gnutls: CVE-2015-3308

Fixes use-after-free flaw in CRL distribution points parsing Reference: https://gitlab.com/gnutls/gnutls/commit/d6972be33264ecc49a86cd0958209cd7363af1e9 https://gitlab.com/gnutls/gnutls/commit/053ae65403216acdb0a4e78b25ad66ee9f444f02 http://www.openwall.com/lists/oss-security/2015/04/15/6 (From OE-Core rev: 4db630c0cd7988c923eb3f48153a6cedafd6a139) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-09-03 13:54:21 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-09-18 19:22:23 +0100
commit: 6516ecd07507c917f1f46e26eed7826015f1d1ec (patch)
tree: cfff2cfa2842e00181a28472b3a3834a89df0427 /meta
parent: d6dcddbb3d720ae641bc1218a7cbd73a5c9f31ca (diff)
download: poky-6516ecd07507c917f1f46e26eed7826015f1d1ec.tar.gz
3 files changed, 100 insertions, 0 deletions
diff --git a/meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch b/meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch
new file mode 100644
index 0000000000..8824729d2f
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch
@@ -0,0 +1,65 @@
+From 053ae65403216acdb0a4e78b25ad66ee9f444f02 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Sat, 28 Mar 2015 22:41:03 +0100
+Subject: [PATCH] Better fix for the double free in dist point parsing
+Fixes CVE-2015-3308
+Upstream-Status: Backport
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ lib/x509/x509_ext.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
+index 2e69ed0..f974b02 100644
+--- a/lib/x509/x509_ext.c
+++ b/lib/x509/x509_ext.c
+@@ -2287,7 +2287,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+        int len, ret;
+        uint8_t reasons[2];
+        unsigned i, type, rflags, j;
+-       gnutls_datum_t san;
+       gnutls_datum_t san = {NULL, 0};
+ 
+        result = asn1_create_element
+            (_gnutls_get_pkix(), "PKIX1.CRLDistributionPoints", &c2);
+@@ -2310,9 +2310,6 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+ 
+        i = 0;
+        do {
+-               san.data = NULL;
+-               san.size = 0;
+-
+                snprintf(name, sizeof(name), "?%u.reasons", (unsigned)i + 1);
+ 
+                len = sizeof(reasons);
+@@ -2337,6 +2334,9 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+ 
+                j = 0;
+                do {
+                       san.data = NULL;
+                       san.size = 0;
+
+                        ret =
+                            _gnutls_parse_general_name2(c2, name, j, &san,
+                                                        &type, 0);
+@@ -2351,6 +2351,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+                        ret = crl_dist_points_set(cdp, type, &san, rflags);
+                        if (ret < 0)
+                                break;
+                       san.data = NULL; /* it is now in cdp */
+ 
+                        j++;
+                } while (ret >= 0);
+@@ -2360,6 +2361,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+ 
+        if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+                gnutls_assert();
+               gnutls_free(san.data);
+                goto cleanup;
+        }
+ 
+-- 
+1.9.1
diff --git a/meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch b/meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch
new file mode 100644
index 0000000000..628103ff6b
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch
@@ -0,0 +1,33 @@
+From d6972be33264ecc49a86cd0958209cd7363af1e9 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Mon, 23 Mar 2015 22:55:29 +0100
+Subject: [PATCH] eliminated double-free in the parsing of dist points
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Reported by Robert Święcki.
+Fixes CVE-2015-3308
+Upstream-Status: Backport
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ lib/x509/x509_ext.c | 1 -
+ 1 file changed, 1 deletion(-)
+diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
+index c8d5867..6f09438 100644
+--- a/lib/x509/x509_ext.c
+++ b/lib/x509/x509_ext.c
+@@ -2360,7 +2360,6 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+ 
+        if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+                gnutls_assert();
+-               gnutls_free(san.data);
+                goto cleanup;
+        }
+ 
+-- 
+1.9.1
diff --git a/meta/recipes-support/gnutls/gnutls_3.3.12.bb b/meta/recipes-support/gnutls/gnutls_3.3.12.bb
index b310be0e58..62cd2d066d 100644
--- a/meta/recipes-support/gnutls/gnutls_3.3.12.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.3.12.bb
@@ -3,6 +3,8 @@ require gnutls.inc
 SRC_URI += "file://correct_rpl_gettimeofday_signature.patch \
            file://configure.ac-fix-sed-command.patch \
            file://use-pkg-config-to-locate-zlib.patch \
+            file://eliminated-double-free-CVE-2015-3308.patch \
+            file://better-fix-for-double-free-CVE-2015-3308.patch \
           "
 SRC_URI[md5sum] = "a37b20b4352a5f542367ded904729c90"
 SRC_URI[sha256sum] = "67ab3e92c5d48f3323b897d7c1aa0bb2af6f3a84f5bd9931cda163a7ff32299b"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-09-03 13:54:21 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-09-18 19:22:23 +0100
commit	6516ecd07507c917f1f46e26eed7826015f1d1ec (patch)
tree	cfff2cfa2842e00181a28472b3a3834a89df0427 /meta
parent	d6dcddbb3d720ae641bc1218a7cbd73a5c9f31ca (diff)
download	poky-6516ecd07507c917f1f46e26eed7826015f1d1ec.tar.gz

