Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-CC: sirkilam...@msn.com
Hi,

I am including a fix for wolfssl's CVE-2023-3724. The vulnerability is tracked by the Security Team in #1041699 and is fixed in unstable.

Aside from the changelog, this is exactly the same debdiff as provided by 5.5.4-2.1. The new patch is taken from upstream as suggested by Jacob Barthelmeh.

Thanks,
Bastian
diff -Nru wolfssl-5.5.4/debian/changelog wolfssl-5.5.4/debian/changelog
--- wolfssl-5.5.4/debian/changelog 2023-02-06 14:41:53.000000000 +0000
+++ wolfssl-5.5.4/debian/changelog 2023-10-23 17:46:16.000000000 +0000
@@ -1,3 +1,10 @@
+wolfssl (5.5.4-2+deb12u1) bookworm; urgency=medium
+
+ * Stable update to address the following vulnerabilities:
+ - Fix CVE-2023-3724.
+
+ -- Bastian Germann <b...@debian.org> Mon, 23 Oct 2023 17:46:16 +0000
+
wolfssl (5.5.4-2) unstable; urgency=medium
* Clarify in README.Debian and in the package descriptions that wolfssl is
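Review bot: the changelog line `- Fix CVE-2023-3724.` says nothing about what was wrong and does not reference the bug the mail says tracks it (#1041699); a stable-update entry normally names the issue and closes the bug, e.g. `- Fix CVE-2023-3724: missing sanity check on TLS 1.3 ServerHello key_share / PSK extensions (Closes: #1041699)`, so the fix can be traced from the package alone.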
diff -Nru wolfssl-5.5.4/debian/patches/cve-2023-3724.patch
wolfssl-5.5.4/debian/patches/cve-2023-3724.patch
--- wolfssl-5.5.4/debian/patches/cve-2023-3724.patch 1970-01-01
00:00:00.000000000 +0000
+++ wolfssl-5.5.4/debian/patches/cve-2023-3724.patch 2023-10-23
17:46:16.000000000 +0000
@@ -0,0 +1,47 @@
+Origin: backport, 00f1eddee429ff51390b20caadd2eb6afe51e1aa
+From: Jacob Barthelmeh <ja...@wolfssl.com>
+Date: Mon, 15 May 2023 15:49:44 -0700
+Subject: add tls extension sanity check
+
+---
+ src/tls.c | 3 +++
+ src/tls13.c | 10 ++++++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/src/tls.c b/src/tls.c
+index bced9f9b13f..9bbabfb14e2 100644
+--- a/src/tls.c
++++ b/src/tls.c
+@@ -8475,6 +8475,9 @@ int TLSX_KeyShare_Parse(WOLFSSL* ssl, const byte* input,
word16 length,
+ if (!WOLFSSL_NAMED_GROUP_IS_PQC(group))
+ #endif
+ ret = TLSX_KeyShare_Use(ssl, group, 0, NULL, NULL);
++
++ if (ret == 0)
++ ssl->session->namedGroup = ssl->namedGroup = group;
+ }
+ else {
+ /* Not a message type that is allowed to have this extension. */
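Review bot: the hunk header `+@@ -8475,6 +8475,9 @@ int TLSX_KeyShare_Parse(WOLFSSL* ssl, const byte* input,` appears wrapped onto a second line (`word16 length,`) in this mail; confirm the file under debian/patches keeps it on one line, otherwise quilt will reject the hunk. The DEP-3 header would also benefit from `Bug-Debian: https://bugs.debian.org/1041699` and a `Bug:` line for the CVE next to the existing `Origin:` so the backport is traceable without the mail. On the logic, recording `ssl->session->namedGroup = ssl->namedGroup = group` only under `if (ret == 0)` is the right guard: a key share that TLSX_KeyShare_Use rejects leaves namedGroup at 0, which is what the tls13.c check relies on.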
+diff --git a/src/tls13.c b/src/tls13.c
+index e5360790b3b..0f1bbc1aad1 100644
+--- a/src/tls13.c
++++ b/src/tls13.c
+@@ -5236,8 +5236,18 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input,
word32* inOutIdx,
+ }
+ #endif
+
++ /* sanity check on PSK / KSE */
++ if (
++ #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
++ ssl->options.pskNegotiated == 0 &&
++ #endif
++ ssl->session->namedGroup == 0) {
++ return EXT_MISSING;
++ }
++
+ ssl->keys.encryptionOn = 1;
+ ssl->options.serverState = SERVER_HELLO_COMPLETE;
++
+ }
+ else {
+ ssl->options.tls1_3 = 1;
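Review bot: the new check returns `EXT_MISSING` whenever no PSK was negotiated and `ssl->session->namedGroup` is still 0, so it is only sound if namedGroup is guaranteed to be 0 at the start of every fresh handshake and becomes non-zero solely through the guarded assignment in tls.c; please confirm that a resumed session's cached namedGroup cannot satisfy the check while `pskNegotiated` is 0. The `#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)` inside the condition is fine for builds with both disabled, since the condition then collapses to `ssl->session->namedGroup == 0`. Two smaller points: the hunk header `+@@ -5236,8 +5236,18 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input,` is wrapped (`word32* inOutIdx,`) just like the tls.c one and needs the same check, and the trailing `++` after `SERVER_HELLO_COMPLETE` adds only a blank line, which could be dropped to keep the backport free of whitespace-only changes.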
diff -Nru wolfssl-5.5.4/debian/patches/series
wolfssl-5.5.4/debian/patches/series
--- wolfssl-5.5.4/debian/patches/series 2022-11-07 17:38:12.000000000 +0000
+++ wolfssl-5.5.4/debian/patches/series 2023-10-23 17:46:16.000000000 +0000
@@ -4,3 +4,4 @@
fix-hurd-i386-flags.patch
disable-crl-monitor.patch
disable-jobserver.patch
+cve-2023-3724.patch