Bug#: 245850
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>

Attachments:
Filename | Description | Type | Creator | Created | Size
gnutls-2.2.5-selfsigned-trust.patch | gnutls-2.2.5-selfsigned-trust.patch | patch | Robert Buchholz | 2008-11-06 17:58 0000 | 1.81 KB
gnutls-2.2.5-selfsigned-trust.patch | gnutls-2.2.5-selfsigned-trust.patch | text/plain | Daniel Black | 2008-11-06 20:19 0000 | 1.81 KB
gnutls-2.2.5-selfsigned-trust.patch | gnutls-2.2.5-selfsigned-trust.patch | patch | Daniel Black | 2008-11-07 05:54 0000 | 1.21 KB
gnutls-2.4.1-r1.ebuild | gnutls-2.4.1-r1.ebuild | text/plain | Jeroen Roovers | 2008-11-07 07:20 0000 | 2.06 KB

Bug 245850 depends on: 246976



Description:   Opened: 2008-11-06 17:55 0000
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Martin von Gagern discovered that GnuTLS allows man-in-the-middle attacks via
self-signed certificates that are appended to a certificate chain.

------- Comment #1 From Robert Buchholz 2008-11-06 17:58:19 0000 -------
Created an attachment (id=170927)
gnutls-2.2.5-selfsigned-trust.patch

Upstream approved patch.

------- Comment #2 From Robert Buchholz 2008-11-06 18:00:45 0000 -------
Daniel, can you prepare an ebuild with the patch and attach it to this bug. Do
not commit anything to CVS, we will handle prestable testing on this bug.

------- Comment #3 From Daniel Black 2008-11-06 20:19:41 0000 -------
Created an attachment (id=170942)
gnutls-2.2.5-selfsigned-trust.patch

contains whitespace correction.

epatch "${FILESDIR}"/${P}-selfsigned-trust.patch
 or 
epatch "${FILESDIR}"/${PN}-2.2.5-selfsigned-trust.patch

is sufficient. I've tested this patch applied before the other patches for all
versions though I doubt there will be conflicts.

Note gnutls-2.6.0 has an openpgp selftest failure and the test has been
determined to be the problem (https://savannah.gnu.org/support/?106543).

I'm happy for either of gnutls-2.2.5-r1 or gnutls-2.4.1-r1 to go stable (as
amended) so for the sec advisory can we just list >=gnutls-2.2.5-r1 and I'll
purge gnutls-2.4.1 and all will be good. Acceptable?

------- Comment #4 From Robert Buchholz 2008-11-07 00:40:32 0000 -------
(In reply to comment #3)
> contains whitespace correction.

Sorry, I accidentally attached the unclean patch even though I corrected the
whitespace myself :-/

> I'm happy for either of gnutls-2.2.5-r1 or gnutls-2.4.1-r1 to go stable (as
> amended) so for the sec advisory can we just list >=gnutls-2.2.5-r1 and I'll
> purge gnutls-2.4.1 and all will be good. Acceptable?

Yes, fine with me. As it might be preferable to have the same version stable
across all arches, and since 2.4.1 is in the tree for several months now, let's
go with:
 =net-libs/gnutls-2.4.1-r1

Arch Security Liaisons, please test and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : yoswink, armin76
   amd64 : keytoaster, tester
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
   sparc : fmccor
     x86 : maekke, armin76

------- Comment #5 From Ferris McCormick 2008-11-07 00:51:14 0000 -------
What am I missing?  Do we make our own ebuild for gnutls-2.4.1-r1 or what?

------- Comment #6 From Jeroen Roovers 2008-11-07 05:30:48 0000 -------
Hmm, I tried attachment #170942 but it failed to apply to 2.4.1:

PATCH COMMAND:   patch -p1 -g0 -E --no-backup-if-mismatch < /keeps/gentoo/local/net-libs/gnutls/files/gnutls-2.2.5-selfsigned-trust.patch

===============================================
patching file lib/x509/verify.c
Hunk #1 succeeded at 376 (offset 2 lines).
Hunk #2 FAILED at 425.
1 out of 2 hunks FAILED -- saving rejects to file lib/x509/verify.c.rej
===============================================

------- Comment #7 From Daniel Black 2008-11-07 05:54:19 0000 -------
Created an attachment (id=170962)
gnutls-2.2.5-selfsigned-trust.patch

did the dumb thing and uploaded the same file I downloaded. Sorry folks.

