Compare commits
3 Commits
| Author | SHA1 | Date |
|---|---|---|
Tomas Mraz
|
5db784ae45 | |
|
Tomas Mraz
|
7ec95e726c | |
|
Tomas Mraz
|
8daaff1b68 |
|
|
@ -19,3 +19,4 @@ gnutls-2.10.1-nosrp.tar.bz2
|
|||
/gnutls-2.12.20-nosrp.tar.xz
|
||||
/gnutls-2.12.21-nosrp.tar.xz
|
||||
/gnutls-2.12.22-nosrp.tar.xz
|
||||
/gnutls-2.12.23-nosrp.tar.xz
|
||||
|
|
|
|||
|
|
@ -0,0 +1,34 @@
|
|||
diff -up gnutls-2.12.23/lib/gnutls_cipher.c.overread gnutls-2.12.23/lib/gnutls_cipher.c
|
||||
--- gnutls-2.12.23/lib/gnutls_cipher.c.overread 2013-02-04 09:53:03.000000000 +0100
|
||||
+++ gnutls-2.12.23/lib/gnutls_cipher.c 2013-05-31 16:38:00.771256253 +0200
|
||||
@@ -506,7 +506,9 @@ _gnutls_ciphertext2compressed (gnutls_se
|
||||
unsigned int pad = 0;
|
||||
int length;
|
||||
uint16_t blocksize;
|
||||
- int ret, i, pad_failed = 0;
|
||||
+ int ret, i;
|
||||
+ unsigned int tmp_pad_failed = 0;
|
||||
+ unsigned int pad_failed = 0;
|
||||
opaque preamble[PREAMBLE_SIZE];
|
||||
int preamble_size = 0;
|
||||
int ver = gnutls_protocol_get_version (session);
|
||||
@@ -566,13 +568,14 @@ _gnutls_ciphertext2compressed (gnutls_se
|
||||
* Note that we access all 256 bytes of ciphertext for padding check
|
||||
* because there is a timing channel in that memory access (in certain CPUs).
|
||||
*/
|
||||
- if (_gnutls_version_has_variable_padding (ver) && pad_failed == 0)
|
||||
- for (i = 2; i <= pad; i++)
|
||||
+ if (_gnutls_version_has_variable_padding (ver))
|
||||
+ for (i = 2; i <= MIN(256, ciphertext.size); i++)
|
||||
{
|
||||
- if (ciphertext.data[ciphertext.size - i] != pad)
|
||||
- pad_failed = GNUTLS_E_DECRYPTION_FAILED;
|
||||
+ tmp_pad_failed |= (ciphertext.data[ciphertext.size - i] != pad);
|
||||
+ pad_failed |= ((i<= (1+pad)) & (tmp_pad_failed));
|
||||
}
|
||||
-
|
||||
+
|
||||
+ pad_failed |= 1+pad > ((int) ciphertext.size - hash_size);
|
||||
if (pad_failed)
|
||||
pad = 0;
|
||||
length = ciphertext.size - hash_size - pad - 1;
|
||||
12
gnutls.spec
12
gnutls.spec
|
|
@ -1,7 +1,7 @@
|
|||
Summary: A TLS protocol implementation
|
||||
Name: gnutls
|
||||
Version: 2.12.22
|
||||
Release: 1%{?dist}
|
||||
Version: 2.12.23
|
||||
Release: 2%{?dist}
|
||||
# The libgnutls library is LGPLv2+, utilities and remaining libraries are GPLv3+
|
||||
License: GPLv3+ and LGPLv2+
|
||||
Group: System Environment/Libraries
|
||||
|
|
@ -25,6 +25,7 @@ Patch4: gnutls-2.12.7-dsa-skiptests.patch
|
|||
Patch6: gnutls-2.12.20-cli-debug-manpage.patch
|
||||
# Use only FIPS approved ciphers in the FIPS mode
|
||||
Patch7: gnutls-2.12.21-fips-algorithms.patch
|
||||
Patch8: gnutls-2.12.23-cve-2013-2116.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
Requires: libgcrypt >= 1.2.2
|
||||
|
|
@ -97,6 +98,7 @@ This package contains Guile bindings for the library.
|
|||
%patch4 -p1 -b .skiptests
|
||||
%patch6 -p1 -b .cli-debug
|
||||
%patch7 -p1 -b .fips
|
||||
%patch8 -p1 -b .overread
|
||||
|
||||
for i in auth_srp_rsa.c auth_srp_sb64.c auth_srp_passwd.c auth_srp.c gnutls_srp.c ext_srp.c; do
|
||||
touch lib/$i
|
||||
|
|
@ -198,6 +200,12 @@ fi
|
|||
%{_datadir}/guile/site/gnutls.scm
|
||||
|
||||
%changelog
|
||||
* Fri May 31 2013 Tomas Mraz <tmraz@redhat.com> 2.12.23-2
|
||||
- fix CVE-2013-2116 - regression from the TLS-CBC timing attack fix (#966754)
|
||||
|
||||
* Thu Feb 21 2013 Tomas Mraz <tmraz@redhat.com> 2.12.23-1
|
||||
- new upstream version fixing TLS-CBC timing attack
|
||||
|
||||
* Tue Jan 8 2013 Tomas Mraz <tmraz@redhat.com> 2.12.22-1
|
||||
- new upstream version
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue