new upstream version

- fix leaks in key generation (#796302)
2012-03-08 18:10:00 +01:00 · 2012-03-08 18:10:00 +01:00 · 4fa9d2f5bd
commit 4fa9d2f5bd
parent 4a3e0235ae
4 changed files with 70 additions and 5 deletions
--- a/.gitignore
+++ b/.gitignore
@ -13,3 +13,4 @@ gnutls-2.10.1-nosrp.tar.bz2
 /gnutls-2.12.11-nosrp.tar.bz2
 /gnutls-2.12.12-nosrp.tar.bz2
 /gnutls-2.12.14-nosrp.tar.bz2
+/gnutls-2.12.17-nosrp.tar.xz
--- a/gnutls-2.12.14-leak.patch
+++ b/gnutls-2.12.14-leak.patch
@ -0,0 +1,56 @@
+diff -up gnutls-2.12.14/lib/gcrypt/pk.c.leak gnutls-2.12.14/lib/gcrypt/pk.c
+--- gnutls-2.12.14/lib/gcrypt/pk.c.leak	2011-09-18 00:16:53.000000000 +0200
+++ gnutls-2.12.14/lib/gcrypt/pk.c	2012-03-08 17:54:16.821192070 +0100
+@@ -627,7 +627,6 @@ _rsa_generate_params (bigint_t * resarr,
+ 
+   int ret, i;
+   gcry_sexp_t parms, key, list;
+-  bigint_t tmp;
+ 
+   if (*resarr_len < RSA_PRIVATE_PARAMS)
+     {
+@@ -733,14 +732,6 @@ _rsa_generate_params (bigint_t * resarr,
+ 
+   *resarr_len = 6;
+ 
+-  tmp = _gnutls_mpi_alloc_like (resarr[0]);
+-  if (tmp == NULL)
+-    {
+-      gnutls_assert ();
+-      ret = GNUTLS_E_MEMORY_ERROR;
+-      goto cleanup;
+-    }
+-
+   ret = _gnutls_calc_rsa_exp (resarr, 2 + *resarr_len);
+   if (ret < 0)
+     {
+diff -up gnutls-2.12.14/lib/gnutls_pk.c.leak gnutls-2.12.14/lib/gnutls_pk.c
+--- gnutls-2.12.14/lib/gnutls_pk.c.leak	2011-09-18 00:16:53.000000000 +0200
+++ gnutls-2.12.14/lib/gnutls_pk.c	2012-03-08 17:40:58.725314720 +0100
+@@ -544,6 +544,7 @@ _generate_params (int algo, bigint_t * r
+     }
+   else
+     {
+      gnutls_pk_params_release(&params);
+       gnutls_assert ();
+       return GNUTLS_E_INVALID_REQUEST;
+     }
+diff -up gnutls-2.12.14/lib/x509/privkey.c.leak gnutls-2.12.14/lib/x509/privkey.c
+--- gnutls-2.12.14/lib/x509/privkey.c.leak	2011-09-18 00:16:54.000000000 +0200
+++ gnutls-2.12.14/lib/x509/privkey.c	2012-03-08 17:45:55.467830355 +0100
+@@ -1466,6 +1466,7 @@ gnutls_x509_privkey_generate (gnutls_x50
+         {
+           gnutls_assert ();
+           ret = GNUTLS_E_INTERNAL_ERROR;
+          goto cleanup;
+         }
+ 
+       if (ret < 0)
+@@ -1490,6 +1491,7 @@ gnutls_x509_privkey_generate (gnutls_x50
+         {
+           gnutls_assert ();
+           ret = GNUTLS_E_INTERNAL_ERROR;
+          goto cleanup;
+         }
+       if (ret < 0)
+         {
--- a/gnutls.spec
+++ b/gnutls.spec
@ -1,11 +1,11 @@
 Summary: A TLS protocol implementation
 Name: gnutls
-Version: 2.12.14
-Release: 3%{?dist}
+Version: 2.12.17
+Release: 1%{?dist}
 # The libgnutls library is LGPLv2+, utilities and remaining libraries are GPLv3+
 License: GPLv3+ and LGPLv2+
 Group: System Environment/Libraries
-BuildRequires: libgcrypt-devel >= 1.2.2, p11-kit-devel, gettext
+BuildRequires: libgcrypt-devel >= 1.2.2, p11-kit-devel >= 0.11, gettext
 BuildRequires: zlib-devel, readline-devel, libtasn1-devel
 BuildRequires: lzo-devel, libtool, automake, autoconf
 BuildRequires: guile-devel
@ -13,7 +13,7 @@ URL: http://www.gnutls.org/
 #Source0: ftp://ftp.gnutls.org/pub/gnutls/%{name}-%{version}.tar.gz
 #Source1: ftp://ftp.gnutls.org/pub/gnutls/%{name}-%{version}.tar.gz.sig
 # XXX patent tainted SRP code removed.
-Source0: %{name}-%{version}-nosrp.tar.bz2
+Source0: %{name}-%{version}-nosrp.tar.xz
 Source1: libgnutls-config
 Patch1: gnutls-2.12.11-rpath.patch
 Patch2: gnutls-2.8.6-link-libgcrypt.patch
@ -21,6 +21,7 @@ Patch2: gnutls-2.8.6-link-libgcrypt.patch
 Patch3: gnutls-2.12.2-nosrp.patch
 # Skip tests that are expected to fail on libgcrypt build
 Patch4: gnutls-2.12.7-dsa-skiptests.patch
+Patch5: gnutls-2.12.14-leak.patch

 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: libgcrypt >= 1.2.2
@ -88,6 +89,7 @@ This package contains Guile bindings for the library.
 %patch2 -p1 -b .link
 %patch3 -p1 -b .nosrp
 %patch4 -p1 -b .skiptests
+%patch5 -p1 -b .leak

 for i in auth_srp_rsa.c auth_srp_sb64.c auth_srp_passwd.c auth_srp.c gnutls_srp.c ext_srp.c; do
    touch lib/$i
@ -107,6 +109,8 @@ export LDFLAGS="-Wl,--no-add-needed"
           --disable-largefile \
 %endif
           --with-libgcrypt
+# Note that the arm hack above is not quite right and the proper thing would
+# be to compile guile with largefile support.
 make
 cp lib/COPYING COPYING.LIB

@ -187,6 +191,10 @@ fi
 %{_datadir}/guile/site/gnutls.scm

 %changelog
+* Thu Mar  8 2012 Tomas Mraz <tmraz@redhat.com> 2.12.17-1
+- new upstream version
+- fix leaks in key generation (#796302)
+
 * Fri Feb 03 2012 Kevin Fenzi <kevin@scrye.com> - 2.12.14-3
 - Disable largefile on arm arch. (#787287)

--- a/2
+++ b/2
@ -1 +1 @@
-afdef648e4e77895ce6c15ee622ef061  gnutls-2.12.14-nosrp.tar.bz2
+c4815ceca3e799fc16cbef3f743d3fed  gnutls-2.12.17-nosrp.tar.xz