If I did it again:
EPATCH_OPTS="--ignore-whitespace" \
      epatch ...

Sorry this is a vendor sec roll your own

------- Comment #8 From Jeroen Roovers 2008-11-07 07:20:57 0000 -------
Created an attachment (id=170965)
gnutls-2.4.1-r1.ebuild

------- Comment #9 From Ferris McCormick 2008-11-07 13:18:51 0000 -------
Thanks, Jeroen.  Stable for sparc.

------- Comment #10 From Jeroen Roovers 2008-11-07 16:51:44 0000 -------
HPPA is OK.

------- Comment #11 From Markus Meier 2008-11-08 15:24:14 0000 -------
looks good on amd64/x86. please note:

dodoc: doc/tex/gnutls.ps does not exist
>>> Completed installing gnutls-2.4.1-r1 into /var/tmp/portage/net-libs/gnutls-2.4.1-r1/image/

------- Comment #12 From Raúl Porcel 2008-11-08 17:28:00 0000 -------
Looks okay on alpha/ia64/sparc

------- Comment #13 From Robert Buchholz 2008-11-10 13:19:57 0000 -------
This is now public, please commit with the keywords gathered in this bug.

------- Comment #14 From Christian Hoffmann 2008-11-10 15:03:59 0000 -------
(In reply to comment #13)
> This is now public, please commit with the keywords gathered in this bug.
Committed to the tree.

Stable: alpha amd64 hppa ia64 sparc x86

Remaining arches, please test and mark stable:
Remaining targets: arm m68k ppc ppc64 s390 sh

------- Comment #15 From Christian Hoffmann 2008-11-10 15:32:29 0000 -------
(In reply to comment #14)
> Remaining arches, please test and mark stable:
> Remaining targets: arm m68k ppc ppc64 s390 sh
=net-libs/gnutls-2.4.1-r1, that is.

Daniel, please fix ~arch as well now, either by patching or bumping to 2.6.1
(thanks to Arfrever, who reminded me on IRC).

------- Comment #16 From Daniel Black 2008-11-10 19:56:35 0000 -------
ebuilds fixed >=gnutls-2.4.1-r1 is fixed from this vulnerability. Thanks all.
good work.

------- Comment #17 From Markus Rothe 2008-11-12 18:28:14 0000 -------
ppc64 stable

------- Comment #18 From Tobias Scherbaum 2008-11-15 17:58:48 0000 -------
ppc stable

------- Comment #19 From Christian Faulhammer 2008-11-17 15:23:34 0000 -------
May I interrupt you here.  It seems the fix causes bug 246976, which has been
refixed by gnutls upstream.  Could we reiterate the whole process please.

------- Comment #20 From Christian Hoffmann 2008-11-17 16:34:24 0000 -------
Back to [ebuild] then, waiting for a regression-free version...

------- Comment #21 From Daniel Black 2008-11-18 12:00:16 0000 -------
(In reply to comment #20)
> Back to [ebuild] then, waiting for a regression-free version...

Thanks folks. Regression free versions of gnutls-2.4.1-r2.ebuild and
gnutls-2.6.0-r2.ebuild added. regression versions of -r1 removed. All stable -
the first chunk of the original patch was removed - risk of stable failing this
time is very small indeed.

------- Comment #22 From Robert Buchholz 2008-11-27 17:26:39 0000 -------
ready for vote, YES

------- Comment #23 From Tobias Heinlein 2008-11-30 19:05:43 0000 -------
YES too, request filed.

------- Comment #24 From Raphael Marichez 2009-01-12 23:21:49 0000 -------
As for me is a B4. Comment if you disagree.

And Severity for B3 = Severity for B4 = Minor.

------- Comment #25 From Pierre-Yves Rofes 2009-01-14 22:58:43 0000 -------
GLSA 200901-10
