diff options
author | Lee Chee Yang <chee.yang.lee@intel.com> | 2021-06-04 17:54:24 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-06-11 22:45:27 +0100 |
commit | 3cd9587ba6a5168a620339867197b1eef3953d80 (patch) | |
tree | ba75f0be90a9904cc473e48e772d598f41efc9f6 /meta/recipes-support | |
parent | 4ad8edab0bce7e41a671f32cdddc32ee322d33b8 (diff) | |
download | poky-3cd9587ba6a5168a620339867197b1eef3953d80.tar.gz |
gnutls: fix CVE-2021-20231 CVE-2021-20232
(From OE-Core rev: 38a0c77bf576caa3ac54934d141e489599d1b906)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-support')
-rw-r--r-- | meta/recipes-support/gnutls/gnutls/CVE-2021-20231.patch | 67 | ||||
-rw-r--r-- | meta/recipes-support/gnutls/gnutls/CVE-2021-20232.patch | 65 | ||||
-rw-r--r-- | meta/recipes-support/gnutls/gnutls_3.6.14.bb | 2 |
3 files changed, 134 insertions, 0 deletions
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2021-20231.patch b/meta/recipes-support/gnutls/gnutls/CVE-2021-20231.patch new file mode 100644 index 0000000000..6fe7a21e33 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2021-20231.patch | |||
@@ -0,0 +1,67 @@ | |||
1 | From 15beb4b193b2714d88107e7dffca781798684e7e Mon Sep 17 00:00:00 2001 | ||
2 | From: Daiki Ueno <ueno@gnu.org> | ||
3 | Date: Fri, 29 Jan 2021 14:06:32 +0100 | ||
4 | Subject: [PATCH] key_share: avoid use-after-free around realloc | ||
5 | |||
6 | Signed-off-by: Daiki Ueno <ueno@gnu.org> | ||
7 | |||
8 | https://gitlab.com/gnutls/gnutls/-/commit/15beb4b193b2714d88107e7dffca781798684e7e | ||
9 | Upstream-Status: Backport | ||
10 | CVE: CVE-2021-CVE-2021-20231 | ||
11 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
12 | --- | ||
13 | lib/ext/key_share.c | 12 +++++------- | ||
14 | 1 file changed, 5 insertions(+), 7 deletions(-) | ||
15 | |||
16 | diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c | ||
17 | index ab8abf8fe6..a8c4bb5cff 100644 | ||
18 | --- a/lib/ext/key_share.c | ||
19 | +++ b/lib/ext/key_share.c | ||
20 | @@ -664,14 +664,14 @@ key_share_send_params(gnutls_session_t session, | ||
21 | { | ||
22 | unsigned i; | ||
23 | int ret; | ||
24 | - unsigned char *lengthp; | ||
25 | - unsigned int cur_length; | ||
26 | unsigned int generated = 0; | ||
27 | const gnutls_group_entry_st *group; | ||
28 | const version_entry_st *ver; | ||
29 | |||
30 | /* this extension is only being sent on client side */ | ||
31 | if (session->security_parameters.entity == GNUTLS_CLIENT) { | ||
32 | + unsigned int length_pos; | ||
33 | + | ||
34 | ver = _gnutls_version_max(session); | ||
35 | if (unlikely(ver == NULL || ver->key_shares == 0)) | ||
36 | return 0; | ||
37 | @@ -679,16 +679,13 @@ key_share_send_params(gnutls_session_t session, | ||
38 | if (!have_creds_for_tls13(session)) | ||
39 | return 0; | ||
40 | |||
41 | - /* write the total length later */ | ||
42 | - lengthp = &extdata->data[extdata->length]; | ||
43 | + length_pos = extdata->length; | ||
44 | |||
45 | ret = | ||
46 | _gnutls_buffer_append_prefix(extdata, 16, 0); | ||
47 | if (ret < 0) | ||
48 | return gnutls_assert_val(ret); | ||
49 | |||
50 | - cur_length = extdata->length; | ||
51 | - | ||
52 | if (session->internals.hsk_flags & HSK_HRR_RECEIVED) { /* we know the group */ | ||
53 | group = get_group(session); | ||
54 | if (unlikely(group == NULL)) | ||
55 | @@ -736,7 +733,8 @@ key_share_send_params(gnutls_session_t session, | ||
56 | } | ||
57 | |||
58 | /* copy actual length */ | ||
59 | - _gnutls_write_uint16(extdata->length - cur_length, lengthp); | ||
60 | + _gnutls_write_uint16(extdata->length - length_pos - 2, | ||
61 | + &extdata->data[length_pos]); | ||
62 | |||
63 | } else { /* server */ | ||
64 | ver = get_version(session); | ||
65 | -- | ||
66 | GitLab | ||
67 | |||
