** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date **

Martin von Gagern discovered that GnuTLS allows man-in-the-middle attacks via self-signed certificates that are appended to a certificate chain.
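As an added illustration that is not part of this bug or of GnuTLS itself, the following Go program models the verification rule the report describes, using the standard library's X.509 implementation. The names mkCert, naiveAccepts, properAccepts and Demo are constructed for this example: naiveAccepts lets the self-signed certificate the peer appended to its chain act as the trust anchor, properAccepts anchors trust only in the configured roots, and Demo runs both over a constructed chain whose appended anchor is a rogue CA that is not in the trust store.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a constructed test certificate for cn; parent == nil makes it self-signed.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}
// properAccepts anchors trust only in the configured roots; later chain
// members are at most intermediates and can never vouch for themselves.
func properAccepts(chain []*x509.Certificate, roots *x509.CertPool) bool {
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err == nil
}
// naiveAccepts models the flawed rule: the (self-signed) certificate the peer
// appended at the end of its chain is taken as the trust anchor, so the chain supplies its own root.
func naiveAccepts(chain []*x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(chain[len(chain)-1])
	return properAccepts(chain, roots)
}
// Demo (constructed data): a leaf issued by a rogue self-signed CA, with the rogue CA appended.
func Demo() (naive, proper bool) {
	root, _ := mkCert("Trusted Root CA", true, nil, nil)
	rogue, rogueKey := mkCert("Rogue CA", true, nil, nil)
	leaf, _ := mkCert("example.test", false, rogue, rogueKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	chain := []*x509.Certificate{leaf, rogue}
	return naiveAccepts(chain), properAccepts(chain, roots)
}
```

Demo returns true for the flawed rule and false for the correct one: the appended certificate verifies every link of the chain, but only membership in the configured trust store makes it an anchor.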
Created attachment 170927 [details, diff] gnutls-2.2.5-selfsigned-trust.patch Upstream approved patch.
Daniel, can you prepare an ebuild with the patch and attach it to this bug. Do not commit anything to CVS, we will handle prestable testing on this bug.
Created attachment 170942 [details] gnutls-2.2.5-selfsigned-trust.patch

Contains whitespace correction.

epatch "${FILESDIR}"/${P}-selfsigned-trust.patch
or
epatch "${FILESDIR}"/${PN}-2.2.5-selfsigned-trust.patch
is sufficient. I've tested this patch applied before the other patches for all versions, though I doubt there will be conflicts.

Note: gnutls-2.6.0 has an OpenPGP selftest failure, and the test has been determined to be the problem (https://savannah.gnu.org/support/?106543).

I'm happy for either of gnutls-2.2.5-r1 or gnutls-2.4.1-r1 to go stable (as amended), so for the sec advisory can we just list >=gnutls-2.2.5-r1 and I'll purge gnutls-2.4.1 and all will be good. Acceptable?
(In reply to comment #3)
> contains whitespace correction.

Sorry, I accidentally attached the unclean patch even though I corrected the whitespace myself :-/

> I'm happy for either of gnutls-2.2.5-r1 or gnutls-2.4.1-r1 to go stable (as
> amended) so for the sec advisory can we just list >=gnutls-2.2.5-r1 and I'll
> purge gnutls-2.4.1 and all will be good. Acceptable?

Yes, fine with me. As it might be preferable to have the same version stable across all arches, and since 2.4.1 has been in the tree for several months now, let's go with:

=net-libs/gnutls-2.4.1-r1

Arch Security Liaisons, please test and report it stable on this bug.
Target keywords: "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
alpha : yoswink, armin76
amd64 : keytoaster, tester
hppa : jer
ppc : dertobi123
ppc64 : corsair
sparc : fmccor
x86 : maekke, armin76
What am I missing? Do we make our own ebuild for gnutls-2.4.1-r1 or what?
Hmm, I tried attachment #170942 [details] but it failed to apply to 2.4.1:

PATCH COMMAND: patch -p1 -g0 -E --no-backup-if-mismatch < /keeps/gentoo/local/net-libs/gnutls/files/gnutls-2.2.5-selfsigned-trust.patch

===============================================

patching file lib/x509/verify.c
Hunk #1 succeeded at 376 (offset 2 lines).
Hunk #2 FAILED at 425.
1 out of 2 hunks FAILED -- saving rejects to file lib/x509/verify.c.rej

===============================================
Created attachment 170962 [details, diff] gnutls-2.2.5-selfsigned-trust.patch

Did the dumb thing and uploaded the same file I downloaded. Sorry, folks.

If I did it again:
EPATCH_OPTS="--ignore-whitespace" \
epatch ...

Sorry, this is a vendor sec roll-your-own.
Created attachment 170965 [details] gnutls-2.4.1-r1.ebuild
Thanks, Jeroen. Stable for sparc.
HPPA is OK.
Looks good on amd64/x86. Please note:

dodoc: doc/tex/gnutls.ps does not exist
>>> Completed installing gnutls-2.4.1-r1 into /var/tmp/portage/net-libs/gnutls-2.4.1-r1/image/
Looks okay on alpha/ia64/sparc
This is now public, please commit with the keywords gathered in this bug.
(In reply to comment #13)
> This is now public, please commit with the keywords gathered in this bug.

Committed to the tree.

Stable: alpha amd64 hppa ia64 sparc x86

Remaining arches, please test and mark stable:
Remaining targets: arm m68k ppc ppc64 s390 sh
(In reply to comment #14)
> Remaining arches, please test and mark stable:
> Remaining targets: arm m68k ppc ppc64 s390 sh

=net-libs/gnutls-2.4.1-r1, that is.

Daniel, please fix ~arch as well now, either by patching or bumping to 2.6.1 (thanks to Arfrever, who reminded me on IRC).
Ebuilds fixed: >=gnutls-2.4.1-r1 is fixed for this vulnerability. Thanks all, good work.
ppc64 stable
ppc stable
May I interrupt you here? It seems the fix causes bug 246976, which has been re-fixed by gnutls upstream. Could we reiterate the whole process, please?
Back to [ebuild] then, waiting for a regression-free version...
(In reply to comment #20)
> Back to [ebuild] then, waiting for a regression-free version...

Thanks, folks. Regression-free versions of gnutls-2.4.1-r2.ebuild and gnutls-2.6.0-r2.ebuild added. Regression versions of -r1 removed. All stable - the first chunk of the original patch was removed - the risk of stable failing this time is very small indeed.
Ready for vote, YES.
YES too, request filed.
As for me, it is a B4. Comment if you disagree. And Severity for B3 = Severity for B4 = Minor.
GLSA 200901-10