Hi,

On 30/08/17 20:48, Salvatore Bonaccorso wrote:
> Control: retitle mbedtls: CVE-2017-14032: authentication bypass
> 
> Hi
> 
> On Tue, Aug 29, 2017 at 12:09:30AM +0100, James Cowgill wrote:
>> Source: mbedtls
>> Version: 2.1.2-1
>> Severity: grave
>> Tags: security
>>
>> Hi,
>>
>> The following security advisory was published for mbedtls:
>> https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02
> 
> MITRE has assigned CVE-2017-14032 for this issue.

Does the attached patch look OK for stretch? I did a bit of testing with
it and it seems to fix the issue for me.

Thanks,
James
diff -Nru mbedtls-2.4.2/debian/changelog mbedtls-2.4.2/debian/changelog
--- mbedtls-2.4.2/debian/changelog      2017-03-14 10:54:33.000000000 +0000
+++ mbedtls-2.4.2/debian/changelog      2017-09-01 09:29:59.000000000 +0100
@@ -1,3 +1,12 @@
+mbedtls (2.4.2-1+deb9u1) stretch-security; urgency=high
+
+  * Fix CVE-2017-14032:
+    If optional authentication is configured, allows remote attackers to
+    bypass peer authentication via an X.509 certificate chain with many
+    intermediates. (Closes: #873557)
+
+ -- James Cowgill <jcowg...@debian.org>  Fri, 01 Sep 2017 09:29:59 +0100
+
 mbedtls (2.4.2-1) unstable; urgency=high
 
   * New upstream version.
diff -Nru mbedtls-2.4.2/debian/patches/CVE-2017-14032.patch 
mbedtls-2.4.2/debian/patches/CVE-2017-14032.patch
--- mbedtls-2.4.2/debian/patches/CVE-2017-14032.patch   1970-01-01 
01:00:00.000000000 +0100
+++ mbedtls-2.4.2/debian/patches/CVE-2017-14032.patch   2017-09-01 
09:29:59.000000000 +0100
@@ -0,0 +1,149 @@
+Description: Fix CVE-2017-14032: authentication bypass
+ If a malicious peer supplies an X.509 certificate chain that has more
+ than MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (which by default is
+ 8), it could bypass authentication of the certificates, when the
+ authentication mode was set to 'optional' eg.
+ MBEDTLS_SSL_VERIFY_OPTIONAL. The issue could be triggered remotely by
+ both the client and server sides.
+ .
+ Fix by backporting two patches from the upstream 2.6 branch:
+  d15795acd507 = Improve behaviour on fatal errors
+  31458a18788b = Only return VERIFY_FAILED from a single point
+Author: Manuel Pégourié-Gonnard <manuel.pegourie-gonn...@arm.com>
+Origin: backport, 
https://github.com/ARMmbed/mbedtls/commit/d15795acd5074e0b44e71f7ede8bdfe1b48591fc
+Origin: backport, 
https://github.com/ARMmbed/mbedtls/commit/31458a18788b0cf0b722acda9bb2f2fe13a3fb32
+Bug-Debian: https://bugs.debian.org/873557
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+
+--- a/library/x509_crt.c
++++ b/library/x509_crt.c
+@@ -2055,8 +2055,8 @@ static int x509_crt_verify_child(
+     /* path_cnt is 0 for the first intermediate CA */
+     if( 1 + path_cnt > MBEDTLS_X509_MAX_INTERMEDIATE_CA )
+     {
+-        *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
+-        return( MBEDTLS_ERR_X509_CERT_VERIFY_FAILED );
++        /* return immediately as the goal is to avoid unbounded recursion */
++        return( MBEDTLS_ERR_X509_FATAL_ERROR );
+     }
+ 
+     if( mbedtls_x509_time_is_past( &child->valid_to ) )
+@@ -2200,11 +2200,14 @@ int mbedtls_x509_crt_verify_with_profile
+     mbedtls_x509_sequence *cur = NULL;
+     mbedtls_pk_type_t pk_type;
+ 
+-    if( profile == NULL )
+-        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+-
+     *flags = 0;
+ 
++    if( profile == NULL )
++    {
++        ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA;
++        goto exit;
++    }
++
+     if( cn != NULL )
+     {
+         name = &crt->subject;
+@@ -2278,7 +2281,7 @@ int mbedtls_x509_crt_verify_with_profile
+         ret = x509_crt_verify_top( crt, parent, ca_crl, profile,
+                                    pathlen, selfsigned, flags, f_vrfy, p_vrfy 
);
+         if( ret != 0 )
+-            return( ret );
++            goto exit;
+     }
+     else
+     {
+@@ -2293,17 +2296,28 @@ int mbedtls_x509_crt_verify_with_profile
+             ret = x509_crt_verify_child( crt, parent, trust_ca, ca_crl, 
profile,
+                                          pathlen, selfsigned, flags, f_vrfy, 
p_vrfy );
+             if( ret != 0 )
+-                return( ret );
++                goto exit;
+         }
+         else
+         {
+             ret = x509_crt_verify_top( crt, trust_ca, ca_crl, profile,
+                                        pathlen, selfsigned, flags, f_vrfy, 
p_vrfy );
+             if( ret != 0 )
+-                return( ret );
++                goto exit;
+         }
+     }
+ 
++exit:
++    /* prevent misuse of the vrfy callback */
++    if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED )
++        ret = MBEDTLS_ERR_X509_FATAL_ERROR;
++
++    if( ret != 0 )
++    {
++        *flags = (uint32_t) -1;
++        return( ret );
++    }
++
+     if( *flags != 0 )
+         return( MBEDTLS_ERR_X509_CERT_VERIFY_FAILED );
+ 
+--- a/include/mbedtls/error.h
++++ b/include/mbedtls/error.h
+@@ -71,7 +71,7 @@
+  * Name      ID  Nr of Errors
+  * PEM       1   9
+  * PKCS#12   1   4 (Started from top)
+- * X509      2   19
++ * X509      2   20
+  * PKCS5     2   4 (Started from top)
+  * DHM       3   9
+  * PK        3   14 (Started from top)
+--- a/include/mbedtls/ssl.h
++++ b/include/mbedtls/ssl.h
+@@ -1042,7 +1042,7 @@ void mbedtls_ssl_conf_authmode( mbedtls_
+  *
+  *                 If set, the verify callback is called for each
+  *                 certificate in the chain. For implementation
+- *                 information, please see \c x509parse_verify()
++ *                 information, please see \c mbedtls_x509_crt_verify()
+  *
+  * \param conf     SSL configuration
+  * \param f_vrfy   verification function
+--- a/include/mbedtls/x509.h
++++ b/include/mbedtls/x509.h
+@@ -76,6 +76,7 @@
+ #define MBEDTLS_ERR_X509_ALLOC_FAILED                     -0x2880  /**< 
Allocation of memory failed. */
+ #define MBEDTLS_ERR_X509_FILE_IO_ERROR                    -0x2900  /**< 
Read/write of file failed. */
+ #define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL                 -0x2980  /**< 
Destination buffer is too small. */
++#define MBEDTLS_ERR_X509_FATAL_ERROR                      -0x3000  /**< A 
fatal error occured, eg the chain is too long or the vrfy callback failed. */
+ /* \} name */
+ 
+ /**
+--- a/include/mbedtls/x509_crt.h
++++ b/include/mbedtls/x509_crt.h
+@@ -267,7 +267,13 @@ int mbedtls_x509_crt_verify_info( char *
+  *
+  *                 All flags left after returning from the callback
+  *                 are also returned to the application. The function should
+- *                 return 0 for anything but a fatal error.
++ *                 return 0 for anything (including invalid certificates)
++ *                 other than fatal error, as a non-zero return code
++ *                 immediately aborts the verification process. For fatal
++ *                 errors, a specific error code should be used (different
++ *                 from MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not
++ *                 be returned at this point), or MBEDTLS_ERR_X509_FATAL_ERROR
++ *                 can be used if no better code is available.
+  *
+  * \note           In case verification failed, the results can be displayed
+  *                 using \c mbedtls_x509_crt_verify_info()
+--- a/library/error.c
++++ b/library/error.c
+@@ -480,6 +480,8 @@ void mbedtls_strerror( int ret, char *bu
+             mbedtls_snprintf( buf, buflen, "X509 - Read/write of file failed" 
);
+         if( use_ret == -(MBEDTLS_ERR_X509_BUFFER_TOO_SMALL) )
+             mbedtls_snprintf( buf, buflen, "X509 - Destination buffer is too 
small" );
++        if( use_ret == -(MBEDTLS_ERR_X509_FATAL_ERROR) )
++            mbedtls_snprintf( buf, buflen, "X509 - A fatal error occured, eg 
the chain is too long or the vrfy callback failed" );
+ #endif /* MBEDTLS_X509_USE_C || MBEDTLS_X509_CREATE_C */
+         // END generated code
+ 
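Review bot: The `exit:` block added to mbedtls_x509_crt_verify_with_profile signals an over-long chain only through `MBEDTLS_ERR_X509_FATAL_ERROR` and `*flags = (uint32_t) -1`, and no hunk in this backport touches the TLS-layer caller, so it is not visible here whether a handshake configured with MBEDTLS_SSL_VERIFY_OPTIONAL aborts on the new code or discards it. If the 2.4.2 caller discards the return value in optional mode, the all-ones flags word is the only thing an application can act on; that is worth confirming against the caller and covering with a regression test whose chain exceeds MBEDTLS_X509_MAX_INTERMEDIATE_CA, since no test file is part of the patch. The terse comment `/* prevent misuse of the vrfy callback */` could also state the intent, e.g. `/* a callback must not report VERIFY_FAILED itself; treat it as fatal */`, and `*flags = (uint32_t) -1;` deserves `/* set every flag so callers that ignore ret still see a failure */`. Both functions start and end outside the nested hunks.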
diff -Nru mbedtls-2.4.2/debian/patches/series 
mbedtls-2.4.2/debian/patches/series
--- mbedtls-2.4.2/debian/patches/series 2017-03-14 10:54:33.000000000 +0000
+++ mbedtls-2.4.2/debian/patches/series 2017-09-01 09:29:59.000000000 +0100
@@ -1 +1,2 @@
 01_config.patch
+CVE-2017-14032.patch
