alonbl 14/06/07 18:18:46
Added: gnutls-2.12.23-CVE-2014-3469.patch
gnutls-2.12.23-CVE-2014-3468.patch
gnutls-2.12.23-CVE-2014-3467.patch
gnutls-2.12.23-CVE-2014-3466.patch
Log:
Fix CVE-2014-3466, CVE-2014-3467, CVE-2014-3468, CVE-2014-3469 of 2.12 series
(Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key
BF20DC51)
Revision Changes Path
1.1 net-libs/gnutls/files/gnutls-2.12.23-CVE-2014-3469.patch
file :
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-libs/gnutls/files/gnutls-2.12.23-CVE-2014-3469.patch?rev=1.1&view=markup
plain:
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-libs/gnutls/files/gnutls-2.12.23-CVE-2014-3469.patch?rev=1.1&content-type=text/plain
Index: gnutls-2.12.23-CVE-2014-3469.patch
===================================================================
>From 7f5a6256231e278aa7d00b6851c22fb457537262 Mon Sep 17 00:00:00 2001
From: mancha <[email protected]>
Date: Sun, 1 Jun 2014
Subject: CVE-2014-3469
This is a backport adaptation for use with GnuTLS 2.12.23.
Relevant upstream commit(s):
-------------------------
http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=a8b3e14f84174e
http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=3d6a02f19ff15a
http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=53958290ab731c
---
lib/minitasn1/decoding.c | 11 ++++++++---
lib/minitasn1/element.c | 27 ++++++++++++++++++---------
2 files changed, 26 insertions(+), 12 deletions(-)
--- a/lib/minitasn1/decoding.c
+++ b/lib/minitasn1/decoding.c
@@ -231,7 +231,6 @@ asn1_get_octet_der (const unsigned char
if (der_len <= 0)
return ASN1_GENERIC_ERROR;
- /* if(str==NULL) return ASN1_SUCCESS; */
*str_len = asn1_get_length_der (der, der_len, &len_len);
if (*str_len < 0)
@@ -239,7 +238,10 @@ asn1_get_octet_der (const unsigned char
*ret_len = *str_len + len_len;
if (str_size >= *str_len)
- memcpy (str, der + len_len, *str_len);
+ {
+ if (*str_len > 0 && str != NULL)
+ memcpy (str, der + len_len, *str_len);
+ }
else
{
return ASN1_MEM_ERROR;
@@ -362,7 +364,10 @@ asn1_get_bit_der (const unsigned char *d
return ASN1_DER_ERROR;
if (str_size >= len_byte)
- memcpy (str, der + len_len + 1, len_byte);
+ {
+ if (len_byte > 0 && str)
+ memcpy (str, der + len_len + 1, len_byte);
+ }
else
{
return ASN1_MEM_ERROR;
--- a/lib/minitasn1/element.c
+++ b/lib/minitasn1/element.c
@@ -112,8 +112,11 @@ _asn1_convert_integer (const unsigned ch
/* VALUE_OUT is too short to contain the value conversion */
return ASN1_MEM_ERROR;
- for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++)
- value_out[k2 - k] = val[k2];
+ if (value_out != NULL)
+ {
+ for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++)
+ value_out[k2 - k] = val[k2];
+ }
#if 0
printf ("_asn1_convert_integer: valueIn=%s, lenOut=%d", value, *len);
@@ -611,7 +614,8 @@ asn1_write_value (asn1_node node_root, c
if (ptr_size < data_size) { \
return ASN1_MEM_ERROR; \
} else { \
- memcpy( ptr, data, data_size); \
+ if (ptr && data_size > 0) \
+ memcpy( ptr, data, data_size); \
}
#define PUT_STR_VALUE( ptr, ptr_size, data) \
@@ -620,16 +624,19 @@ asn1_write_value (asn1_node node_root, c
return ASN1_MEM_ERROR; \
} else { \
