diff options
| author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-08-18 13:24:04 +0200 |
|---|---|---|
| committer | Adrian Dudau <adrian.dudau@enea.com> | 2017-08-21 10:55:46 +0200 |
| commit | 931b2732b5fb115a702bceb287cb9a3773f59877 (patch) | |
| tree | 3346824a700251bf859eee2b151bb474be6adf3d | |
| parent | 0ddff430004474009489094aa65e7679e26d35df (diff) | |
| download | meta-el-common-931b2732b5fb115a702bceb287cb9a3773f59877.tar.gz | |
gnutls: CVE-2017-7869
GnuTLS before 2017-02-20 has an out-of-bounds write caused by an integer
overflow and heap-based buffer overflow related to the cdk_pkt_read
function in opencdk/read-packet.c. This issue (which is a
subset of the vendor's GNUTLS-SA-2017-3 report) is fixed in 3.5.10.
This issue affects only applications which utilize the OpenPGP certificate
functionality of GnuTLS.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7869
Upstream patch:
https://gitlab.com/gnutls/gnutls/commit/51464af713d71802e3c6d5ac15f1a95132a354fe
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
| -rw-r--r-- | recipes-support/gnutls/gnutls/CVE-2017-7868.patch | 59 | ||||
| -rw-r--r-- | recipes-support/gnutls/gnutls_%.bbappend | 5 |
2 files changed, 64 insertions, 0 deletions
diff --git a/recipes-support/gnutls/gnutls/CVE-2017-7868.patch b/recipes-support/gnutls/gnutls/CVE-2017-7868.patch new file mode 100644 index 0000000..dca7861 --- /dev/null +++ b/recipes-support/gnutls/gnutls/CVE-2017-7868.patch | |||
| @@ -0,0 +1,59 @@ | |||
| 1 | From 51464af713d71802e3c6d5ac15f1a95132a354fe Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Nikos Mavrogiannopoulos <nmav@redhat.com> | ||
| 3 | Date: Mon, 20 Feb 2017 11:13:08 +0100 | ||
| 4 | Subject: [PATCH] cdk_pkt_read: enforce packet limits | ||
| 5 | |||
| 6 | That ensures that there are no overflows in the subsequent | ||
| 7 | calculations. | ||
| 8 | |||
| 9 | Resolves the oss-fuzz found bug: | ||
| 10 | https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420 | ||
| 11 | |||
| 12 | Relates: #159 | ||
| 13 | |||
| 14 | CVE: CVE-2017-7869 | ||
| 15 | Upstream-Status: Backport | ||
| 16 | |||
| 17 | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> | ||
| 18 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
| 19 | --- | ||
| 20 | lib/opencdk/read-packet.c | 9 +++++++++ | ||
| 21 | 1 file changed, 9 insertions(+) | ||
| 22 | |||
| 23 | diff --git a/lib/opencdk/read-packet.c b/lib/opencdk/read-packet.c | ||
| 24 | index 8055a63..ead6480 100644 | ||
| 25 | --- a/lib/opencdk/read-packet.c | ||
| 26 | +++ b/lib/opencdk/read-packet.c | ||
| 27 | @@ -950,6 +950,7 @@ static cdk_error_t skip_packet(cdk_stream_t inp, size_t pktlen) | ||
| 28 | return 0; | ||
| 29 | } | ||
| 30 | |||
| 31 | +#define MAX_PACKET_LEN (1<<24) | ||
| 32 | |||
| 33 | /** | ||
| 34 | * cdk_pkt_read: | ||
| 35 | @@ -1002,6 +1003,13 @@ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt) | ||
| 36 | else | ||
| 37 | read_old_length(inp, ctb, &pktlen, &pktsize); | ||
| 38 | |||
| 39 | + /* enforce limits to ensure that the following calculations | ||
| 40 | + * do not overflow */ | ||
| 41 | + if (pktlen >= MAX_PACKET_LEN || pktsize >= MAX_PACKET_LEN) { | ||
| 42 | + _cdk_log_info("cdk_pkt_read: too long packet\n"); | ||
| 43 | + return gnutls_assert_val(CDK_Inv_Packet); | ||
| 44 | + } | ||
| 45 | + | ||
| 46 | pkt->pkttype = pkttype; | ||
| 47 | pkt->pktlen = pktlen; | ||
| 48 | pkt->pktsize = pktsize + pktlen; | ||
| 49 | @@ -1026,6 +1034,7 @@ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt) | ||
| 50 | break; | ||
| 51 | |||
| 52 | case CDK_PKT_USER_ID: | ||
| 53 | + | ||
| 54 | pkt->pkt.user_id = cdk_calloc(1, sizeof *pkt->pkt.user_id | ||
| 55 | + pkt->pktlen + 1); | ||
| 56 | if (!pkt->pkt.user_id) | ||
| 57 | -- | ||
| 58 | libgit2 0.26.0 | ||
| 59 | |||
diff --git a/recipes-support/gnutls/gnutls_%.bbappend b/recipes-support/gnutls/gnutls_%.bbappend new file mode 100644 index 0000000..d2d927c --- /dev/null +++ b/recipes-support/gnutls/gnutls_%.bbappend | |||
| @@ -0,0 +1,5 @@ | |||
| 1 | # look for files in the layer first | ||
| 2 | FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" | ||
| 3 | |||
| 4 | SRC_URI += "file://CVE-2017-7868.patch \ | ||
| 5 | " | ||
