2 files changed, 36 insertions, 0 deletions
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2016-7444.patch b/meta/recipes-support/gnutls/gnutls/CVE-2016-7444.patch
new file mode 100644
index 0000000000..215be5a8ec
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2016-7444.patch
@@ -0,0 +1,35 @@
+CVE: CVE-2016-7444
+Upstream-Status: Backport
+Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
+Upstream commit follows:
+From 964632f37dfdfb914ebc5e49db4fa29af35b1de9 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Sat, 27 Aug 2016 17:00:22 +0200
+Subject: [PATCH] ocsp: corrected the comparison of the serial size in OCSP response
+Previously the OCSP certificate check wouldn't verify the serial length
+and could succeed in cases it shouldn't.
+Reported by Stefan Buehler.
+---
+ lib/x509/ocsp.c | 1 +
+ 1 file changed, 1 insertion(+), 0 deletions(-)
+diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
+index 92db9b6..8181f2e 100644
+--- a/lib/x509/ocsp.c
+++ b/lib/x509/ocsp.c
+@@ -1318,6 +1318,7 @@ gnutls_ocsp_resp_check_crt(gnutls_ocsp_resp_t resp,
+                gnutls_assert();
+                goto cleanup;
+        }
+       cserial.size = t;
+ 
+        if (rserial.size != cserial.size
+            || memcmp(cserial.data, rserial.data, rserial.size) != 0) {
+--
+libgit2 0.24.0
diff --git a/meta/recipes-support/gnutls/gnutls_3.5.3.bb b/meta/recipes-support/gnutls/gnutls_3.5.3.bb
index 8317eb413a..b2dbb07124 100644
--- a/meta/recipes-support/gnutls/gnutls_3.5.3.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.5.3.bb
@@ -4,6 +4,7 @@ SRC_URI += "file://correct_rpl_gettimeofday_signature.patch \
            file://0001-configure.ac-fix-sed-command.patch \
            file://use-pkg-config-to-locate-zlib.patch \
            file://0001-Use-correct-include-dir-with-minitasn.patch \
+            file://CVE-2016-7444.patch \
           "
 SRC_URI[md5sum] = "6c2c7f40ddf52933ee3ca474cb8cb63c"
 SRC_URI[sha256sum] = "92c4bc999a10a1b95299ebefaeea8333f19d8a98d957a35b5eae74881bdb1fef"

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2016-7444.patch b/meta/recipes-support/gnutls/gnutls/CVE-2016-7444.patch new file mode 100644 index 0000000000..215be5a8ec --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2016-7444.patch
@@ -0,0 +1,35 @@
		1	CVE: CVE-2016-7444
		2	Upstream-Status: Backport
		3	Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
		4
		5	Upstream commit follows:
		6
		7
		8	From 964632f37dfdfb914ebc5e49db4fa29af35b1de9 Mon Sep 17 00:00:00 2001
		9	From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
		10	Date: Sat, 27 Aug 2016 17:00:22 +0200
		11	Subject: [PATCH] ocsp: corrected the comparison of the serial size in OCSP response
		12
		13	Previously the OCSP certificate check wouldn't verify the serial length
		14	and could succeed in cases it shouldn't.
		15
		16	Reported by Stefan Buehler.
		17	---
		18	lib/x509/ocsp.c \| 1 +
		19	1 file changed, 1 insertion(+), 0 deletions(-)
		20
		21	diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
		22	index 92db9b6..8181f2e 100644
		23	--- a/lib/x509/ocsp.c
		24	+++ b/lib/x509/ocsp.c
		25	@@ -1318,6 +1318,7 @@ gnutls_ocsp_resp_check_crt(gnutls_ocsp_resp_t resp,
		26	gnutls_assert();
		27	goto cleanup;
		28	}
		29	+ cserial.size = t;
		30
		31	if (rserial.size != cserial.size
		32	\|\| memcmp(cserial.data, rserial.data, rserial.size) != 0) {
		33	--
		34	libgit2 0.24.0
		35


diff --git a/meta/recipes-support/gnutls/gnutls_3.5.3.bb b/meta/recipes-support/gnutls/gnutls_3.5.3.bb index 8317eb413a..b2dbb07124 100644 --- a/meta/recipes-support/gnutls/gnutls_3.5.3.bb +++ b/meta/recipes-support/gnutls/gnutls_3.5.3.bb
@@ -4,6 +4,7 @@ SRC_URI += "file://correct_rpl_gettimeofday_signature.patch \
4	file://0001-configure.ac-fix-sed-command.patch \	4	file://0001-configure.ac-fix-sed-command.patch \
5	file://use-pkg-config-to-locate-zlib.patch \	5	file://use-pkg-config-to-locate-zlib.patch \
6	file://0001-Use-correct-include-dir-with-minitasn.patch \	6	file://0001-Use-correct-include-dir-with-minitasn.patch \
		7	file://CVE-2016-7444.patch \
7	"	8	"
8	SRC_URI[md5sum] = "6c2c7f40ddf52933ee3ca474cb8cb63c"	9	SRC_URI[md5sum] = "6c2c7f40ddf52933ee3ca474cb8cb63c"
9	SRC_URI[sha256sum] = "92c4bc999a10a1b95299ebefaeea8333f19d8a98d957a35b5eae74881bdb1fef"	10	SRC_URI[sha256sum] = "92c4bc999a10a1b95299ebefaeea8333f19d8a98d957a35b5eae74881bdb1fef"