Addressed various CVEs

Resolves: CVE-2017-5337, CVE-2017-5334, CVE-2017-5336, CVE-2017-5335
2017-01-11 17:08:37 +01:00 · 2017-01-11 17:08:37 +01:00 · 67c45431f3
parent b12702e198
commit 67c45431f3
2 changed files with 276 additions and 1 deletions
--- a/gnutls-3.4.17-various-flaws1.patch
+++ b/gnutls-3.4.17-various-flaws1.patch
@ -0,0 +1,270 @@
+diff --git a/lib/opencdk/pubkey.c b/lib/opencdk/pubkey.c
+index 6e753bd..da43129 100644
+--- a/lib/opencdk/pubkey.c
+++ b/lib/opencdk/pubkey.c
+@@ -518,6 +518,7 @@ u32 cdk_pk_get_keyid(cdk_pubkey_t pk, u32 * keyid)
+ {
+ 	u32 lowbits = 0;
+ 	byte buf[24];
+	int rc;
+ 
+ 	if (pk && (!pk->keyid[0] || !pk->keyid[1])) {
+ 		if (pk->version < 4 && is_RSA(pk->pubkey_algo)) {
+@@ -525,7 +526,12 @@ u32 cdk_pk_get_keyid(cdk_pubkey_t pk, u32 * keyid)
+ 			size_t n;
+ 
+ 			n = MAX_MPI_BYTES;
+-			_gnutls_mpi_print(pk->mpi[0], p, &n);
+			rc = _gnutls_mpi_print(pk->mpi[0], p, &n);
+			if (rc < 0 || n < 8) {
+				keyid[0] = keyid[1] = (u32)-1;
+				return (u32)-1;
+			}
+
+ 			pk->keyid[0] =
+ 			    p[n - 8] << 24 | p[n - 7] << 16 | p[n -
+ 								6] << 8 |
+diff --git a/lib/opencdk/read-packet.c b/lib/opencdk/read-packet.c
+index 932c95e..a9b9855 100644
+--- a/lib/opencdk/read-packet.c
+++ b/lib/opencdk/read-packet.c
+@@ -50,13 +50,13 @@ stream_read(cdk_stream_t s, void *buf, size_t buflen, size_t * r_nread)
+ static u32 read_32(cdk_stream_t s)
+ {
+ 	byte buf[4];
+-	size_t nread;
+	size_t nread = 0;
+ 
+ 	assert(s != NULL);
+ 
+ 	stream_read(s, buf, 4, &nread);
+ 	if (nread != 4)
+-		return (u32) - 1;
+		return (u32) -1;
+ 	return buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3];
+ }
+ 
+@@ -65,7 +65,7 @@ static u32 read_32(cdk_stream_t s)
+ static u16 read_16(cdk_stream_t s)
+ {
+ 	byte buf[2];
+-	size_t nread;
+	size_t nread = 0;
+ 
+ 	assert(s != NULL);
+ 
+@@ -477,44 +477,57 @@ read_attribute(cdk_stream_t inp, size_t pktlen, cdk_pkt_userid_t attr,
+ 		return CDK_Out_Of_Core;
+ 	rc = stream_read(inp, buf, pktlen, &nread);
+ 	if (rc) {
+-		cdk_free(buf);
+-		return CDK_Inv_Packet;
+		gnutls_assert();
+		rc = CDK_Inv_Packet;
+		goto error;
+ 	}
+ 	p = buf;
+ 	len = *p++;
+ 	pktlen--;
+ 	if (len == 255) {
+		if (pktlen < 4) {
+			gnutls_assert();
+			rc = CDK_Inv_Packet;
+			goto error;
+		}
+ 		len = _cdk_buftou32(p);
+ 		p += 4;
+ 		pktlen -= 4;
+ 	} else if (len >= 192) {
+ 		if (pktlen < 2) {
+-			cdk_free(buf);
+-			return CDK_Inv_Packet;
+			gnutls_assert();
+			rc = CDK_Inv_Packet;
+			goto error;
+ 		}
+ 		len = ((len - 192) << 8) + *p + 192;
+ 		p++;
+ 		pktlen--;
+ 	}
+ 
+-	if (*p != 1) {		/* Currently only 1, meaning an image, is defined. */
+-		cdk_free(buf);
