1 files changed, 59 insertions, 0 deletions
diff --git a/recipes-support/gnutls/gnutls/CVE-2017-7868.patch b/recipes-support/gnutls/gnutls/CVE-2017-7868.patch
new file mode 100644
index 0000000..dca7861
--- /dev/null
+++ b/recipes-support/gnutls/gnutls/CVE-2017-7868.patch
@@ -0,0 +1,59 @@
+From 51464af713d71802e3c6d5ac15f1a95132a354fe Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Mon, 20 Feb 2017 11:13:08 +0100
+Subject: [PATCH] cdk_pkt_read: enforce packet limits
+That ensures that there are no overflows in the subsequent
+calculations.
+Resolves the oss-fuzz found bug:
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420
+Relates: #159
+CVE: CVE-2017-7869
+Upstream-Status: Backport
+Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ lib/opencdk/read-packet.c |  9 +++++++++
+ 1 file changed, 9 insertions(+)
+diff --git a/lib/opencdk/read-packet.c b/lib/opencdk/read-packet.c
+index 8055a63..ead6480 100644
+--- a/lib/opencdk/read-packet.c
+++ b/lib/opencdk/read-packet.c
+@@ -950,6 +950,7 @@ static cdk_error_t skip_packet(cdk_stream_t inp, size_t pktlen)
+        return 0;
+ }
+ 
+#define MAX_PACKET_LEN (1<<24)
+ 
+ /**
+  * cdk_pkt_read:
+@@ -1002,6 +1003,13 @@ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt)
+        else
+                read_old_length(inp, ctb, &pktlen, &pktsize);
+ 
+       /* enforce limits to ensure that the following calculations
+        * do not overflow */
+       if (pktlen >= MAX_PACKET_LEN || pktsize >= MAX_PACKET_LEN) {
+               _cdk_log_info("cdk_pkt_read: too long packet\n");
+               return gnutls_assert_val(CDK_Inv_Packet);
+       }
+
+        pkt->pkttype = pkttype;
+        pkt->pktlen = pktlen;
+        pkt->pktsize = pktsize + pktlen;
+@@ -1026,6 +1034,7 @@ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt)
+                break;
+ 
+        case CDK_PKT_USER_ID:
+
+                pkt->pkt.user_id = cdk_calloc(1, sizeof *pkt->pkt.user_id
+                                              + pkt->pktlen + 1);
+                if (!pkt->pkt.user_id)
+--
+libgit2 0.26.0

diff --git a/recipes-support/gnutls/gnutls/CVE-2017-7868.patch b/recipes-support/gnutls/gnutls/CVE-2017-7868.patch new file mode 100644 index 0000000..dca7861 --- /dev/null +++ b/recipes-support/gnutls/gnutls/CVE-2017-7868.patch
@@ -0,0 +1,59 @@
	1	From 51464af713d71802e3c6d5ac15f1a95132a354fe Mon Sep 17 00:00:00 2001
	2	From: Nikos Mavrogiannopoulos <nmav@redhat.com>
	3	Date: Mon, 20 Feb 2017 11:13:08 +0100
	4	Subject: [PATCH] cdk_pkt_read: enforce packet limits
	5
	6	That ensures that there are no overflows in the subsequent
	7	calculations.
	8
	9	Resolves the oss-fuzz found bug:
	10	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420
	11
	12	Relates: #159
	13
	14	CVE: CVE-2017-7869
	15	Upstream-Status: Backport
	16
	17	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
	18	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	19	---
	20	lib/opencdk/read-packet.c \| 9 +++++++++
	21	1 file changed, 9 insertions(+)
	22
	23	diff --git a/lib/opencdk/read-packet.c b/lib/opencdk/read-packet.c
	24	index 8055a63..ead6480 100644
	25	--- a/lib/opencdk/read-packet.c
	26	+++ b/lib/opencdk/read-packet.c
	27	@@ -950,6 +950,7 @@ static cdk_error_t skip_packet(cdk_stream_t inp, size_t pktlen)
	28	return 0;
	29	}
	30
	31	+#define MAX_PACKET_LEN (1<<24)
	32
	33	/**
	34	* cdk_pkt_read:
	35	@@ -1002,6 +1003,13 @@ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt)
	36	else
	37	read_old_length(inp, ctb, &pktlen, &pktsize);
	38
	39	+ /* enforce limits to ensure that the following calculations
	40	+ * do not overflow */
	41	+ if (pktlen >= MAX_PACKET_LEN \|\| pktsize >= MAX_PACKET_LEN) {
	42	+ _cdk_log_info("cdk_pkt_read: too long packet\n");
	43	+ return gnutls_assert_val(CDK_Inv_Packet);
	44	+ }
	45	+
	46	pkt->pkttype = pkttype;
	47	pkt->pktlen = pktlen;
	48	pkt->pktsize = pktsize + pktlen;
	49	@@ -1026,6 +1034,7 @@ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt)
	50	break;
	51
	52	case CDK_PKT_USER_ID:
	53	+
	54	pkt->pkt.user_id = cdk_calloc(1, sizeof *pkt->pkt.user_id
	55	+ pkt->pktlen + 1);
	56	if (!pkt->pkt.user_id)
	57	--
	58	libgit2 0.26.0
	59