On 2013-02-20 Dominique Dumont <d...@debian.org> wrote: > Le dimanche 10 février 2013 16:26:40, Andreas Metzler a écrit : >>>> PS: My first idea was to simply pull gnutls28, providing guile-gnutls >>>> and gnutls-bin from gnutls26 again. However there is a reverse >>>> dependency (pan) on libgnutls28 in testing nowadays. Pan is not >>>> distributable currently http://bugs.debian.org/699892 >>>> but that might still be fixed in time for the release.
> I've fixed the license bug by dropping SSL support from pan. pan no longer > depends on any libgnutls. Hello, the new pan upload should propagate to testing in a week. Find attached a proposed patch to build both guile-gnutls and gnutls-bin from gnutls26 instead of gnutls28 for wheezy. Would this be acceptable for an unstable upload targeted for testing? Afterwards gnutls28 could be pulled from wheezy. cu andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure'
Warning: these package names were in the second list but not in the first: -------------------------------------------------------------------------- gnutls-bin guile-gnutls [The following lists of changes regard files as different if they have different names, permissions or owners.] Files only in first set of .debs, found in package libgnutls26-dbg ------------------------------------------------------------------ -rwxr-xr-x root/root /usr/lib/i386-linux-gnu/libgnutls26/certtool -rwxr-xr-x root/root /usr/lib/i386-linux-gnu/libgnutls26/gnutls-cli -rwxr-xr-x root/root /usr/lib/i386-linux-gnu/libgnutls26/gnutls-cli-debug -rwxr-xr-x root/root /usr/lib/i386-linux-gnu/libgnutls26/gnutls-serv -rwxr-xr-x root/root /usr/lib/i386-linux-gnu/libgnutls26/p11tool -rwxr-xr-x root/root /usr/lib/i386-linux-gnu/libgnutls26/psktool -rwxr-xr-x root/root /usr/lib/i386-linux-gnu/libgnutls26/srptool New files in second set of .debs, found in package gnutls-bin ------------------------------------------------------------- -rw-r--r-- root/root /usr/share/doc/gnutls-bin/AUTHORS.gz -rw-r--r-- root/root /usr/share/doc/gnutls-bin/NEWS.gz -rw-r--r-- root/root /usr/share/doc/gnutls-bin/README.gz -rw-r--r-- root/root /usr/share/doc/gnutls-bin/THANKS.gz -rw-r--r-- root/root /usr/share/doc/gnutls-bin/changelog.Debian.gz -rw-r--r-- root/root /usr/share/doc/gnutls-bin/changelog.gz -rw-r--r-- root/root /usr/share/doc/gnutls-bin/copyright -rw-r--r-- root/root /usr/share/doc/gnutls-bin/examples/certtool.cfg -rw-r--r-- root/root /usr/share/man/man1/certtool.1.gz -rw-r--r-- root/root /usr/share/man/man1/gnutls-cli-debug.1.gz -rw-r--r-- root/root /usr/share/man/man1/gnutls-cli.1.gz -rw-r--r-- root/root /usr/share/man/man1/gnutls-serv.1.gz -rw-r--r-- root/root /usr/share/man/man1/p11tool.1.gz -rw-r--r-- root/root /usr/share/man/man1/psktool.1.gz -rw-r--r-- root/root /usr/share/man/man1/srptool.1.gz -rwxr-xr-x root/root /usr/bin/certtool -rwxr-xr-x root/root /usr/bin/gnutls-cli -rwxr-xr-x root/root 
/usr/bin/gnutls-cli-debug -rwxr-xr-x root/root /usr/bin/gnutls-serv -rwxr-xr-x root/root /usr/bin/p11tool -rwxr-xr-x root/root /usr/bin/psktool -rwxr-xr-x root/root /usr/bin/srptool New files in second set of .debs, found in package guile-gnutls --------------------------------------------------------------- -rw-r--r-- root/root /usr/lib/i386-linux-gnu/libguile-gnutls-extra-v-1.so.0.0.0 -rw-r--r-- root/root /usr/lib/i386-linux-gnu/libguile-gnutls-v-1.so.0.0.0 -rw-r--r-- root/root /usr/share/doc/guile-gnutls/AUTHORS.gz -rw-r--r-- root/root /usr/share/doc/guile-gnutls/NEWS.gz -rw-r--r-- root/root /usr/share/doc/guile-gnutls/README.Debian -rw-r--r-- root/root /usr/share/doc/guile-gnutls/README.gz -rw-r--r-- root/root /usr/share/doc/guile-gnutls/THANKS.gz -rw-r--r-- root/root /usr/share/doc/guile-gnutls/changelog.Debian.gz -rw-r--r-- root/root /usr/share/doc/guile-gnutls/changelog.gz -rw-r--r-- root/root /usr/share/doc/guile-gnutls/copyright -rw-r--r-- root/root /usr/share/guile/site/gnutls.scm -rw-r--r-- root/root /usr/share/guile/site/gnutls/extra.scm -rw-r--r-- root/root /usr/share/lintian/overrides/guile-gnutls lrwxrwxrwx root/root /usr/lib/i386-linux-gnu/libguile-gnutls-extra-v-1.so -> libguile-gnutls-extra-v-1.so.0.0.0 lrwxrwxrwx root/root /usr/lib/i386-linux-gnu/libguile-gnutls-extra-v-1.so.0 -> libguile-gnutls-extra-v-1.so.0.0.0 lrwxrwxrwx root/root /usr/lib/i386-linux-gnu/libguile-gnutls-v-1.so -> libguile-gnutls-v-1.so.0.0.0 lrwxrwxrwx root/root /usr/lib/i386-linux-gnu/libguile-gnutls-v-1.so.0 -> libguile-gnutls-v-1.so.0.0.0 New files in second set of .debs, found in package libgnutls26-dbg ------------------------------------------------------------------ -rw-r--r-- root/root /usr/lib/debug/usr/bin/certtool -rw-r--r-- root/root /usr/lib/debug/usr/bin/gnutls-cli -rw-r--r-- root/root /usr/lib/debug/usr/bin/gnutls-cli-debug -rw-r--r-- root/root /usr/lib/debug/usr/bin/gnutls-serv -rw-r--r-- root/root /usr/lib/debug/usr/bin/p11tool -rw-r--r-- root/root 
/usr/lib/debug/usr/bin/psktool -rw-r--r-- root/root /usr/lib/debug/usr/bin/srptool -rw-r--r-- root/root /usr/lib/debug/usr/lib/i386-linux-gnu/libguile-gnutls-extra-v-1.so.0.0.0 -rw-r--r-- root/root /usr/lib/debug/usr/lib/i386-linux-gnu/libguile-gnutls-v-1.so.0.0.0 Files moved or copied from at least TWO packages or to at least TWO packages ---------------------------------------------------------------------------- -rw-r--r-- root/root DEBIAN/control >From packages: gnutls26-doc, libgnutls-dev, libgnutls26, libgnutls26-dbg, libgnutlsxx27, libgnutls-openssl27 To packages: gnutls26-doc, libgnutls-dev, libgnutls26, libgnutls26-dbg, gnutls-bin, guile-gnutls, libgnutlsxx27, libgnutls-openssl27 -rw-r--r-- root/root DEBIAN/md5sums >From packages: gnutls26-doc, libgnutls-dev, libgnutls26, libgnutls26-dbg, libgnutlsxx27, libgnutls-openssl27 To packages: gnutls26-doc, libgnutls-dev, libgnutls26, libgnutls26-dbg, gnutls-bin, guile-gnutls, libgnutlsxx27, libgnutls-openssl27 -rw-r--r-- root/root DEBIAN/shlibs >From packages: libgnutls26, libgnutlsxx27, libgnutls-openssl27 To packages: libgnutls26, guile-gnutls, libgnutlsxx27, libgnutls-openssl27 -rwxr-xr-x root/root DEBIAN/postinst >From packages: libgnutls26, libgnutlsxx27, libgnutls-openssl27 To packages: libgnutls26, guile-gnutls, libgnutlsxx27, libgnutls-openssl27 -rwxr-xr-x root/root DEBIAN/postrm >From packages: libgnutls26, libgnutlsxx27, libgnutls-openssl27 To packages: libgnutls26, guile-gnutls, libgnutlsxx27, libgnutls-openssl27 Control files of package gnutls26-doc: lines which differ (wdiff format) ------------------------------------------------------------------------ Version: [-2.12.20-4-] {+2.12.20-5+} Control files of package libgnutls-dev: lines which differ (wdiff format) ------------------------------------------------------------------------- Depends: libgnutls26 (= [-2.12.20-4),-] {+2.12.20-5),+} libgnutlsxx27 (= [-2.12.20-4),-] {+2.12.20-5),+} libgnutls-openssl27 (= [-2.12.20-4),-] {+2.12.20-5),+} 
libgcrypt11-dev (>= 1.4.0), libc6-dev | libc-dev, zlib1g-dev, libtasn1-3-dev (>= 0.3.4), libp11-kit-dev (>= 0.4) Version: [-2.12.20-4-] {+2.12.20-5+} Control files of package libgnutls-openssl27: lines which differ (wdiff format) ------------------------------------------------------------------------------- Depends: libgnutls26 (= [-2.12.20-4),-] {+2.12.20-5),+} libc6 (>= 2.4), libp11-kit0 (>= 0.11), libtasn1-3 (>= 1.6-0) Version: [-2.12.20-4-] {+2.12.20-5+} Control files of package libgnutls26: lines which differ (wdiff format) ----------------------------------------------------------------------- Installed-Size: [-1398-] {+1399+} Version: [-2.12.20-4-] {+2.12.20-5+} Control files of package libgnutls26-dbg: lines which differ (wdiff format) --------------------------------------------------------------------------- Depends: libgnutls26 (= [-2.12.20-4), libc6 (>= 2.4), libgcrypt11 (>= 1.4.5), libp11-kit0 (>= 0.11), libtasn1-3 (>= 1.6-0), zlib1g (>= 1:1.1.4)-] {+2.12.20-5)+} This package contains the debugger [-symbols and commandline utilities.-] {+symbols.+} Version: [-2.12.20-4-] {+2.12.20-5+} Control files of package libgnutlsxx27: lines which differ (wdiff format) ------------------------------------------------------------------------- Depends: libgnutls26 (= [-2.12.20-4),-] {+2.12.20-5),+} libc6 (>= 2.1.3), libgcc1 (>= 1:4.1.1), libp11-kit0 (>= 0.11), libstdc++6 (>= 4.1.1) Version: [-2.12.20-4-] {+2.12.20-5+} diff -Nru gnutls26-2.12.20/debian/changelog gnutls26-2.12.20/debian/changelog --- gnutls26-2.12.20/debian/changelog 2013-02-04 19:44:26.000000000 +0100 +++ gnutls26-2.12.20/debian/changelog 2013-02-10 17:58:42.000000000 +0100 
@@ -1,10 +1,20 @@ +gnutls26 (2.12.20-5) UNRELEASED; urgency=low + + * For wheezy build gnutls-bin and guile-gnutls from this source package + rather than from gnutls28. gnutls28 is a leaf-package in wheezy. Not + shipping would mean a lot less work for the security team if there was a + GnuTLS vulnerability. If wanted, it can be re-introduced via backports. + The versioning trick has been copied from Ubuntu. + + -- Andreas Metzler <ametz...@debian.org> Mon, 04 Feb 2013 19:48:31 +0100 + gnutls26 (2.12.20-4) unstable; urgency=high * Pull fixes from 2.12.23: + 34_pkcs11_memleak.diff Eliminated memory leak in PCKS #11 initialization. + 35_TLS-CBC_timing-attack.diff (GNUTLS-SA-2013-1) TLS CBC padding timing - attack + attack. CVE-2013-0169 CVE-2013-1619 -- Andreas Metzler <ametz...@debian.org> Mon, 04 Feb 2013 19:35:29 +0100 diff -Nru gnutls26-2.12.20/debian/control gnutls26-2.12.20/debian/control --- gnutls26-2.12.20/debian/control 2012-11-13 19:03:33.000000000 +0100 +++ gnutls26-2.12.20/debian/control 2013-02-23 18:13:46.000000000 +0100 @@ -8,7 +8,7 @@ Simon Josefsson <si...@josefsson.org> Build-Depends: debhelper (>= 8.1.3), libgcrypt11-dev (>= 1.4.0), zlib1g-dev, cdbs (>= 0.4.93), gtk-doc-tools, texinfo (>= 4.8), - libtasn1-3-dev (>= 0.3.4-0), autotools-dev, datefudge, + libtasn1-3-dev (>= 0.3.4-0), autotools-dev, guile-1.8-dev, datefudge, libp11-kit-dev (>= 0.11), pkg-config, chrpath Build-Conflicts: libgnutls-dev Standards-Version: 3.9.3 
@@ -91,7 +91,32 @@ GnuTLS is a portable library which implements the Transport Layer Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 protocols. . - This package contains the debugger symbols and commandline utilities. + This package contains the debugger symbols. + +Package: gnutls-bin +Architecture: any +Section: net +Depends: ${shlibs:Depends}, ${misc:Depends} +Multi-Arch: foreign +Description: GNU TLS library - commandline utilities + GnuTLS is a portable library which implements the Transport Layer + Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 protocols. + . + GnuTLS features support for: + - TLS extensions: server name indication, max record size, opaque PRF + input, etc. + - authentication using the SRP protocol. + - authentication using both X.509 certificates and OpenPGP keys. + - TLS Pre-Shared-Keys (PSK) extension. + - Inner Application (TLS/IA) extension. + - X.509 and OpenPGP certificate handling. + - X.509 Proxy Certificates (RFC 3820). + - all the strong encryption algorithms (including SHA-256/384/512 and + Camellia (RFC 4132)). + . + This package contains a commandline interface to the GNU TLS library, which + can be used to set up secure connections from e.g. shell scripts, debugging + connection issues or managing certificates. Package: gnutls26-doc Architecture: all 
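Review bot: The libgnutls26-dbg description change to `This package contains the debugger symbols.` comes with new files under /usr/lib/debug/usr/bin/ in that package (see the debdiff file list above), but the patch declares no relationship to the debug package built from gnutls28. If that package ships the same paths (not visible here, so it needs checking), upgrades on systems that have it installed would hit a file conflict. In that case the libgnutls26-dbg stanza needs versioned `Breaks:`/`Replaces:` against it. The stanza begins outside this hunk.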
@@ -116,6 +141,30 @@ . This package contains the documentation for the GnuTLS 2.x legacy version. +Package: guile-gnutls +Architecture: any +Section: lisp +Depends: ${misc:Depends},${shlibs:Depends}, guile-1.8 +Pre-Depends: ${misc:Pre-Depends} +Multi-Arch: same +Description: GNU TLS library - GNU Guile bindings + GnuTLS is a portable library which implements the Transport Layer + Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 protocols. + . + GnuTLS features support for: + - TLS extensions: server name indication, max record size, opaque PRF + input, etc. + - authentication using the SRP protocol. + - authentication using both X.509 certificates and OpenPGP keys. + - TLS Pre-Shared-Keys (PSK) extension. + - Inner Application (TLS/IA) extension. + - X.509 and OpenPGP certificate handling. + - X.509 Proxy Certificates (RFC 3820). + - all the strong encryption algorithms (including SHA-256/384/512 and + Camellia (RFC 4132)). + . + This package contains the GNU Guile 1.8 modules. + Package: libgnutlsxx27 Priority: extra Architecture: any diff -Nru gnutls26-2.12.20/debian/gnutls-bin.examples gnutls26-2.12.20/debian/gnutls-bin.examples --- gnutls26-2.12.20/debian/gnutls-bin.examples 1970-01-01 01:00:00.000000000 +0100 +++ gnutls26-2.12.20/debian/gnutls-bin.examples 2013-02-10 17:12:04.000000000 +0100 @@ -0,0 +1 @@ +doc/certtool.cfg diff -Nru gnutls26-2.12.20/debian/gnutls-bin.install gnutls26-2.12.20/debian/gnutls-bin.install --- gnutls26-2.12.20/debian/gnutls-bin.install 1970-01-01 01:00:00.000000000 +0100 +++ gnutls26-2.12.20/debian/gnutls-bin.install 2013-02-10 17:12:04.000000000 +0100 @@ -0,0 +1 @@ +debian/tmp/usr/bin/* usr/bin diff -Nru gnutls26-2.12.20/debian/gnutls-bin.manpages gnutls26-2.12.20/debian/gnutls-bin.manpages --- gnutls26-2.12.20/debian/gnutls-bin.manpages 1970-01-01 01:00:00.000000000 +0100 +++ gnutls26-2.12.20/debian/gnutls-bin.manpages 2013-02-10 17:12:04.000000000 +0100 
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/*/*.1
diff -Nru gnutls26-2.12.20/debian/guile-gnutls.install gnutls26-2.12.20/debian/guile-gnutls.install
--- gnutls26-2.12.20/debian/guile-gnutls.install 1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.12.20/debian/guile-gnutls.install 2013-02-10 17:37:46.000000000 +0100
@@ -0,0 +1,2 @@
+debian/tmp/usr/lib/*/libguile-gnutls*.so*
+debian/tmp/usr/share/guile/site
diff -Nru gnutls26-2.12.20/debian/guile-gnutls.lintian-overrides gnutls26-2.12.20/debian/guile-gnutls.lintian-overrides
--- gnutls26-2.12.20/debian/guile-gnutls.lintian-overrides 1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.12.20/debian/guile-gnutls.lintian-overrides 2013-02-10 17:37:46.000000000 +0100
@@ -0,0 +1,2 @@
+guile-gnutls: non-dev-pkg-with-shlib-symlink
+guile-gnutls: package-name-doesnt-match-sonames
diff -Nru gnutls26-2.12.20/debian/guile-gnutls.README.Debian gnutls26-2.12.20/debian/guile-gnutls.README.Debian
--- gnutls26-2.12.20/debian/guile-gnutls.README.Debian 1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.12.20/debian/guile-gnutls.README.Debian 2013-02-10 17:37:46.000000000 +0100
@@ -0,0 +1,8 @@
+guile bindings for gnutls.
+
+Guile binary extensions currently use dlopened dynamic libraries installed in
+/usr/lib/. These are not to be used a C-libraries. Which is why ...
+ - we do not provide shlibs files for these
+ - and the .so symlink is not in the dev-package.
+
+(Thanks to Ludovic Courtès for the explanations.)
diff -Nru gnutls26-2.12.20/debian/libgnutls26-dbg.install gnutls26-2.12.20/debian/libgnutls26-dbg.install
--- gnutls26-2.12.20/debian/libgnutls26-dbg.install 2012-11-12 19:16:57.000000000 +0100
+++ gnutls26-2.12.20/debian/libgnutls26-dbg.install 1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@ -debian/tmp/usr/lib/*/libgnutls26 diff -Nru gnutls26-2.12.20/debian/rules gnutls26-2.12.20/debian/rules --- gnutls26-2.12.20/debian/rules 2012-11-13 19:02:55.000000000 +0100 +++ gnutls26-2.12.20/debian/rules 2013-02-10 18:05:17.000000000 +0100 @@ -5,7 +5,8 @@ include /usr/share/cdbs/1/class/autotools.mk DEB_CONFIGURE_EXTRA_FLAGS = --enable-ld-version-script --enable-cxx \ - --without-lzo --disable-guile \ + --without-lzo --enable-guile \ + --with-guile-site-dir=/usr/share/guile/site \ --cache-file=$(CURDIR)/config.cache --with-libgcrypt \ --with-packager=Debian \ --with-packager-bug-reports=http://bugs.debian.org/ \ @@ -14,8 +15,14 @@ DEB_MAKE_CHECK_TARGET = check DEB_DH_MAKESHLIBS_ARGS_libgnutls26 := -V 'libgnutls26 (>= 2.12.17-0)' DEB_DH_MAKESHLIBS_ARGS_libgnutlsxx27 := -V 'libgnutlsxx27 (>= 2.12.17-0)' +DEB_DH_MAKESHLIBS_ARGS_guile-gnutls := -V 'guile-gnutls (>= 2.12.17-0)' DEB_COMPRESS_EXCLUDE := gnutls.pdf +# workaround for guile testsuite failure. +ifneq (,$(filter $(DEB_BUILD_ARCH),armel armhf mipsel)) + DEB_CONFIGURE_EXTRA_FLAGS += --disable-largefile +endif + # pre-clean rule: save gnutls.pdf since it is expensive to regenerate. # See README.source cleanbuilddir/gnutls26-doc:: @@ -41,10 +48,10 @@ common-install-arch:: find debian/tmp/usr/lib/* -name '*.so.*.*' -type f -exec \ chrpath -d {} + - if ! test -e debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libgnutls26 ; \ - then \ - install -d -m755 \ - debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libgnutls26 &&\ - mv -v debian/tmp/usr/bin/* \ - debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libgnutls26 ;\ - fi + +# gnutls-bin and guile-gnutls were built from gnutls28 but we chose +# to not ship this sourcepackage in wheezy. Bump the binary package version +# to supersede the gnutls28-built versions. +binary-makedeb/gnutls-bin:: DEB_DH_GENCONTROL_ARGS := -- -v3.0.20-3+really$(DEB_VERSION) + +binary-makedeb/guile-gnutls: DEB_DH_GENCONTROL_ARGS := -- -v3.0.20-3+really$(DEB_VERSION)
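Review bot: The added `DEB_DH_MAKESHLIBS_ARGS_guile-gnutls := -V 'guile-gnutls (>= 2.12.17-0)'` contradicts the new debian/guile-gnutls.README.Debian, which says "we do not provide shlibs files for these". The debdiff above also lists DEBIAN/shlibs, postinst and postrm for guile-gnutls. Either drop the line and keep the package out of shlibs generation, or correct the README. Separately, `--disable-largefile` is appended to DEB_CONFIGURE_EXTRA_FLAGS, so on armel, armhf and mipsel it applies to the whole configure run, including the libgnutls26 that gets shipped, not only to the guile testsuite. The comment should say so and cite the report, e.g. `# workaround for guile testsuite failure (see #<bug-number>); changes the whole build on these arches`, and the test should probably use `$(DEB_HOST_ARCH)` rather than `$(DEB_BUILD_ARCH)`.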
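Review bot: The two target-specific assignments at the end of this hunk are written differently: `binary-makedeb/gnutls-bin::` uses a double colon and `binary-makedeb/guile-gnutls:` a single one. Both also repeat the literal `3.0.20-3+really`. Use one form for both and keep the prefix in a single variable, e.g. `SUPERSEDE_PREFIX := 3.0.20-3+really`, so the two packages cannot drift apart. The resulting binary version no longer reflects the 2.12.20 code these packages contain, so anyone matching installed versions against advisories will presumably read them as 3.0.x. A sentence in the package description or README.Debian stating the real upstream version would help with that.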