Hi On Fri, 2024-02-23 at 13:42 +0530, Ranjitsinh Rathod wrote: > From: Ranjitsinh Rathod <[email protected]> > > A vulnerability was found in GnuTLS, where Cockpit (which uses > GnuTLS) > rejects a certificate chain with distributed trust. This issue occurs > when validating a certificate chain with cockpit-certificate-ensure. > This flaw allows an unauthenticated, remote client or attacker to > initiate a denial of service attack. > > Link: https://nvd.nist.gov/vuln/detail/CVE-2024-0567 > Link: https://gitlab.com/gnutls/gnutls/-/issues/1521
Did you check whether the reproducer in this issue crashes for this version of GnuTLS as well and gets fixed after applying this modified patch? The code looks different so it'd be good to check if you haven't already. It doesn't seem to be reproducible in 3.6.13 for Ubuntu: https://ubuntu.com/security/CVE-2024-0567 Thanks, Anuj > Link: > https://gitlab.com/gnutls/gnutls/-/commit/9edbdaa84e38b1bfb53a7d72c1de44f8de373405 > > Signed-off-by: Ranjitsinh Rathod <[email protected]> > Signed-off-by: Ranjitsinh Rathod <[email protected]> > --- > .../gnutls/gnutls/CVE-2024-0567.patch | 190 > ++++++++++++++++++ > meta/recipes-support/gnutls/gnutls_3.6.14.bb | 1 + > 2 files changed, 191 insertions(+) > create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2024- > 0567.patch > > diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2024-0567.patch > b/meta/recipes-support/gnutls/gnutls/CVE-2024-0567.patch > new file mode 100644 > index 0000000000..1580cab277 > --- /dev/null > +++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-0567.patch 
> @@ -0,0 +1,190 @@ > +From 9edbdaa84e38b1bfb53a7d72c1de44f8de373405 Mon Sep 17 00:00:00 > 2001 > +From: Daiki Ueno <[email protected]> > +Date: Thu, 11 Jan 2024 15:45:11 +0900 > +Subject: [PATCH] x509: detect loop in certificate chain > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=UTF-8 > +Content-Transfer-Encoding: 8bit > + > +There can be a loop in a certificate chain, when multiple CA > +certificates are cross-signed with each other, such as A → B, B → C, > +and C → A. Previously, the verification logic was not capable of > +handling this scenario while sorting the certificates in the chain > in > +_gnutls_sort_clist, resulting in an assertion failure. This patch > +properly detects such loop and aborts further processing in a > graceful > +manner. > + > +Signed-off-by: Daiki Ueno <[email protected]> > + > +CVE: CVE-2024-0567 > +Upstream-Status: Backport > [https://gitlab.com/gnutls/gnutls/-/commit/9edbdaa84e38b1bfb53a7d72c1 > de44f8de373405] > +Signed-off-by: Ranjitsinh Rathod <[email protected]> > +Comment: Hunks refreshed to fix error during backporting this patch > + > +--- > + lib/x509/common.c | 4 ++ > + tests/test-chains.h | 125 > ++++++++++++++++++++++++++++++++++++++++++++ > + 2 files changed, 129 insertions(+) > + > +diff --git a/lib/x509/common.c b/lib/x509/common.c > +index 861cace4c8..d749a062cd 100644 > +--- a/lib/x509/common.c > ++++ b/lib/x509/common.c > +@@ -1761,6 +1761,11 @@ gnutls_x509_crt_t *_gnutls_sort_clist(gn > + *clist_size = i; > + break; > + } > ++ > ++ if (insorted[prev]) { /* loop detected */ > ++ break; > ++ } > ++ > + sorted[i] = clist[prev]; > + insorted[prev] = 1; > + } > +diff --git a/tests/test-chains.h b/tests/test-chains.h > +index 9ce23764da..3e559fecd5 100644 > +--- a/tests/test-chains.h > ++++ b/tests/test-chains.h > +@@ -4106,6 +4106,129 @@ static const char *superseding_ca[] = { > + NULL > + }; > + > ++static const char *cross_signed[] = { > ++ /* server (signed by A1) */ > ++ "-----BEGIN CERTIFICATE-----\n" 
> ++ "MIIBqDCCAVqgAwIBAgIUejlil+8DBffazcnMNwyOOP6yCCowBQYDK2VwMBo > xGDAW\n" > ++ "BgNVBAMTD0ludGVybWVkaWF0ZSBBMTAgFw0yNDAxMTEwNjI3MjJaGA85OTk > 5MTIz\n" > ++ "MTIzNTk1OVowNzEbMBkGA1UEChMSR251VExTIHRlc3Qgc2VydmVyMRgwFgY > DVQQD\n" > ++ "Ew90ZXN0LmdudXRscy5vcmcwKjAFBgMrZXADIQA1ZVS0PcNeTPQMZ+FuVz8 > 2AHrj\n" > ++ "qL5hWEpCDgpG4M4fxaOBkjCBjzAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBG > CD3Rl\n" > ++ "c3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8 > EBAMC\n" > ++ "B4AwHQYDVR0OBBYEFGtEUv+JSt+zPoO3lu0IiObZVoiNMB8GA1UdIwQYMBa > AFPnY\n" > ++ "v6Pw0IvKSqIlb6ewHyEAmTA3MAUGAytlcANBAAS2lyc87kH/aOvNKzPjqDw > UYxPA\n" > ++ "CfYjyaKea2d0DZLBM5+Bjnj/4aWwTKgVTJzWhLJcLtaSdVHrXqjr9NhEhQ0 > =\n" > ++ "-----END CERTIFICATE-----\n", > ++ /* A1 (signed by A) */ > ++ "-----BEGIN CERTIFICATE-----\n" > ++ "MIIBUjCCAQSgAwIBAgIUe/R+NVp04e74ySw2qgI6KZgFR20wBQYDK2VwMBE > xDzAN\n" > ++ "BgNVBAMTBlJvb3QgQTAgFw0yNDAxMTEwNjI1MDFaGA85OTk5MTIzMTIzNTk > 1OVow\n" > ++ "GjEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIEExMCowBQYDK2VwAyEAlkTNqwz > 973sy\n" > ++ "u3whMjSiUMs77CZu5YA7Gi5KcakExrKjYzBhMA8GA1UdEwEB/wQFMAMBAf8 > wDgYD\n" > ++ "VR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT52L+j8NCLykqiJW+nsB8hAJkwNzA > fBgNV\n" > ++ "HSMEGDAWgBRbYgOkRGsd3Z74+CauX4htzLg0lzAFBgMrZXADQQBM0NBaFVP > d3cTJ\n" > ++ "DSaZNT34fsHuJk4eagpn8mBxKQpghq4s8Ap+nYtp2KiXjcizss53PeLXVnk > fyLi0\n" > ++ "TLVBHvUJ\n" > ++ "-----END CERTIFICATE-----\n", > ++ /* A (signed by B) */ > ++ "-----BEGIN CERTIFICATE-----\n" > ++ "MIIBSDCB+6ADAgECAhQtdJpg+qlPcLoRW8iiztJUD4xNvDAFBgMrZXAwETE > PMA0G\n" > ++ "A1UEAxMGUm9vdCBCMCAXDTI0MDExMTA2MTk1OVoYDzk5OTkxMjMxMjM1OTU > 5WjAR\n" > ++ "MQ8wDQYDVQQDEwZSb290IEEwKjAFBgMrZXADIQA0vDYyg3tgotSETL1Wq2h > Bs32p\n" > ++ "WbnINkmOSNmOiZlGHKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8 > EBAMC\n" > ++ "AgQwHQYDVR0OBBYEFFtiA6REax3dnvj4Jq5fiG3MuDSXMB8GA1UdIwQYMBa > AFJFA\n" > ++ "s2rg6j8w9AKItRnOOOjG2FG6MAUGAytlcANBAPv674p9ek5GjRcRfVQhgN+ > kQlHU\n" > ++ "u774wL3Vx3fWA1E7+WchdMzcHrPoa5OKtKmxjIKUTO4SeDZL/AVpvulrWwk > =\n" > ++ "-----END 
CERTIFICATE-----\n", > ++ /* A (signed by C) */ > ++ "-----BEGIN CERTIFICATE-----\n" > ++ "MIIBSDCB+6ADAgECAhReNpCiVn7eFDUox3mvM5qE942AVzAFBgMrZXAwETE > PMA0G\n" > ++ "A1UEAxMGUm9vdCBDMCAXDTI0MDExMTA2MjEyMVoYDzk5OTkxMjMxMjM1OTU > 5WjAR\n" > ++ "MQ8wDQYDVQQDEwZSb290IEIwKjAFBgMrZXADIQAYX92hS97OGKbMzwrD7Re > VifwM\n" > ++ "3iz5tnfQHWQSkvvYMKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8 > EBAMC\n" > ++ "AgQwHQYDVR0OBBYEFJFAs2rg6j8w9AKItRnOOOjG2FG6MB8GA1UdIwQYMBa > AFEh/\n" > ++ "XKjIuMeEavX5QVoy39Q+GhnwMAUGAytlcANBAIwghH3gelXty8qtoTGIEJb > 0+EBv\n" > ++ "BH4YOUh7TamxjxkjvvIhDA7ZdheofFb7NrklJco7KBcTATUSOvxakYRP9Q8 > =\n" > ++ "-----END CERTIFICATE-----\n", > ++ /* B1 (signed by B) */ > ++ "-----BEGIN CERTIFICATE-----\n" > ++ "MIIBUjCCAQSgAwIBAgIUfpmrVDc1XBA5/7QYMyGBuB9mTtUwBQYDK2VwMBE > xDzAN\n" > ++ "BgNVBAMTBlJvb3QgQjAgFw0yNDAxMTEwNjI1MjdaGA85OTk5MTIzMTIzNTk > 1OVow\n" > ++ "GjEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIEIxMCowBQYDK2VwAyEAh6ZTuJW > sweVB\n" > ++ "a5fsye5iq89kWDC2Y/Hlc0htLmjzMP+jYzBhMA8GA1UdEwEB/wQFMAMBAf8 > wDgYD\n" > ++ "VR0PAQH/BAQDAgIEMB0GA1UdDgQWBBTMQu37PKyLjKfPODZgxYCaayff+jA > fBgNV\n" > ++ "HSMEGDAWgBSRQLNq4Oo/MPQCiLUZzjjoxthRujAFBgMrZXADQQBblmguY+l > nYvOK\n" > ++ "rAZJnqpEUGfm1tIFyu3rnlE7WOVcXRXMIoNApLH2iHIipQjlvNWuSBFBTC1 > qdewh\n" > ++ "/e+0cgQB\n" > ++ "-----END CERTIFICATE-----\n", > ++ /* B (signed by A) */ > ++ "-----BEGIN CERTIFICATE-----\n" > ++ "MIIBSDCB+6ADAgECAhRpEm+dWNX6DMZh/nottkFfFFrXXDAFBgMrZXAwETE > PMA0G\n" > ++ "A1UEAxMGUm9vdCBBMCAXDTI0MDExMTA2MTcyNloYDzk5OTkxMjMxMjM1OTU > 5WjAR\n" > ++ "MQ8wDQYDVQQDEwZSb290IEIwKjAFBgMrZXADIQAYX92hS97OGKbMzwrD7Re > VifwM\n" > ++ "3iz5tnfQHWQSkvvYMKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8 > EBAMC\n" > ++ "AgQwHQYDVR0OBBYEFJFAs2rg6j8w9AKItRnOOOjG2FG6MB8GA1UdIwQYMBa > AFFti\n" > ++ "A6REax3dnvj4Jq5fiG3MuDSXMAUGAytlcANBAFvmcK3Ida5ViVYDzxKVLPc > PsCHe\n" > ++ "3hxz99lBrerJC9iJSvRYTJoPBvjTxDYnBn5EFrQYMrUED+6i71lmGXNU9gs > =\n" > ++ "-----END CERTIFICATE-----\n", > ++ /* B (signed by C) */ > ++ "-----BEGIN 
CERTIFICATE-----\n" > ++ "MIIBSDCB+6ADAgECAhReNpCiVn7eFDUox3mvM5qE942AVzAFBgMrZXAwETE > PMA0G\n" > ++ "A1UEAxMGUm9vdCBDMCAXDTI0MDExMTA2MjEyMVoYDzk5OTkxMjMxMjM1OTU > 5WjAR\n" > ++ "MQ8wDQYDVQQDEwZSb290IEIwKjAFBgMrZXADIQAYX92hS97OGKbMzwrD7Re > VifwM\n" > ++ "3iz5tnfQHWQSkvvYMKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8 > EBAMC\n" > ++ "AgQwHQYDVR0OBBYEFJFAs2rg6j8w9AKItRnOOOjG2FG6MB8GA1UdIwQYMBa > AFEh/\n" > ++ "XKjIuMeEavX5QVoy39Q+GhnwMAUGAytlcANBAIwghH3gelXty8qtoTGIEJb > 0+EBv\n" > ++ "BH4YOUh7TamxjxkjvvIhDA7ZdheofFb7NrklJco7KBcTATUSOvxakYRP9Q8 > =\n" > ++ "-----END CERTIFICATE-----\n", > ++ /* C1 (signed by C) */ > ++ "-----BEGIN CERTIFICATE-----\n" > ++ "MIIBUjCCAQSgAwIBAgIUSKsfY1wD3eD2VmaaK1wt5naPckMwBQYDK2VwMBE > xDzAN\n" > ++ "BgNVBAMTBlJvb3QgQzAgFw0yNDAxMTEwNjI1NDdaGA85OTk5MTIzMTIzNTk > 1OVow\n" > ++ "GjEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIEMxMCowBQYDK2VwAyEA/t7i1ch > ZlKkV\n" > ++ "qxJOrmmyATn8XnpK+nV/iT4OMHSHfAyjYzBhMA8GA1UdEwEB/wQFMAMBAf8 > wDgYD\n" > ++ "VR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRmpF3JjoP3NiBzE5J5ANT0bvfRmjA > fBgNV\n" > ++ "HSMEGDAWgBRIf1yoyLjHhGr1+UFaMt/UPhoZ8DAFBgMrZXADQQAeRBXv6WC > TOp0G\n" > ++ "3wgd8bbEGrrILfpi+qH7aj/MywgkPIlppDYRQ3jL6ASd+So/408dlE0DV9D > XKBi0\n" > ++ "725XUUYO\n" > ++ "-----END CERTIFICATE-----\n", > ++ /* C (signed by A) */ > ++ "-----BEGIN CERTIFICATE-----\n" > ++ "MIIBSDCB+6ADAgECAhRvbZv3SRTjDOiAbyFWHH4y0yMZkjAFBgMrZXAwETE > PMA0G\n" > ++ "A1UEAxMGUm9vdCBBMCAXDTI0MDExMTA2MTg1MVoYDzk5OTkxMjMxMjM1OTU > 5WjAR\n" > ++ "MQ8wDQYDVQQDEwZSb290IEMwKjAFBgMrZXADIQDxm6Ubhsa0gSa1vBCIO5e > +qZEH\n" > ++ "8Oocz+buNHfIJbh5NaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8 > EBAMC\n" > ++ "AgQwHQYDVR0OBBYEFEh/XKjIuMeEavX5QVoy39Q+GhnwMB8GA1UdIwQYMBa > AFFti\n" > ++ "A6REax3dnvj4Jq5fiG3MuDSXMAUGAytlcANBAPl+SyiOfXJnjSWx8hFMhJ7 > w92mn\n" > ++ "tkGifCFHBpUhYcBIMeMtLw0RBLXqaaN0EKlTFimiEkLClsU7DKYrpEEJegs > =\n" > ++ "-----END CERTIFICATE-----\n", > ++ /* C (signed by B) */ > ++ "-----BEGIN CERTIFICATE-----\n" > ++ 
"MIIBSDCB+6ADAgECAhQU1OJWRVOLrGrgJiLwexd1/MwKkTAFBgMrZXAwETE > PMA0G\n" > ++ "A1UEAxMGUm9vdCBCMCAXDTI0MDExMTA2MjAzMFoYDzk5OTkxMjMxMjM1OTU > 5WjAR\n" > ++ "MQ8wDQYDVQQDEwZSb290IEMwKjAFBgMrZXADIQDxm6Ubhsa0gSa1vBCIO5e > +qZEH\n" > ++ "8Oocz+buNHfIJbh5NaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8 > EBAMC\n" > ++ "AgQwHQYDVR0OBBYEFEh/XKjIuMeEavX5QVoy39Q+GhnwMB8GA1UdIwQYMBa > AFJFA\n" > ++ "s2rg6j8w9AKItRnOOOjG2FG6MAUGAytlcANBALXeyuj8vj6Q8j4l17VzZwm > Jl0gN\n" > ++ "bCGoKMl0J/0NiN/fQRIsdbwQDh0RUN/RN3I6DTtB20ER6f3VdnzAh8nXkQ4 > =\n" > ++ "-----END CERTIFICATE-----\n", > ++ NULL > ++}; > ++ > ++static const char *cross_signed_ca[] = { > ++ /* A (self-signed) */ > ++ "-----BEGIN CERTIFICATE-----\n" > ++ "MIIBJzCB2qADAgECAhQs1Ur+gzPs1ISxs3Tbs700q0CZcjAFBgMrZXAwETE > PMA0G\n" > ++ "A1UEAxMGUm9vdCBBMCAXDTI0MDExMTA2MTYwMFoYDzk5OTkxMjMxMjM1OTU > 5WjAR\n" > ++ "MQ8wDQYDVQQDEwZSb290IEEwKjAFBgMrZXADIQA0vDYyg3tgotSETL1Wq2h > Bs32p\n" > ++ "WbnINkmOSNmOiZlGHKNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8 > EBAMC\n" > ++ "AgQwHQYDVR0OBBYEFFtiA6REax3dnvj4Jq5fiG3MuDSXMAUGAytlcANBAHr > Vv7E9\n" > ++ "5scuOVCH9gNRRm8Z9SUoLakRHAPnySdg6z/kI3vOgA/OM7reArpnW8l1H2F > apgpL\n" > ++ "bDeZ2XJH+BdVFwg=\n" > ++ "-----END CERTIFICATE-----\n", > ++ NULL > ++}; > ++ > + #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && > __GNUC_MINOR__ >= 5) > + # pragma GCC diagnostic push > + # pragma GCC diagnostic ignored "-Wunused-variable" > +@@ -4275,6 +4398,8 @@ static struct > + { "ed448 - ok", ed448, &ed448[0], > GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA), > + 0, NULL, 1584352960, 1}, > + { "superseding - ok", superseding, superseding_ca, 0, 0, 0, > 1590928011 }, > ++ { "cross signed - ok", cross_signed, cross_signed_ca, 0, 0, 0, > ++ 1704955300 }, > + { NULL, NULL, NULL, 0, 0} > + }; > + > +-- > +GitLab > + > diff --git a/meta/recipes-support/gnutls/gnutls_3.6.14.bb > b/meta/recipes-support/gnutls/gnutls_3.6.14.bb > index a1451daf2c..66700ac1b4 100644 
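Review bot: The new loop-detected branch in `_gnutls_sort_clist` breaks out without shrinking `*clist_size`, unlike the `prev == -1` branch directly above it, which sets `*clist_size = i;` before its `break`, so when a cycle is hit at position i the caller gets `sorted` with the original count while `sorted[i..*clist_size-1]` were never written by this loop. Whether that is reachable depends on what the rest of the function and its caller do with the count, and both are outside this hunk (the function body starts and ends outside it), so please check the 3.6.14 code rather than assume it is handled; the regression test added here puts a trusted root A in the chain, so it may not exercise a cycle that has no trusted issuer. If nothing downstream truncates the count, the one-line fix is `if (insorted[prev]) { /* loop detected */ *clist_size = i; break; }`, and it should be marked in the patch header as a deliberate deviation from the upstream hunk. Separately, the PEM under `/* A (signed by C) */` in `cross_signed[]` is byte-identical to the one under `/* B (signed by C) */` (same serial, subject "Root B"), so that comment is mislabeled; it is harmless for the test, which still forms the A→B→C→A cycle via the other certificates, but worth a note since it is carried over from upstream unchanged.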
> --- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb > +++ b/meta/recipes-support/gnutls/gnutls_3.6.14.bb > @@ -30,6 +30,7 @@ SRC_URI = > "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.ta > r > file://CVE-2023-0361.patch \ > file://CVE-2023-5981.patch \ > file://CVE-2024-0553.patch \ > + file://CVE-2024-0567.patch \ > " > > SRC_URI[sha256sum] = > "5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63" > > >
