gnutls: CVE-2017-7869

GnuTLS before 2017-02-20 has an out-of-bounds write caused by an integer
overflow and heap-based buffer overflow related to the cdk_pkt_read
function in opencdk/read-packet.c. This issue (which is a
subset of the vendor's GNUTLS-SA-2017-3 report) is fixed in 3.5.10.

This issue affects only applications which utilize the OpenPGP certificate
functionality of GnuTLS.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7869

Upstream patch:
https://gitlab.com/gnutls/gnutls/commit/51464af713d71802e3c6d5ac15f1a95132a354fe

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>

2 files changed, 64 insertions, 0 deletions

diff --git a/recipes-support/gnutls/gnutls/CVE-2017-7868.patch b/recipes-support/gnutls/gnutls/CVE-2017-7868.patch
new file mode 100644
index 0000000..dca7861
--- /dev/null
+++ b/recipes-support/gnutls/gnutls/CVE-2017-7868.patch
@@ -0,0 +1,59 @@
+From 51464af713d71802e3c6d5ac15f1a95132a354fe Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Mon, 20 Feb 2017 11:13:08 +0100
+Subject: [PATCH] cdk_pkt_read: enforce packet limits
+
+That ensures that there are no overflows in the subsequent
+calculations.
+
+Resolves the oss-fuzz found bug:
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420
+
+Relates: #159
+
+CVE: CVE-2017-7869
+Upstream-Status: Backport
+
+Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ lib/opencdk/read-packet.c |  9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/lib/opencdk/read-packet.c b/lib/opencdk/read-packet.c
+index 8055a63..ead6480 100644
+--- a/lib/opencdk/read-packet.c
++++ b/lib/opencdk/read-packet.c
+@@ -950,6 +950,7 @@ static cdk_error_t skip_packet(cdk_stream_t inp, size_t pktlen)
+        return 0;
+ }
+ 
++#define MAX_PACKET_LEN (1<<24)
+ 
+ /**
+  * cdk_pkt_read:
+@@ -1002,6 +1003,13 @@ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt)
+        else
+                read_old_length(inp, ctb, &pktlen, &pktsize);
+ 
++       /* enforce limits to ensure that the following calculations
++        * do not overflow */
++       if (pktlen >= MAX_PACKET_LEN || pktsize >= MAX_PACKET_LEN) {
++               _cdk_log_info("cdk_pkt_read: too long packet\n");
++               return gnutls_assert_val(CDK_Inv_Packet);
++       }
++
+        pkt->pkttype = pkttype;
+        pkt->pktlen = pktlen;
+        pkt->pktsize = pktsize + pktlen;
+@@ -1026,6 +1034,7 @@ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt)
+                break;
+ 
+        case CDK_PKT_USER_ID:
++
+                pkt->pkt.user_id = cdk_calloc(1, sizeof *pkt->pkt.user_id
+                                              + pkt->pktlen + 1);
+                if (!pkt->pkt.user_id)
+--
+libgit2 0.26.0
+
diff --git a/recipes-support/gnutls/gnutls_%.bbappend b/recipes-support/gnutls/gnutls_%.bbappend
new file mode 100644
index 0000000..d2d927c
--- /dev/null
+++ b/recipes-support/gnutls/gnutls_%.bbappend
@@ -0,0 +1,5 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += "file://CVE-2017-7868.patch \
+           "