/* this strcpy is checked */ \
- _asn1_strcpy(ptr, data); \
+ if (ptr) { \
+ _asn1_strcpy(ptr, data); \
+ } \
}
#define ADD_STR_VALUE( ptr, ptr_size, data) \
- *len = (int) _asn1_strlen(data) + 1; \
- if (ptr_size < (int) _asn1_strlen(ptr)+(*len)) { \
+ *len += _asn1_strlen(data); \
+ if (ptr_size < (int) *len) { \
+ (*len)++; \
return ASN1_MEM_ERROR; \
} else { \
/* this strcat is checked */ \
- _asn1_strcat(ptr, data); \
+ if (ptr) _asn1_strcat (ptr, data); \
}
/**
@@ -786,7 +793,9 @@ asn1_read_value (asn1_node root, const c
case TYPE_OBJECT_ID:
if (node->type & CONST_ASSIGN)
{
- value[0] = 0;
+ *len = 0;
+ if (value)
+ value[0] = 0;
p = node->down;
while (p)
{
@@ -800,7 +809,7 @@ asn1_read_value (asn1_node root, const c
}
p = p->right;
}
- *len = _asn1_strlen (value) + 1;
+ (*len)++;
}
else if ((node->type & CONST_DEFAULT) && (node->value == NULL))
{
1.1 net-libs/gnutls/files/gnutls-2.12.23-CVE-2014-3468.patch
file :
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-libs/gnutls/files/gnutls-2.12.23-CVE-2014-3468.patch?rev=1.1&view=markup
plain:
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-libs/gnutls/files/gnutls-2.12.23-CVE-2014-3468.patch?rev=1.1&content-type=text/plain
Index: gnutls-2.12.23-CVE-2014-3468.patch
===================================================================
>From 24ed1d41707f873f3b7a22159e4bb3942f319fac Mon Sep 17 00:00:00 2001
From: mancha <[email protected]>
Date: Sun, 1 Jun 2014
Subject: CVE-2014-3468
This is a backport adaptation for use with GnuTLS 2.12.23.
Relevant upstream commit(s):
-------------------------
http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=1c3ccb3e040bf1
---
lib/minitasn1/decoding.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/lib/minitasn1/decoding.c
+++ b/lib/minitasn1/decoding.c
@@ -226,7 +226,7 @@ asn1_get_octet_der (const unsigned char
int *ret_len, unsigned char *str, int str_size,
int *str_len)
{
- int len_len;
+ int len_len = 0;
if (der_len <= 0)
return ASN1_GENERIC_ERROR;
@@ -347,7 +347,7 @@ asn1_get_bit_der (const unsigned char *d
int *ret_len, unsigned char *str, int str_size,
int *bit_len)
{
- int len_len, len_byte;
+ int len_len = 0, len_byte;
if (der_len <= 0)
return ASN1_GENERIC_ERROR;
@@ -358,6 +358,9 @@ asn1_get_bit_der (const unsigned char *d
*ret_len = len_byte + len_len + 1;
*bit_len = len_byte * 8 - der[len_len];
+ if (*bit_len <= 0)
+ return ASN1_DER_ERROR;
+
if (str_size >= len_byte)
memcpy (str, der + len_len + 1, len_byte);
else
1.1 net-libs/gnutls/files/gnutls-2.12.23-CVE-2014-3467.patch
file :
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-libs/gnutls/files/gnutls-2.12.23-CVE-2014-3467.patch?rev=1.1&view=markup
plain:
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-libs/gnutls/files/gnutls-2.12.23-CVE-2014-3467.patch?rev=1.1&content-type=text/plain
Index: gnutls-2.12.23-CVE-2014-3467.patch
===================================================================
>From d4ff19de527cd3eb444c560639324cda35bc838e Mon Sep 17 00:00:00 2001
From: mancha <[email protected]>
Date: Sun, 1 Jun 2014
Subject: CVE-2014-3467
This is a backport adaptation for use with GnuTLS 2.12.23.
