Re: please test imminent 2.8.x release
From: Tomas Mraz
Subject: Re: please test imminent 2.8.x release
Date: Mon, 10 Aug 2009 16:16:59 +0200

On Mon, 2009-08-10 at 15:55 +0200, Simon Josefsson wrote:
> Tomas Hoger <address@hidden> writes:
>
> > Hi Simon!
> >
> > Simon Josefsson <simon <at> josefsson.org> writes:
> >
> >> Because of the NUL in CN/SAN issue we need to release a stable 2.8.x
> >> update quickly.
> >>
> >> Please test the release candidate:
> >>
> >> http://daily.josefsson.org/gnutls-2.8/gnutls-2.8-20090806.tar.gz
> >>
> >> This will be identical with the release unless I hear anything negative.
> >>
> >> You can also help by reviewing the changes since 2.8.1:
> >>
> >> http://git.savannah.gnu.org/cgit/gnutls.git/log/?h=gnutls_2_8_x
> >
> > Is it intentional that 2.8.2 does contain 21bc1439e5, but does not
> > contain 9b0dc81885 and c9dba57f8d? Moreover, is 21bc1439e5 still
> > needed with 74b6d92f96 applied? It seems that if there is NUL,
> > GNUTLS_E_ASN1_DER_ERROR is returned earlier or res is passed through
> > _gnutls_x509_data2hex() and hence should not contain NULs any more.
>
> You are right. 21bc1439e5 is no longer needed and should not have been
> in 2.8.x. I wonder why the self-tests didn't catch that, by reading the
> code it would seem to trigger an out-of-bounds read in some situations.
>
> I'm wondering whether I need to release a 2.8.3 now... or whether the
> out-of-bounds read never happens in the 2.8.x branch for some other
> reason.
>
> See fixes at:
> http://git.savannah.gnu.org/cgit/gnutls.git/commit/?h=gnutls_2_8_x&id=c12e7507562d5f168330acf1dd7db7cc2079cdf0
> http://git.savannah.gnu.org/cgit/gnutls.git/commit/?h=gnutls_2_8_x&id=e52cbea94e67334c2c8e64c4bbb13d84c9d4433a
Unfortunately this seems to be exposed through the public API, so 2.8.3 seems
to be necessary.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb