gnutls.pc should not directly link to libz.so in Libs.private

Bug #1660915 reported by Matthieu Gautier
This bug affects 2 people
Affects: gnutls28 (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

# Description
In /usr/lib/x86_64-linux-gnu/pkgconfig/gnutls.pc installed by libgnutls-dev:

Libs.private is used by pkg-config to give link flags when using the "--static" option.

So Libs.private should contain internal libs used by gnutls to allow users to link statically with gnutls.

If there is a direct link to a .so file, it breaks static compilation.

The direct path to libz.so should be replaced by "-lz"

# Ubuntu version
Ubuntu 16.04, 16.10
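
A check for the condition described in this report, added here as an example and not part of the original report or the gnutls28 packaging: it parses a .pc file and flags Libs.private entries that name a shared object by path, suggesting the -l form instead. The sample file contents, the -lexample entry and the function names are constructed for illustration.

```python
import re
import shlex

# Constructed sample modelled on the report; the page does not show the real file.
SAMPLE_PC = """\
prefix=/usr
libdir=${prefix}/lib/x86_64-linux-gnu
Name: GnuTLS
Libs: -L${libdir} -lgnutls
Libs.private: -lexample /usr/lib/x86_64-linux-gnu/libz.so
"""

VAR = re.compile(r"\$\{([^}]+)\}")
# Matches libNAME.so or libNAME.so.1.2.3, with or without a directory part.
SHARED = re.compile(r"(?:.*/)?lib([^/]+?)\.so(?:\.\d+)*$")

def parse_pc(text):
    """Split a .pc file into variables (name=value) and fields (Name: value)."""
    variables, fields = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9_.]+)\s*([=:])\s*(.*)$", line)
        if not m:
            continue
        (variables if m.group(2) == "=" else fields)[m.group(1)] = m.group(3)
    return variables, fields

def expand(value, variables, depth=10):
    """Substitute ${var} references, bounded so a self-reference cannot loop."""
    while depth and VAR.search(value):
        value = VAR.sub(lambda m: variables.get(m.group(1), ""), value)
        depth -= 1
    return value

def audit_libs_private(text):
    """Return (token, suggested -l flag) for each shared object named by path."""
    variables, fields = parse_pc(text)
    tokens = shlex.split(expand(fields.get("Libs.private", ""), variables))
    findings = []
    for tok in tokens:
        m = SHARED.match(tok)
        if m and not tok.startswith("-"):
            findings.append((tok, "-l" + m.group(1)))
    return findings

if __name__ == "__main__":
    for token, fix in audit_libs_private(SAMPLE_PC):
        print(f"Libs.private names a shared object by path: {token} -> use {fix}")
```
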

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gnutls28 (Ubuntu):
status: New → Confirmed
Andreas Metzler (k-launchpad-downhill-at-eu-org) wrote :

Now also reported as https://bugs.debian.org/857943 and forwarded upstream.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnutls28 - 3.5.17-1ubuntu1

---------------
gnutls28 (3.5.17-1ubuntu1) bionic; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - debian/patches/disable_global_init_override_test.patch: disable
      failing test.
    - debian/patches/add-openssl-test-link.patch: add link for libssl
  * Build with --with-included-unistring for now as our libunistring is
    too old and needs a transition.

gnutls28 (3.5.17-1) unstable; urgency=low

  * New upstream version.
    + When verifying against a self signed certificate ignore issuer. That
      is, ignore issuer when checking the issuer's parameters strength,
      resolving issue #347 which caused self signed certificates to be
      additionally marked as of insufficient security level.
      Closes: #885127

gnutls28 (3.5.16-1) unstable; urgency=medium

  * New upstream version.
    + Fixes interoperability issue with openssl when safe renegotiation was
      used. Closes: #873055
  * 35_modernize_gtkdoc.diff from upstream GIT master: Modernize gtk-doc
    support. Update gtk-doc.make, m4/gtk-doc.m4 and doc/reference/Makefile.am
    from gtk-doc git head (that is 1.26 +
    c08cc78562c59082fc83b55b58747177510b7a70). Disable gtkdoc-check.
    Closes: #876587

gnutls28 (3.5.15-2) unstable; urgency=medium

  * Upload to unstable.

gnutls28 (3.5.15-1) experimental; urgency=medium

  * New upstream version. Drop unneeded patches.
    (31_arm64ilp32-unaccelerated.patch
    35_record-added-sanity-checking-in-the-record-layer-ver.patch
    36_parse_pem_cert_mem-fixed-issue-resulting-to-accessin.patch)

gnutls28 (3.5.14-3) unstable; urgency=low

  * 35_record-added-sanity-checking-in-the-record-layer-ver.patch from
    upstream gnutls_3_5_x branch: Prevent crash on calling gnutls_bye() on an
    already terminated or deinitialized session. Closes: #867303
  * 36_parse_pem_cert_mem-fixed-issue-resulting-to-accessin.patch from
    upstream gnutls_3_5_x branch: parse_pem_cert_mem: fixed issue resulting
    to accessing past the input data.
  * 31_arm64ilp32-unaccelerated.patch by Wookey: Disable assembly
    code on arm64ilp32 to fix FTBFS. Closes: #872454
  * Use /usr/share/dpkg/pkg-info.mk instead of dpkg-parsechangelog, except for
    the compatibility code for setting SOURCE_DATE_EPOCH with dpkg << 1.18.8.
  * Standards-Version 4.0.1, update priorities (extra->optional).

gnutls28 (3.5.14-2) unstable; urgency=medium

  * Upload to unstable.

gnutls28 (3.5.14-1) experimental; urgency=low

  [ Dan Nicholson ]
  * Build with --disable-rpath. Closes: #865674

  [ Andreas Metzler ]
  * New upstream version.
  * Build against external libunistring.

gnutls28 (3.5.13-2) unstable; urgency=medium

  * Upload to unstable, merge changelogs.

gnutls28 (3.5.13-1) experimental; urgency=low

  * New upstream version.
    + Drop 35_test-corrected-typo-preventing-the-run-of-openpgp-te.patch.
    + Fixes GNUTLS-SA-2017-4/CVE-2017-7507 - Crash due to a null pointer
      dereference. #864560

gnutls28 (3.5.12-2) experimental; urgency=medium

  * 35_test-corrected-typo-preventing-the-run-of-openpgp-te.patch: Correct
    typo preventing the run of openpgp test.
  * Stop ...

Changed in gnutls28 (Ubuntu):
status: Confirmed → Fix Released