From 931b2732b5fb115a702bceb287cb9a3773f59877 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Fri, 18 Aug 2017 13:24:04 +0200
Subject: gnutls: CVE-2017-7869

GnuTLS before 2017-02-20 has an out-of-bounds write caused by an integer overflow and heap-based buffer overflow related to the cdk_pkt_read function in opencdk/read-packet.c. This issue (which is a subset of the vendor's GNUTLS-SA-2017-3 report) is fixed in 3.5.10. This issue affects only applications which utilize the OpenPGP certificate functionality of GnuTLS.
References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7869
Upstream patch: https://gitlab.com/gnutls/gnutls/commit/51464af713d71802e3c6d5ac15f1a95132a354fe
Signed-off-by: Sona Sarmadi
Signed-off-by: Adrian Dudau
---
 recipes-support/gnutls/gnutls/CVE-2017-7868.patch | 59 +++++++++++++++++++++++
 recipes-support/gnutls/gnutls_%.bbappend | 5 ++
 2 files changed, 64 insertions(+)
 create mode 100644 recipes-support/gnutls/gnutls/CVE-2017-7868.patch
 create mode 100644 recipes-support/gnutls/gnutls_%.bbappend

diff --git a/recipes-support/gnutls/gnutls/CVE-2017-7868.patch b/recipes-support/gnutls/gnutls/CVE-2017-7868.patch
new file mode 100644
index 0000000..dca7861
--- /dev/null
+++ b/recipes-support/gnutls/gnutls/CVE-2017-7868.patch
@@ -0,0 +1,59 @@
+From 51464af713d71802e3c6d5ac15f1a95132a354fe Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Mon, 20 Feb 2017 11:13:08 +0100
+Subject: [PATCH] cdk_pkt_read: enforce packet limits
+
+That ensures that there are no overflows in the subsequent
+calculations.
+
+Resolves the oss-fuzz found bug:
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420
+
+Relates: #159
+
+CVE: CVE-2017-7869
+Upstream-Status: Backport
+
+Signed-off-by: Nikos Mavrogiannopoulos
+Signed-off-by: Sona Sarmadi
+---
+ lib/opencdk/read-packet.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/lib/opencdk/read-packet.c b/lib/opencdk/read-packet.c
+index 8055a63..ead6480 100644
+--- a/lib/opencdk/read-packet.c
++++ b/lib/opencdk/read-packet.c
+@@ -950,6 +950,7 @@ static cdk_error_t skip_packet(cdk_stream_t inp, size_t pktlen)
+ return 0;
+ }
+ 
++#define MAX_PACKET_LEN (1<<24)
+ 
+ /**
+ * cdk_pkt_read:
+@@ -1002,6 +1003,13 @@ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt)
+ else
+ read_old_length(inp, ctb, &pktlen, &pktsize);
+ 
++ /* enforce limits to ensure that the following calculations
++ * do not overflow */
++ if (pktlen >= MAX_PACKET_LEN || pktsize >= MAX_PACKET_LEN) {
++ _cdk_log_info("cdk_pkt_read: too long packet\n");
++ return gnutls_assert_val(CDK_Inv_Packet);
++ }
++
+ pkt->pkttype = pkttype;
+ pkt->pktlen = pktlen;
+ pkt->pktsize = pktsize + pktlen;
+@@ -1026,6 +1034,7 @@ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt)
+ break;
+ 
+ case CDK_PKT_USER_ID:
++
+ pkt->pkt.user_id = cdk_calloc(1, sizeof *pkt->pkt.user_id +
+ pkt->pktlen + 1);
+ if (!pkt->pkt.user_id)
+-- 
+libgit2 0.26.0
+
diff --git a/recipes-support/gnutls/gnutls_%.bbappend b/recipes-support/gnutls/gnutls_%.bbappend
new file mode 100644
index 0000000..d2d927c
--- /dev/null
+++ b/recipes-support/gnutls/gnutls_%.bbappend
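Review bot: The new patch file is named CVE-2017-7868.patch, yet everything inside it identifies the fix as CVE-2017-7869 — the nested `CVE: CVE-2017-7869` tag, the upstream subject, and this commit's own subject — so 7868 appears only in the file name and in the matching SRC_URI entry of the gnutls_%.bbappend hunk. Tooling that derives a recipe's patched-CVE list from patch file names (Yocto's cve-check is, to my knowledge, one such tool, in addition to reading the `CVE:` tag) could then report CVE-2017-7868 as addressed although nothing here touches it, and anyone searching the layer for 7869 would not find the file. Rename it to `CVE-2017-7869.patch` and change the bbappend line to `SRC_URI += "file://CVE-2017-7869.patch \`. The embedded C change is the upstream commit carried verbatim (bounds check on pktlen/pktsize placed before `pkt->pktsize = pktsize + pktlen`), which is the right form for a backport.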
@@ -0,0 +1,5 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += "file://CVE-2017-7868.patch \
+ "
--
cgit v1.2.3-54-g00ecf
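Review bot: The `%` wildcard in gnutls_%.bbappend applies this backport to whatever gnutls version the base layer provides, while the commit message itself states the issue is fixed upstream in 3.5.10; after an upgrade of the base recipe to 3.5.10 or later the patch becomes redundant at best and, if the surrounding read-packet.c context has moved, breaks the build with a failed `do_patch`. Pin the append to the version actually affected, e.g. `gnutls_<affected-version>.bbappend` (placeholder — substitute the version the base layer currently ships), or make the SRC_URI addition conditional on `PV` so that a later upgrade does not silently carry or reject the patch.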