authorDan Tran <dantran@microsoft.com>2019-10-08 18:20:02 +0000
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-10-15 15:54:01 +0100
commitab318acf535fe20c52bdde2e7f3fc17b1dc22dbd (patch)
treecfb72b77c485d9a8282bddd9a88a16ffa8bb81b4
parentdba05668f7eaa391c1f635d1605c4f68878ef82c (diff)
gnutls: Fix CVE-2019-3829 and CVE-2019-3836
(From OE-Core rev: 54c6892543319c4b8f7248e95966e956053c97b7) Signed-off-by: Dan Tran <dantran@microsoft.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-support/gnutls/gnutls/CVE-2019-3829_p1.patch39
-rw-r--r--meta/recipes-support/gnutls/gnutls/CVE-2019-3829_p2.patch871
-rw-r--r--meta/recipes-support/gnutls/gnutls/CVE-2019-3829_p3.patch36
-rw-r--r--meta/recipes-support/gnutls/gnutls/CVE-2019-3836.patch35
-rw-r--r--meta/recipes-support/gnutls/gnutls_3.6.4.bb4
5 files changed, 985 insertions, 0 deletions
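diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2019-3829_p1.patch b/meta/recipes-support/gnutls/gnutls/CVE-2019-3829_p1.patch
new file mode 100644
index 0000000000..823869e85e
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2019-3829_p1.patch
@@ -0,0 +1,39 @@
+From 367688c05988bc7257d7e1801c5acf17ef7e854d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Tue, 12 Feb 2019 15:09:11 +0100
+Subject: [PATCH 1/3] Automatically NULLify after gnutls_free()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This method prevents direct use-after-free and
+double-free issues.
+
+Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
+
+CVE: CVE-2019-3829
+Upstream-Status: Backport
+[https://gitlab.com/gnutls/gnutls/commit/d39778e43d1674cb3ab3685157fd299816d535c0]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ lib/includes/gnutls/gnutls.h.in | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
+index 49990b5f5..fa77fd0df 100644
+--- a/lib/includes/gnutls/gnutls.h.in
++++ b/lib/includes/gnutls/gnutls.h.in
+@@ -2132,6 +2132,10 @@ extern _SYM_EXPORT gnutls_realloc_function gnutls_realloc;
+ extern _SYM_EXPORT gnutls_calloc_function gnutls_calloc;
+ extern _SYM_EXPORT gnutls_free_function gnutls_free;
+
++#ifdef GNUTLS_INTERNAL_BUILD
++#define gnutls_free(a) gnutls_free((void *) (a)), a=NULL
++#endif
++
+ extern _SYM_EXPORT char *(*gnutls_strdup) (const char *);
+
+ /* a variant of memset that doesn't get optimized out */
+--
+2.22.0.vfs.1.1.57.gbaf16c8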
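Review bot: The `gnutls_free(a)` macro added to gnutls.h.in leaves its expansion unparenthesised and names `a` twice, so it is only correct when the argument is a plain modifiable lvalue with no side effects, and nothing at the definition states that contract. It also clears only the expression passed in, so any other pointer aliasing the freed block is still dangling; the commit message's "prevents direct use-after-free" should be read that narrowly. I would add a comment above the `#ifdef`, e.g. `/* internal builds only: argument must be a side-effect-free lvalue; it is set to NULL after the free */`, and, if the backport may diverge from upstream, write the body as `#define gnutls_free(a) (gnutls_free((void *) (a)), (a) = NULL)`.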
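diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2019-3829_p2.patch b/meta/recipes-support/gnutls/gnutls/CVE-2019-3829_p2.patch
new file mode 100644
index 0000000000..b3cd047798
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2019-3829_p2.patch
@@ -0,0 +1,871 @@
+From a57509ef7c4983721193ac325ad5fb1783ea0f57 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Tue, 12 Feb 2019 15:14:07 +0100
+Subject: [PATCH 2/3] Remove redundant resets of variables after free()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
+
+CVE: CVE-2019-3829
+Upstream-Status: Backport
+[https://gitlab.com/gnutls/gnutls/commit/372821c883a3d36ed3ed683844ad9d90818f6392]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ lib/auth.c | 3 ---
+ lib/auth/rsa.c | 2 ++
+ lib/auth/rsa_psk.c | 1 -
+ lib/auth/srp_sb64.c | 2 --
+ lib/cert-cred-x509.c | 3 ---
+ lib/cert-cred.c | 3 ---
+ lib/hello_ext.c | 5 ++---
+ lib/mpi.c | 1 -
+ lib/nettle/mpi.c | 2 --
+ lib/nettle/pk.c | 3 ---
+ lib/ocsp-api.c | 1 -
+ lib/pk.c | 2 --
+ lib/pkcs11.c | 1 -
+ lib/pkcs11_privkey.c | 6 +-----
+ lib/pkcs11_write.c | 1 -
+ lib/session_pack.c | 2 --
+ lib/srp.c | 1 -
+ lib/str.c | 2 +-
+ lib/tls13/certificate_request.c | 2 --
+ lib/tpm.c | 2 --
+ lib/x509/ocsp.c | 15 +++------------
+ lib/x509/pkcs12_bag.c | 1 -
+ lib/x509/pkcs7-crypt.c | 1 -
+ lib/x509/pkcs7.c | 6 ------
+ lib/x509/privkey_pkcs8.c | 1 -
+ lib/x509/verify-high2.c | 1 -
+ lib/x509/virt-san.c | 1 -
+ lib/x509/x509.c | 4 ----
+ lib/x509/x509_ext.c | 1 -
+ lib/x509_b64.c | 1 -
+ tests/cert.c | 2 --
+ tests/name-constraints-ip.c | 3 +--
+ tests/pkcs11/pkcs11-import-url-privkey.c | 2 --
+ tests/pkcs11/pkcs11-privkey-always-auth.c | 2 --
+ tests/pkcs11/pkcs11-privkey-fork-reinit.c | 1 -
+ tests/pkcs11/pkcs11-privkey-fork.c | 1 -
+ tests/pkcs11/pkcs11-privkey-safenet-always-auth.c | 2 --
+ tests/pkcs7.c | 2 --
+ tests/resume-dtls.c | 1 -
+ tests/resume.c | 1 -
+ tests/sign-verify-data.c | 1 -
+ tests/sign-verify-ext.c | 2 --
+ tests/sign-verify-ext4.c | 2 --
+ tests/sign-verify.c | 1 -
+ tests/x509-extensions.c | 1 -
+ tests/x509sign-verify-error.c | 1 -
+ 46 files changed, 10 insertions(+), 92 deletions(-)
+
+diff --git a/lib/auth.c b/lib/auth.c
+index 4bdedda38..5f9b8c427 100644
+--- a/lib/auth.c
++++ b/lib/auth.c
+@@ -349,8 +349,6 @@ void _gnutls_free_auth_info(gnutls_session_t session)
+
+ gnutls_free(info->raw_certificate_list);
+ gnutls_free(info->raw_ocsp_list);
+- info->raw_certificate_list = NULL;
+- info->raw_ocsp_list = NULL;
+ info->ncerts = 0;
+ info->nocsp = 0;
+
+@@ -367,7 +365,6 @@ void _gnutls_free_auth_info(gnutls_session_t session)
+ }
+
+ gnutls_free(session->key.auth_info);
+- session->key.auth_info = NULL;
+ session->key.auth_info_size = 0;
+ session->key.auth_info_type = 0;
+
+diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
+index 6afc91ae6..df6bd7bc6 100644
+--- a/lib/auth/rsa.c
++++ b/lib/auth/rsa.c
+@@ -196,6 +196,8 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ ret = gnutls_rnd(GNUTLS_RND_NONCE, rndkey.data,
+ rndkey.size);
+ if (ret < 0) {
++ gnutls_free(session->key.key.data);
++ session->key.key.size = 0;
+ gnutls_assert();
+ goto cleanup;
+ }
+diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
+index 5a29f9183..590ff0f71 100644
+--- a/lib/auth/rsa_psk.c
++++ b/lib/auth/rsa_psk.c
+@@ -341,7 +341,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+ ("auth_rsa_psk: Possible PKCS #1 format attack\n");
+ if (ret >= 0) {
+ gnutls_free(plaintext.data);
+- plaintext.data = NULL;
+ }
+ randomize_key = 1;
+ } else {
+diff --git a/lib/auth/srp_sb64.c b/lib/auth/srp_sb64.c
+index 1177e7671..7bfffdf07 100644
+--- a/lib/auth/srp_sb64.c
++++ b/lib/auth/srp_sb64.c
+@@ -263,7 +263,6 @@ _gnutls_sbase64_decode(char *data, size_t idata_size, uint8_t ** result)
+ tmp = decode(tmpres, datrev);
+ if (tmp < 0) {
+ gnutls_free((*result));
+- *result = NULL;
+ return tmp;
+ }
+
+@@ -277,7 +276,6 @@ _gnutls_sbase64_decode(char *data, size_t idata_size, uint8_t ** result)
+ tmp = decode(tmpres, (uint8_t *) & data[i]);
+ if (tmp < 0) {
+ gnutls_free((*result));
+- *result = NULL;
+ return tmp;
+ }
+ memcpy(&(*result)[j], tmpres, tmp);
+diff --git a/lib/cert-cred-x509.c b/lib/cert-cred-x509.c
+index f342a420b..da9cd647e 100644
+--- a/lib/cert-cred-x509.c
++++ b/lib/cert-cred-x509.c
+@@ -296,7 +296,6 @@ parse_pem_cert_mem(gnutls_certificate_credentials_t res,
+ gnutls_pcert_import_x509_list(pcerts, unsorted, &ncerts, GNUTLS_X509_CRT_LIST_SORT);
+ if (ret < 0) {
+ gnutls_free(pcerts);
+- pcerts = NULL;
+ gnutls_assert();
+ goto cleanup;
+ }
+@@ -540,7 +539,6 @@ read_cert_url(gnutls_certificate_credentials_t res, gnutls_privkey_t key, const
+ goto cleanup;
+ }
+ gnutls_free(t.data);
+- t.data = NULL;
+ }
+
+ ret = certificate_credential_append_crt_list(res, key, names, ccert, count);
+@@ -991,7 +989,6 @@ gnutls_certificate_get_x509_crt(gnutls_certificate_credentials_t res,
+ while (i--)
+ gnutls_x509_crt_deinit((*crt_list)[i]);
+ gnutls_free(*crt_list);
+- *crt_list = NULL;
+
+ return gnutls_assert_val(ret);
+ }
+diff --git a/lib/cert-cred.c b/lib/cert-cred.c
+index 2150e903f..190a8b3a2 100644
+--- a/lib/cert-cred.c
++++ b/lib/cert-cred.c
+@@ -63,7 +63,6 @@ void gnutls_certificate_free_keys(gnutls_certificate_credentials_t sc)
+
+ for (j = 0; j < sc->certs[i].ocsp_data_length; j++) {
+ gnutls_free(sc->certs[i].ocsp_data[j].response.data);
+- sc->certs[i].ocsp_data[j].response.data = NULL;
+ }
+ _gnutls_str_array_clear(&sc->certs[i].names);
+ gnutls_privkey_deinit(sc->certs[i].pkey);
+@@ -71,8 +70,6 @@ void gnutls_certificate_free_keys(gnutls_certificate_credentials_t sc)
+
+ gnutls_free(sc->certs);
+ gnutls_free(sc->sorted_cert_idx);
+- sc->certs = NULL;
+- sc->sorted_cert_idx = NULL;
+
+ sc->ncerts = 0;
+ }
+diff --git a/lib/hello_ext.c b/lib/hello_ext.c
+index c4907aace..fb2b4db67 100644
+--- a/lib/hello_ext.c
++++ b/lib/hello_ext.c
+@@ -464,9 +464,8 @@ void _gnutls_hello_ext_deinit(void)
+ continue;
+
+ if (extfunc[i]->free_struct != 0) {
+- gnutls_free((void*)extfunc[i]->name);
+- gnutls_free((void*)extfunc[i]);
+- extfunc[i] = NULL;
++ gnutls_free(((hello_ext_entry_st *)extfunc[i])->name);
++ gnutls_free(extfunc[i]);
+ }
+ }
+ }
+diff --git a/lib/mpi.c b/lib/mpi.c
+index 2bc970d7c..ed208d511 100644
+--- a/lib/mpi.c
++++ b/lib/mpi.c
+@@ -88,7 +88,6 @@ _gnutls_mpi_random_modp(bigint_t r, bigint_t p,
+
+ if (buf_release != 0) {
+ gnutls_free(buf);
+- buf = NULL;
+ }
+
+ if (r != NULL) {
+diff --git a/lib/nettle/mpi.c b/lib/nettle/mpi.c
+index 8a93ac278..96bec4aa4 100644
+--- a/lib/nettle/mpi.c
++++ b/lib/nettle/mpi.c
+@@ -122,7 +122,6 @@ static int wrap_nettle_mpi_init_multi(bigint_t *w, ...)
+ fail:
+ mpz_clear(TOMPZ(*w));
+ gnutls_free(*w);
+- *w = NULL;
+
+ va_start(args, w);
+
+@@ -131,7 +130,6 @@ fail:
+ if (next != last_failed) {
+ mpz_clear(TOMPZ(*next));
+ gnutls_free(*next);
+- *next = NULL;
+ }
+ } while(next != last_failed);
+
+diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
+index 6dcd2fdd0..f010493c0 100644
+--- a/lib/nettle/pk.c
++++ b/lib/nettle/pk.c
+@@ -371,7 +371,6 @@ dh_cleanup:
+
+ if (_gnutls_mem_is_zero(out->data, out->size)) {
+ gnutls_free(out->data);
+- out->data = NULL;
+ gnutls_assert();
+ ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
+ goto cleanup;
+@@ -2203,8 +2202,6 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
+ params->params_nr = 0;
+ gnutls_free(params->raw_priv.data);
+ gnutls_free(params->raw_pub.data);
+- params->raw_priv.data = NULL;
+- params->raw_pub.data = NULL;
+
+ FAIL_IF_LIB_ERROR;
+ return ret;
+diff --git a/lib/ocsp-api.c b/lib/ocsp-api.c
+index d18a1f0c2..a0005e99d 100644
+--- a/lib/ocsp-api.c
++++ b/lib/ocsp-api.c
+@@ -473,7 +473,6 @@ gnutls_certificate_set_ocsp_status_request_mem(gnutls_certificate_credentials_t
+ nresp++;
+
+ gnutls_free(der.data);
+- der.data = NULL;
+
+ p.data++;
+ p.size--;
+diff --git a/lib/pk.c b/lib/pk.c
+index 1f137f71c..a5bb58b73 100644
+--- a/lib/pk.c
++++ b/lib/pk.c
+@@ -537,8 +537,6 @@ void gnutls_pk_params_release(gnutls_pk_params_st * p)
+ }
+ gnutls_free(p->raw_priv.data);
+ gnutls_free(p->raw_pub.data);
+- p->raw_priv.data = NULL;
+- p->raw_pub.data = NULL;
+
+ p->params_nr = 0;
+ }
+diff --git a/lib/pkcs11.c b/lib/pkcs11.c
+index 990912790..fa1b65884 100644
+--- a/lib/pkcs11.c
++++ b/lib/pkcs11.c
+@@ -1233,7 +1233,6 @@ int gnutls_pkcs11_obj_init(gnutls_pkcs11_obj_t * obj)
+ (*obj)->info = p11_kit_uri_new();
+ if ((*obj)->info == NULL) {
+ gnutls_free(*obj);
+- *obj = NULL;
+ gnutls_assert();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
+index b721ed125..560a732e3 100644
+--- a/lib/pkcs11_privkey.c
++++ b/lib/pkcs11_privkey.c
+@@ -443,7 +443,6 @@ _gnutls_pkcs11_privkey_sign(gnutls_pkcs11_privkey_t key,
+ }
+
+ gnutls_free(tmp.data);
+- tmp.data = NULL;
+ } else {
+ signature->size = siglen;
+ signature->data = tmp.data;
+@@ -521,10 +520,8 @@ gnutls_pkcs11_privkey_import_url(gnutls_pkcs11_privkey_t pkey,
+
+ memset(&pkey->sinfo, 0, sizeof(pkey->sinfo));
+
+- if (pkey->url) {
++ if (pkey->url)
+ gnutls_free(pkey->url);
+- pkey->url = NULL;
+- }
+
+ if (pkey->uinfo) {
+ p11_kit_uri_free(pkey->uinfo);
+@@ -613,7 +610,6 @@ gnutls_pkcs11_privkey_import_url(gnutls_pkcs11_privkey_t pkey,
+ pkey->uinfo = NULL;
+ }
+ gnutls_free(pkey->url);
+- pkey->url = NULL;
+
+ return ret;
+ }
+diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
+index 35207d554..6e866e2d4 100644
+--- a/lib/pkcs11_write.c
++++ b/lib/pkcs11_write.c
+@@ -268,7 +268,6 @@ static void clean_pubkey(struct ck_attribute *a, unsigned a_val)
+ case CKA_EC_PARAMS:
+ case CKA_EC_POINT:
+ gnutls_free(a[i].value);
+- a[i].value = NULL;
+ break;
+ }
+ }
+diff --git a/lib/session_pack.c b/lib/session_pack.c
+index c5801fb32..5d475ea59 100644
+--- a/lib/session_pack.c
++++ b/lib/session_pack.c
+@@ -562,8 +562,6 @@ unpack_certificate_auth_info(gnutls_session_t session,
+
+ gnutls_free(info->raw_certificate_list);
+ gnutls_free(info->raw_ocsp_list);
+- info->raw_certificate_list = NULL;
+- info->raw_ocsp_list = NULL;
+ }
+
+ return ret;
+diff --git a/lib/srp.c b/lib/srp.c
+index c3eb8e684..670642d64 100644
+--- a/lib/srp.c
++++ b/lib/srp.c
+@@ -608,7 +608,6 @@ gnutls_srp_set_server_credentials_file(gnutls_srp_server_credentials_t res,
+ if (res->password_conf_file == NULL) {
+ gnutls_assert();
+ gnutls_free(res->password_file);
+- res->password_file = NULL;
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+diff --git a/lib/str.c b/lib/str.c
+index c8d742e91..7408ea6ac 100644
+--- a/lib/str.c
++++ b/lib/str.c
+@@ -81,7 +81,7 @@ void _gnutls_buffer_clear(gnutls_buffer_st * str)
+ return;
+ gnutls_free(str->allocd);
+
+- str->data = str->allocd = NULL;
++ str->data = NULL;
+ str->max_length = 0;
+ str->length = 0;
+ }
+diff --git a/lib/tls13/certificate_request.c b/lib/tls13/certificate_request.c
+index a7ec0e2fd..823adc87f 100644
+--- a/lib/tls13/certificate_request.c
++++ b/lib/tls13/certificate_request.c
+@@ -152,7 +152,6 @@ int _gnutls13_recv_certificate_request_int(gnutls_session_t session, gnutls_buff
+ return gnutls_assert_val(ret);
+
+ gnutls_free(session->internals.post_handshake_cr_context.data);
+- session->internals.post_handshake_cr_context.data = NULL;
+ ret = _gnutls_set_datum(&session->internals.post_handshake_cr_context,
+ context.data, context.size);
+ if (ret < 0)
+@@ -279,7 +278,6 @@ int _gnutls13_send_certificate_request(gnutls_session_t session, unsigned again)
+ }
+
+ gnutls_free(session->internals.post_handshake_cr_context.data);
+- session->internals.post_handshake_cr_context.data = NULL;
+ ret = _gnutls_set_datum(&session->internals.post_handshake_cr_context,
+ rnd, sizeof(rnd));
+ if (ret < 0) {
+diff --git a/lib/tpm.c b/lib/tpm.c
+index ee53c7154..03565acb0 100644
+--- a/lib/tpm.c
++++ b/lib/tpm.c
+@@ -1645,10 +1645,8 @@ gnutls_tpm_privkey_generate(gnutls_pk_algorithm_t pk, unsigned int bits,
+ gnutls_pubkey_deinit(pub);
+ privkey_cleanup:
+ gnutls_free(privkey->data);
+- privkey->data = NULL;
+ cleanup:
+ gnutls_free(tmpkey.data);
+- tmpkey.data = NULL;
+ err_sa:
+ pTspi_Context_CloseObject(s.tpm_ctx, key_ctx);
+ err_cc:
+diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
+index db54b3ea2..55cae94c3 100644
+--- a/lib/x509/ocsp.c
++++ b/lib/x509/ocsp.c
+@@ -162,7 +162,6 @@ void gnutls_ocsp_resp_deinit(gnutls_ocsp_resp_t resp)
+ asn1_delete_structure(&resp->basicresp);
+
+ resp->resp = NULL;
+- resp->response_type_oid.data = NULL;
+ resp->basicresp = NULL;
+
+ gnutls_free(resp->der.data);
+@@ -299,7 +298,6 @@ gnutls_ocsp_resp_import2(gnutls_ocsp_resp_t resp,
+ }
+
+ gnutls_free(resp->der.data);
+- resp->der.data = NULL;
+ }
+
+ resp->init = 1;
+@@ -1668,18 +1666,12 @@ gnutls_ocsp_resp_get_single(gnutls_ocsp_resp_t resp,
+
+ return GNUTLS_E_SUCCESS;
+ fail:
+- if (issuer_name_hash) {
++ if (issuer_name_hash)
+ gnutls_free(issuer_name_hash->data);
+- issuer_name_hash->data = NULL;
+- }
+- if (issuer_key_hash) {
++ if (issuer_key_hash)
+ gnutls_free(issuer_key_hash->data);
+- issuer_key_hash->data = NULL;
+- }
+- if (serial_number) {
++ if (serial_number)
+ gnutls_free(serial_number->data);
+- serial_number->data = NULL;
+- }
+ return ret;
+ }
+
+@@ -1955,7 +1947,6 @@ gnutls_ocsp_resp_get_certs(gnutls_ocsp_resp_t resp,
+ }
+
+ gnutls_free(c.data);
+- c.data = NULL;
+ }
+
+ tmpcerts[ctr] = NULL;
+diff --git a/lib/x509/pkcs12_bag.c b/lib/x509/pkcs12_bag.c
+index 26d2142ea..35d12ac4b 100644
+--- a/lib/x509/pkcs12_bag.c
++++ b/lib/x509/pkcs12_bag.c
+@@ -62,7 +62,6 @@ static inline void _pkcs12_bag_free_data(gnutls_pkcs12_bag_t bag)
+ _gnutls_free_datum(&bag->element[i].data);
+ _gnutls_free_datum(&bag->element[i].local_key_id);
+ gnutls_free(bag->element[i].friendly_name);
+- bag->element[i].friendly_name = NULL;
+ bag->element[i].type = 0;
+ }
+
+diff --git a/lib/x509/pkcs7-crypt.c b/lib/x509/pkcs7-crypt.c
+index c2b00e61c..39eb7784b 100644
+--- a/lib/x509/pkcs7-crypt.c
++++ b/lib/x509/pkcs7-crypt.c
+@@ -1269,7 +1269,6 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, ASN1_TYPE pkcs8_asn,
+ _gnutls_cipher_init(&ch, ce, &dkey, &d_iv, 0);
+
+ gnutls_free(key);
+- key = NULL;
+
+ if (ret < 0) {
+ gnutls_assert();
+diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
+index 955cb5ae9..8ae7b3e78 100644
+--- a/lib/x509/pkcs7.c
++++ b/lib/x509/pkcs7.c
+@@ -692,7 +692,6 @@ int gnutls_pkcs7_get_signature_info(gnutls_pkcs7_t pkcs7, unsigned idx,
+
+ ret = gnutls_pkcs7_add_attr(&info->signed_attrs, oid, &tmp, 0);
+ gnutls_free(tmp.data);
+- tmp.data = NULL;
+
+ if (ret < 0) {
+ gnutls_assert();
+@@ -730,7 +729,6 @@ int gnutls_pkcs7_get_signature_info(gnutls_pkcs7_t pkcs7, unsigned idx,
+ ret =
+ gnutls_pkcs7_add_attr(&info->unsigned_attrs, oid, &tmp, 0);
+ gnutls_free(tmp.data);
+- tmp.data = NULL;
+
+ if (ret < 0) {
+ gnutls_assert();
+@@ -842,9 +840,7 @@ static int verify_hash_attr(gnutls_pkcs7_t pkcs7, const char *root,
+ }
+
+ gnutls_free(tmp.data);
+- tmp.data = NULL;
+ gnutls_free(tmp2.data);
+- tmp2.data = NULL;
+ }
+
+ if (msg_digest_ok)
+@@ -1087,7 +1083,6 @@ static gnutls_x509_crt_t find_verified_issuer_of(gnutls_pkcs7_t pkcs7,
+ gnutls_x509_crt_deinit(issuer);
+ issuer = NULL;
+ gnutls_free(tmp.data);
+- tmp.data = NULL;
+ continue;
+ }
+
+@@ -1204,7 +1199,6 @@ static gnutls_x509_crt_t find_child_of_with_serial(gnutls_pkcs7_t pkcs7,
+ gnutls_x509_crt_deinit(crt);
+ crt = NULL;
+ gnutls_free(tmpdata.data);
+- tmpdata.data = NULL;
+ continue;
+ }
+ } else {
+diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c
+index 92dea06b0..56000ff12 100644
+--- a/lib/x509/privkey_pkcs8.c
++++ b/lib/x509/privkey_pkcs8.c
+@@ -600,7 +600,6 @@ gnutls_pkcs8_info(const gnutls_datum_t * data, gnutls_x509_crt_fmt_t format,
+ cleanup:
+ if (ret != GNUTLS_E_UNKNOWN_CIPHER_TYPE && oid) {
+ gnutls_free(*oid);
+- *oid = NULL;
+ }
+ if (need_free)
+ _gnutls_free_datum(&_data);
+diff --git a/lib/x509/verify-high2.c b/lib/x509/verify-high2.c
+index 8ba2f2a3e..b9aed5cf4 100644
+--- a/lib/x509/verify-high2.c
++++ b/lib/x509/verify-high2.c
+@@ -178,7 +178,6 @@ int remove_pkcs11_url(gnutls_x509_trust_list_t list, const char *ca_file)
+ {
+ if (strcmp(ca_file, list->pkcs11_token) == 0) {
+ gnutls_free(list->pkcs11_token);
+- list->pkcs11_token = NULL;
+ }
+ return 0;
+ }
+diff --git a/lib/x509/virt-san.c b/lib/x509/virt-san.c
+index f3b87135b..a81337e25 100644
+--- a/lib/x509/virt-san.c
++++ b/lib/x509/virt-san.c
+@@ -70,7 +70,6 @@ int _gnutls_alt_name_assign_virt_type(struct name_st *name, unsigned type, gnutl
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ gnutls_free(san->data);
+- san->data = NULL;
+
+ if (othername_oid) {
+ name->othername_oid.data = (uint8_t *) othername_oid;
+diff --git a/lib/x509/x509.c b/lib/x509/x509.c
+index 4aff55eba..c149881f6 100644
+--- a/lib/x509/x509.c
++++ b/lib/x509/x509.c
+@@ -383,7 +383,6 @@ static int cache_alt_names(gnutls_x509_crt_t cert)
+ if (ret >= 0) {
+ ret = gnutls_x509_ext_import_subject_alt_names(&tmpder, cert->san, 0);
+ gnutls_free(tmpder.data);
+- tmpder.data = NULL;
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ }
+@@ -3680,7 +3679,6 @@ gnutls_x509_crt_list_import2(gnutls_x509_crt_t ** certs,
+
+ if (ret < 0) {
+ gnutls_free(*certs);
+- *certs = NULL;
+ return ret;
+ }
+
+@@ -4310,7 +4308,6 @@ gnutls_x509_crt_list_import_url(gnutls_x509_crt_t **certs,
+
+ if (gnutls_x509_crt_equals2(crts[i-1], &issuer)) {
+ gnutls_free(issuer.data);
+- issuer.data = NULL;
+ break;
+ }
+
+@@ -4331,7 +4328,6 @@ gnutls_x509_crt_list_import_url(gnutls_x509_crt_t **certs,
+ }
+
+ gnutls_free(issuer.data);
+- issuer.data = NULL;
+ }
+
+ *certs = gnutls_malloc(total*sizeof(gnutls_x509_crt_t));
+diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
+index 58c3263d1..477cf03c4 100644
+--- a/lib/x509/x509_ext.c
++++ b/lib/x509/x509_ext.c
+@@ -1994,7 +1994,6 @@ int gnutls_x509_ext_import_policies(const gnutls_datum_t * ext,
+ ret =
+ decode_user_notice(td.data, td.size, &txt);
+ gnutls_free(td.data);
+- td.data = NULL;
+
+ if (ret < 0) {
+ gnutls_assert();
+diff --git a/lib/x509_b64.c b/lib/x509_b64.c
+index 9a1037405..3117843be 100644
+--- a/lib/x509_b64.c
++++ b/lib/x509_b64.c
+@@ -302,7 +302,6 @@ _gnutls_base64_decode(const uint8_t * data, size_t data_size,
+
+ fail:
+ gnutls_free(result->data);
+- result->data = NULL;
+
+ cleanup:
+ gnutls_free(pdata.data);
+diff --git a/tests/cert.c b/tests/cert.c
+index da0ab23df..ec566a4a4 100644
+--- a/tests/cert.c
++++ b/tests/cert.c
+@@ -89,7 +89,6 @@ static int getnextcert(DIR **dirp, gnutls_datum_t *der, int *exp_ret)
+ *exp_ret = atoi((char*)local.data);
+ success("expecting error code %d\n", *exp_ret);
+ gnutls_free(local.data);
+- local.data = NULL;
+ }
+
+ return 0;
+@@ -135,7 +134,6 @@ void doit(void)
+
+ gnutls_x509_crt_deinit(cert);
+ gnutls_free(der.data);
+- der.data = NULL;
+ der.size = 0;
+ exp_ret = -1;
+ }
+diff --git a/tests/name-constraints-ip.c b/tests/name-constraints-ip.c
+index 3dd4ff2cb..ed96109c7 100644
+--- a/tests/name-constraints-ip.c
++++ b/tests/name-constraints-ip.c
+@@ -78,7 +78,6 @@ static void check_test_result(int ret, int expected_outcome,
+ static void parse_cidr(const char* cidr, gnutls_datum_t *datum) {
+ if (datum->data != NULL) {
+ gnutls_free(datum->data);
+- datum->data = NULL;
+ }
+ int ret = gnutls_x509_cidr_to_rfc5280(cidr, datum);
+ check_for_error(ret);
+@@ -699,7 +698,7 @@ static int teardown(void **state) {
+ gnutls_free(test_vars->ip.data);
+ gnutls_x509_name_constraints_deinit(test_vars->nc);
+ gnutls_x509_name_constraints_deinit(test_vars->nc2);
+- gnutls_free(test_vars);
++ gnutls_free(*state);
+ return 0;
+ }
+
+diff --git a/tests/pkcs11/pkcs11-import-url-privkey.c b/tests/pkcs11/pkcs11-import-url-privkey.c
+index cb44fb1e5..c7e06eb1a 100644
+--- a/tests/pkcs11/pkcs11-import-url-privkey.c
++++ b/tests/pkcs11/pkcs11-import-url-privkey.c
+@@ -85,7 +85,6 @@ void doit(void)
+ for (i=0;i<obj_list_size;i++)
+ gnutls_pkcs11_obj_deinit(obj_list[i]);
+ gnutls_free(obj_list);
+- obj_list = NULL;
+ obj_list_size = 0;
+
+ #ifndef _WIN32
+@@ -116,7 +115,6 @@ void doit(void)
+ for (i=0;i<obj_list_size;i++)
+ gnutls_pkcs11_obj_deinit(obj_list[i]);
+ gnutls_free(obj_list);
+- obj_list = NULL;
+ obj_list_size = 0;
+ }
+ #endif
+diff --git a/tests/pkcs11/pkcs11-privkey-always-auth.c b/tests/pkcs11/pkcs11-privkey-always-auth.c
+index 3561c412f..441f63722 100644
+--- a/tests/pkcs11/pkcs11-privkey-always-auth.c
++++ b/tests/pkcs11/pkcs11-privkey-always-auth.c
+@@ -175,7 +175,6 @@ void doit(void)
+ pin_called = 0;
+
+ gnutls_free(sig.data);
+- sig.data = NULL;
+
+ /* call again - should re-authenticate */
+ ret = gnutls_privkey_sign_hash(key, GNUTLS_DIG_SHA1, 0, &data, &sig);
+@@ -190,7 +189,6 @@ void doit(void)
+ pin_called = 0;
+
+ gnutls_free(sig.data);
+- sig.data = NULL;
+
+ if (debug)
+ printf("done\n\n\n");
+diff --git a/tests/pkcs11/pkcs11-privkey-fork-reinit.c b/tests/pkcs11/pkcs11-privkey-fork-reinit.c
+index 1535d644f..a72584225 100644
+--- a/tests/pkcs11/pkcs11-privkey-fork-reinit.c
++++ b/tests/pkcs11/pkcs11-privkey-fork-reinit.c
+@@ -123,7 +123,6 @@ void doit(void)
+ }
+
+ gnutls_free(sig.data);
+- sig.data = NULL;
+
+ pid = fork();
+ if (pid != 0) {
+diff --git a/tests/pkcs11/pkcs11-privkey-fork.c b/tests/pkcs11/pkcs11-privkey-fork.c
+index 9d301d7d6..b99755c73 100644
+--- a/tests/pkcs11/pkcs11-privkey-fork.c
++++ b/tests/pkcs11/pkcs11-privkey-fork.c
+@@ -123,7 +123,6 @@ void doit(void)
+ }
+
+ gnutls_free(sig.data);
+- sig.data = NULL;
+
+ pid = fork();
+ if (pid != 0) {
+diff --git a/tests/pkcs11/pkcs11-privkey-safenet-always-auth.c b/tests/pkcs11/pkcs11-privkey-safenet-always-auth.c
+index 1b5b34054..a4ab5b5aa 100644
+--- a/tests/pkcs11/pkcs11-privkey-safenet-always-auth.c
++++ b/tests/pkcs11/pkcs11-privkey-safenet-always-auth.c
+@@ -157,7 +157,6 @@ void doit(void)
+ pin_called = 0;
+
+ gnutls_free(sig.data);
+- sig.data = NULL;
+
+ /* call again - should re-authenticate */
+ ret = gnutls_privkey_sign_hash(key, GNUTLS_DIG_SHA1, 0, &data, &sig);
+@@ -172,7 +171,6 @@ void doit(void)
+ pin_called = 0;
+
+ gnutls_free(sig.data);
+- sig.data = NULL;
+
+ if (debug)
+ printf("done\n\n\n");
+diff --git a/tests/pkcs7.c b/tests/pkcs7.c
+index a490976fc..2d5a5548d 100644
+--- a/tests/pkcs7.c
++++ b/tests/pkcs7.c
+@@ -90,7 +90,6 @@ static int getnextfile(DIR **dirp, gnutls_datum_t *der, int *exp_ret)
+ *exp_ret = atoi((char*)local.data);
+ success("expecting error code %d\n", *exp_ret);
+ gnutls_free(local.data);
+- local.data = NULL;
+ }
+
+ return 0;
+@@ -134,7 +133,6 @@ void doit(void)
+
+ gnutls_pkcs7_deinit(cert);
+ gnutls_free(der.data);
+- der.data = NULL;
+ der.size = 0;
+ exp_ret = -1;
+ }
+diff --git a/tests/resume-dtls.c b/tests/resume-dtls.c
+index 9e6327c7f..b5b214313 100644
+--- a/tests/resume-dtls.c
++++ b/tests/resume-dtls.c
+@@ -363,7 +363,6 @@ static void server(int sds[], struct params_res *params)
+ }
+
+ gnutls_free(session_ticket_key.data);
+- session_ticket_key.data = NULL;
+ gnutls_anon_free_server_credentials(anoncred);
+
+ if (debug)
+diff --git a/tests/resume.c b/tests/resume.c
+index 84314b836..3dc225136 100644
+--- a/tests/resume.c
++++ b/tests/resume.c
+@@ -873,7 +873,6 @@ static void server(int sds[], struct params_res *params)
+ }
+
+ gnutls_free(session_ticket_key.data);
+- session_ticket_key.data = NULL;
+
+ if (debug)
+ success("server: finished\n");
+diff --git a/tests/sign-verify-data.c b/tests/sign-verify-data.c
+index 3aa261175..558ad2253 100644
+--- a/tests/sign-verify-data.c
++++ b/tests/sign-verify-data.c
+@@ -153,7 +153,6 @@ void doit(void)
+
+ /* test the raw interface */
+ gnutls_free(signature.data);
+- signature.data = NULL;
+
+ gnutls_free(signature.data);
+ gnutls_x509_crt_deinit(crt);
+diff --git a/tests/sign-verify-ext.c b/tests/sign-verify-ext.c
+index eecb1f357..cc80bf907 100644
+--- a/tests/sign-verify-ext.c
++++ b/tests/sign-verify-ext.c
+@@ -186,9 +186,7 @@ void doit(void)
+
+ /* test the raw interface */
+ gnutls_free(signature.data);
+- signature.data = NULL;
+ gnutls_free(signature2.data);
+- signature2.data = NULL;
+
+ if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL) ==
+ GNUTLS_PK_RSA) {
+diff --git a/tests/sign-verify-ext4.c b/tests/sign-verify-ext4.c
+index 81aa345bf..be582ec14 100644
+--- a/tests/sign-verify-ext4.c
++++ b/tests/sign-verify-ext4.c
+@@ -227,7 +227,6 @@ void doit(void)
+ testfail("gnutls_pubkey_verify_data2\n");
+
+ gnutls_free(signature.data);
+- signature.data = NULL;
+
+
+ if (!tests[i].data_only) {
+@@ -243,7 +242,6 @@ void doit(void)
+ testfail("gnutls_pubkey_verify_hash2-1 (hashed data)\n");
+
+ gnutls_free(signature2.data);
+- signature2.data = NULL;
+ }
+
+ if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL) ==
+diff --git a/tests/sign-verify.c b/tests/sign-verify.c
+index 1fbed5ece..5a14741fc 100644
+--- a/tests/sign-verify.c
++++ b/tests/sign-verify.c
+@@ -206,7 +206,6 @@ void doit(void)
+
+ /* test the raw interface */
+ gnutls_free(signature.data);
+- signature.data = NULL;
+
+ if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL) ==
+ GNUTLS_PK_RSA) {
+diff --git a/tests/x509-extensions.c b/tests/x509-extensions.c
+index d480f8364..a062c1ba8 100644
+--- a/tests/x509-extensions.c
++++ b/tests/x509-extensions.c
+@@ -767,7 +767,6 @@ void doit(void)
+ }
+ }
+ gnutls_free(ext.data);
+- ext.data = NULL;
+ }
+
+ if (debug)
+diff --git a/tests/x509sign-verify-error.c b/tests/x509sign-verify-error.c
+index 54bdc40ab..97c966685 100644
+--- a/tests/x509sign-verify-error.c
++++ b/tests/x509sign-verify-error.c
+@@ -181,7 +181,6 @@ void doit(void)
+ fail("gnutls_privkey_sign_hash\n");
+
+ gnutls_free(signature2.data);
+- signature2.data = NULL;
+
+ _gnutls_lib_simulate_error();
+ ret = gnutls_privkey_sign_hash(privkey, GNUTLS_DIG_SHA1, 0,
+--
+2.22.0.vfs.1.1.57.gbaf16c8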
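Review bot: The resets removed throughout this patch are only redundant where the `gnutls_free()` macro from patch 1/3 is active, and that macro sits behind `#ifdef GNUTLS_INTERNAL_BUILD`. The removals also reach tests/: in tests/sign-verify-data.c the hunk leaves two consecutive `gnutls_free(signature.data);` calls, which is a double free in any translation unit built without the macro. Whether 3.6.4 defines `GNUTLS_INTERNAL_BUILD` for the test programs is not visible on this page, so that should be confirmed before relying on the backport. Separately, the only added code, `gnutls_free(session->key.key.data);` and `session->key.key.size = 0;` on the `gnutls_rnd()` failure path in lib/auth/rsa.c, would benefit from a comment such as `/* release the key before cleanup so no stale pointer is left in the session */`.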
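diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2019-3829_p3.patch b/meta/recipes-support/gnutls/gnutls/CVE-2019-3829_p3.patch
new file mode 100644
index 0000000000..d27ea4a918
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2019-3829_p3.patch
@@ -0,0 +1,36 @@
+From bf616850cf20af2bec3d68b82e6ac610ee8fc404 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Tue, 12 Feb 2019 15:20:23 +0100
+Subject: [PATCH 3/3] gnutls_x509_crt_init: Fix dereference of NULL pointer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
+
+CVE: CVE-2019-3829
+Upstream-Status: Backport
+[https://gitlab.com/gnutls/gnutls/commit/6b5cbc9ea5bdca704bdbe2f8fb551f720d634bc6]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ lib/x509/x509.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/x509/x509.c b/lib/x509/x509.c
+index c149881f6..cc232ea50 100644
+--- a/lib/x509/x509.c
++++ b/lib/x509/x509.c
+@@ -224,8 +224,8 @@ int gnutls_x509_crt_init(gnutls_x509_crt_t * cert)
+ if (result < 0) {
+ gnutls_assert();
+ asn1_delete_structure(&tmp->cert);
+- gnutls_free(tmp);
+ gnutls_subject_alt_names_deinit(tmp->san);
++ gnutls_free(tmp);
+ return result;
+ }
+
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+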
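Review bot: The reordered error path in `gnutls_x509_crt_init()` carries no record of why the order matters: `gnutls_subject_alt_names_deinit(tmp->san)` reads a member of `tmp`, so it must run before `gnutls_free(tmp)`, which with patch 1/3 also sets `tmp` to NULL. A comment on the moved line, e.g. `/* release members first: gnutls_free() frees tmp and NULLs it */`, would keep a later cleanup edit from reintroducing the use-after-free or NULL dereference. The function body starts and ends outside this hunk, so any other error path in it that frees `tmp` should be checked for the same ordering.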
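diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2019-3836.patch b/meta/recipes-support/gnutls/gnutls/CVE-2019-3836.patch
new file mode 100644
index 0000000000..4aeb689347
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2019-3836.patch
@@ -0,0 +1,35 @@
+From c68195f0ff65144d7e0c32f4de5f264c4012983a Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <dueno@redhat.com>
+Date: Mon, 25 Mar 2019 16:06:39 +0100
+Subject: [PATCH] handshake: add missing initialization of local variable
+
+Resolves: #704
+
+Signed-off-by: Daiki Ueno <dueno@redhat.com>
+Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+CVE: CVE-2019-3836
+Upstream-Status: Backport
+[https://gitlab.com/gnutls/gnutls/commit/96e07075e8f105b13e76b11e493d5aa2dd937226]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ lib/handshake-tls13.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/handshake-tls13.c b/lib/handshake-tls13.c
+index 06c7c01d2..82689b5d8 100644
+--- a/lib/handshake-tls13.c
++++ b/lib/handshake-tls13.c
+@@ -534,6 +534,8 @@ _gnutls13_recv_async_handshake(gnutls_session_t session)
+ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
+
+ do {
++ _gnutls_handshake_buffer_init(&hsk);
++
+ /* the received handshake message has already been pushed into
+ * handshake buffers. As we do not need to use the handshake hash
+ * buffers we call the lower level receive functions */
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+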
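Review bot: Re-initialising `hsk` at the top of every pass of the `do` loop in `_gnutls13_recv_async_handshake()` is only leak-free if each pass has already released whatever the previous one stored in it, and that release is outside this hunk. The added call is what guarantees the buffer is in a known state before any early exit reaches its cleanup, but the code does not say so. I would put a comment on the new line, e.g. `/* hsk must be initialised before any path that can reach its cleanup */`, and confirm against the full function that every path back to the loop head clears `hsk` first.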
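diff --git a/meta/recipes-support/gnutls/gnutls_3.6.4.bb b/meta/recipes-support/gnutls/gnutls_3.6.4.bb
index 6d2a11df34..30873f00db 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.4.bb
@@ -19,6 +19,10 @@ SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
 
 SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \
  file://arm_eabi.patch \
+ file://CVE-2019-3829_p1.patch \
+ file://CVE-2019-3829_p2.patch \
+ file://CVE-2019-3829_p3.patch \
+ file://CVE-2019-3836.patch \
 "
 
 SRC_URI[md5sum] = "63363d1c00601f4d11a5cadc8b5e0799"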