+-		return CDK_Inv_Packet;
+	if (!len || *p != 1) {		/* Currently only 1, meaning an image, is defined. */
+		rc = CDK_Inv_Packet;
+		goto error;
+ 	}
+ 	p++;
+ 	len--;
+ 
+-	if (len >= pktlen)
+-		return CDK_Inv_Packet;
+	if (len >= pktlen) {
+		rc = CDK_Inv_Packet;
+		goto error;
+	}
+ 	attr->attrib_img = cdk_calloc(1, len);
+ 	if (!attr->attrib_img) {
+-		cdk_free(buf);
+-		return CDK_Out_Of_Core;
+		rc = CDK_Out_Of_Core;
+		goto error;
+ 	}
+ 	attr->attrib_len = len;
+ 	memcpy(attr->attrib_img, p, len);
+ 	cdk_free(buf);
+ 	return rc;
+
+ error:
+	cdk_free(buf);
+	return rc;
+ }
+ 
+ 
+@@ -547,7 +560,7 @@ read_user_id(cdk_stream_t inp, size_t pktlen, cdk_pkt_userid_t user_id)
+ static cdk_error_t
+ read_subpkt(cdk_stream_t inp, cdk_subpkt_t * r_ctx, size_t * r_nbytes)
+ {
+-	byte c, c1;
+	int c, c1;
+ 	size_t size, nread, n;
+ 	cdk_subpkt_t node;
+ 	cdk_error_t rc;
+@@ -562,11 +575,18 @@ read_subpkt(cdk_stream_t inp, cdk_subpkt_t * r_ctx, size_t * r_nbytes)
+ 	*r_nbytes = 0;
+ 	c = cdk_stream_getc(inp);
+ 	n++;
+
+ 	if (c == 255) {
+ 		size = read_32(inp);
+		if (size == (u32)-1)
+			return CDK_Inv_Packet;
+
+ 		n += 4;
+ 	} else if (c >= 192 && c < 255) {
+ 		c1 = cdk_stream_getc(inp);
+		if (c1 == EOF)
+			return CDK_Inv_Packet;
+
+ 		n++;
+ 		if (c1 == 0)
+ 			return 0;
+@@ -831,17 +851,29 @@ static void
+ read_old_length(cdk_stream_t inp, int ctb, size_t * r_len, size_t * r_size)
+ {
+ 	int llen = ctb & 0x03;
+	int c;
+ 
+ 	if (llen == 0) {
+-		*r_len = cdk_stream_getc(inp);
+		c = cdk_stream_getc(inp);
+		if (c == EOF)
+			goto fail;
+
+		*r_len = c;
+ 		(*r_size)++;
+ 	} else if (llen == 1) {
+ 		*r_len = read_16(inp);
+		if (*r_len == (u16)-1)
+			goto fail;
+ 		(*r_size) += 2;
+ 	} else if (llen == 2) {
+ 		*r_len = read_32(inp);
+		if (*r_len == (u32)-1) {
+			goto fail;
+		}
+
+ 		(*r_size) += 4;
+ 	} else {
+ fail:
+ 		*r_len = 0;
+ 		*r_size = 0;
+ 	}
+@@ -856,15 +888,25 @@ read_new_length(cdk_stream_t inp,
+ 	int c, c1;
+ 
+ 	c = cdk_stream_getc(inp);
+	if (c == EOF)
+		return;
+
+ 	(*r_size)++;
+ 	if (c < 192)
+ 		*r_len = c;
+ 	else if (c >= 192 && c <= 223) {
+ 		c1 = cdk_stream_getc(inp);
+		if (c1 == EOF)
+			return;
+
+ 		(*r_size)++;
+ 		*r_len = ((c - 192) << 8) + c1 + 192;
+ 	} else if (c == 255) {
+ 		*r_len = read_32(inp);
+		if (*r_len == (u32)-1) {
+			return;
+		}
+
+ 		(*r_size) += 4;
+ 	} else {
+ 		*r_len = 1 << (c & 0x1f);
+diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
+index 59c3b8e..9d93f0c 100644
+--- a/lib/x509/x509_ext.c
+++ b/lib/x509/x509_ext.c
+@@ -1415,7 +1415,8 @@ int gnutls_x509_ext_import_proxy(const gnutls_datum_t * ext, int *pathlen,
+ {
+ 	ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
