Debian Patches
Status for gnutls28/3.8.9-3
Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
14_version_gettextcat.diff | Version filename of locale data (gnutls30.mo instead of gnutls.mo) This is necessary to make e.g. libgnutls26 and libgnutls28 co-installable. | Andreas Metzler <ametzler@debian.org> | no | | | 2023-06-03 |
40_srptest_doubletimeout.diff | Increase timeout for srp test, fixing build error on mipsel | Andreas Metzler <ametzler@debian.org> | yes | upstream | vendor | 2023-06-03 |
41_run_cligen_on_debian.diff | Check for python on Debian builds, un-disables running cligen | Andreas Metzler <ametzler@debian.org> | not-needed | | vendor | 2025-02-08 |
45_lib-x509-x509_ext.c-Add-gnutls_free-to-avoid-memory-.patch | [PATCH] lib/x509/x509_ext.c: Add gnutls_free() to avoid memory leak Add gnutls_free() to free ooc if subject_alt_names_set() fails to avoid memory leak. | Jiasheng Jiang <jian1000@purdue.edu> | no | | | 2025-07-05 |
46_lib-hello_ext.c-Add-gnutls_free-to-avoid-memory-leak.patch | [PATCH] lib/hello_ext.c: Add gnutls_free() to avoid memory leak Add gnutls_free() to free tmp_mod.name in the error handling to avoid memory leak. | Jiasheng Jiang <jian1000@purdue.edu> | no | | | 2025-07-05 |
47_0001-x509-fix-read-buffer-overrun-in-SCT-timestamps.patch | [PATCH 1/6] x509: fix read buffer overrun in SCT timestamps Prevent reading beyond heap buffer in call to _gnutls_parse_ct_sct when processing x509 Signed Certificate Timestamps with certain malformed data. Spotted by oss-fuzz at: https://issues.oss-fuzz.com/issues/42530513 | Andrew Hamilton <adhamilt@gmail.com> | no | | | 2025-07-07 |
47_0002-psk-fix-read-buffer-overrun-in-the-pre_shared_key-ex.patch | [PATCH 2/6] psk: fix read buffer overrun in the "pre_shared_key" extension While processing the "pre_shared_key" extension in TLS 1.3, if there are certain malformed data in the extension headers, then the code may read uninitialized memory (2 bytes) beyond the received TLS extension buffer. Spotted by oss-fuzz at: https://issues.oss-fuzz.com/issues/42513990 | Andrew Hamilton <adhamilt@gmail.com> | no | | | 2025-07-07 |
47_0003-x509-reject-zero-length-version-in-certificate-reque.patch | [PATCH 3/6] x509: reject zero-length version in certificate request Ensure zero size asn1 values are considered invalid in gnutls_x509_crq_get_version, this ensures crq version is not used uninitialized. Spotted by oss-fuzz at: https://issues.oss-fuzz.com/issues/42536706 | Andrew Hamilton <adhamilt@gmail.com> | no | | | 2025-07-07 |
47_0004-x509-avoid-double-free-when-exporting-othernames-in-.patch | [PATCH 4/6] x509: avoid double free when exporting othernames in SAN Previously, the _gnutls_write_new_othername function, called by gnutls_x509_ext_export_subject_alt_names to export "otherName" in a certificate's SAN extension, freed the caller allocated ASN.1 structure upon error, resulting in a potential double-free. Reported by OpenAI Security Research Team. | Daiki Ueno <ueno@gnu.org> | no | | | 2025-07-07 |
47_0005-certtool-avoid-1-byte-write-buffer-overrun-when-pars.patch | [PATCH 5/6] certtool: avoid 1-byte write buffer overrun when parsing template Previously, when parsing a template file with a number of key value pairs, certtool could write a NUL byte after the heap buffer, causing a memory corruption. This fixes the issue by allocating the NUL byte. Reported by David Aitel. | Daiki Ueno <ueno@gnu.org> | no | | | 2025-07-07 |
47_0006-handshake-clear-HSK_PSK_SELECTED-is-when-resetting-b.patch | [PATCH 6/6] handshake: clear HSK_PSK_SELECTED is when resetting binders When a TLS 1.3 handshake involves HRR and resumption or PSK, and the second Client Hello omits PSK, the server would result in a NULL pointer dereference as the PSK binder information is cleared while the HSK_PSK_SELECTED flag is still set. This makes sure that HSK_PSK_SELECTED flag is always cleared when the PSK binders are reset. This also makes it clear the HSK_PSK_SELECTED flag is valid only during a handshake; after that, whether PSK is used can be checked with gnutls_auth_client_get_type. Reported by Stefan Bühler. | Daiki Ueno <ueno@gnu.org> | no | | | 2025-07-07 |
All known versions for source package 'gnutls28'
- 3.8.10-2 (sid)
- 3.8.9-3 (trixie, forky)
- 3.7.9-2+deb12u5 (bookworm-security, bookworm)