Debian Patches

Status for gnutls28/3.8.9-3+deb13u2

Patch Description Author Forwarded Bugs Origin Last update
14_version_gettextcat.diff Version filename of locale data (gnutls30.mo instead of gnutls.mo) This is necessary to make e.g. libgnutls26 and libgnutls28
co-installable.		 Andreas Metzler <ametzler@debian.org> no 2023-06-03
40_srptest_doubletimeout.diff Increase timeout for srp test, fixing build error on mipsel Andreas Metzler <ametzler@debian.org> yes upstream vendor 2023-06-03
41_run_cligen_on_debian.diff Check for python on Debian builds, un-disables running cligen Andreas Metzler <ametzler@debian.org> not-needed vendor 2025-02-08
45_lib-x509-x509_ext.c-Add-gnutls_free-to-avoid-memory-.patch lib/x509/x509_ext.c: Add gnutls_free() to avoid memory leak
Add gnutls_free() to free ooc if subject_alt_names_set() fails to avoid memory leak.		 Jiasheng Jiang <jian1000@purdue.edu> no 2025-07-05
46_lib-hello_ext.c-Add-gnutls_free-to-avoid-memory-leak.patch lib/hello_ext.c: Add gnutls_free() to avoid memory leak
Add gnutls_free() to free tmp_mod.name in the error handling to avoid memory leak.		 Jiasheng Jiang <jian1000@purdue.edu> no 2025-07-05
47_0001-x509-fix-read-buffer-overrun-in-SCT-timestamps.patch [PATCH 1/6] x509: fix read buffer overrun in SCT timestamps
Prevent reading beyond heap buffer in call to _gnutls_parse_ct_sct
when processing x509 Signed Certificate Timestamps with certain
malformed data. Spotted by oss-fuzz at:
https://issues.oss-fuzz.com/issues/42530513		 Andrew Hamilton <adhamilt@gmail.com> no 2025-07-07
47_0002-psk-fix-read-buffer-overrun-in-the-pre_shared_key-ex.patch [PATCH 2/6] psk: fix read buffer overrun in the "pre_shared_key" extension

While processing the "pre_shared_key" extension in TLS 1.3, if there
are certain malformed data in the extension headers, then the code may
read uninitialized memory (2 bytes) beyond the received TLS extension
buffer. Spotted by oss-fuzz at:
https://issues.oss-fuzz.com/issues/42513990		 Andrew Hamilton <adhamilt@gmail.com> no 2025-07-07
47_0003-x509-reject-zero-length-version-in-certificate-reque.patch [PATCH 3/6] x509: reject zero-length version in certificate request
Ensure zero size asn1 values are considered invalid in
gnutls_x509_crq_get_version, this ensures crq version is not used
uninitialized. Spotted by oss-fuzz at:
https://issues.oss-fuzz.com/issues/42536706		 Andrew Hamilton <adhamilt@gmail.com> no 2025-07-07
47_0004-x509-avoid-double-free-when-exporting-othernames-in-.patch [PATCH 4/6] x509: avoid double free when exporting othernames in SAN
Previously, the _gnutls_write_new_othername function, called by
gnutls_x509_ext_export_subject_alt_names to export "otherName" in a
certificate's SAN extension, freed the caller allocated ASN.1
structure upon error, resulting in a potential double-free.

Reported by OpenAI Security Research Team.		 Daiki Ueno <ueno@gnu.org> no 2025-07-07
47_0005-certtool-avoid-1-byte-write-buffer-overrun-when-pars.patch [PATCH 5/6] certtool: avoid 1-byte write buffer overrun when parsing template

Previously, when parsing a template file with a number of key value
pairs, certtool could write a NUL byte after the heap buffer, causing
a memory corruption. This fixes the issue by allocating the NUL byte.
Reported by David Aitel.		 Daiki Ueno <ueno@gnu.org> no 2025-07-07
47_0006-handshake-clear-HSK_PSK_SELECTED-is-when-resetting-b.patch [PATCH 6/6] handshake: clear HSK_PSK_SELECTED is when resetting binders

When a TLS 1.3 handshake involves HRR and resumption or PSK, and the
second Client Hello omits PSK, the server would result in a NULL
pointer dereference as the PSK binder information is cleared while the
HSK_PSK_SELECTED flag is still set. This makes sure that
HSK_PSK_SELECTED flag is always cleared when the PSK binders are
reset. This also makes it clear the HSK_PSK_SELECTED flag is valid
only during a handshake; after that, whether PSK is used can be
checked with gnutls_auth_client_get_type.

