[buster] Backport fix for CVE-2020-13645 from upstream
The tls/tests/connection.c test is disabled by d/p/debian/10_connection_test.patch because various other test-cases were already failing or unreliable, but if I run it manually in a buster chroot, skipping the test-cases that already failed, I can get a successful run of the new /tls/connection/missing-server-identity test-case. To repeat this, apply the patch to upstream's glib-2-58 branch (with aa4dd4f8 "gnutls: Handle new GNUTLS_E_CERTIFICATE_REQUIRED" but without d/p/debian/10_connection_test.patch) and then run:
$ meson _build
$ ninja -C _build
$ env \
    GIO_MODULE_DIR=$(pwd)/_build/tls/gnutls \
    G_TEST_SRCDIR=$(pwd)/tls/tests \
    G_TEST_BUILDDIR=$(pwd)/_build/tls/tests \
    ./_build/tls/tests/connection \
    -s /tls/connection/client-auth-failure \
    -s /tls/connection/client-auth-request-fail \
    -s /tls/connection/client-auth-fail-missing-client-private-key \
    -s /tls/connection/fallback
Closes: #961756
This is a non-trivial backport, so I'd appreciate review/testing. The part that is used in practice appears to be equivalent to what's in the security update for Ubuntu 18.04, which seems like a good sign.
The security team indicated that they do not plan to do a DSA for this, so this is for buster-pu.
Contrary to what I previously said on #961756, I now think we don't need to update balsa in buster, because @dkg pointed out that the version in buster doesn't use glib-networking for TLS; so I don't think we need Breaks either.
I do not intend to backport this to stretch, which is almost at EOL anyway.