diff --git a/meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch b/meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch new file mode 100644 index 0000000000..8824729d2f --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch
@@ -0,0 +1,65 @@
		1	From 053ae65403216acdb0a4e78b25ad66ee9f444f02 Mon Sep 17 00:00:00 2001
		2	From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
		3	Date: Sat, 28 Mar 2015 22:41:03 +0100
		4	Subject: [PATCH] Better fix for the double free in dist point parsing
		5
		6	Fixes CVE-2015-3308
		7	Upstream-Status: Backport
		8
		9	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		10	---
		11	lib/x509/x509_ext.c \| 10 ++++++----
		12	1 file changed, 6 insertions(+), 4 deletions(-)
		13
		14	diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
		15	index 2e69ed0..f974b02 100644
		16	--- a/lib/x509/x509_ext.c
		17	+++ b/lib/x509/x509_ext.c
		18	@@ -2287,7 +2287,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
		19	int len, ret;
		20	uint8_t reasons[2];
		21	unsigned i, type, rflags, j;
		22	- gnutls_datum_t san;
		23	+ gnutls_datum_t san = {NULL, 0};
		24
		25	result = asn1_create_element
		26	(_gnutls_get_pkix(), "PKIX1.CRLDistributionPoints", &c2);
		27	@@ -2310,9 +2310,6 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
		28
		29	i = 0;
		30	do {
		31	- san.data = NULL;
		32	- san.size = 0;
		33	-
		34	snprintf(name, sizeof(name), "?%u.reasons", (unsigned)i + 1);
		35
		36	len = sizeof(reasons);
		37	@@ -2337,6 +2334,9 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
		38
		39	j = 0;
		40	do {
		41	+ san.data = NULL;
		42	+ san.size = 0;
		43	+
		44	ret =
		45	_gnutls_parse_general_name2(c2, name, j, &san,
		46	&type, 0);
		47	@@ -2351,6 +2351,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
		48	ret = crl_dist_points_set(cdp, type, &san, rflags);
		49	if (ret < 0)
		50	break;
		51	+ san.data = NULL; /* it is now in cdp */
		52
		53	j++;
		54	} while (ret >= 0);
		55	@@ -2360,6 +2361,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
		56
		57	if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
		58	gnutls_assert();
		59	+ gnutls_free(san.data);
		60	goto cleanup;
		61	}
		62
		63	--
		64	1.9.1
		65


diff --git a/meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch b/meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch new file mode 100644 index 0000000000..628103ff6b --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch
@@ -0,0 +1,33 @@
		1	From d6972be33264ecc49a86cd0958209cd7363af1e9 Mon Sep 17 00:00:00 2001
		2	From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
		3	Date: Mon, 23 Mar 2015 22:55:29 +0100
		4	Subject: [PATCH] eliminated double-free in the parsing of dist points
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	Reported by Robert Święcki.
		10
		11	Fixes CVE-2015-3308
		12	Upstream-Status: Backport
		13
		14	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		15	---
		16	lib/x509/x509_ext.c \| 1 -
		17	1 file changed, 1 deletion(-)
		18
		19	diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
		20	index c8d5867..6f09438 100644
		21	--- a/lib/x509/x509_ext.c
		22	+++ b/lib/x509/x509_ext.c
		23	@@ -2360,7 +2360,6 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
		24
		25	if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
		26	gnutls_assert();
		27	- gnutls_free(san.data);
		28	goto cleanup;
		29	}
		30
		31	--
		32	1.9.1
		33


diff --git a/meta/recipes-support/gnutls/gnutls_3.3.12.bb b/meta/recipes-support/gnutls/gnutls_3.3.12.bb index b310be0e58..62cd2d066d 100644 --- a/meta/recipes-support/gnutls/gnutls_3.3.12.bb +++ b/meta/recipes-support/gnutls/gnutls_3.3.12.bb
@@ -3,6 +3,8 @@ require gnutls.inc
3	SRC_URI += "file://correct_rpl_gettimeofday_signature.patch \	3	SRC_URI += "file://correct_rpl_gettimeofday_signature.patch \
4	file://configure.ac-fix-sed-command.patch \	4	file://configure.ac-fix-sed-command.patch \
5	file://use-pkg-config-to-locate-zlib.patch \	5	file://use-pkg-config-to-locate-zlib.patch \
		6	file://eliminated-double-free-CVE-2015-3308.patch \
		7	file://better-fix-for-double-free-CVE-2015-3308.patch \
6	"	8	"
7	SRC_URI[md5sum] = "a37b20b4352a5f542367ded904729c90"	9	SRC_URI[md5sum] = "a37b20b4352a5f542367ded904729c90"
8	SRC_URI[sha256sum] = "67ab3e92c5d48f3323b897d7c1aa0bb2af6f3a84f5bd9931cda163a7ff32299b"	10	SRC_URI[sha256sum] = "67ab3e92c5d48f3323b897d7c1aa0bb2af6f3a84f5bd9931cda163a7ff32299b"