
Update gnutls to 3.6.7 & convert to ypkg
ClosedPublic

Authored by kyrios123 on May 1 2019, 12:36 PM.

Details

Summary
  • libgnutls, gnutls tools: Every gnutls_free() will automatically set the freed pointer to NULL. This prevents possible use-after-free and double free issues. Use-after-free will be turned into NULL dereference. The counter-measure does not extend to applications using gnutls_free().
  • libgnutls: Fixed a memory corruption (double free) vulnerability in the certificate verification API. Reported by Tavis Ormandy; addressed with the change above.
  • libgnutls: Fixed an invalid pointer access via malformed TLS1.3 async messages.
  • libgnutls: enforce key usage limitations on certificates more actively. Previously we would enforce it for TLS1.2 protocol, now we enforce it even when TLS1.3 is negotiated, or on client certificates as well. When a certificate inappropriate for TLS1.3 is seen on the credentials structure GnuTLS will disable TLS1.3 support for that session.
  • libgnutls: the default number of tickets sent under TLS 1.3 was increased to two. This makes it easier for clients which perform multiple connections to the server to use the tickets sent by a default server.
  • libgnutls: enforce the equality of the two signature parameters fields in a certificate. We were already enforcing the signature algorithm, but there was a bug in parameter checking code.
  • libgnutls: fixed issue preventing sending and receiving from different threads when false start was enabled.
  • libgnutls: the flag GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO now implies a writable session, as non-writeable security officer sessions are undefined in PKCS#11.
  • libgnutls: no longer send downgrade sentinel in TLS 1.3. Previously the sentinel value was embedded too early in version negotiation and was sent even on TLS 1.3. It is now sent only when TLS 1.2 or earlier is negotiated.
  • gnutls-cli: Added option --logfile to redirect informational messages output.

Reference task: T7770
Depends on PR #15
Signed-off-by: Pierre-Yves <pyu@riseup.net>
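The first summary item describes a free-and-null countermeasure and its limit (it covers only the library's own gnutls_free() call sites, not pointers an application holds). The following is an added, stand-alone C illustration of that mechanism; it is not GnuTLS code, and the `demo_free` macro and `struct blob` type are hypothetical stand-ins for the library's internal macro and its freed objects.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical free-and-null macro modelled on the behaviour the release
 * note describes: free the block, then overwrite the lvalue with NULL.
 * This is illustration code, not the GnuTLS implementation. */
#define demo_free(p) do { free(p); (p) = NULL; } while (0)

/* An owned buffer, standing in for a certificate-like library object. */
struct blob {
    unsigned char *data;
    size_t len;
};

static struct blob blob_new(const unsigned char *src, size_t len) {
    struct blob b;
    b.data = malloc(len);
    if (b.data != NULL)
        memcpy(b.data, src, len);
    b.len = len;
    return b;
}

/* Error path that releases the same object twice. With plain free() this
 * is a double free; with the nulling macro the second call is free(NULL),
 * which is a defined no-op. Returns 1 when the pointer is NULL afterwards. */
int double_release_is_harmless(void) {
    static const unsigned char sample[] = "constructed sample bytes";
    struct blob b = blob_new(sample, sizeof sample);
    demo_free(b.data);   /* first release: frees and nulls */
    demo_free(b.data);   /* second release: free(NULL), nothing happens */
    return b.data == NULL;
}

/* A stale read after release becomes a NULL check (or a NULL dereference
 * if unchecked) instead of a read from freed memory.
 * Returns the first byte, or -1 because the pointer was nulled. */
int read_after_release(void) {
    static const unsigned char sample[] = { 0x30, 0x82 };
    struct blob b = blob_new(sample, sizeof sample);
    demo_free(b.data);
    if (b.data == NULL)  /* dereferencing here would have been a UAF */
        return -1;
    return b.data[0];
}

/* The caveat: the macro only nulls the variable it is handed. A copy of
 * the pointer held elsewhere, such as one an application kept after calling
 * the plain function, still dangles. Returns 1 if the alias is non-NULL
 * while the original field was nulled. The alias is never dereferenced. */
int alias_still_dangles(void) {
    static const unsigned char sample[] = "alias";
    struct blob b = blob_new(sample, sizeof sample);
    unsigned char *alias = b.data;   /* second reference outside the macro's reach */
    demo_free(b.data);
    return alias != NULL && b.data == NULL;
}

int main(void) {
    printf("double release harmless: %d\n", double_release_is_harmless());
    printf("read after release:      %d\n", read_after_release());
    printf("alias still dangles:     %d\n", alias_still_dangles());
    return 0;
}
```

The third function is the point of the "does not extend to applications" sentence: nulling is a property of the call site's lvalue, so every other copy of the pointer keeps its old value and must be managed by its owner.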

Test Plan

Currently rebuilding rev. deps locally

Diff Detail

Repository
R1027 gnutls
Branch
master
Lint
No Linters Available
Unit
No Unit Test Coverage
kyrios123 created this revision. May 1 2019, 12:36 PM
kyrios123 requested review of this revision. May 1 2019, 12:36 PM
kyrios123 edited the summary of this revision. May 1 2019, 12:40 PM
JoshStrobl requested changes to this revision. May 1 2019, 1:16 PM
JoshStrobl added a subscriber: JoshStrobl.

Nice work on the conversion

package.yml, line 10:

This should not be necessary, we automatically add that component: https://github.com/getsolus/ypkg/blob/master/ypkg2/ypkgspec.py#L261

This revision now requires changes to proceed. May 1 2019, 1:16 PM
kyrios123 updated this revision to Diff 14901. May 1 2019, 2:01 PM

Drop programming.docs component as it's automatically added

DataDrake accepted this revision. May 5 2019, 1:55 PM
DataDrake added a subscriber: DataDrake.

LGTM. Thanks!

This revision was not accepted when it landed; it landed in state Needs Review. May 5 2019, 2:00 PM
This revision was automatically updated to reflect the committed changes.