]> code.ossystems Code Review - openembedded-core.git/commitdiff
Code Review / openembedded-core.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: b708151)
gnutls: CVE-2015-3308
authorSona Sarmadi <sona.sarmadi@enea.com>
Thu, 3 Sep 2015 11:53:34 +0000 (13:53 +0200)
committerRichard Purdie <richard.purdie@linuxfoundation.org>
Sat, 19 Sep 2015 10:52:50 +0000 (11:52 +0100)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch [new file with mode: 0644] patch | blob
meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch [new file with mode: 0644] patch | blob
meta/recipes-support/gnutls/gnutls_3.3.5.bb patch | blob | history

diff --git a/meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch b/meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch
new file mode 100644 (file)
index 0000000..8824729
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch
@@ -0,0 +1,65 @@
+From 053ae65403216acdb0a4e78b25ad66ee9f444f02 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Sat, 28 Mar 2015 22:41:03 +0100
+Subject: [PATCH] Better fix for the double free in dist point parsing
+
+Fixes CVE-2015-3308
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ lib/x509/x509_ext.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
+index 2e69ed0..f974b02 100644
+--- a/lib/x509/x509_ext.c
++++ b/lib/x509/x509_ext.c
+@@ -2287,7 +2287,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+       int len, ret;
+       uint8_t reasons[2];
+       unsigned i, type, rflags, j;
+-      gnutls_datum_t san;
++      gnutls_datum_t san = {NULL, 0};
+       result = asn1_create_element
+           (_gnutls_get_pkix(), "PKIX1.CRLDistributionPoints", &c2);
+@@ -2310,9 +2310,6 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+       i = 0;
+       do {
+-              san.data = NULL;
+-              san.size = 0;
+-
+               snprintf(name, sizeof(name), "?%u.reasons", (unsigned)i + 1);
+               len = sizeof(reasons);
+@@ -2337,6 +2334,9 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+               j = 0;
+               do {
++                      san.data = NULL;
++                      san.size = 0;
++
+                       ret =
+                           _gnutls_parse_general_name2(c2, name, j, &san,
+                                                       &type, 0);
+@@ -2351,6 +2351,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+                       ret = crl_dist_points_set(cdp, type, &san, rflags);
+                       if (ret < 0)
+                               break;
++                      san.data = NULL; /* it is now in cdp */
+                       j++;
+               } while (ret >= 0);
+@@ -2360,6 +2361,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+       if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+               gnutls_assert();
++              gnutls_free(san.data);
+               goto cleanup;
+       }
+-- 
+1.9.1
+
diff --git a/meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch b/meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch
new file mode 100644 (file)
index 0000000..d759b61
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch
@@ -0,0 +1,33 @@
+From d6972be33264ecc49a86cd0958209cd7363af1e9 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Mon, 23 Mar 2015 22:55:29 +0100
+Subject: [PATCH] eliminated double-free in the parsing of dist points
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reported by Robert ?wi?cki.
+
+Fixes CVE-2015-3308
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ lib/x509/x509_ext.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
+index c8d5867..6f09438 100644
+--- a/lib/x509/x509_ext.c
++++ b/lib/x509/x509_ext.c
+@@ -2360,7 +2360,6 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+       if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+               gnutls_assert();
+-              gnutls_free(san.data);
+               goto cleanup;
+       }
+-- 
+1.9.1
+
diff --git a/meta/recipes-support/gnutls/gnutls_3.3.5.bb b/meta/recipes-support/gnutls/gnutls_3.3.5.bb
index b3daa49249ed33d212392f4b9f7d97e26d5106e8..9f26470f418c25de21a818cf18ee6239aa6da75c 100644 (file)
--- a/meta/recipes-support/gnutls/gnutls_3.3.5.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.3.5.bb
@@ -1,6 +1,8 @@
 require gnutls.inc
 
 SRC_URI += "file://correct_rpl_gettimeofday_signature.patch \
+            file://eliminated-double-free-CVE-2015-3308.patch \
+            file://better-fix-for-double-free-CVE-2015-3308.patch \
            "
 
 SRC_URI[md5sum] = "1f396dcf3c14ea67de7243821006d1a2"
Mirror of the official openembedded-core repository