[Pkg-gnutls-commits] r1463 - in /packages/gnutls26/branches/branch2.8.6-squeeze/debian: changelog patches/21_CVE-2012-1573 patches/series
ametzler at users.alioth.debian.org
Mon Mar 26 16:50:22 UTC 2012
Author: ametzler
Date: Mon Mar 26 16:50:20 2012
New Revision: 1463
URL: http://svn.debian.org/wsvn/pkg-gnutls/?sc=1&rev=1463
Log:
Apply patch to fix crashes in record parsing (CVE-2012-1573)
Added:
packages/gnutls26/branches/branch2.8.6-squeeze/debian/patches/21_CVE-2012-1573
Modified:
packages/gnutls26/branches/branch2.8.6-squeeze/debian/changelog
packages/gnutls26/branches/branch2.8.6-squeeze/debian/patches/series
Modified: packages/gnutls26/branches/branch2.8.6-squeeze/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/branches/branch2.8.6-squeeze/debian/changelog?rev=1463&op=diff
==============================================================================
--- packages/gnutls26/branches/branch2.8.6-squeeze/debian/changelog (original)
+++ packages/gnutls26/branches/branch2.8.6-squeeze/debian/changelog Mon Mar 26 16:50:20 2012
@@ -1,8 +1,8 @@
-gnutls26 (2.8.6-1+squeeze2) UNRELEASED; urgency=low
-
- * NOT RELEASED YET
-
- -- Andreas Metzler <ametzler at debian.org> Fri, 23 Dec 2011 08:00:13 +0100
+gnutls26 (2.8.6-1+squeeze2) stable-security; urgency=high
+
+ * Apply patch to fix crashes in record parsing (CVE-2012-1573)
+
+ -- Florian Weimer <fw at deneb.enyo.de> Sun, 25 Mar 2012 13:37:15 +0200
gnutls26 (2.8.6-1+squeeze1) stable; urgency=low
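Review bot: the new changelog bullet for 2.8.6-1+squeeze2 names the CVE but not the patch that carries the fix. Adding the patch file name (debian/patches/21_CVE-2012-1573) and the source file it touches (lib/gnutls_cipher.c) to the bullet would let a reader of the changelog locate the change without consulting the series file.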
Added: packages/gnutls26/branches/branch2.8.6-squeeze/debian/patches/21_CVE-2012-1573
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/branches/branch2.8.6-squeeze/debian/patches/21_CVE-2012-1573?rev=1463&op=file
==============================================================================
--- packages/gnutls26/branches/branch2.8.6-squeeze/debian/patches/21_CVE-2012-1573 (added)
+++ packages/gnutls26/branches/branch2.8.6-squeeze/debian/patches/21_CVE-2012-1573 Mon Mar 26 16:50:20 2012
@@ -1,0 +1,24 @@
+Index: squeeze/lib/gnutls_cipher.c
+===================================================================
+--- squeeze.orig/lib/gnutls_cipher.c 2012-03-25 13:27:36.922136305 +0200
++++ squeeze/lib/gnutls_cipher.c 2012-03-25 13:27:48.460965884 +0200
+@@ -501,14 +501,13 @@
+ {
+ ciphertext.size -= blocksize;
+ ciphertext.data += blocksize;
+-
+- if (ciphertext.size == 0)
+- {
+- gnutls_assert ();
+- return GNUTLS_E_DECRYPTION_FAILED;
+- }
+ }
+
++ if (ciphertext.size < hash_size)
++ {
++ gnutls_assert ();
++ return GNUTLS_E_DECRYPTION_FAILED;
++ }
+ pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */
+
+ if ((int) pad > (int) ciphertext.size - hash_size)
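Review bot: the added `ciphertext.size < hash_size` test now sits directly before the read of `ciphertext.data[ciphertext.size - 1]`, and it only protects that read when hash_size is non-zero. The removed `ciphertext.size == 0` guard covered the empty case explicitly, although only inside the block that strips the leading block. If hash_size can be 0 for any MAC this code path accepts, a zero-length ciphertext passes the new test and the index `ciphertext.size - 1` is out of range. Either keep an explicit empty check alongside the new one (`ciphertext.size == 0 || ciphertext.size < hash_size`) or add a comment stating why hash_size is always positive here. The patch file also starts straight at `Index:` with no description or origin header, so a short header saying where the fix comes from would help later maintainers.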
Modified: packages/gnutls26/branches/branch2.8.6-squeeze/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/branches/branch2.8.6-squeeze/debian/patches/series?rev=1463&op=diff
==============================================================================
--- packages/gnutls26/branches/branch2.8.6-squeeze/debian/patches/series (original)
+++ packages/gnutls26/branches/branch2.8.6-squeeze/debian/patches/series Mon Mar 26 16:50:20 2012
@@ -3,3 +3,4 @@
16_unnecessarydep.diff
20_CVE-2011-4128.part1.diff
20_CVE-2011-4128.part2.diff
+21_CVE-2012-1573
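Review bot: the new series entry `21_CVE-2012-1573` has no `.diff` suffix, while the three entries above it (`16_unnecessarydep.diff`, `20_CVE-2011-4128.part1.diff`, `20_CVE-2011-4128.part2.diff`) all do. Renaming the patch to `21_CVE-2012-1573.diff` would keep the directory consistent and avoid tools or globs that match `*.diff` skipping the security fix.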