summaryrefslogtreecommitdiffstats
path: root/recipes-support
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2017-08-18 13:24:04 +0200
committerAdrian Dudau <adrian.dudau@enea.com>2017-08-21 10:55:46 +0200
commit931b2732b5fb115a702bceb287cb9a3773f59877 (patch)
tree3346824a700251bf859eee2b151bb474be6adf3d /recipes-support
parent0ddff430004474009489094aa65e7679e26d35df (diff)
downloadmeta-nfv-access-common-931b2732b5fb115a702bceb287cb9a3773f59877.tar.gz
gnutls: CVE-2017-7869
GnuTLS before 2017-02-20 has an out-of-bounds write caused by an integer overflow and heap-based buffer overflow related to the cdk_pkt_read function in opencdk/read-packet.c. This issue (which is a subset of the vendor's GNUTLS-SA-2017-3 report) is fixed in 3.5.10. This issue affects only applications which utilize the OpenPGP certificate functionality of GnuTLS. References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7869 Upstream patch: https://gitlab.com/gnutls/gnutls/commit/51464af713d71802e3c6d5ac15f1a95132a354fe Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
Diffstat (limited to 'recipes-support')
-rw-r--r--recipes-support/gnutls/gnutls/CVE-2017-7868.patch59
-rw-r--r--recipes-support/gnutls/gnutls_%.bbappend5
2 files changed, 64 insertions, 0 deletions
diff --git a/recipes-support/gnutls/gnutls/CVE-2017-7868.patch b/recipes-support/gnutls/gnutls/CVE-2017-7868.patch
new file mode 100644
index 0000000..dca7861
--- /dev/null
+++ b/recipes-support/gnutls/gnutls/CVE-2017-7868.patch
@@ -0,0 +1,59 @@
1From 51464af713d71802e3c6d5ac15f1a95132a354fe Mon Sep 17 00:00:00 2001
2From: Nikos Mavrogiannopoulos <nmav@redhat.com>
3Date: Mon, 20 Feb 2017 11:13:08 +0100
4Subject: [PATCH] cdk_pkt_read: enforce packet limits
5
6That ensures that there are no overflows in the subsequent
7calculations.
8
9Resolves the oss-fuzz found bug:
10https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420
11
12Relates: #159
13
14CVE: CVE-2017-7869
15Upstream-Status: Backport
16
17Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
18Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
19---
20 lib/opencdk/read-packet.c | 9 +++++++++
21 1 file changed, 9 insertions(+)
22
23diff --git a/lib/opencdk/read-packet.c b/lib/opencdk/read-packet.c
24index 8055a63..ead6480 100644
25--- a/lib/opencdk/read-packet.c
26+++ b/lib/opencdk/read-packet.c
27@@ -950,6 +950,7 @@ static cdk_error_t skip_packet(cdk_stream_t inp, size_t pktlen)
28 return 0;
29 }
30
31+#define MAX_PACKET_LEN (1<<24)
32
33 /**
34 * cdk_pkt_read:
35@@ -1002,6 +1003,13 @@ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt)
36 else
37 read_old_length(inp, ctb, &pktlen, &pktsize);
38
39+ /* enforce limits to ensure that the following calculations
40+ * do not overflow */
41+ if (pktlen >= MAX_PACKET_LEN || pktsize >= MAX_PACKET_LEN) {
42+ _cdk_log_info("cdk_pkt_read: too long packet\n");
43+ return gnutls_assert_val(CDK_Inv_Packet);
44+ }
45+
46 pkt->pkttype = pkttype;
47 pkt->pktlen = pktlen;
48 pkt->pktsize = pktsize + pktlen;
49@@ -1026,6 +1034,7 @@ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt)
50 break;
51
52 case CDK_PKT_USER_ID:
53+
54 pkt->pkt.user_id = cdk_calloc(1, sizeof *pkt->pkt.user_id
55 + pkt->pktlen + 1);
56 if (!pkt->pkt.user_id)
57--
58libgit2 0.26.0
59
diff --git a/recipes-support/gnutls/gnutls_%.bbappend b/recipes-support/gnutls/gnutls_%.bbappend
new file mode 100644
index 0000000..d2d927c
--- /dev/null
+++ b/recipes-support/gnutls/gnutls_%.bbappend
@@ -0,0 +1,5 @@
1# look for files in the layer first
2FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
3
4SRC_URI += "file://CVE-2017-7868.patch \
5 "