+ 	int result;
+-	gnutls_datum_t value = { NULL, 0 };
+	gnutls_datum_t value1 = { NULL, 0 };
+	gnutls_datum_t value2 = { NULL, 0 };
+ 
+ 	if ((result = asn1_create_element
+ 	     (_gnutls_get_pkix(), "PKIX1.ProxyCertInfo",
+@@ -1445,20 +1446,18 @@ int gnutls_x509_ext_import_proxy(const gnutls_datum_t * ext, int *pathlen,
+ 	}
+ 
+ 	result = _gnutls_x509_read_value(c2, "proxyPolicy.policyLanguage",
+-					 &value);
+					 &value1);
+ 	if (result < 0) {
+ 		gnutls_assert();
+ 		goto cleanup;
+ 	}
+ 
+ 	if (policyLanguage) {
+-		*policyLanguage = (char *)value.data;
+-	} else {
+-		gnutls_free(value.data);
+-		value.data = NULL;
+		*policyLanguage = (char *)value1.data;
+		value1.data = NULL;
+ 	}
+ 
+-	result = _gnutls_x509_read_value(c2, "proxyPolicy.policy", &value);
+	result = _gnutls_x509_read_value(c2, "proxyPolicy.policy", &value2);
+ 	if (result == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) {
+ 		if (policy)
+ 			*policy = NULL;
+@@ -1469,16 +1468,17 @@ int gnutls_x509_ext_import_proxy(const gnutls_datum_t * ext, int *pathlen,
+ 		goto cleanup;
+ 	} else {
+ 		if (policy) {
+-			*policy = (char *)value.data;
+-			value.data = NULL;
+			*policy = (char *)value2.data;
+			value2.data = NULL;
+ 		}
+ 		if (sizeof_policy)
+-			*sizeof_policy = value.size;
+			*sizeof_policy = value2.size;
+ 	}
+ 
+ 	result = 0;
+  cleanup:
+-	gnutls_free(value.data);
+	gnutls_free(value1.data);
+	gnutls_free(value2.data);
+ 	asn1_delete_structure(&c2);
+ 
+ 	return result;
--- a/gnutls.spec
+++ b/gnutls.spec
@ -3,7 +3,7 @@
 Summary: A TLS protocol implementation
 Name: gnutls
 Version: 3.4.17
-Release: 1%{?dist}
+Release: 2%{?dist}
 # The libraries are LGPLv2.1+, utilities are GPLv3+
 License: GPLv3+ and LGPLv2+
 Group: System Environment/Libraries
@ -37,6 +37,7 @@ Patch1: gnutls-3.2.7-rpath.patch
 Patch3: gnutls-3.1.11-nosrp.patch
 Patch4: gnutls-3.4.1-default-policy.patch
 Patch5: gnutls-3.4.2-no-now-guile.patch
+Patch6: gnutls-3.4.17-various-flaws1.patch

 # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
 Provides: bundled(gnulib) = 20130424
@ -140,6 +141,7 @@ This package contains Guile bindings for the library.
 %patch3 -p1 -b .nosrp
 %patch4 -p1 -b .default-policy
 %patch5 -p1 -b .guile
+%patch6 -p1 -b .various-flaws

 sed 's/gnutls_srp.c//g' -i lib/Makefile.in
 sed 's/gnutls_srp.lo//g' -i lib/Makefile.in
@ -275,6 +277,9 @@ fi
 %endif

 %changelog
+* Wed Jan 11 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.4.17-2
+- Addressed various flaws (CVE-2017-5337, CVE-2017-5334, CVE-2017-5336, CVE-2017-5335)
+
 * Thu Dec  8 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.4.17-1
 - New upstream release