Bug#1012033: bullseye-pu: package gnutls28/3.7.1-5+deb11u1

Andreas Metzler Tue, 14 Jun 2022 10:27:26 -0700

On 2022-05-29 Andreas Metzler <ametz...@bebt.de> wrote:
[...]
> as requested in #1011246 I would like fix miscalculation of SHA384 in
> the SSA accelarated implementation.


> It is a one-line change and was part of the 3.7.3 release.
[...]

Actually this seems like a good opportunity to fix a minor CVE, which
was also fixed in 3.7.3.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

diff -Nru gnutls28-3.7.1/debian/changelog gnutls28-3.7.1/debian/changelog
--- gnutls28-3.7.1/debian/changelog     2021-05-29 12:14:30.000000000 +0200
+++ gnutls28-3.7.1/debian/changelog     2022-06-14 18:55:44.000000000 +0200
@@ -1,3 +1,12 @@
+gnutls28 (3.7.1-5+deb11u1) bullseye; urgency=medium
+
+  * 56_40-fix-SSSE3-SHA384-to-work-more-than-once.patch: Backport SSSE3 SHA384
+    miscalculation fix from 3.7.3.  Closes: #1011246
+  * 56_45-wrap_nettle_hash_fast-avoid-calling-_update-with-zer.patch from
+    3.7.3: Fix null-pointer dereference flaw. CVE-2021-4209
+
+ -- Andreas Metzler <ametz...@debian.org>  Tue, 14 Jun 2022 18:55:44 +0200
+
 gnutls28 (3.7.1-5) unstable; urgency=medium
 
   * Another fix from 3.7.2:
diff -Nru 
gnutls28-3.7.1/debian/patches/56_40-fix-SSSE3-SHA384-to-work-more-than-once.patch
 
gnutls28-3.7.1/debian/patches/56_40-fix-SSSE3-SHA384-to-work-more-than-once.patch
--- 
gnutls28-3.7.1/debian/patches/56_40-fix-SSSE3-SHA384-to-work-more-than-once.patch
   1970-01-01 01:00:00.000000000 +0100
+++ 
gnutls28-3.7.1/debian/patches/56_40-fix-SSSE3-SHA384-to-work-more-than-once.patch
   2022-06-14 10:55:13.000000000 +0200
@@ -0,0 +1,34 @@
+From acdfeb4b3f0c64ad20f28513618e9903bfb81426 Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlich...@redhat.com>
+Date: Wed, 1 Sep 2021 15:48:27 +0200
+Subject: [PATCH] fix SSSE3 SHA384 to work more than once
+
+The output function called sha512_digest() instead of sha384_digest(),
+which caused the hash context to be reinitialized for SHA512 instead of
+SHA384 and all following digests using the hash handle were wrong.
+
+Signed-off-by: Miroslav Lichvar <mlich...@redhat.com>
+---
+ lib/accelerated/x86/sha-x86-ssse3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/accelerated/x86/sha-x86-ssse3.c 
b/lib/accelerated/x86/sha-x86-ssse3.c
+index 8ea4e54aee..1d442e97e7 100644
+--- a/lib/accelerated/x86/sha-x86-ssse3.c
++++ b/lib/accelerated/x86/sha-x86-ssse3.c
+@@ -258,11 +258,11 @@ static int _ctx_init(gnutls_digest_algorithm_t algo,
+               ctx->length = SHA256_DIGEST_SIZE;
+               break;
+       case GNUTLS_DIG_SHA384:
+               sha384_init(&ctx->ctx.sha384);
+               ctx->update = (update_func) x86_sha512_update;
+-              ctx->digest = (digest_func) sha512_digest;
++              ctx->digest = (digest_func) sha384_digest;
+               ctx->init = (init_func) sha384_init;
+               ctx->ctx_ptr = &ctx->ctx.sha384;
+               ctx->length = SHA384_DIGEST_SIZE;
+               break;
+       case GNUTLS_DIG_SHA512:
+-- 
+2.35.1
+
diff -Nru 
gnutls28-3.7.1/debian/patches/56_45-wrap_nettle_hash_fast-avoid-calling-_update-with-zer.patch
 
gnutls28-3.7.1/debian/patches/56_45-wrap_nettle_hash_fast-avoid-calling-_update-with-zer.patch
--- 
gnutls28-3.7.1/debian/patches/56_45-wrap_nettle_hash_fast-avoid-calling-_update-with-zer.patch
      1970-01-01 01:00:00.000000000 +0100
+++ 
gnutls28-3.7.1/debian/patches/56_45-wrap_nettle_hash_fast-avoid-calling-_update-with-zer.patch
      2022-06-14 10:58:46.000000000 +0200
@@ -0,0 +1,32 @@
+From 3db352734472d851318944db13be73da61300568 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <u...@gnu.org>
+Date: Wed, 22 Dec 2021 09:12:25 +0100
+Subject: [PATCH] wrap_nettle_hash_fast: avoid calling _update with zero-length
+ input
+
+As Nettle's hash update functions internally call memcpy, providing
+zero-length input may cause undefined behavior.
+
+Signed-off-by: Daiki Ueno <u...@gnu.org>
+---
+ lib/nettle/mac.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/nettle/mac.c b/lib/nettle/mac.c
+index f9d4d7a8df..35e070fab0 100644
+--- a/lib/nettle/mac.c
++++ b/lib/nettle/mac.c
+@@ -788,7 +788,9 @@ static int wrap_nettle_hash_fast(gnutls_digest_algorithm_t 
algo,
+       if (ret < 0)
+               return gnutls_assert_val(ret);
+ 
+-      ctx.update(&ctx, text_size, text);
++      if (text_size > 0) {
++              ctx.update(&ctx, text_size, text);
++      }
+       ctx.digest(&ctx, ctx.length, digest);
+ 
+       return 0;
+-- 
+2.35.1
+
diff -Nru gnutls28-3.7.1/debian/patches/series 
gnutls28-3.7.1/debian/patches/series
--- gnutls28-3.7.1/debian/patches/series        2021-05-29 11:37:38.000000000 
+0200
+++ gnutls28-3.7.1/debian/patches/series        2022-06-14 10:59:12.000000000 
+0200
@@ -18,3 +18,5 @@
 56_28-handshake-fix-timing-of-sending-early-data.patch
 56_30-x509-verify-treat-SHA-1-signed-CA-in-the-trusted-set.patch
 56_33-serv-stop-setting-AI_ADDRCONFIG-on-getaddrinfo.patch
+56_40-fix-SSSE3-SHA384-to-work-more-than-once.patch
+56_45-wrap_nettle_hash_fast-avoid-calling-_update-with-zer.patch

signature.asc
Description: PGP signature

Bug#1012033: bullseye-pu: package gnutls28/3.7.1-5+deb11u1

Reply via email to