Relevant upstream commit(s):
-------------------------
http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=ff3b5c68cc32e3
http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=51612fca32dda4
---
lib/minitasn1/decoding.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/lib/minitasn1/decoding.c
+++ b/lib/minitasn1/decoding.c
@@ -149,7 +149,7 @@ asn1_get_tag_der (const unsigned char *d
/* Long form */
punt = 1;
ris = 0;
- while (punt <= der_len && der[punt] & 128)
+ while (punt < der_len && der[punt] & 128)
{
last = ris;
@@ -259,7 +259,7 @@ _asn1_get_time_der (const unsigned char
if (der_len <= 0 || str == NULL)
return ASN1_DER_ERROR;
str_len = asn1_get_length_der (der, der_len, &len_len);
- if (str_len < 0 || str_size < str_len)
+ if (str_len <= 0 || str_size < str_len)
return ASN1_DER_ERROR;
memcpy (str, der + len_len, str_len);
str[str_len] = 0;
@@ -285,7 +285,7 @@ _asn1_get_objectid_der (const unsigned c
return ASN1_GENERIC_ERROR;
len = asn1_get_length_der (der, der_len, &len_len);
- if (len < 0 || len > der_len || len_len > der_len)
+ if (len <= 0 || len > der_len || len_len > der_len)
return ASN1_DER_ERROR;
val1 = der[len_len] / 40;
1.1 net-libs/gnutls/files/gnutls-2.12.23-CVE-2014-3466.patch
file :
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-libs/gnutls/files/gnutls-2.12.23-CVE-2014-3466.patch?rev=1.1&view=markup
plain:
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-libs/gnutls/files/gnutls-2.12.23-CVE-2014-3466.patch?rev=1.1&content-type=text/plain
Index: gnutls-2.12.23-CVE-2014-3466.patch
===================================================================
>From e47d30e272a0b3977db8dae09327acad45b931d8 Mon Sep 17 00:00:00 2001
From: mancha <[email protected]>
Date: Sun, 1 Jun 2014
Subject: CVE-2014-3466
This is a backport adaptation for use with GnuTLS 2.12.23.
Relevant upstream commit(s):
-------------------------
https://gitorious.org/gnutls/gnutls/commit/688ea6428a432c
https://gitorious.org/gnutls/gnutls/commit/a7be326f0e33cf
---
lib/gnutls_handshake.c | 2
tests/Makefile.am | 2
tests/long-session-id.c | 268 ++++++++++++++++++++++++++++++++++++++++
3 files changed, 270 insertions(+), 2 deletions(-)
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -1797,7 +1797,7 @@ _gnutls_read_server_hello (gnutls_sessio
DECR_LEN (len, 1);
session_id_len = data[pos++];
- if (len < session_id_len)
+ if (len < session_id_len || session_id_len > TLS_MAX_SESSION_ID_SIZE)
{
gnutls_assert ();
return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -64,7 +64,7 @@ ctests = simple gc set_pkcs12_cred certd
crq_key_id x509sign-verify cve-2009-1415 cve-2009-1416 \
crq_apis init_roundtrip pkcs12_s2k_pem dn2 mini-eagain \
nul-in-x509-names x509_altname pkcs12_encode mini-x509 \
- mini-x509-rehandshake rng-fork x509cert gendh
+ mini-x509-rehandshake rng-fork x509cert gendh long-session-id
if ENABLE_OPENSSL
ctests += openssl
--- /dev/null
+++ b/tests/long-session-id.c
@@ -0,0 +1,268 @@
+/*
+ * Copyright (C) 2012 Free Software Foundation, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GnuTLS; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#if defined(_WIN32)
+
+int main()
+{
+ exit(77);
+}
+
+#else
+
+#include <string.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+#include <gnutls/gnutls.h>
+#include <signal.h>
+
+static int debug = 0;
+static void terminate(int);
+
+/* This program tests the robustness of record
+ * decoding.
+ */
+
+static void client_log_func(int level, const char *str)
+{
+ fprintf(stderr, "client|<%d>| %s", level, str);
+}
+
+static unsigned char server_cert_pem[] =
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n"
+ "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n"
+ "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n"
+ "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n"
+ "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n"
+ "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n"
+ "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n"
+ "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n"
+ "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n"
+ "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n"
+ "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n"
+ "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n"
+ "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n";
+
+const gnutls_datum_t server_cert = { server_cert_pem,
+ sizeof(server_cert_pem)
+};
+
+static unsigned char server_key_pem[] =
+ "-----BEGIN RSA PRIVATE KEY-----\n"
+ "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n"
+ "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n"
+ "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n"
+ "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n"
+ "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n"
+ "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n"
+ "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n"
+ "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n"
+ "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n"
+ "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n"
+ "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n"
+ "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n"
+ "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n"
+ "-----END RSA PRIVATE KEY-----\n";
+
+const gnutls_datum_t server_key = { server_key_pem,
+ sizeof(server_key_pem)
+};
+
+
+/* A very basic TLS client, with anonymous authentication.
