Debian Bug report logs - #709301
libgnutls26: segfaults during handshake


Package: libgnutls26; Maintainer for libgnutls26 is Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>; Source for libgnutls26 is src:gnutls26.

Reported by: rodrifra <sable_laser@yahoo.es>

Date: Wed, 22 May 2013 11:39:06 UTC

Severity: important

Found in versions gnutls26/2.12.23-4, gnutls26/2.12.20-6

Fixed in versions gnutls26/2.12.23-5, gnutls26/2.12.20-7

Done: Andreas Metzler <ametzler@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Alessandro Ghedini <ghedo@debian.org>:
Bug#709292; Package curl. (Wed, 22 May 2013 11:39:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to rodrifra <sable_laser@yahoo.es>:
New Bug report received and forwarded. Copy sent to Alessandro Ghedini <ghedo@debian.org>. (Wed, 22 May 2013 11:39:11 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: rodrifra <sable_laser@yahoo.es>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: curl: Connection to https server produces SSL error.
Date: Wed, 22 May 2013 13:37:35 +0200
Package: curl
Version: 7.26.0-1+wheezy2
Severity: normal

Dear Maintainer,

   Executing the following:
	curl -o pruebacurl.html https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
   Produced the next error:
	error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

   Forcing SSLv3 solves the problem:
	curl -3 -o pruebacurl.html https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html

   wget has same problem in latest stable version, but oldstable works fine.


-- System Information:
Debian Release: 7.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages curl depends on:
ii  libc6     2.13-38
ii  libcurl3  7.26.0-1+wheezy2
ii  zlib1g    1:1.2.7.dfsg-13

curl recommends no packages.

curl suggests no packages.

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#709292; Package curl. (Wed, 22 May 2013 12:36:17 GMT) Full text and rfc822 format available.

Acknowledgement sent to Alessandro Ghedini <ghedo@debian.org>:
Extra info received and forwarded to list. (Wed, 22 May 2013 12:36:17 GMT) Full text and rfc822 format available.

Message #10 received at 709292@bugs.debian.org (full text, mbox):

From: Alessandro Ghedini <ghedo@debian.org>
To: rodrifra <sable_laser@yahoo.es>, 709292@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#709292: curl: Connection to https server produces SSL error.
Date: Wed, 22 May 2013 14:32:29 +0200
reassign 709292 libssl1.0.0
retitle 709292 libssl1.0.0: "decryption failed or bad record mac" during handshake
clone 709292 -1
reassign -1 libgnutls26
retitle -1 libgnutls26: segfaults during handshake
severity -1 important
affects -1 wget
kthxbye

On Wed, May 22, 2013 at 01:37:35PM +0200, rodrifra wrote:
> Package: curl
> Version: 7.26.0-1+wheezy2
> Severity: normal
> 
> Dear Maintainer,
> 
>    Executing the following:
> 	curl -o pruebacurl.html https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
>    Produced the next error:
> 	error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
> 
>    Forcing SSLv3 solves the problem:
> 	curl -3 -o pruebacurl.html https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html

If there's any bug, it's probably in the server's SSL implementation, since it
can't do a proper TLS handshake, in any case it's not curl's fault. I'm
reassigning this to openssl (which is what curl uses) to make sure there's
nothing wrong with it.

>    wget has same problem in latest stable version, but oldstable works fine.

Hmm, if I try with wget (from sid), it segfaults, same with gnutls-cli. Seems
to be a bug in gnutls:

> % gnutls-cli sede.dgt.gob.es -p 443
> Resolving 'sede.dgt.gob.es'...
> Connecting to '213.4.59.219:443'...
> zsh: segmentation fault  gnutls-cli sede.dgt.gob.es -p 443

Backtrace:

> Resolving 'sede.dgt.gob.es'...
> Connecting to '213.4.59.219:443'...
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x00007ffff7b3908e in _gnutls_ciphertext2compressed (
>     session=session@entry=0x6224f0, 
>     compress_data=compress_data@entry=0x625e60 "\001", 
>     compress_size=compress_size@entry=16384, ciphertext=..., type=21 '\025', 
>     params=params@entry=0x623630) at gnutls_cipher.c:572
> 572	gnutls_cipher.c: File o directory non esistente.
> (gdb) bt
> #0  0x00007ffff7b3908e in _gnutls_ciphertext2compressed (
>     session=session@entry=0x6224f0, 
>     compress_data=compress_data@entry=0x625e60 "\001", 
>     compress_size=compress_size@entry=16384, ciphertext=..., type=21 '\025', 
>     params=params@entry=0x623630) at gnutls_cipher.c:572
> #1  0x00007ffff7b392a3 in _gnutls_decrypt (session=session@entry=0x6224f0, 
>     ciphertext=ciphertext@entry=0x6232b5 "\327\343'\214?\266\230I$P:uS\027e\026\245\276Q\322vӤG\373U\215;X\310<\224", ciphertext_size=ciphertext_size@entry=32, 
>     data=data@entry=0x625e60 "\001", max_data_size=16384, 
>     type=type@entry=GNUTLS_ALERT, params=0x623630) at gnutls_cipher.c:148
> #2  0x00007ffff7b36cd1 in _gnutls_recv_int (session=session@entry=0x6224f0, 
>     type=type@entry=GNUTLS_HANDSHAKE, htype=htype@entry=GNUTLS_HANDSHAKE_FINISHED, 
>     data=data@entry=0x622ad0 "\016", sizeofdata=sizeofdata@entry=1)
>     at gnutls_record.c:1068
> #3  0x00007ffff7b3aa0c in _gnutls_handshake_io_recv_int (
>     session=session@entry=0x6224f0, type=type@entry=GNUTLS_HANDSHAKE, 
>     htype=htype@entry=GNUTLS_HANDSHAKE_FINISHED, iptr=iptr@entry=0x622ad0, 
>     sizeOfPtr=sizeOfPtr@entry=1) at gnutls_buffers.c:893
> #4  0x00007ffff7b3db1d in _gnutls_recv_handshake_header (
>     recv_type=<synthetic pointer>, type=type@entry=GNUTLS_HANDSHAKE_FINISHED, 
>     session=session@entry=0x6224f0) at gnutls_handshake.c:1285
> #5  _gnutls_recv_handshake (session=session@entry=0x6224f0, 
>     data=data@entry=0x7fffffffcec8, datalen=datalen@entry=0x7fffffffcec4, 
>     type=type@entry=GNUTLS_HANDSHAKE_FINISHED, 
>     optional=optional@entry=MANDATORY_PACKET) at gnutls_handshake.c:1447
> #6  0x00007ffff7b3e55c in _gnutls_recv_finished (session=0x6224f0)
>     at gnutls_handshake.c:748
> #7  _gnutls_recv_handshake_final (session=session@entry=0x6224f0, 
>     init=init@entry=0) at gnutls_handshake.c:2956
> #8  0x00007ffff7b3e954 in _gnutls_handshake_common (session=session@entry=0x6224f0)
>     at gnutls_handshake.c:3138
> #9  0x00007ffff7b400ba in gnutls_handshake (session=0x6224f0)
>     at gnutls_handshake.c:2690
> #10 0x0000000000406a6e in ?? ()
> #11 0x0000000000405734 in ?? ()
> #12 0x00007ffff6ca6a55 in __libc_start_main (main=0x404fd0, argc=4, 
>     ubp_av=0x7fffffffe1d8, init=<optimized out>, fini=<optimized out>, 
>     rtld_fini=<optimized out>, stack_end=0x7fffffffe1c8) at libc-start.c:260
> #13 0x00000000004060e1 in ?? ()
> #14 0x00007fffffffe1c8 in ?? ()
> #15 0x0000000000000000 in ?? ()

Cheers

-- 
perl -E '$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'

Bug reassigned from package 'curl' to 'libssl1.0.0'. Request was from Alessandro Ghedini <ghedo@debian.org> to control@bugs.debian.org. (Wed, 22 May 2013 12:36:19 GMT) Full text and rfc822 format available.

No longer marked as found in versions curl/7.26.0-1+wheezy2. Request was from Alessandro Ghedini <ghedo@debian.org> to control@bugs.debian.org. (Wed, 22 May 2013 12:36:20 GMT) Full text and rfc822 format available.

Changed Bug title to 'libssl1.0.0: "decryption failed or bad record mac" during handshake' from 'curl: Connection to https server produces SSL error.' Request was from Alessandro Ghedini <ghedo@debian.org> to control@bugs.debian.org. (Wed, 22 May 2013 12:36:21 GMT) Full text and rfc822 format available.

Bug 709292 cloned as bug 709301 Request was from Alessandro Ghedini <ghedo@debian.org> to control@bugs.debian.org. (Wed, 22 May 2013 12:36:22 GMT) Full text and rfc822 format available.

Bug reassigned from package 'libssl1.0.0' to 'libgnutls26'. Request was from Alessandro Ghedini <ghedo@debian.org> to control@bugs.debian.org. (Wed, 22 May 2013 12:36:23 GMT) Full text and rfc822 format available.

Changed Bug title to 'libgnutls26: segfaults during handshake' from 'libssl1.0.0: "decryption failed or bad record mac" during handshake' Request was from Alessandro Ghedini <ghedo@debian.org> to control@bugs.debian.org. (Wed, 22 May 2013 12:36:24 GMT) Full text and rfc822 format available.

Severity set to 'important' from 'normal' Request was from Alessandro Ghedini <ghedo@debian.org> to control@bugs.debian.org. (Wed, 22 May 2013 12:36:25 GMT) Full text and rfc822 format available.

Added indication that 709301 affects wget Request was from Alessandro Ghedini <ghedo@debian.org> to control@bugs.debian.org. (Wed, 22 May 2013 12:36:26 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#709301; Package libgnutls26. (Thu, 23 May 2013 15:42:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Caronte Estigia <sable_laser@yahoo.es>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Thu, 23 May 2013 15:42:04 GMT) Full text and rfc822 format available.

Message #31 received at 709301@bugs.debian.org (full text, mbox):

From: Caronte Estigia <sable_laser@yahoo.es>
To: "709301@bugs.debian.org" <709301@bugs.debian.org>
Subject: RE: Bug #709301: libgnutls26: segfaults during handshake
Date: Thu, 23 May 2013 16:40:07 +0100 (BST)
Hello.

In my case, version 1.12 (ii  wget 1.12-2.1  amd64 ) of wget works just fine. 

Version 1.13 (ii  wget  1.13.4-3  amd64  ) segfaults.

If we specify protocol as either TLSv1 or auto wget segfaults. After trying gnutls-cli command a couple of times, something curious happens when we run wget again:

$wget --secure-protocol=auto https://sede.dgt.gob.es
--2013-05-23 17:33:47--  https://sede.dgt.gob.es/
Resolviendo sede.dgt.gob.es (sede.dgt.gob.es)... 213.4.59.219
Conectando con sede.dgt.gob.es (sede.dgt.gob.es)[213.4.59.219]:443... conectado.
GnuTLS: Decryption has failed.
No se pudo establecer la conexión SSL.


$wget --secure-protocol=auto https://sede.dgt.gob.es
--2013-05-23 17:33:57--  https://sede.dgt.gob.es/
Resolviendo sede.dgt.gob.es (sede.dgt.gob.es)... 213.4.59.219
Conectando con sede.dgt.gob.es (sede.dgt.gob.es)[213.4.59.219]:443... conectado.
Violación de segmento (segmentation fault in Spanish)


As you can see the first run produces an error, the second run (and successive ones) produces the segfault.

If we specify protocol as either SSLv2 or SSLv3 program fails with the next error message:

GnuTLS: GnuTLS internal error.

Regards.
Francisco

Marked as found in versions gnutls26/2.12.20-6. Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to control@bugs.debian.org. (Thu, 23 May 2013 16:09:23 GMT) Full text and rfc822 format available.

Marked as found in versions gnutls26/2.12.23-4. Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to control@bugs.debian.org. (Thu, 23 May 2013 16:09:27 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#709301; Package libgnutls26. (Thu, 23 May 2013 17:09:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Thu, 23 May 2013 17:09:08 GMT) Full text and rfc822 format available.

Message #40 received at 709301@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Caronte Estigia <sable_laser@yahoo.es>, 709301@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#709292: closed by Kurt Roeckx <kurt@roeckx.be> (Re: Bug#709292: curl: Connection to https server produces SSL error.)
Date: Thu, 23 May 2013 19:05:29 +0200
Hi,

I get this:
$ wget https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
--2013-05-23 19:02:18--  https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
Resolving sede.dgt.gob.es (sede.dgt.gob.es)... 213.4.59.219
Connecting to sede.dgt.gob.es (sede.dgt.gob.es)|213.4.59.219|:443... connected.
[1157675.268577] wget[14792]: segfault at 1013c4ad4 ip 00007f0ece581fee sp 00007fff855b2670 error 4 in libgnutls.so.26.22.4[7f0ece564000+b9000]
Segmentation fault

That clearly looks like a real bug somewhere, and still open against libgnutls26.


Kurt

On Thu, May 23, 2013 at 08:25:10AM +0100, Caronte Estigia wrote:
> Good Morning Kurt,
> 
> just one question. I think Alessandro reassigned the bug to both libssl and libgnutls. Am I correct?
> 
> Question is because specifying the protocol solves the problem with libssl, not with libgnutls. When I test wget with --secure-protocol it works fine when compiled with libssl but it keeps failing with libgnutls.
> 
> Could you please confirm the fact that the case is still open in libgnutls or should I file a new bug?
> 
> Best regards.
> Francisco.
> 
> 
> ________________________________
>  From: Debian Bug Tracking System <owner@bugs.debian.org>
> To: rodrifra <sable_laser@yahoo.es> 
> Sent: Wednesday, 22 May 2013 18:21
> Subject: Bug#709292 closed by Kurt Roeckx <kurt@roeckx.be> (Re: Bug#709292: curl: Connection to https server produces SSL error.)
>  
> 
> This is an automatic notification regarding your Bug report
> which was filed against the libssl1.0.0 package:
> 
> #709292: libssl1.0.0: "decryption failed or bad record mac" during handshake
> 
> It has been closed by Kurt Roeckx <kurt@roeckx.be>.
> 
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Kurt Roeckx <kurt@roeckx.be> by
> replying to this email.
> 
> 
> -- 
> 709292: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=709292
> Debian Bug Tracking System
> Contact owner@bugs.debian.org with problems
> On Wed, May 22, 2013 at 02:32:29PM +0200, Alessandro Ghedini wrote:
> > reassign 709292 libssl1.0.0
> > retitle 709292 libssl1.0.0: "decryption failed or bad record mac" during handshake
> > clone 709292 -1
> > reassign -1 libgnutls26
> > retitle -1 libgnutls26: segfaults during handshake
> > severity -1 important
> > affects -1 wget
> > kthxbye
> > 
> > On Wed, May 22, 2013 at 01:37:35PM +0200, rodrifra wrote:
> > > Package: curl
> > > Version: 7.26.0-1+wheezy2
> > > Severity: normal
> > > 
> > > Dear Maintainer,
> > > 
> > >    Executing the following:
> > >     curl -o pruebacurl.html https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
> > >    Produced the next error:
> > >     error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
> > > 
> > >    Forcing SSLv3 solves the problem:
> > >     curl -3 -o pruebacurl.html https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
> > 
> > If there's any bug, it's probably in the server's SSL implementation, since it
> > can't do a proper TLS handshake, in any case it's not curl's fault. I'm
> > reassigning this to openssl (which is what curl uses) to make sure there's
> > nothing wrong with it.
> 
> Yes, this is the server's problems, nothing you can do about it
> other than downgrading to a lower TLS version.  TLS 1.0
> should work in most cases.  About 1% of the servers are known to
> have this problem.
> 
> The problem is that we announce that we support TLS 1.2 to the server,
> and the server should reply that it only supports 1.0, but just
> closes the connection or does something else weird.  This is why
> you also see this with gnutls.
> 
> There is nothing we can do in openssl or gnutls about this.  What
> could be done is that something like curl or wget tries to connect
> again with a lower TLS version.  But if you automate this, you
> also need to think about version downgrade attacks.
> 
> Since we can't actually fix anything, and curl and wget have
> options to use a lower protocol version, I'm just going to
> close this bug.
> 
> 
> Kurt
> 
> Package: curl
> Version: 7.26.0-1+wheezy2
> Severity: normal
> 
> Dear Maintainer,
> 
>    Executing the following:
>     curl -o pruebacurl.html https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
>    Produced the next error:
>     error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
> 
>    Forcing SSLv3 solves the problem:
>     curl -3 -o pruebacurl.html https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
> 
>    wget has same problem in latest stable version, but oldstable works fine.
> 
> 
> -- System Information:
> Debian Release: 7.0
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
> Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
> 
> Versions of packages curl depends on:
> ii  libc6     2.13-38
> ii  libcurl3  7.26.0-1+wheezy2
> ii  zlib1g    1:1.2.7.dfsg-13
> 
> curl recommends no packages.
> 
> curl suggests no packages.
> 
> -- no debconf information

> _______________________________________________
> Pkg-openssl-devel mailing list
> Pkg-openssl-devel@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-openssl-devel
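Added example (not part of the original thread): a small Python triage helper for the kernel segfault line quoted in the message above. It extracts the faulting module, converts the instruction pointer into an offset within the library mapping for symbolization, and decodes the x86 page-fault error code; the function names and the debug-library path placeholder are assumptions made for this example.

```python
import re

# Kernel log line quoted in the message above (wget crashing inside libgnutls).
SAMPLE = (
    "[1157675.268577] wget[14792]: segfault at 1013c4ad4 ip 00007f0ece581fee "
    "sp 00007fff855b2670 error 4 in libgnutls.so.26.22.4[7f0ece564000+b9000]"
)

# The " in module[base+size]" part is optional: the kernel omits it when the
# instruction pointer does not fall inside a mapped region.
SEGFAULT_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<module>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)


def decode_error(code):
    """Decode the x86 page-fault error code bits printed after 'error'."""
    return {
        "cause": "protection violation" if code & 1 else "page not present",
        "access": "write" if code & 2 else "read",
        "mode": "user" if code & 4 else "kernel",
        "instruction_fetch": bool(code & 16),
    }


def parse_segfault(line):
    """Return a dict describing a kernel 'segfault at' line, or None."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    ip = int(m["ip"], 16)
    result = {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "fault_addr": int(m["addr"], 16),
        "ip": ip,
        # The kernel prints the error code in hexadecimal.
        "fault": decode_error(int(m["err"], 16)),
        "module": None,
        "offset": None,
    }
    if m["module"]:
        base = int(m["base"], 16)
        size = int(m["size"], 16)
        offset = ip - base
        result["module"] = m["module"]
        # Offset is relative to the start of the mapping that contains ip.
        # It equals the address inside the ELF file only when that mapping
        # starts at file offset 0 (check /proc/<pid>/maps or readelf -l).
        result["offset"] = offset if 0 <= offset < size else None
    return result


def symbolize_hint(result, debug_lib="<path-to-library-with-debug-symbols>"):
    """Build an addr2line command line for the computed offset.

    debug_lib is a placeholder; point it at the matching -dbg build.
    """
    if result is None or result["offset"] is None:
        return None
    return f"addr2line -f -e {debug_lib} {result['offset']:#x}"


if __name__ == "__main__":
    info = parse_segfault(SAMPLE)
    print(info["comm"], info["pid"], info["module"], hex(info["offset"]))
    print(info["fault"])
    print(symbolize_hint(info))
```

For the line in this report the decoded fault is a user-mode read of an unmapped page with the instruction pointer inside libgnutls, which is the signature of an out-of-bounds read rather than a write or a jump to a bad address.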




Reply sent to Andreas Metzler <ametzler@debian.org>:
You have taken responsibility. (Thu, 23 May 2013 18:21:11 GMT) Full text and rfc822 format available.

Notification sent to rodrifra <sable_laser@yahoo.es>:
Bug acknowledged by developer. (Thu, 23 May 2013 18:21:11 GMT) Full text and rfc822 format available.

Message #45 received at 709301-close@bugs.debian.org (full text, mbox):

From: Andreas Metzler <ametzler@debian.org>
To: 709301-close@bugs.debian.org
Subject: Bug#709301: fixed in gnutls26 2.12.23-5
Date: Thu, 23 May 2013 18:19:06 +0000
Source: gnutls26
Source-Version: 2.12.23-5

We believe that the bug you reported is fixed in the latest version of
gnutls26, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 709301@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <ametzler@debian.org> (supplier of updated gnutls26 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 23 May 2013 19:04:28 +0200
Source: gnutls26
Binary: libgnutls-dev libgnutls26 libgnutls26-dbg gnutls26-doc libgnutlsxx27 libgnutls-openssl27
Architecture: source all amd64
Version: 2.12.23-5
Distribution: unstable
Urgency: high
Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Description: 
 gnutls26-doc - GNU TLS library 2.x - documentation and examples
 libgnutls-dev - GNU TLS library - development files
 libgnutls-openssl27 - GNU TLS library - OpenSSL wrapper
 libgnutls26 - GNU TLS library - runtime library
 libgnutls26-dbg - GNU TLS library - debugger symbols
 libgnutlsxx27 - GNU TLS library - C++ runtime library
Closes: 709301
Changes: 
 gnutls26 (2.12.23-5) unstable; urgency=high
 .
   * [21_sanitycheck.diff] Fix out of bounds data access.
     Closes: #709301




Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#709301; Package libgnutls26. (Thu, 23 May 2013 20:12:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Thu, 23 May 2013 20:12:04 GMT) Full text and rfc822 format available.

Message #50 received at 709301@bugs.debian.org (full text, mbox):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>, Andreas Metzler <ametzler@debian.org>, 709301@bugs.debian.org
Subject: Re: gnutls26_2.12.23-5_amd64.changes ACCEPTED into unstable
Date: Thu, 23 May 2013 16:09:43 -0400
On 05/23/2013 02:19 PM, Debian FTP Masters wrote:
>  gnutls26 (2.12.23-5) unstable; urgency=high
>  .
>    * [21_sanitycheck.diff] Fix out of bounds data access.
>      Closes: #709301

Thanks for doing this, Andreas!  are there plans to fix wheezy as well?

	--dkg


Reply sent to Andreas Metzler <ametzler@debian.org>:
You have taken responsibility. (Mon, 03 Jun 2013 22:18:24 GMT) Full text and rfc822 format available.

Notification sent to rodrifra <sable_laser@yahoo.es>:
Bug acknowledged by developer. (Mon, 03 Jun 2013 22:18:24 GMT) Full text and rfc822 format available.

Message #55 received at 709301-close@bugs.debian.org (full text, mbox):

From: Andreas Metzler <ametzler@debian.org>
To: 709301-close@bugs.debian.org
Subject: Bug#709301: fixed in gnutls26 2.12.20-7
Date: Mon, 03 Jun 2013 22:17:12 +0000
Source: gnutls26
Source-Version: 2.12.20-7

We believe that the bug you reported is fixed in the latest version of
gnutls26, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 709301@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <ametzler@debian.org> (supplier of updated gnutls26 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 24 May 2013 19:54:10 +0200
Source: gnutls26
Binary: libgnutls-dev libgnutls26 libgnutls26-dbg gnutls-bin gnutls26-doc guile-gnutls libgnutlsxx27 libgnutls-openssl27
Architecture: source all amd64
Version: 2.12.20-7
Distribution: wheezy-security
Urgency: high
Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Description: 
 gnutls-bin - GNU TLS library - commandline utilities
 gnutls26-doc - GNU TLS library 2.x - documentation and examples
 guile-gnutls - GNU TLS library - GNU Guile bindings
 libgnutls-dev - GNU TLS library - development files
 libgnutls-openssl27 - GNU TLS library - OpenSSL wrapper
 libgnutls26 - GNU TLS library - runtime library
 libgnutls26-dbg - GNU TLS library - debugger symbols
 libgnutlsxx27 - GNU TLS library - C++ runtime library
Closes: 709301
Changes: 
 gnutls26 (2.12.20-7) wheezy-security; urgency=high
 .
   * [36_sanitycheck.diff] from upstream GIT. - Fix out of bounds data access.
     Closes: #709301




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 02 Jul 2013 07:25:47 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 07:10:24 2014; Machine Name: beach.debian.org
