diff -Nru gnutls26-2.12.14/debian/changelog gnutls26-2.12.14/debian/changelog
--- gnutls26-2.12.14/debian/changelog 2017-01-26 18:45:02.000000000 +0000
+++ gnutls26-2.12.14/debian/changelog 2017-03-15 22:59:53.000000000 +0000
@@ -1,3 +1,13 @@
+gnutls26 (2.12.14-5ubuntu3.14) precise-security; urgency=medium
+
+ * SECURITY UPDATE: denial of service via warning alerts
+ - debian/patches/CVE-2016-8610.patch: set a maximum number of warning
+ messages in lib/gnutls_int.h, lib/gnutls_handshake.c,
+ lib/gnutls_state.c.
+ - CVE-2016-8610
+
+ -- Marc Deslauriers Wed, 15 Mar 2017 18:59:53 -0400
+
 gnutls26 (2.12.14-5ubuntu3.13) precise-security; urgency=medium

 * SECURITY UPDATE: out of memory error in stream reading functions
diff -Nru gnutls26-2.12.14/debian/patches/CVE-2016-8610.patch gnutls26-2.12.14/debian/patches/CVE-2016-8610.patch
--- gnutls26-2.12.14/debian/patches/CVE-2016-8610.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnutls26-2.12.14/debian/patches/CVE-2016-8610.patch 2017-03-15 22:59:48.000000000 +0000
@@ -0,0 +1,60 @@
+Description: fix denial of service via warning alerts
+Origin: backport, https://gitlab.com/gnutls/gnutls/commit/c97bc4b62a8060222bd5c34925eaf9aa048c3731
+Origin: backport, https://gitlab.com/gnutls/gnutls/commit/42a8bb3bdad73f13425ae18a41addbbc04496101
+Origin: backport, https://gitlab.com/gnutls/gnutls/commit/648bf9b00e1cbf45c6d05fab07e91fad97e6926d
+
+Index: gnutls26-2.12.23/lib/gnutls_handshake.c
+===================================================================
+--- gnutls26-2.12.23.orig/lib/gnutls_handshake.c 2017-03-15 15:05:18.000000000 -0400
++++ gnutls26-2.12.23/lib/gnutls_handshake.c 2017-03-15 15:19:33.222689373 -0400
+@@ -2713,10 +2713,21 @@
+ /* EAGAIN and INTERRUPTED are always non-fatal */ \
+ if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED) \
+ return ret; \
+- /* a warning alert might interrupt handshake */ \
+- if (allow_alert != 0 && ret==GNUTLS_E_WARNING_ALERT_RECEIVED) return ret; \
++ if (session->internals.handshake_suspicious_loops < 16) { \
++ if (ret == GNUTLS_E_LARGE_PACKET) { \
++ session->internals.handshake_suspicious_loops++; \
++ return ret; \
++ } \
++ /* a warning alert might interrupt handshake */ \
++ if (allow_alert != 0 && ret==GNUTLS_E_WARNING_ALERT_RECEIVED) { \
++ session->internals.handshake_suspicious_loops++; \
++ return ret; \
++ } \
++ } \
+ gnutls_assert(); \
+ ERR( str, ret); \
++ if (gnutls_error_is_fatal(ret) == 0) ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); \
++ session->internals.invalid_connection = 1; \
+ _gnutls_handshake_hash_buffers_clear(session); \
+ return ret; \
+ } } while (0)
+Index: gnutls26-2.12.23/lib/gnutls_int.h
+===================================================================
+--- gnutls26-2.12.23.orig/lib/gnutls_int.h 2012-11-08 11:11:15.000000000 -0500
++++ gnutls26-2.12.23/lib/gnutls_int.h 2017-03-15 15:19:56.238976604 -0400
+@@ -728,6 +728,10 @@
+ int set:1;
+ } resumed_extension_int_data[MAX_EXT_TYPES];
+
++ /* Protect from infinite loops due to GNUTLS_E_LARGE_PACKET non-handling
++ * or due to multiple alerts being received. */
++ unsigned handshake_suspicious_loops;
++
+ unsigned int cb_tls_unique_len;
+ unsigned char cb_tls_unique[MAX_VERIFY_DATA_SIZE];
+
+Index: gnutls26-2.12.23/lib/gnutls_state.c
+===================================================================
+--- gnutls26-2.12.23.orig/lib/gnutls_state.c 2012-01-06 14:06:23.000000000 -0500
++++ gnutls26-2.12.23/lib/gnutls_state.c 2017-03-15 15:20:08.939135096 -0400
+@@ -243,6 +243,7 @@
+ session->internals.last_handshake_out = -1;
+
+ session->internals.resumable = RESUME_TRUE;
++ session->internals.handshake_suspicious_loops = 0;
+ }
+
+ void
diff -Nru gnutls26-2.12.14/debian/patches/series gnutls26-2.12.14/debian/patches/series
--- gnutls26-2.12.14/debian/patches/series 2017-01-26 18:44:58.000000000 +0000
+++ gnutls26-2.12.14/debian/patches/series 2017-03-15 22:59:48.000000000 +0000
@@ -21,3 +21,4 @@
 CVE-2017-5335.patch
 CVE-2017-5336.patch
 CVE-2017-5337.patch
+CVE-2016-8610.patch
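Review bot: The limit in `if (session->internals.handshake_suspicious_loops < 16)` (lib/gnutls_handshake.c part of debian/patches/CVE-2016-8610.patch) is a bare literal inside a macro, and nothing beside it says what it bounds or why 16. I would define it once in lib/gnutls_int.h next to the new field, e.g. `#define MAX_HANDSHAKE_SUSPICIOUS_LOOPS 16` (the name is only a suggestion), and write the test as `< MAX_HANDSHAKE_SUSPICIOUS_LOOPS`. Once the limit is reached, a non-fatal `ret` is rewritten to `GNUTLS_E_INTERNAL_ERROR`, so the caller cannot tell an alert flood from a genuine internal fault. The original code survives only in whatever `ERR( str, ret)` logs, and a short comment on that line saying so would help whoever triages these failures. The reset `handshake_suspicious_loops = 0` in lib/gnutls_state.c sits in a function whose header is outside the hunk, so it is worth confirming that it runs only when a handshake is set up and not on a path that repeats within one connection. The macro body in gnutls_handshake.c also begins outside the hunk.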