Reported by Stefan Bühler.		 Daiki Ueno <ueno@gnu.org> no 2025-07-07
48_0001-pkcs11-try-to-initialize-modules-in-thread-safe-mode.patch pkcs11: try to initialize modules in thread-safe mode
When modules are initialized without CKF_OS_LOCKING_OK nor custom
locking functions, they may skip their internal locking assuming that
the applications will take care of thread-safety, which is costly and
GnuTLS currently doesn't do that.

To mitigate this, this patch changes the module initialization code to
tell the modules to guarantee thread-safety by themselves. If they are
unable to do that, this falls back to the normal initialization
without C_Initialize parameters. This also omits the custom_init flag,
which indicated whether the module is initialized with
p11_kit_module_initialize or a direct call to C_Initialize, now that
modules are always initialized with C_Initialize.		 Daiki Ueno <ueno@gnu.org> no 2025-09-02
48_0002-pkcs11-avoid-stack-overwrite-when-initializing-a-tok.patch pkcs11: avoid stack overwrite when initializing a token
If gnutls_pkcs11_token_init is called with label longer than 32
characters, the internal storage used to blank-fill it would
overflow. This adds a guard to prevent that.		 Daiki Ueno <ueno@gnu.org> no 2025-11-18
49_x509-fix-incorrect-handling-in-name-constraints-merg.patch x509: fix incorrect handling in name constraints merging
As mentioned in commit ca573d65 ("x509: Fix asymmetry in name
constraints intersection", 2016-07-29), the
_gnutls_name_constraints_intersect function exhibited an
asymmetry in name constraints intersection behavior, specifically
manifested as:
1. Nodes of unique types in PERMITTED (absent in PERMITTED2) were
preserved
2. Nodes of unique types in PERMITTED2 (absent in PERMITTED) were
discarded

A 'used' flag was introduced, where if a node from PERMITTED2 was
not used for the intersection, it would be copied to PERMITTED.

However,an unresolved edge case persisted:
- When 'removed.size > 0', the 'used' flag was unconditionally set
to 1
- This prevented copying of PERMITTED2 nodes with unique types		 chenjianhu <chenjianhu@kylinos.cn> no 2025-08-01
50_0001-x509-name_constraints-use-actual-zeroes-in-universal.patch [PATCH 1/9] x509/name_constraints: use actual zeroes in universal exclude IP NC Alexander Sosedkin <asosedkin@redhat.com> no 2026-01-26
50_0002-tests-name-constraints-ip-stop-swallowing-errors.patch [PATCH 2/9] tests/name-constraints-ip: stop swallowing errors...
... now when it started to pass		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-01-26
50_0003-x509-name_constraints-reject-some-malformed-domain-n.patch [PATCH 3/9] x509/name_constraints: reject some malformed domain names Alexander Sosedkin <asosedkin@redhat.com> no 2026-01-26
50_0004-x509-name_constraints-name_constraints_node_add_-new.patch [PATCH 4/9] x509/name_constraints: name_constraints_node_add_{new,copy} Alexander Sosedkin <asosedkin@redhat.com> no 2026-02-05
50_0005-x509-name_constraints-introduce-a-rich-comparator.patch [PATCH 5/9] x509/name_constraints: introduce a rich comparator
These are preparatory changes before implementing N * log N intersection
over sorted lists of constraints.		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-01-26
50_0006-x509-name_constraints-add-sorted_view-in-preparation.patch [PATCH 6/9] x509/name_constraints: add sorted_view in preparation...
... for actually using it later for performance gains.		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-02-04
50_0007-x509-name_constraints-implement-name_constraints_nod.patch [PATCH 7/9] x509/name_constraints: implement name_constraints_node_list_union Alexander Sosedkin <asosedkin@redhat.com> no 2026-02-04
50_0008-x509-name_constraints-make-types_with_empty_intersec.patch [PATCH 8/9] x509/name_constraints: make types_with_empty_intersection a bitmask Alexander Sosedkin <asosedkin@redhat.com> no 2026-02-04
50_0009-x509-name_constraints-name_constraints_node_list_int.patch [PATCH 9/9] x509/name_constraints: name_constraints_node_list_intersect over sorted Alexander Sosedkin <asosedkin@redhat.com> no 2026-02-04

All known versions for source package 'gnutls28'

Links