Bug 726650 - net-libs/gnutls-3.6.13 mishandles expired root certificates by ignoring a valid one in the chain
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
URL: https://gitlab.com/gnutls/gnutls/-/me...
Reported: 2020-06-01 14:25 UTC by Mart Raudsepp
Modified: 2020-06-02 17:13 UTC
Description Mart Raudsepp gentoo-dev 2020-06-01 14:25:27 UTC
net-libs/gnutls-3.6.13 fails to properly handle TLS certificate expiry in a chain of certificates, effectively breaking, since today, HTTPS sites that ought to continue working, due to the expiration of the AddTrust root certificate.
For example, adblockplus filters for epiphany can't be retrieved anymore.

https://mail.gnome.org/archives/distributor-list/2020-June/msg00000.html
https://gitlab.com/gnutls/gnutls/-/issues/1008
https://gitlab.com/gnutls/gnutls/-/merge_requests/1271
https://gitlab.com/gnutls/gnutls/-/merge_requests/1271.patch

Please consider it urgent to get the last link patch included in a stable revision.
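
The failure mode reported above, as an added, simplified model that is not part of the original report and is not GnuTLS code: a verifier that insists on validating every certificate the server sent fails once the old root expires, while one that stops at the first certificate issued by an unexpired trust anchor keeps working. The certificate names, keys, dates other than the report date, and the cross-signed layout are constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime, timezone

# signer_key stands in for a real signature check against the issuer's key.
Cert = namedtuple("Cert", "subject issuer key signer_key not_after")

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed placeholder certificates (not real ones).
OLD_ROOT = Cert("Old Root", "Old Root", "k-old", "k-old", utc(2020, 5, 30))
NEW_ROOT = Cert("New Root", "New Root", "k-new", "k-new", utc(2038, 1, 1))
CROSS = Cert("New Root", "Old Root", "k-new", "k-old", utc(2020, 5, 30))
INTER = Cert("Intermediate", "New Root", "k-int", "k-new", utc(2030, 1, 1))
LEAF = Cert("www.example.test", "Intermediate", "k-leaf", "k-int", utc(2021, 1, 1))

TRUST_STORE = [OLD_ROOT, NEW_ROOT]   # expired root still installed locally
SENT_CHAIN = [LEAF, INTER, CROSS]    # server still sends the cross-signed cert

def find_anchor(cert, store, now):
    """Return an unexpired trust anchor that issued `cert`, or None."""
    for root in store:
        if (root.subject == cert.issuer and root.key == cert.signer_key
                and now <= root.not_after):
            return root
    return None

def links_ok(chain):
    """Each certificate must be issued by the next one in the list."""
    return all(c.issuer == p.subject and c.signer_key == p.key
               for c, p in zip(chain, chain[1:]))

def verify_full_chain_only(chain, store, now):
    """Flawed model: every sent certificate must validate up to the last issuer."""
    if not links_ok(chain) or any(now > c.not_after for c in chain):
        return False
    return find_anchor(chain[-1], store, now) is not None

def verify_shortest_trusted_path(chain, store, now):
    """Accept at the first certificate issued by an unexpired trust anchor."""
    for i, cert in enumerate(chain):
        if now > cert.not_after:
            return False
        if find_anchor(cert, store, now):
            return True          # the rest of the sent chain is irrelevant
        if i + 1 < len(chain) and not links_ok(chain[i:i + 2]):
            return False
    return False
```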
Comment 1 Larry the Git Cow gentoo-dev 2020-06-01 19:17:26 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7402bdfcb5c3017b29d80d60312804b4b3fbebd

commit f7402bdfcb5c3017b29d80d60312804b4b3fbebd
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-06-01 19:01:34 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-06-01 19:17:15 +0000

    net-libs/gnutls: rev bump to fix handling of expired root certificates
    
    Link: https://gitlab.com/gnutls/gnutls/-/issues/1008
    Closes: https://bugs.gentoo.org/726650
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 ...s-3.6.13-handle-expired-root-certificates.patch | 391 +++++++++++++++++++++
 ...nutls-3.6.13.ebuild => gnutls-3.6.13-r1.ebuild} |   2 +
 2 files changed, 393 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2020-06-02 17:13:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=617b767f5022f81117e028e258d8b0e008594a31

commit 617b767f5022f81117e028e258d8b0e008594a31
Author:     Robin H. Johnson <robbat2@gentoo.org>
AuthorDate: 2020-06-02 16:48:35 +0000
Commit:     Robin H. Johnson <robbat2@gentoo.org>
CommitDate: 2020-06-02 17:13:18 +0000

    app-misc/ca-certificates: bump
    
    Bump to unreleased latest Debian sources which haven't been formally
    announced but are available via the Debian git systems.
    
    Removes expired AddTrust External CA root causing problems with GnuTLS &
    OpenSSL 1.0.
    
    Closes: https://bugs.gentoo.org/726412
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=726650
    Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>

 app-misc/ca-certificates/Manifest                  |   1 +
 .../ca-certificates-20200601.3.53.ebuild           | 192 +++++++++++++++++++++
 2 files changed, 193 insertions(+)