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2021-20232.patch b/meta/recipes-support/gnutls/gnutls/CVE-2021-20232.patch new file mode 100644 index 0000000000..e13917cddb --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2021-20232.patch | |||
@@ -0,0 +1,65 @@ | |||
1 | From 75a937d97f4fefc6f9b08e3791f151445f551cb3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daiki Ueno <ueno@gnu.org> | ||
3 | Date: Fri, 29 Jan 2021 14:06:50 +0100 | ||
4 | Subject: [PATCH] pre_shared_key: avoid use-after-free around realloc | ||
5 | |||
6 | Signed-off-by: Daiki Ueno <ueno@gnu.org> | ||
7 | |||
8 | https://gitlab.com/gnutls/gnutls/-/commit/75a937d97f4fefc6f9b08e3791f151445f551cb3 | ||
9 | Upstream-Status: Backport | ||
10 | CVE: CVE-2021-CVE-2021-20232 | ||
11 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
12 | --- | ||
13 | lib/ext/pre_shared_key.c | 15 ++++++++++++--- | ||
14 | 1 file changed, 12 insertions(+), 3 deletions(-) | ||
15 | |||
16 | diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c | ||
17 | index a042c6488e..380bf39ed5 100644 | ||
18 | --- a/lib/ext/pre_shared_key.c | ||
19 | +++ b/lib/ext/pre_shared_key.c | ||
20 | @@ -267,7 +267,7 @@ client_send_params(gnutls_session_t session, | ||
21 | size_t spos; | ||
22 | gnutls_datum_t username = {NULL, 0}; | ||
23 | gnutls_datum_t user_key = {NULL, 0}, rkey = {NULL, 0}; | ||
24 | - gnutls_datum_t client_hello; | ||
25 | + unsigned client_hello_len; | ||
26 | unsigned next_idx; | ||
27 | const mac_entry_st *prf_res = NULL; | ||
28 | const mac_entry_st *prf_psk = NULL; | ||
29 | @@ -428,8 +428,7 @@ client_send_params(gnutls_session_t session, | ||
30 | assert(extdata->length >= sizeof(mbuffer_st)); | ||
31 | assert(ext_offset >= (ssize_t)sizeof(mbuffer_st)); | ||
32 | ext_offset -= sizeof(mbuffer_st); | ||
33 | - client_hello.data = extdata->data+sizeof(mbuffer_st); | ||
34 | - client_hello.size = extdata->length-sizeof(mbuffer_st); | ||
35 | + client_hello_len = extdata->length-sizeof(mbuffer_st); | ||
36 | |||
37 | next_idx = 0; | ||
38 | |||
39 | @@ -440,6 +439,11 @@ client_send_params(gnutls_session_t session, | ||
40 | } | ||
41 | |||
42 | if (prf_res && rkey.size > 0) { | ||
43 | + gnutls_datum_t client_hello; | ||
44 | + | ||
45 | + client_hello.data = extdata->data+sizeof(mbuffer_st); | ||
46 | + client_hello.size = client_hello_len; | ||
47 | + | ||
48 | ret = compute_psk_binder(session, prf_res, | ||
49 | binders_len, binders_pos, | ||
50 | ext_offset, &rkey, &client_hello, 1, | ||
51 | @@ -474,6 +478,11 @@ client_send_params(gnutls_session_t session, | ||
52 | } | ||
53 | |||
54 | if (prf_psk && user_key.size > 0 && info) { | ||
55 | + gnutls_datum_t client_hello; | ||
56 | + | ||
57 | + client_hello.data = extdata->data+sizeof(mbuffer_st); | ||
58 | + client_hello.size = client_hello_len; | ||
59 | + | ||
60 | ret = compute_psk_binder(session, prf_psk, | ||
61 | binders_len, binders_pos, | ||
62 | ext_offset, &user_key, &client_hello, 0, | ||
63 | -- | ||
64 | GitLab | ||
65 | |||
diff --git a/meta/recipes-support/gnutls/gnutls_3.6.14.bb b/meta/recipes-support/gnutls/gnutls_3.6.14.bb index 903bb5503a..0c68da7c54 100644 --- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb +++ b/meta/recipes-support/gnutls/gnutls_3.6.14.bb | |||
@@ -23,6 +23,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar | |||
23 | file://arm_eabi.patch \ | 23 | file://arm_eabi.patch \ |
24 | file://0001-Modied-the-license-to-GPLv2.1-to-keep-with-LICENSE-f.patch \ | 24 | file://0001-Modied-the-license-to-GPLv2.1-to-keep-with-LICENSE-f.patch \ |
25 | file://CVE-2020-24659.patch \ | 25 | file://CVE-2020-24659.patch \ |
26 | file://CVE-2021-20231.patch \ | ||
27 | file://CVE-2021-20232.patch \ | ||
26 | " | 28 | " |
27 | 29 | ||
28 | SRC_URI[sha256sum] = "5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63" | 30 | SRC_URI[sha256sum] = "5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63" |