gnutls: security bump to version 3.5.8
authorGustavo Zacarias <gustavo@zacarias.com.ar>
Mon, 9 Jan 2017 14:32:20 +0000 (11:32 -0300)
committerPeter Korsgaard <peter@korsgaard.com>
Mon, 9 Jan 2017 15:39:50 +0000 (16:39 +0100)
The 3.5.x has been promoted to stable, hence 3.4.x is deprecated and
3.3.x kept as old-stable.

libdane now specifies LGPLv2.1+, so drop the README kludge (the README's
licensing text is also gone).

libunistring is a new dependency, even though gnutls ships a builtin version
we prefer to use unbundled to avoid duplication with other users and target
size growth.

Fixes:

GNUTLS-SA-2017-01 - It was found using the OSS-FUZZ fuzzer
infrastructure that decoding a specially crafted X.509 certificate with
Proxy Certificate Information extension present could lead to a double
free.
GNUTLS-SA-2017-02 - It was found using the OSS-FUZZ fuzzer
infrastructure that decoding a specially crafted OpenPGP certificate
could lead to heap and stack overflows.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
package/gnutls/Config.in
package/gnutls/gnutls.hash
package/gnutls/gnutls.mk

index 998e213c7d0f8e34cb6f4af7e862c13dd4f7b7d2..cfb7cb3f3b5a72280a0212156078e8d0dd542072 100644 (file)
@@ -1,6 +1,7 @@
 config BR2_PACKAGE_GNUTLS
        bool "gnutls"
        select BR2_PACKAGE_LIBTASN1
+       select BR2_PACKAGE_LIBUNISTRING
        select BR2_PACKAGE_NETTLE
        select BR2_PACKAGE_PCRE
        depends on BR2_USE_WCHAR
index 897562b770ceebdf2ced14b51205053383378c2a..121f75a70292adfd6cb75fa0cce36b4863833b75 100644 (file)
@@ -1,2 +1,2 @@
 # Locally calculated after checking pgp signature
-sha256 9b50e8a670d5e950425d96935c7ddd415eb6f8079615a36df425f09a3143172e        gnutls-3.4.17.tar.xz
+sha256 0e97f243ae72b70307d684b84c7fe679385aa7a7a0e37e5be810193dcc17d4ff        gnutls-3.5.8.tar.xz
index af7621c724a2637e4c997218f810627f006eb5cc..4fab812819d36dca7031167eb44fb1ca0967e2f2 100644 (file)
@@ -4,17 +4,13 @@
 #
 ################################################################################
 
-GNUTLS_VERSION_MAJOR = 3.4
-GNUTLS_VERSION = $(GNUTLS_VERSION_MAJOR).17
+GNUTLS_VERSION_MAJOR = 3.5
+GNUTLS_VERSION = $(GNUTLS_VERSION_MAJOR).8
 GNUTLS_SOURCE = gnutls-$(GNUTLS_VERSION).tar.xz
 GNUTLS_SITE = ftp://ftp.gnutls.org/gcrypt/gnutls/v$(GNUTLS_VERSION_MAJOR)
-# README says that the core library is under LGPLv2.1+, but a few
-# files in libdane specify LGPLv3+. It seems to be a mistake, and we
-# therefore trust the README file here. A bug was reported upstream at
-# https://gitlab.com/gnutls/gnutls/issues/109.
 GNUTLS_LICENSE = LGPLv2.1+ (core library), GPLv3+ (gnutls-openssl library)
-GNUTLS_LICENSE_FILES = COPYING COPYING.LESSER README
-GNUTLS_DEPENDENCIES = host-pkgconf libtasn1 nettle pcre
+GNUTLS_LICENSE_FILES = doc/COPYING doc/COPYING.LESSER
+GNUTLS_DEPENDENCIES = host-pkgconf libunistring libtasn1 nettle pcre
 GNUTLS_CONF_OPTS = \
        --disable-doc \
        --disable-guile \
@@ -23,6 +19,7 @@ GNUTLS_CONF_OPTS = \
        --enable-local-libopts \
        --enable-openssl-compatibility \
        --with-libnettle-prefix=$(STAGING_DIR)/usr \
+       --with-libunistring-prefix=$(STAGING_DIR)/usr \
        --with-librt-prefix=$(STAGING_DIR) \
        --without-tpm \
        $(if $(BR2_PACKAGE_GNUTLS_TOOLS),--enable-tools,--disable-tools)
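Review bot: The new `GNUTLS_DEPENDENCIES` line lists `libunistring` ahead of `libtasn1`, while the Config.in hunk selects the same packages in alphabetical order (`LIBTASN1`, `LIBUNISTRING`, `NETTLE`); keeping both lists in one order makes later dependency audits of this security-sensitive package easier, so `GNUTLS_DEPENDENCIES = host-pkgconf libtasn1 libunistring nettle pcre`. The commit message says the bundled libunistring is deliberately not used, but the second hunk only points configure at the staging copy via `--with-libunistring-prefix`; if this version's configure falls back to its included copy when the probe fails (I have not checked its configure.ac), the duplication the message wants to avoid would return silently, so a comment on that option line such as `# use the unbundled libunistring selected in Config.in, not the shipped copy` would tell the next bumper what to verify. Note also that `GNUTLS_SITE` (unchanged context) fetches over plain ftp://, so the only integrity control on this advisory-fixing tarball is the locally calculated sha256 in the gnutls.hash hunk; that is Buildroot practice, but it is worth keeping in mind when reviewing the hash change.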