Commit e7062334 authored by Leonardo Arena

main/gnutls: upgrade to 3.4.17. Security fixes #7419 (CVE-2017-7507)

parent c391ebdf
......@@ -2,7 +2,7 @@
# Contributor: Michael Mason <ms13sp@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=gnutls
pkgver=3.4.15
pkgver=3.4.17
pkgrel=0
pkgdesc="A TLS protocol implementation"
url="http://www.gnutls.org/"
......@@ -18,10 +18,17 @@ case $pkgver in
*.*.*.*) _v=${_v%.*};;
esac
source="ftp://ftp.gnutls.org/gcrypt/gnutls/v${_v}/$pkgname-$pkgver.tar.xz
CVE-2017-7507-1.patch
CVE-2017-7507-2.patch
CVE-2017-7507-3.patch
"
_builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
# 3.14.17-r1:
# - CVE-2017-7507
prepare() {
cd "$_builddir"
for i in $source; do
......@@ -69,3 +76,15 @@ xx() {
md5sums="4ea5b239bd8bf1b734dda02997b36459 gnutls-3.4.15.tar.xz"
sha256sums="eb2a013905f5f2a0cbf7bcc1d20c85a50065063ee87bd33b496c4e19815e3498 gnutls-3.4.15.tar.xz"
sha512sums="03157f2da22890ecd080ad58144a9aabe933382c0b7e969b7b194a0248bb5e6e25207078c0a92755650d0004970eb1c0cf0140dbdbf2e615808f9978e965a5e5 gnutls-3.4.15.tar.xz"
md5sums="03ea7575a43f58964635a5064cce4dc0 gnutls-3.4.17.tar.xz
28aefc8e42aab54e74a822ff0c853cd3 CVE-2017-7507-1.patch
8a1c1a0973acd3e9a1dfe47570e10a24 CVE-2017-7507-2.patch
c1d5e149d8ea74256dc07b9c3e125a90 CVE-2017-7507-3.patch"
sha256sums="9b50e8a670d5e950425d96935c7ddd415eb6f8079615a36df425f09a3143172e gnutls-3.4.17.tar.xz
0832efdec6e96f71100ed9061a07650ad957d35ebd75915427f4f9c8410bb6e6 CVE-2017-7507-1.patch
82be76e052c1b923dec9b1fc0c5976985d7333d22da5bf14ba5ad6c04c600354 CVE-2017-7507-2.patch
17a1e102b1dec536384922ac68ee68017a46c3251b34c1d45d122b815ac2c308 CVE-2017-7507-3.patch"
sha512sums="a0a578034e8092dd422dc310a655fda3c4a2de5cb06745d9b47bb39734cb983902553b56dfbbabc618b3824defc62489b1b3c8de3b824b97b28273ddedd06ea7 gnutls-3.4.17.tar.xz
7eb981825ea242eda606e0d679aa3a6f6be91835d8828a4ff86e750db71e639869dfc6106be98af92c3963ab5b16ead0d3f135aac186ad4280c2f8f4ca7dec7e CVE-2017-7507-1.patch
d7b14a6da31bb07358850e6e78e9de8db6ae08c85b60dc25c784457a09557044a0a5bb5b5304399ce994447a4cd0b92efe8c01892652aae799ec68f5792f52e5 CVE-2017-7507-2.patch
b67445ede75441e7cee35435292f5345636d90c8ebdb72e03c2658836605b56c3fc85304f650a5bd1984d937bba747839d44c1ae39ddb3ef7f7c39181443be8f CVE-2017-7507-3.patch"
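Review bot: The secfixes entry added as `# 3.14.17-r1:` does not match the package it annotates — this APKBUILD sets `pkgver=3.4.17` and `pkgrel=0`, so the key should read `# 3.4.17-r0:`. The secfixes block is presumably what downstream security tracking reads, so a mistyped version would leave CVE-2017-7507 unrecorded as fixed for this package even though the patches are applied. As a minor point, the tarball and the three patches are fetched over unauthenticated `ftp://`; that is only acceptable because the sha256sums/sha512sums pin every file, so keep the checksums in step whenever these sources change.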
From 4c4d35264fada08b6536425c051fb8e0b05ee86b Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Wed, 24 May 2017 10:46:03 +0200
Subject: [PATCH] ext/status_request: ensure response IDs are properly deinitialized
That is, do not attempt to loop through the array if there is no array
allocated.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
---
lib/ext/status_request.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c
index f5a46dc..049d852 100644
--- a/lib/ext/status_request.c
+++ b/lib/ext/status_request.c
@@ -69,7 +69,10 @@ typedef struct {
static void deinit_responder_id(status_request_ext_st *priv)
{
-unsigned i;
+ unsigned i;
+
+ if (priv->responder_id == NULL)
+ return;
for (i = 0; i < priv->responder_id_size; i++)
gnutls_free(priv->responder_id[i].data);
@@ -135,6 +138,7 @@ server_recv(gnutls_session_t session,
{
size_t i;
ssize_t data_size = size;
+ unsigned responder_ids = 0;
/* minimum message is type (1) + responder_id_list (2) +
request_extension (2) = 5 */
@@ -153,23 +157,24 @@ server_recv(gnutls_session_t session,
DECR_LEN(data_size, 1);
data++;
- priv->responder_id_size = _gnutls_read_uint16(data);
+ responder_ids = _gnutls_read_uint16(data);
DECR_LEN(data_size, 2);
data += 2;
- if (data_size <= (ssize_t) (priv->responder_id_size * 2))
+ if (data_size <= (ssize_t) (responder_ids * 2))
return
gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
- if (priv->responder_id != NULL)
- deinit_responder_id(priv);
+ deinit_responder_id(priv);
- priv->responder_id = gnutls_calloc(1, priv->responder_id_size
+ priv->responder_id = gnutls_calloc(1, responder_ids
* sizeof(*priv->responder_id));
if (priv->responder_id == NULL)
return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ priv->responder_id_size = responder_ids;
+
for (i = 0; i < priv->responder_id_size; i++) {
size_t l;
--
libgit2 0.25.0
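Review bot: In the server_recv hunk, `gnutls_calloc(1, responder_ids * sizeof(*priv->responder_id))` is reached even when the peer sends an empty responder_id_list (`responder_ids == 0`), and a zero-byte allocation is permitted to return NULL on some allocators, which would turn an ordinary ClientHello into GNUTLS_E_MEMORY_ERROR. Wrapping the allocation and the `priv->responder_id_size = responder_ids;` assignment in `if (responder_ids > 0) { ... }` avoids that; the loop already does nothing for a zero count. This only matters if this patch is applied on its own, since the second patch in this commit removes the parsing entirely. server_recv continues past the end of the hunk.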
diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c
index 45281af..5abc3a4 100644
--- a/lib/ext/status_request.c
+++ b/lib/ext/status_request.c
@@ -66,21 +66,6 @@ typedef struct {
opaque Extensions<0..2^16-1>;
*/
-static void deinit_responder_id(status_request_ext_st *priv)
-{
- unsigned i;
-
- if (priv->responder_id == NULL)
- return;
-
- for (i = 0; i < priv->responder_id_size; i++)
- gnutls_free(priv->responder_id[i].data);
-
- gnutls_free(priv->responder_id);
- priv->responder_id = NULL;
- priv->responder_id_size = 0;
-}
-
static int
client_send(gnutls_session_t session,
@@ -135,9 +120,8 @@ server_recv(gnutls_session_t session,
status_request_ext_st * priv,
const uint8_t * data, size_t size)
{
- size_t i;
ssize_t data_size = size;
- unsigned responder_ids = 0;
+ unsigned rid_bytes = 0;
/* minimum message is type (1) + responder_id_list (2) +
request_extension (2) = 5 */
@@ -156,44 +140,17 @@ server_recv(gnutls_session_t session,
DECR_LEN(data_size, 1);
data++;
- responder_ids = _gnutls_read_uint16(data);
+ rid_bytes = _gnutls_read_uint16(data);
DECR_LEN(data_size, 2);
- data += 2;
+ /*data += 2;*/
- if (data_size <= (ssize_t) (responder_ids * 2))
+ /* sanity check only, we don't use any of the data below */
+
+ if (data_size < (ssize_t)rid_bytes)
return
gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
- deinit_responder_id(priv);
-
- priv->responder_id = gnutls_calloc(1, responder_ids
- * sizeof(*priv->responder_id));
- if (priv->responder_id == NULL)
- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
-
- priv->responder_id_size = responder_ids;
-
- for (i = 0; i < priv->responder_id_size; i++) {
- size_t l;
-
- DECR_LEN(data_size, 2);
-
- l = _gnutls_read_uint16(data);
- data += 2;
-
- DECR_LEN(data_size, l);
-
- priv->responder_id[i].data = gnutls_malloc(l);
- if (priv->responder_id[i].data == NULL)
- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
-
- memcpy(priv->responder_id[i].data, data, l);
- priv->responder_id[i].size = l;
-
- data += l;
- }
-
return 0;
}
@@ -477,11 +434,18 @@ gnutls_certificate_set_ocsp_status_request_file
static void _gnutls_status_request_deinit_data(extension_priv_data_t epriv)
{
status_request_ext_st *priv = epriv;
+ unsigned i;
if (priv == NULL)
return;
- deinit_responder_id(priv);
+ if (priv->responder_id != NULL) {
+ for (i = 0; i < priv->responder_id_size; i++)
+ gnutls_free(priv->responder_id[i].data);
+
+ gnutls_free(priv->responder_id);
+ }
+
gnutls_free(priv->request_extensions.data);
gnutls_free(priv->response.data);
gnutls_free(priv);
--
2.11.2
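Review bot: The server_recv hunk leaves `/*data += 2;*/` behind as commented-out code; since nothing after the list length is consumed any more, drop the line and let the `sanity check only` comment carry the explanation for why the pointer is not advanced. The check itself, `if (data_size < (ssize_t)rid_bytes)`, still accepts a message whose responder_id_list fills every remaining byte with no room for the 2-byte `Extensions<0..2^16-1>` length the struct comment above documents; if the intent is to reject malformed extensions rather than merely bound the list, `if (data_size < (ssize_t)rid_bytes + 2)` is the strict form, though as written the leniency is harmless because no data past the check is used. Leaving the field unparsed does mean a server can no longer observe what responder IDs a client asked for, which appears to be the intent of the change.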
From e1d6c59a7b0392fb3b8b75035614084a53e2c8c9 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Wed, 24 May 2017 11:48:24 +0200
Subject: [PATCH] gnutls_ocsp_status_request_enable_client: documented requirements for parameters
That is, the fact that extensions and responder_id parameters must be
allocated, and are assigned to the session.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
---
lib/ext/status_request.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c
index e16b15c..5459270 100644
--- a/lib/ext/status_request.c
+++ b/lib/ext/status_request.c
@@ -294,9 +294,15 @@ _gnutls_status_request_recv_params(gnutls_session_t session,
*
* This function is to be used by clients to request OCSP response
* from the server, using the "status_request" TLS extension. Only
- * OCSP status type is supported. A typical server has a single
- * OCSP response cached, so @responder_id and @extensions
- * should be null.
+ * OCSP status type is supported.
+ *
+ * The @responder_id array, its containing elements as well as
+ * the data of @extensions, must be allocated using gnutls_malloc(). They
+ * will be deinitialized on session cleanup.
+ *
+ * Due to the difficult semantics of the @responder_id and @extensions
+ * parameters, it is recommended to only call this function with these
+ * parameters set to %NULL.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
* otherwise a negative error code is returned.
--
libgit2 0.25.0
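Review bot: The new paragraph says the @responder_id and @extensions buffers `will be deinitialized on session cleanup` but never spells out the consequence for the caller, which is the point that prevents a double free: ownership passes to the session and the caller must not free or reuse them afterwards. Suggest appending ` Ownership of both is transferred to @session; the caller must not free or modify them after this call.` to that paragraph. It would also help to state what `its containing elements` means for @responder_id — presumably each element's data pointer, since the session deinit path frees `responder_id[i].data` — but that is inferred from another patch in this commit rather than shown here.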