Hello community, here is the log from the commit of package gnutls for openSUSE:Factory checked in at 2012-04-20 15:16:38 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gnutls (Old) and /work/SRC/openSUSE:Factory/.gnutls.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnutls", Maintainer is "[email protected]" Changes: --------
--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes 2012-02-21 12:38:10.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.gnutls.new/gnutls.changes 2012-04-20 15:16:39.000000000 +0200
@@ -1,0 +2,9 @@
+Thu Apr 12 05:17:04 UTC 2012 - [email protected]
+
+- fix bug[bnc#753301] - VUL-0: gnutls/libtasn1
+ "asn1_get_length_der()" DER decoding issue
+ CVE-2012-1569
+ and bug[bnc#754223] - GenericBlockCipher heap corruption DoS
+ CVE-2012-1573
+
+-------------------------------------------------------------------
New: ---- CVE-2012-1569.patch CVE-2012-1573.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------
++++++ gnutls.spec ++++++
--- /var/tmp/diff_new_pack.wWhYRo/_old 2012-04-20 15:16:41.000000000 +0200
+++ /var/tmp/diff_new_pack.wWhYRo/_new 2012-04-20 15:16:41.000000000 +0200
@@ -36,6 +36,8 @@
 Patch1: gnutls-fix-crash-on-strcat.patch
 Patch2: CVE-2011-4128.patch
 Patch3: CVE-2012-0390.patch
+Patch4: CVE-2012-1569.patch
+Patch5: CVE-2012-1573.patch
 BuildRequires: automake
 BuildRequires: gcc-c++
 BuildRequires: libnettle-devel >= 2.2
@@ -160,6 +162,8 @@
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
+%patch5 -p1
 %build
 %configure \
++++++ CVE-2012-1569.patch ++++++
Index: gnutls-3.0.3/lib/minitasn1/decoding.c
===================================================================
--- gnutls-3.0.3.orig/lib/minitasn1/decoding.c
+++ gnutls-3.0.3/lib/minitasn1/decoding.c
@@ -55,12 +55,13 @@ _asn1_error_description_tag_error (ASN1_
 * Extract a length field from DER data.
 *
 * Returns: Return the decoded length value, or -1 on indefinite
- * length, or -2 when the value was too big.
+ * length, or -2 when the value was too big to fit in a int, or -4
+ * when the decoded length value plus @len would exceed @der_len.
 **/
 signed long
 asn1_get_length_der (const unsigned char *der, int der_len, int *len)
 {
- unsigned long ans;
+ int ans;
 int k, punt;
 *len = 0;
@@ -83,7 +84,7 @@ asn1_get_length_der (const unsigned char
 ans = 0;
 while (punt <= k && punt < der_len)
 {
- unsigned long last = ans;
+ int last = ans;
 ans = ans * 256 + der[punt++];
 if (ans < last)
@@ -93,10 +94,13 @@ asn1_get_length_der (const unsigned char
 }
 else
 { /* indefinite length method */
- ans = -1;
+ *len = punt;
+ return -1;
 }
 *len = punt;
+ if (ans + *len < ans || ans + *len > der_len)
+ return -4;
 return ans;
 }
 }
++++++ CVE-2012-1573.patch ++++++
Index: gnutls-3.0.3/lib/gnutls_cipher.c
===================================================================
--- gnutls-3.0.3.orig/lib/gnutls_cipher.c
+++ gnutls-3.0.3/lib/gnutls_cipher.c
@@ -502,7 +502,7 @@ ciphertext_to_compressed (gnutls_session
 break;
 case CIPHER_BLOCK:
- if (ciphertext->size < MAX(blocksize, tag_size) || (ciphertext->size % blocksize != 0))
+ if (ciphertext->size < blocksize || (ciphertext->size % blocksize != 0))
 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
 /* ignore the IV in TLS 1.1+
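Review bot: The -4 value documented in the first decoding.c hunk is a new return code, and the comment does not tell callers how to handle it. Any caller of asn1_get_length_der that tests only for -1 or -2 and otherwise uses the result as a length would presumably mishandle -4; the callers are outside this diff, so that needs checking wherever the function is used. I would add a line to the Returns paragraph such as `* Callers must treat every negative value other than -1 as a decoding error.` and correct "a int" to "an int" in the same comment.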
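Review bot: In the second decoding.c hunk the wrap-around test `if (ans < last)` now runs on `int`, and signed overflow in `ans = ans * 256 + der[punt++]` is undefined behaviour in C, so a compiler may drop the check that is meant to yield -2. The third hunk has the same problem in `ans + *len < ans`. Both checks should happen before the arithmetic: `if (ans > (INT_MAX - der[punt]) / 256) return -2;` ahead of the multiplication (this needs <limits.h>), and `if (ans > der_len - *len) return -4;` for the bound. The second form assumes *len never exceeds der_len; the short-form branch and the body of the `if` are outside the hunks, so that should be confirmed there.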
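Review bot: With tag_size dropped from the condition under `case CIPHER_BLOCK:`, nothing at this point says where the MAC length is still validated, so a reader auditing the record-length checks has to find the new test in the next hunk. A one-line comment above the `if`, for example `/* the tag_size minimum is checked below, after the explicit IV is removed */`, would keep the two checks connected. The case body continues outside the hunk.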
@@ -514,14 +514,11 @@ ciphertext_to_compressed (gnutls_session
 ciphertext->size -= blocksize;
 ciphertext->data += blocksize;
-
- if (ciphertext->size == 0)
- {
- gnutls_assert ();
- return GNUTLS_E_DECRYPTION_FAILED;
- }
 }
+ if (ciphertext->size < tag_size)
+ return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
+
 /* we don't use the auth_cipher interface here, since
 * TLS with block ciphers is impossible to be used under such
 * an API. (the length of plaintext is required to calculate
-- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
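Review bot: The new guard `if (ciphertext->size < tag_size)` accepts a record whose remaining length equals tag_size exactly, which leaves no room for the padding-length byte that a CBC record always carries. It also no longer rejects an empty remainder if tag_size is ever 0, which the removed `ciphertext->size == 0` test did. The padding and MAC handling are outside the hunk, so whether that code tolerates these cases cannot be seen here. Rejecting them up front is easier to audit: `if (ciphertext->size < tag_size + 1)`, with the same `return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);`.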
