diff -Nru gnutls26-2.12.14/debian/changelog gnutls26-2.12.14/debian/changelog
--- gnutls26-2.12.14/debian/changelog 2013-05-27 12:41:31.000000000 +0000
+++ gnutls26-2.12.14/debian/changelog 2014-02-24 19:01:03.000000000 +0000
@@ -1,3 +1,20 @@
+gnutls26 (2.12.14-5ubuntu3.6) precise-security; urgency=medium
+
+ * SECURITY UPDATE: incorrect v1 intermediate cert handling
+ - debian/patches/CVE-2014-1959.patch: don't consider a v1 intermediate
+ cert to be a valid CA by default in lib/x509/verify.c.
+ - CVE-2014-1959
+
+ -- Marc Deslauriers Mon, 24 Feb 2014 14:01:03 -0500
+
+gnutls26 (2.12.14-5ubuntu3.5) precise-proposed; urgency=low
+
+ * debian/patches/26_ignore_key_usage_violation.patch:
+ Prints debug message on key usage violation rather than treating
+ the violation as fatal. (LP: #1207123)
+
+ -- Adam Stokes Mon, 05 Aug 2013 11:57:10 -0400
+
 gnutls26 (2.12.14-5ubuntu3.4) precise-security; urgency=low
 
 * SECURITY UPDATE: denial of service via incorrect pad
diff -Nru gnutls26-2.12.14/debian/patches/26_ignore_key_usage_violation.patch gnutls26-2.12.14/debian/patches/26_ignore_key_usage_violation.patch
--- gnutls26-2.12.14/debian/patches/26_ignore_key_usage_violation.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnutls26-2.12.14/debian/patches/26_ignore_key_usage_violation.patch 2013-08-05 15:54:52.000000000 +0000
@@ -0,0 +1,23 @@
+## Description: Print debug on key usage violation error rather than treating as fatal
+## Origin/Author: Adam Stokes
+## Bug: http://pad.lv/1207123
+--- a/lib/gnutls_sig.c
++++ b/lib/gnutls_sig.c
+@@ -222,7 +222,7 @@
+ if (!(cert->key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
+ {
+ gnutls_assert ();
+- return GNUTLS_E_KEY_USAGE_VIOLATION;
++ _gnutls_debug_log("Key usage violation was detected (ignored).\n");
+ }
+
+ /* External signing. */
+@@ -292,7 +292,7 @@
+ if (!(cert->key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
+ {
+ gnutls_assert ();
+- return GNUTLS_E_KEY_USAGE_VIOLATION;
++ _gnutls_debug_log("Key usage violation was detected (ignored).\n");
+ }
+
+ if (pk_algo == GNUTLS_PK_UNKNOWN)
diff -Nru gnutls26-2.12.14/debian/patches/CVE-2014-1959.patch gnutls26-2.12.14/debian/patches/CVE-2014-1959.patch
--- gnutls26-2.12.14/debian/patches/CVE-2014-1959.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnutls26-2.12.14/debian/patches/CVE-2014-1959.patch 2014-02-24 19:00:58.000000000 +0000
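Review bot: Dropping `return GNUTLS_E_KEY_USAGE_VIOLATION;` in both inner hunks (@@ -222 and @@ -292) turns an RFC 5280 keyUsage violation into a debug-level message that is only visible when a log function and level have been configured, and control then continues into the signing code that follows (`/* External signing. */` and the `pk_algo` check), so the certificate whose key usage excludes digitalSignature is used to sign anyway; the enclosing functions start and end outside the hunk. Because this is applied unconditionally to every user of the library rather than as an opt-in, it would be safer to keep the fatal return as the default and make the relaxed behaviour depend on an explicit setting checked before the `if`, e.g. `if (!allow_key_usage_violation) return GNUTLS_E_KEY_USAGE_VIOLATION;` with the setting defaulting to off. At minimum the `## Description:` header should state that the check is disabled for all callers and which certificate it inspects, so later maintainers can judge the trade-off.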
@@ -0,0 +1,28 @@
+Backport of:
+
+From b1abfe3d182d68539900092eb42fc62cf1bb7e7c Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Wed, 12 Feb 2014 16:11:58 +0100
+Subject: [PATCH] Fix bug that prevented the rejection of v1 intermediate CA certificates.
+
+Reported by Suman Jana.
+---
+ lib/x509/verify.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+Index: gnutls26-2.12.23/lib/x509/verify.c
+===================================================================
+--- gnutls26-2.12.23.orig/lib/x509/verify.c 2014-02-24 13:54:39.320147502 -0500
++++ gnutls26-2.12.23/lib/x509/verify.c 2014-02-24 13:56:11.532148997 -0500
+@@ -644,8 +644,10 @@
+ /* note that here we disable this V1 CA flag. So that no version 1
+ * certificates can exist in a supplied chain.
+ */
+- if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
++ if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) {
+ flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
++ flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
++ }
+ if ((ret =
+ _gnutls_verify_certificate2 (certificate_list[i - 1],
+ &certificate_list[i], 1, flags,
diff -Nru gnutls26-2.12.14/debian/patches/series gnutls26-2.12.14/debian/patches/series
--- gnutls26-2.12.14/debian/patches/series 2013-05-27 12:41:18.000000000 +0000
+++ gnutls26-2.12.14/debian/patches/series 2014-02-24 19:00:58.000000000 +0000
@@ -9,3 +9,5 @@
 CVE-2013-1619.patch
 lp1095052.patch
 CVE-2013-2116.patch
+26_ignore_key_usage_violation.patch
+CVE-2014-1959.patch
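Review bot: The fix is the single added line `flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;` inside the intermediate-certificate loop, and it only has an effect if `_gnutls_verify_certificate2` in this 2.12.14 tree consults that flag the same way the 2.12.23 tree the hunk was taken from does (see the `Index:` line); that callee is outside the hunk, so the backport should be checked against it rather than assumed, otherwise the change is a no-op and a v1 intermediate is still accepted. The patch carries no regression test; a chain containing a v1 intermediate should be verified to fail under default flags and to succeed only when `GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT` is passed. The enclosing verification function starts and ends outside the hunk, so any other call sites that verify against the trusted list are not covered by this review.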