From 649f78102222ec156d490968c13d3222379a1956 Mon Sep 17 00:00:00 2001 From: Yue Tao Date: Tue, 15 Aug 2017 02:55:23 -0700 Subject: libtasn1: CVE-2017-10790 The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure. It may lead to a remote denial of service attack. References: https://nvd.nist.gov/vuln/detail/CVE-2017-10790 http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commit; h=d8d805e1f2e6799bb2dff4871a8598dc83088a39 (From OE-Core rev: 6176151625c971de031e14c97601ffd75a29772f) Signed-off-by: Yue Tao Signed-off-by: Wenzong Fan Signed-off-by: Richard Purdie Signed-off-by: Armin Kuster --- .../gnutls/libtasn1/CVE-2017-10790.patch | 63 ++++++++++++++++++++++ meta/recipes-support/gnutls/libtasn1_4.10.bb | 1 + 2 files changed, 64 insertions(+) create mode 100644 meta/recipes-support/gnutls/libtasn1/CVE-2017-10790.patch diff --git a/meta/recipes-support/gnutls/libtasn1/CVE-2017-10790.patch b/meta/recipes-support/gnutls/libtasn1/CVE-2017-10790.patch new file mode 100644 index 0000000000..be843808a2 --- /dev/null +++ b/meta/recipes-support/gnutls/libtasn1/CVE-2017-10790.patch @@ -0,0 +1,63 @@ +From d8d805e1f2e6799bb2dff4871a8598dc83088a39 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Thu, 22 Jun 2017 16:31:37 +0200 +Subject: [PATCH] _asn1_check_identifier: safer access to values read + +Signed-off-by: Nikos Mavrogiannopoulos + +http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commit;h=d8d805e1f2e6799bb2dff4871a8598dc83088a39 +Upstream-Status: Backport + +CVE: CVE-2017-10790 + +Signed-off-by: Yue Tao +Signed-off-by: Wenzong Fan +--- + lib/parser_aux.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/lib/parser_aux.c b/lib/parser_aux.c +index 976ab38..786ea64 100644 +--- a/lib/parser_aux.c ++++ b/lib/parser_aux.c +@@ -955,7 +955,7 @@ _asn1_check_identifier (asn1_node node) + if (p2 == NULL) + { + if (p->value) +- _asn1_strcpy (_asn1_identifierMissing, p->value); ++ _asn1_str_cpy (_asn1_identifierMissing, sizeof(_asn1_identifierMissing), (char*)p->value); + else + _asn1_strcpy (_asn1_identifierMissing, "(null)"); + return ASN1_IDENTIFIER_NOT_FOUND; +@@ -968,9 +968,15 @@ _asn1_check_identifier (asn1_node node) + if (p2 && (type_field (p2->type) == ASN1_ETYPE_DEFAULT)) + { + _asn1_str_cpy (name2, sizeof (name2), node->name); +- _asn1_str_cat (name2, sizeof (name2), "."); +- _asn1_str_cat (name2, sizeof (name2), (char *) p2->value); +- _asn1_strcpy (_asn1_identifierMissing, p2->value); ++ if (p2->value) ++ { ++ _asn1_str_cat (name2, sizeof (name2), "."); ++ _asn1_str_cat (name2, sizeof (name2), (char *) p2->value); ++ _asn1_str_cpy (_asn1_identifierMissing, sizeof(_asn1_identifierMissing), (char*)p2->value); ++ } ++ else ++ _asn1_strcpy (_asn1_identifierMissing, "(null)"); ++ + p2 = asn1_find_node (node, name2); + if (!p2 || (type_field (p2->type) != ASN1_ETYPE_OBJECT_ID) || + !(p2->type & CONST_ASSIGN)) +@@ -990,7 +996,8 @@ _asn1_check_identifier (asn1_node node) + _asn1_str_cpy (name2, sizeof (name2), node->name); + _asn1_str_cat (name2, sizeof (name2), "."); + _asn1_str_cat (name2, sizeof (name2), (char *) p2->value); +- _asn1_strcpy (_asn1_identifierMissing, p2->value); ++ _asn1_str_cpy (_asn1_identifierMissing, sizeof(_asn1_identifierMissing), (char*)p2->value); ++ + p2 = asn1_find_node (node, name2); + if (!p2 || (type_field (p2->type) != ASN1_ETYPE_OBJECT_ID) + || !(p2->type & CONST_ASSIGN)) +-- +1.7.9.5 + diff --git a/meta/recipes-support/gnutls/libtasn1_4.10.bb b/meta/recipes-support/gnutls/libtasn1_4.10.bb index 33a768dae0..dfc7f12c2e 100644 --- a/meta/recipes-support/gnutls/libtasn1_4.10.bb +++ b/meta/recipes-support/gnutls/libtasn1_4.10.bb @@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \ SRC_URI = "${GNU_MIRROR}/libtasn1/libtasn1-${PV}.tar.gz \ file://dont-depend-on-help2man.patch \ file://0001-stdint.m4-reintroduce-GNULIB_OVERRIDES_WINT_T-check.patch \ + file://CVE-2017-10790.patch \ " DEPENDS = "bison-native" -- cgit 1.2.3-korg