the documentation for the GnuTLS 2.x legacy version.
+Package: guile-gnutls
+Architecture: amd64 hurd-i386 i386 ia64 kfreebsd-amd64 kfreebsd-i386 mips powerpc s390 s390x sparc
+Section: lisp
+Depends: ${misc:Depends},${shlibs:Depends}, guile-1.8
+Pre-Depends: ${misc:Pre-Depends}
+Multi-Arch: same
+Description: GNU TLS library - GNU Guile bindings
+ GnuTLS is a portable library which implements the Transport Layer
+ Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 protocols.
+ .
+ GnuTLS features support for:
+ - TLS extensions: server name indication, max record size, opaque PRF
+ input, etc.
+ - authentication using the SRP protocol.
+ - authentication using both X.509 certificates and OpenPGP keys.
+ - TLS Pre-Shared-Keys (PSK) extension.
+ - Inner Application (TLS/IA) extension.
+ - X.509 and OpenPGP certificate handling.
+ - X.509 Proxy Certificates (RFC 3820).
+ - all the strong encryption algorithms (including SHA-256/384/512 and
+ Camellia (RFC 4132)).
+ .
+ This package contains the GNU Guile 1.8 modules.
+
 Package: libgnutlsxx27
 Priority: extra
 Architecture: any
diff -Nru gnutls26-2.12.20/debian/gnutls-bin.examples gnutls26-2.12.20/debian/gnutls-bin.examples
--- gnutls26-2.12.20/debian/gnutls-bin.examples 1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.12.20/debian/gnutls-bin.examples 2013-02-10 17:12:04.000000000 +0100
@@ -0,0 +1 @@
+doc/certtool.cfg
diff -Nru gnutls26-2.12.20/debian/gnutls-bin.install gnutls26-2.12.20/debian/gnutls-bin.install
--- gnutls26-2.12.20/debian/gnutls-bin.install 1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.12.20/debian/gnutls-bin.install 2013-02-10 17:12:04.000000000 +0100
@@ -0,0 +1 @@
+debian/tmp/usr/bin/* usr/bin
diff -Nru gnutls26-2.12.20/debian/gnutls-bin.manpages gnutls26-2.12.20/debian/gnutls-bin.manpages
--- gnutls26-2.12.20/debian/gnutls-bin.manpages 1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.12.20/debian/gnutls-bin.manpages 2013-02-10 17:12:04.000000000 +0100
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/*/*.1
diff -Nru gnutls26-2.12.20/debian/guile-gnutls.install gnutls26-2.12.20/debian/guile-gnutls.install
--- gnutls26-2.12.20/debian/guile-gnutls.install 1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.12.20/debian/guile-gnutls.install 2013-02-10 17:37:46.000000000 +0100
@@ -0,0 +1,2 @@
+debian/tmp/usr/lib/*/libguile-gnutls*.so*
+debian/tmp/usr/share/guile/site
diff -Nru gnutls26-2.12.20/debian/guile-gnutls.lintian-overrides gnutls26-2.12.20/debian/guile-gnutls.lintian-overrides
--- gnutls26-2.12.20/debian/guile-gnutls.lintian-overrides 1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.12.20/debian/guile-gnutls.lintian-overrides 2013-02-10 17:37:46.000000000 +0100
@@ -0,0 +1,2 @@
+guile-gnutls: non-dev-pkg-with-shlib-symlink
+guile-gnutls: package-name-doesnt-match-sonames
diff -Nru gnutls26-2.12.20/debian/guile-gnutls.README.Debian gnutls26-2.12.20/debian/guile-gnutls.README.Debian
--- gnutls26-2.12.20/debian/guile-gnutls.README.Debian 1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.12.20/debian/guile-gnutls.README.Debian 2013-02-10 17:37:46.000000000 +0100
@@ -0,0 +1,8 @@
+guile bindings for gnutls.
+
+Guile binary extensions currently use dlopened dynamic libraries installed in
+/usr/lib/. These are not to be used a C-libraries. Which is why ...
+ - we do not provide shlibs files for these
+ - and the .so symlink is not in the dev-package.
+
+(Thanks to Ludovic Courtès for the explanations.)
diff -Nru gnutls26-2.12.20/debian/libgnutls26-dbg.install gnutls26-2.12.20/debian/libgnutls26-dbg.install
--- gnutls26-2.12.20/debian/libgnutls26-dbg.install 2012-11-12 19:16:57.000000000 +0100
+++ gnutls26-2.12.20/debian/libgnutls26-dbg.install 1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
-debian/tmp/usr/lib/*/libgnutls26
diff -Nru gnutls26-2.12.20/debian/rules gnutls26-2.12.20/debian/rules
--- gnutls26-2.12.20/debian/rules 2012-11-13 19:02:55.000000000 +0100
+++ gnutls26-2.12.20/debian/rules 2013-03-19 19:57:29.000000000 +0100
@@ -5,7 +5,7 @@
 include /usr/share/cdbs/1/class/autotools.mk
 DEB_CONFIGURE_EXTRA_FLAGS = --enable-ld-version-script --enable-cxx \
- --without-lzo --disable-guile \
+ --without-lzo \
 --cache-file=$(CURDIR)/config.cache --with-libgcrypt \
 --with-packager=Debian \
 --with-packager-bug-reports=http://bugs.debian.org/ \
@@ -14,8 +14,18 @@
 DEB_MAKE_CHECK_TARGET = check
 DEB_DH_MAKESHLIBS_ARGS_libgnutls26 := -V 'libgnutls26 (>= 2.12.17-0)'
 DEB_DH_MAKESHLIBS_ARGS_libgnutlsxx27 := -V 'libgnutlsxx27 (>= 2.12.17-0)'
+DEB_DH_MAKESHLIBS_ARGS_guile-gnutls := -V 'guile-gnutls (>= 2.12.17-0)'
 DEB_COMPRESS_EXCLUDE := gnutls.pdf
+# Do not build guile-gnutls on these archs, as we would need to build with
+# --disable-largefile
+ifeq (,$(filter $(DEB_BUILD_ARCH),armel armhf mipsel))
+ DEB_CONFIGURE_EXTRA_FLAGS += --enable-guile \
+ --with-guile-site-dir=/usr/share/guile/site
+else
+ DEB_CONFIGURE_EXTRA_FLAGS += --disable-guile
+endif
+
 # pre-clean rule: save gnutls.pdf since it is expensive to regenerate.
 # See README.source
 cleanbuilddir/gnutls26-doc::
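Review bot: `DEB_DH_MAKESHLIBS_ARGS_guile-gnutls := -V 'guile-gnutls (>= 2.12.17-0)'` asks dh_makeshlibs to register a versioned shlibs entry for the guile module, while the README.Debian added earlier in this patch states that no shlibs files are provided for these dlopened libraries; the two cannot both be right. If the README is the intent, the library should be kept away from dh_makeshlibs (something like `DEB_DH_MAKESHLIBS_ARGS_guile-gnutls := -Xlibguile-gnutls`, to be checked against the cdbs version in use) and the -V line dropped; if a shlibs file is wanted, the README sentence needs rewording. Note also that the floor `2.12.17-0` sits below the `3.0.20-3+really…` binary version set in the last hunk, so any dependency generated from it would equally be satisfied by the gnutls28-built 3.0.20-3 package this upload is meant to supersede.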
@@ -41,10 +51,10 @@
 common-install-arch::
 find debian/tmp/usr/lib/* -name '*.so.*.*' -type f -exec \
 chrpath -d {} +
- if ! test -e debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libgnutls26 ; \
- then \
- install -d -m755 \
- debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libgnutls26 &&\
- mv -v debian/tmp/usr/bin/* \
- debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libgnutls26 ;\
- fi
+
+# gnutls-bin and guile-gnutls were built from gnutls28 but we chose
+# to not ship this sourcepackage in wheezy. Bump the binary package version
+# to supersede the gnutls28-built versions.
+binary-makedeb/gnutls-bin:: DEB_DH_GENCONTROL_ARGS := -- -v3.0.20-3+really$(DEB_VERSION)
+
+binary-makedeb/guile-gnutls: DEB_DH_GENCONTROL_ARGS := -- -v3.0.20-3+really$(DEB_VERSION)
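Review bot: The two per-package overrides use different separators, `binary-makedeb/gnutls-bin::` against `binary-makedeb/guile-gnutls:`; both are target-specific variable assignments rather than recipes, so one form should be used for both, and since cdbs defines the binary-makedeb/% targets as double-colon rules, `::` on both lines reads least surprising. The superseded version `3.0.20-3` is hard-coded twice with no hint of where it comes from; a comment such as `# 3.0.20-3 is the gnutls28 version these packages replace; raise it if a newer gnutls28 ever reaches the archive` would tell a future maintainer when the number must change. Hoisting the value into a single variable, e.g. `gnutls28_superseded := 3.0.20-3`, would avoid the two copies drifting.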