+ */
+
+static void client(int fd, const char *prio)
+{
+ int ret;
+ gnutls_anon_client_credentials_t anoncred;
+ gnutls_certificate_credentials_t x509_cred;
+ gnutls_session_t session;
+ /* Need to enable anonymous KX specifically. */
+
+ gnutls_global_init();
+
+ if (debug) {
+ gnutls_global_set_log_function(client_log_func);
+ gnutls_global_set_log_level(7);
+ }
+
+ gnutls_anon_allocate_client_credentials(&anoncred);
+ gnutls_certificate_allocate_credentials(&x509_cred);
+
+ /* Initialize TLS session
+ */
+ gnutls_init(&session, GNUTLS_CLIENT);
+
+ /* Use default priorities */
+ gnutls_priority_set_direct(session, prio, NULL);
+
+ /* put the anonymous credentials to the current session
+ */
+ gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
+
+ gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) fd);
+
+ /* Perform the TLS handshake
+ */
+ do {
+ ret = gnutls_handshake(session);
+ }
+ while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
+
+ if (ret < 0) {
+ fprintf(stderr, "client: Handshake failed (expected)\n");
+ gnutls_perror(ret);
+ exit(0);
+ } else {
+ if (debug)
+ fprintf(stderr, "client: Handshake was completed\n");
+ }
+
+ close(fd);
+
+ gnutls_deinit(session);
+
+ gnutls_anon_free_client_credentials(anoncred);
+ gnutls_certificate_free_credentials(x509_cred);
+
+ gnutls_global_deinit();
+}
+
+
+/* These are global */
+pid_t child;
+
+static void terminate(int ret)
+{
+ kill(child, SIGTERM);
+ exit(ret);
+}
+
+static void server(int fd, const char *prio)
+{
+ int ret;
+ uint8_t id[255];
+ uint8_t buffer[] = "\x16\x03\x00\x01\x25"
+ "\x02\x00\x01\x21"
+ "\x03\x00"/*Server Version */
+
/*Random*/"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00"
+ /*SessionID*/"\xfe";
+
+ ret = read(fd, id, sizeof(id));
+ if (ret < 0) {
+ abort();
+ }
+
+ ret = write(fd, buffer, sizeof(buffer));
+ if (ret < 0) {
+ return;
+ }
+
+ memset(id, 0xff, sizeof(id));
+ ret = write(fd, id, sizeof(id));
+ if (ret < 0) {
+ return;
+ }
+
+ memset(id, 0xff, sizeof(id));
+ ret = write(fd, id, sizeof(id));
+ if (ret < 0) {
+ return;
+ }
+ sleep(3);
+
+ return;
+}
+
+static void start(const char *prio)
+{
+ int fd[2];
+ int ret;
+
+ ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
+ if (ret < 0) {
+ perror("socketpair");
+ exit(1);
+ }
+
+ child = fork();
+ if (child < 0) {
+ perror("fork");
+ exit(1);
+ }
+
+ if (child) {
+ /* parent */
+ close(fd[1]);
+ server(fd[0], prio);
+ kill(child, SIGTERM);
+ } else {
+ close(fd[0]);
+ client(fd[1], prio);
+ exit(0);
+ }
+}
+
+static void ch_handler(int sig)
+{
+ int status, ret = 0;
+ wait(&status);
+ if (WEXITSTATUS(status) != 0 ||
+ (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV)) {
+ if (WIFSIGNALED(status)) {
+ fprintf(stderr, "Child died with sigsegv\n");
+ ret = 1;
+ } else {
+ fprintf(stderr, "Child died with status %d\n",
+ WEXITSTATUS(status));
+ }
+ terminate(ret);
+ }
+ return;
+}
+
+int main(int argc, char **argv)
+{
+ signal(SIGCHLD, ch_handler);
+
+ if (argc > 1)
+ debug = 1;
+
+ start("NORMAL");
+ return 0;
+}
+
+#endif /* _WIN32 */
