1 files changed, 67 insertions, 0 deletions
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2021-20231.patch b/meta/recipes-support/gnutls/gnutls/CVE-2021-20231.patch
new file mode 100644
index 0000000000..6fe7a21e33
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2021-20231.patch
@@ -0,0 +1,67 @@
+From 15beb4b193b2714d88107e7dffca781798684e7e Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 29 Jan 2021 14:06:32 +0100
+Subject: [PATCH] key_share: avoid use-after-free around realloc
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+https://gitlab.com/gnutls/gnutls/-/commit/15beb4b193b2714d88107e7dffca781798684e7e
+Upstream-Status: Backport 
+CVE: CVE-2021-CVE-2021-20231
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ lib/ext/key_share.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c
+index ab8abf8fe6..a8c4bb5cff 100644
+--- a/lib/ext/key_share.c
+++ b/lib/ext/key_share.c
+@@ -664,14 +664,14 @@ key_share_send_params(gnutls_session_t session,
+ {
+        unsigned i;
+        int ret;
+-       unsigned char *lengthp;
+-       unsigned int cur_length;
+        unsigned int generated = 0;
+        const gnutls_group_entry_st *group;
+        const version_entry_st *ver;
+ 
+        /* this extension is only being sent on client side */
+        if (session->security_parameters.entity == GNUTLS_CLIENT) {
+               unsigned int length_pos;
+
+                ver = _gnutls_version_max(session);
+                if (unlikely(ver == NULL || ver->key_shares == 0))
+                        return 0;
+@@ -679,16 +679,13 @@ key_share_send_params(gnutls_session_t session,
+                if (!have_creds_for_tls13(session))
+                        return 0;
+ 
+-               /* write the total length later */
+-               lengthp = &extdata->data[extdata->length];
+               length_pos = extdata->length;
+ 
+                ret =
+                    _gnutls_buffer_append_prefix(extdata, 16, 0);
+                if (ret < 0)
+                        return gnutls_assert_val(ret);
+ 
+-               cur_length = extdata->length;
+-
+                if (session->internals.hsk_flags & HSK_HRR_RECEIVED) { /* we know the group */
+                        group = get_group(session);
+                        if (unlikely(group == NULL))
+@@ -736,7 +733,8 @@ key_share_send_params(gnutls_session_t session,
+                }
+ 
+                /* copy actual length */
+-               _gnutls_write_uint16(extdata->length - cur_length, lengthp);
+               _gnutls_write_uint16(extdata->length - length_pos - 2,
+                                    &extdata->data[length_pos]);
+ 
+        } else { /* server */
+                ver = get_version(session);
+-- 
+GitLab

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2021-20231.patch b/meta/recipes-support/gnutls/gnutls/CVE-2021-20231.patch new file mode 100644 index 0000000000..6fe7a21e33 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2021-20231.patch
@@ -0,0 +1,67 @@
	1	From 15beb4b193b2714d88107e7dffca781798684e7e Mon Sep 17 00:00:00 2001
	2	From: Daiki Ueno <ueno@gnu.org>
	3	Date: Fri, 29 Jan 2021 14:06:32 +0100
	4	Subject: [PATCH] key_share: avoid use-after-free around realloc
	5
	6	Signed-off-by: Daiki Ueno <ueno@gnu.org>
	7
	8	https://gitlab.com/gnutls/gnutls/-/commit/15beb4b193b2714d88107e7dffca781798684e7e
	9	Upstream-Status: Backport
	10	CVE: CVE-2021-CVE-2021-20231
	11	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	12	---
	13	lib/ext/key_share.c \| 12 +++++-------
	14	1 file changed, 5 insertions(+), 7 deletions(-)
	15
	16	diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c
	17	index ab8abf8fe6..a8c4bb5cff 100644
	18	--- a/lib/ext/key_share.c
	19	+++ b/lib/ext/key_share.c
	20	@@ -664,14 +664,14 @@ key_share_send_params(gnutls_session_t session,
	21	{
	22	unsigned i;
	23	int ret;
	24	- unsigned char *lengthp;
	25	- unsigned int cur_length;
	26	unsigned int generated = 0;
	27	const gnutls_group_entry_st *group;
	28	const version_entry_st *ver;
	29
	30	/* this extension is only being sent on client side */
	31	if (session->security_parameters.entity == GNUTLS_CLIENT) {
	32	+ unsigned int length_pos;
	33	+
	34	ver = _gnutls_version_max(session);
	35	if (unlikely(ver == NULL \|\| ver->key_shares == 0))
	36	return 0;
	37	@@ -679,16 +679,13 @@ key_share_send_params(gnutls_session_t session,
	38	if (!have_creds_for_tls13(session))
	39	return 0;
	40
	41	- /* write the total length later */
	42	- lengthp = &extdata->data[extdata->length];
	43	+ length_pos = extdata->length;
	44
	45	ret =
	46	_gnutls_buffer_append_prefix(extdata, 16, 0);
	47	if (ret < 0)
	48	return gnutls_assert_val(ret);
	49
	50	- cur_length = extdata->length;
	51	-
	52	if (session->internals.hsk_flags & HSK_HRR_RECEIVED) { /* we know the group */
	53	group = get_group(session);
	54	if (unlikely(group == NULL))
	55	@@ -736,7 +733,8 @@ key_share_send_params(gnutls_session_t session,
	56	}
	57
	58	/* copy actual length */
	59	- _gnutls_write_uint16(extdata->length - cur_length, lengthp);
	60	+ _gnutls_write_uint16(extdata->length - length_pos - 2,
	61	+ &extdata->data[length_pos]);
	62
	63	} else { /* server */
	64	ver = get_version(session);
	65	--
	66	GitLab
	67