in my queue. Thanks, Armin
On 09/03/2015 04:53 AM, Sona Sarmadi wrote: > Fixes use-after-free flaw in CRL distribution points parsing > > Reference: > https://gitlab.com/gnutls/gnutls/commit/d6972be33264ecc49a86cd0958209cd7363af1e9 > https://gitlab.com/gnutls/gnutls/commit/053ae65403216acdb0a4e78b25ad66ee9f444f02 > > http://www.openwall.com/lists/oss-security/2015/04/15/6 > > Signed-off-by: Sona Sarmadi <[email protected]> > --- > .../better-fix-for-double-free-CVE-2015-3308.patch | 65 > ++++++++++++++++++++++ > .../eliminated-double-free-CVE-2015-3308.patch | 33 +++++++++++ > meta/recipes-support/gnutls/gnutls_3.3.5.bb | 2 + > 3 files changed, 100 insertions(+) > create mode 100644 > meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch > create mode 100644 > meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch > > diff --git > a/meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch > > b/meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch > new file mode 100644 > index 0000000..8824729 > --- /dev/null > +++ > b/meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch > @@ -0,0 +1,65 @@ > +From 053ae65403216acdb0a4e78b25ad66ee9f444f02 Mon Sep 17 00:00:00 2001 > +From: Nikos Mavrogiannopoulos <[email protected]> > +Date: Sat, 28 Mar 2015 22:41:03 +0100 > +Subject: [PATCH] Better fix for the double free in dist point parsing > + > +Fixes CVE-2015-3308 > +Upstream-Status: Backport > + > +Signed-off-by: Sona Sarmadi <[email protected]> > +--- > + lib/x509/x509_ext.c | 10 ++++++---- > + 1 file changed, 6 insertions(+), 4 deletions(-) > + > +diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c > +index 2e69ed0..f974b02 100644 > +--- a/lib/x509/x509_ext.c > ++++ b/lib/x509/x509_ext.c > +@@ -2287,7 +2287,7 @@ int gnutls_x509_ext_import_crl_dist_points(const > gnutls_datum_t * ext, > + int len, ret; > + uint8_t reasons[2]; > + unsigned i, type, rflags, j; > +- gnutls_datum_t san; > ++ gnutls_datum_t san = {NULL, 0}; > + > + result = asn1_create_element > + (_gnutls_get_pkix(), "PKIX1.CRLDistributionPoints", &c2); > +@@ -2310,9 +2310,6 @@ int gnutls_x509_ext_import_crl_dist_points(const > gnutls_datum_t * ext, > + > + i = 0; > + do { > +- san.data = NULL; > +- san.size = 0; > +- > + snprintf(name, sizeof(name), "?%u.reasons", (unsigned)i + 1); > + > + len = sizeof(reasons); > +@@ -2337,6 +2334,9 @@ int gnutls_x509_ext_import_crl_dist_points(const > gnutls_datum_t * ext, > + > + j = 0; > + do { > ++ san.data = NULL; > ++ san.size = 0; > ++ > + ret = > + _gnutls_parse_general_name2(c2, name, j, &san, > + &type, 0); > +@@ -2351,6 +2351,7 @@ int gnutls_x509_ext_import_crl_dist_points(const > gnutls_datum_t * ext, > + ret = crl_dist_points_set(cdp, type, &san, rflags); > + if (ret < 0) > + break; > ++ san.data = NULL; /* it is now in cdp */ > + > + j++; > + } while (ret >= 0); > +@@ -2360,6 +2361,7 @@ int gnutls_x509_ext_import_crl_dist_points(const > gnutls_datum_t * ext, > + > + if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { > + gnutls_assert(); > ++ gnutls_free(san.data); > + goto cleanup; > + } > + > +-- > +1.9.1 > + > diff --git > a/meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch > > b/meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch > new file mode 100644 > index 0000000..628103f > --- /dev/null > +++ > b/meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch > @@ -0,0 +1,33 @@ > +From d6972be33264ecc49a86cd0958209cd7363af1e9 Mon Sep 17 00:00:00 2001 > +From: Nikos Mavrogiannopoulos <[email protected]> > +Date: Mon, 23 Mar 2015 22:55:29 +0100 > +Subject: [PATCH] eliminated double-free in the parsing of dist points > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=UTF-8 > +Content-Transfer-Encoding: 8bit > + > +Reported by Robert Święcki. > + > +Fixes CVE-2015-3308 > +Upstream-Status: Backport > + > +Signed-off-by: Sona Sarmadi <[email protected]> > +--- > + lib/x509/x509_ext.c | 1 - > + 1 file changed, 1 deletion(-) > + > +diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c > +index c8d5867..6f09438 100644 > +--- a/lib/x509/x509_ext.c > ++++ b/lib/x509/x509_ext.c > +@@ -2360,7 +2360,6 @@ int gnutls_x509_ext_import_crl_dist_points(const > gnutls_datum_t * ext, > + > + if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { > + gnutls_assert(); > +- gnutls_free(san.data); > + goto cleanup; > + } > + > +-- > +1.9.1 > + > diff --git a/meta/recipes-support/gnutls/gnutls_3.3.5.bb > b/meta/recipes-support/gnutls/gnutls_3.3.5.bb > index b3daa49..9f26470 100644 > --- a/meta/recipes-support/gnutls/gnutls_3.3.5.bb > +++ b/meta/recipes-support/gnutls/gnutls_3.3.5.bb > @@ -1,6 +1,8 @@ > require gnutls.inc > > SRC_URI += "file://correct_rpl_gettimeofday_signature.patch \ > + file://eliminated-double-free-CVE-2015-3308.patch \ > + file://better-fix-for-double-free-CVE-2015-3308.patch \ > " > > SRC_URI[md5sum] = "1f396dcf3c14ea67de7243821006d1a2" > > > -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
