diff -Nru gnutls26-2.12.23/debian/changelog gnutls26-2.12.23/debian/changelog
--- gnutls26-2.12.23/debian/changelog 2016-02-05 13:51:02.000000000 +0000
+++ gnutls26-2.12.23/debian/changelog 2017-01-26 18:44:13.000000000 +0000
@@ -1,3 +1,20 @@
+gnutls26 (2.12.23-12ubuntu2.6) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: out of memory error in stream reading functions
+ - debian/patches/CVE-2017-5335.patch: add error checking to
+ lib/opencdk/read-packet.c.
+ - CVE-2017-5335
+ * SECURITY UPDATE: stack overflow in cdk_pk_get_keyid
+ - debian/patches/CVE-2017-5336.patch: check return code in
+ lib/opencdk/pubkey.c.
+ - CVE-2017-5336
+ * SECURITY UPDATE: heap read overflow when reading streams
+ - debian/patches/CVE-2017-5337.patch: add more precise checks to
+ lib/opencdk/read-packet.c.
+ - CVE-2017-5337
+
+ -- Marc Deslauriers Thu, 26 Jan 2017 13:42:43 -0500
+
 gnutls26 (2.12.23-12ubuntu2.5) trusty-security; urgency=medium
 
 * debian/patches/compare_ca_name_and_key.patch: when comparing a CA
diff -Nru gnutls26-2.12.23/debian/patches/CVE-2017-5335.patch gnutls26-2.12.23/debian/patches/CVE-2017-5335.patch
--- gnutls26-2.12.23/debian/patches/CVE-2017-5335.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnutls26-2.12.23/debian/patches/CVE-2017-5335.patch 2017-01-26 18:36:53.000000000 +0000
@@ -0,0 +1,142 @@
+Backport of:
+
+From 785af1ab577f899d2e54172ff120f404709bf172 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Wed, 4 Jan 2017 15:22:13 +0100
+Subject: [PATCH] opencdk: added error checking in the stream reading functions
+
+This addresses an out of memory error. Issue found using oss-fuzz:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=337
+
+Signed-off-by: Nikos Mavrogiannopoulos
+---
+ lib/opencdk/read-packet.c | 40 +++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 35 insertions(+), 5 deletions(-)
+
+Index: gnutls26-2.12.23/lib/opencdk/read-packet.c
+===================================================================
+--- gnutls26-2.12.23.orig/lib/opencdk/read-packet.c 2017-01-26 13:32:12.432482071 -0500
++++ gnutls26-2.12.23/lib/opencdk/read-packet.c 2017-01-26 13:36:30.839799347 -0500
+@@ -52,13 +52,13 @@
+ read_32 (cdk_stream_t s)
+ {
+ byte buf[4];
+- size_t nread;
++ size_t nread = 0;
+
+ assert (s != NULL);
+
+ stream_read (s, buf, 4, &nread);
+ if (nread != 4)
+- return (u32) - 1;
++ return (u32) -1;
+ return buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3];
+ }
+
+@@ -68,7 +68,7 @@
+ read_16 (cdk_stream_t s)
+ {
+ byte buf[2];
+- size_t nread;
++ size_t nread = 0;
+
+ assert (s != NULL);
+
+@@ -570,7 +570,7 @@
+ static cdk_error_t
+ read_subpkt (cdk_stream_t inp, cdk_subpkt_t * r_ctx, size_t * r_nbytes)
+ {
+- byte c, c1;
++ int c, c1;
+ size_t size, nread, n;
+ cdk_subpkt_t node;
+ cdk_error_t rc;
+@@ -585,14 +585,21 @@
+ *r_nbytes = 0;
+ c = cdk_stream_getc (inp);
+ n++;
++
+ if (c == 255)
+ {
+ size = read_32 (inp);
++ if (size == (u32)-1)
++ return CDK_Inv_Packet;
++
+ n += 4;
+ }
+ else if (c >= 192 && c < 255)
+ {
+ c1 = cdk_stream_getc (inp);
++ if (c1 == EOF)
++ return CDK_Inv_Packet;
++
+ n++;
+ if (c1 == 0)
+ return 0;
+@@ -860,24 +867,36 @@
+ read_old_length (cdk_stream_t inp, int ctb, size_t * r_len, size_t * r_size)
+ {
+ int llen = ctb & 0x03;
++ int c;
+
+ if (llen == 0)
+ {
+- *r_len = cdk_stream_getc (inp);
++ c = cdk_stream_getc(inp);
++ if (c == EOF)
++ goto fail;
++
++ *r_len = c;
+ (*r_size)++;
+ }
+ else if (llen == 1)
+ {
+ *r_len = read_16 (inp);
++ if (*r_len == (u16)-1)
++ goto fail;
+ (*r_size) += 2;
+ }
+ else if (llen == 2)
+ {
+ *r_len = read_32 (inp);
++ if (*r_len == (u32)-1) {
++ goto fail;
++ }
++
+ (*r_size) += 4;
+ }
+ else
+ {
++ fail:
+ *r_len = 0;
+ *r_size = 0;
+ }
+@@ -892,18 +911,28 @@
+ int c, c1;
+
+ c = cdk_stream_getc (inp);
++ if (c == EOF)
++ return;
++
+ (*r_size)++;
+ if (c < 192)
+ *r_len = c;
+ else if (c >= 192 && c <= 223)
+ {
+ c1 = cdk_stream_getc (inp);
++ if (c1 == EOF)
++ return;
++
+ (*r_size)++;
+ *r_len = ((c - 192) << 8) + c1 + 192;
+ }
+ else if (c == 255)
+ {
+ *r_len = read_32 (inp);
++ if (*r_len == (u32)-1) {
++ return;
++ }
++
+ (*r_size) += 4;
+ }
+ else
diff -Nru gnutls26-2.12.23/debian/patches/CVE-2017-5336.patch gnutls26-2.12.23/debian/patches/CVE-2017-5336.patch
--- gnutls26-2.12.23/debian/patches/CVE-2017-5336.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnutls26-2.12.23/debian/patches/CVE-2017-5336.patch 2017-01-26 18:42:24.000000000 +0000
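Review bot: The new `if (*r_len == (u16)-1) goto fail;` in read_old_length treats 0xFFFF as a truncated read, but 0xFFFF is also a legal two-byte old-format packet length, so a valid 65535-byte packet is now rejected exactly like a short stream; the `(u32)-1` tests on read_32 in read_old_length, read_new_length and read_subpkt have the same in-band-sentinel shape, though a 0xFFFFFFFF length is far less plausible. Letting the helpers report failure out of band, e.g. `static int read_16(cdk_stream_t s, u16 *out)` returning nonzero on a short read with the callers testing that status instead of the value, keeps every length value legal. Separately, the first `c = cdk_stream_getc (inp);` in read_subpkt is still not checked for EOF even though `c` is now an `int`, so -1 falls through to whichever branch below the hunk handles `c < 192`; `if (c == EOF) return CDK_Inv_Packet;` right after `n++;` would close that path. read_subpkt, read_old_length and read_new_length all continue outside the hunk.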
@@ -0,0 +1,41 @@
+Backport of:
+
+From 7dec871f82e205107a81281e3286f0aa9caa93b3 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Wed, 4 Jan 2017 14:56:50 +0100
+Subject: [PATCH] opencdk: cdk_pk_get_keyid: fix stack overflow
+
+Issue found using oss-fuzz:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=340
+
+Signed-off-by: Nikos Mavrogiannopoulos
+---
+ lib/opencdk/pubkey.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+Index: gnutls26-2.12.23/lib/opencdk/pubkey.c
+===================================================================
+--- gnutls26-2.12.23.orig/lib/opencdk/pubkey.c 2017-01-26 13:37:35.380629600 -0500
++++ gnutls26-2.12.23/lib/opencdk/pubkey.c 2017-01-26 13:38:29.909331575 -0500
+@@ -537,6 +537,7 @@
+ {
+ u32 lowbits = 0;
+ byte buf[24];
++ int rc;
+
+ if (pk && (!pk->keyid[0] || !pk->keyid[1]))
+ {
+@@ -546,7 +547,12 @@
+ size_t n;
+
+ n = MAX_MPI_BYTES;
+- _gnutls_mpi_print (pk->mpi[0], p, &n);
++ rc = _gnutls_mpi_print(pk->mpi[0], p, &n);
++ if (rc < 0 || n < 8) {
++ keyid[0] = keyid[1] = (u32)-1;
++ return (u32)-1;
++ }
++
+ pk->keyid[0] =
+ p[n - 8] << 24 | p[n - 7] << 16 | p[n - 6] << 8 | p[n - 5];
+ pk->keyid[1] =
diff -Nru gnutls26-2.12.23/debian/patches/CVE-2017-5337.patch gnutls26-2.12.23/debian/patches/CVE-2017-5337.patch
--- gnutls26-2.12.23/debian/patches/CVE-2017-5337.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnutls26-2.12.23/debian/patches/CVE-2017-5337.patch 2017-01-26 18:42:15.000000000 +0000
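Review bot: The new failure path writes `keyid[0] = keyid[1] = (u32)-1;` without checking that `keyid` is non-NULL; the rest of cdk_pk_get_keyid is outside the hunk, but if the out-parameter is optional there (the usual shape is a later `if (keyid)` before it is filled in), a caller passing NULL now gets a NULL dereference on a malformed key instead of the error return. Guarding it as `if (keyid) keyid[0] = keyid[1] = (u32)-1;` keeps the short-MPI fix without adding a crash path. Returning `(u32)-1` is also an in-band value that a legitimate key whose low 32 bits are 0xFFFFFFFF would produce, so callers testing the return for failure cannot tell the two apart; a comment on that return such as `/* (u32)-1 doubles as the error value; callers must also check pk->keyid */` would at least make the limitation visible. The function starts and ends outside the hunk.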
@@ -0,0 +1,102 @@
+Backport of:
+
+From 6231a4a087f9fdbd5f5f274e80c7a71e3e45b9c8 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Wed, 4 Jan 2017 14:42:03 +0100
+Subject: [PATCH] opencdk: read_attribute: added more precise checks when reading stream
+
+That addresses heap read overflows found using oss-fuzz:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=338
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=346
+
+Signed-off-by: Nikos Mavrogiannopoulos
+---
+ lib/opencdk/read-packet.c | 40 +++++++++++++++++++++++++++++-----------
+ 1 file changed, 29 insertions(+), 11 deletions(-)
+
+Index: gnutls26-2.12.23/lib/opencdk/read-packet.c
+===================================================================
+--- gnutls26-2.12.23.orig/lib/opencdk/read-packet.c 2017-01-26 13:38:47.945563869 -0500
++++ gnutls26-2.12.23/lib/opencdk/read-packet.c 2017-01-26 13:41:56.363993565 -0500
+@@ -495,14 +495,23 @@
+ rc = stream_read (inp, buf, pktlen, &nread);
+ if (rc)
+ {
+- cdk_free (buf);
+- return CDK_Inv_Packet;
++ gnutls_assert();
++ rc = CDK_Inv_Packet;
++ goto error;
+ }
++
+ p = buf;
+ len = *p++;
+ pktlen--;
++
+ if (len == 255)
+ {
++ if (pktlen < 4) {
++ gnutls_assert();
++ rc = CDK_Inv_Packet;
++ goto error;
++ }
++
+ len = _cdk_buftou32 (p);
+ p += 4;
+ pktlen -= 4;
+@@ -511,34 +520,44 @@
+ {
+ if (pktlen < 2)
+ {
+- cdk_free (buf);
+- return CDK_Inv_Packet;
++ gnutls_assert();
++ rc = CDK_Inv_Packet;
++ goto error;
+ }
++
+ len = ((len - 192) << 8) + *p + 192;
+ p++;
+ pktlen--;
+ }
+
+- if (*p != 1) /* Currently only 1, meaning an image, is defined. */
+- {
+- cdk_free (buf);
+- return CDK_Inv_Packet;
+- }
++ if (!len || *p != 1) { /* Currently only 1, meaning an image, is defined. */
++ rc = CDK_Inv_Packet;
++ goto error;
++ }
++
+ p++;
+ len--;
+
+- if (len >= pktlen)
+- return CDK_Inv_Packet;
++ if (len >= pktlen) {
++ rc = CDK_Inv_Packet;
++ goto error;
++ }
++
+ attr->attrib_img = cdk_calloc (1, len);
+ if (!attr->attrib_img)
+ {
+- cdk_free (buf);
+- return CDK_Out_Of_Core;
++ rc = CDK_Out_Of_Core;
++ goto error;
+ }
++
+ attr->attrib_len = len;
+ memcpy (attr->attrib_img, p, len);
+ cdk_free (buf);
+ return rc;
++
++ error:
++ cdk_free(buf);
++ return rc;
+ }
+
+
diff -Nru gnutls26-2.12.23/debian/patches/series gnutls26-2.12.23/debian/patches/series
--- gnutls26-2.12.23/debian/patches/series 2016-02-05 12:49:16.000000000 +0000
+++ gnutls26-2.12.23/debian/patches/series 2017-01-26 18:38:44.000000000 +0000
@@ -15,3 +15,6 @@
 fix_tls_poodle.patch
 CVE-2015-7575.patch
 compare_ca_name_and_key.patch
+CVE-2017-5335.patch
+CVE-2017-5336.patch
+CVE-2017-5337.patch
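Review bot: The `len == 255` branch still lets the `*p != 1` test read one byte past the `pktlen` bytes that stream_read placed in `buf`: enter with `pktlen` 5, the first `pktlen--` leaves 4, the new `pktlen < 4` guard passes, `p += 4; pktlen -= 4;` leaves `pktlen` at 0, and the type-byte test dereferences `buf[5]` (assuming `buf` holds exactly `pktlen` bytes, as the stream_read call suggests); the short one-byte form has the same hole when the packet is a single byte, unless a minimum length is enforced before the hunk. The 192..254 branch is safe only because its `pktlen < 2` guard reserves the type byte, so either make the 255 branch `if (pktlen < 5)` or add `if (!pktlen) { rc = CDK_Inv_Packet; goto error; }` immediately before the `*p != 1` test, which covers all three forms at once. Separately, `nread` from stream_read is never compared with `pktlen`; if stream_read can return success on a short read (its definition is outside the hunk), the later `len >= pktlen` bound and the `memcpy` operate on bytes that were never read, and `if (rc || nread != pktlen)` at the top would close that. read_attribute begins outside the hunk.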