aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2015-09-03 13:53:34 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-09-19 11:52:50 +0100
commit75b25e7d463ed1af0fd9b3dd56e407e6e72b0f6a (patch)
treefc04f7fc0107e39cb3d29ac8d741f57c1b61d2c8
parentb708151b798013119cbc651cd11a534c0cb816af (diff)
downloadopenembedded-core-75b25e7d463ed1af0fd9b3dd56e407e6e72b0f6a.zip
openembedded-core-75b25e7d463ed1af0fd9b3dd56e407e6e72b0f6a.tar.gz
openembedded-core-75b25e7d463ed1af0fd9b3dd56e407e6e72b0f6a.tar.bz2
gnutls: CVE-2015-3308
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch65
-rw-r--r--meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch33
-rw-r--r--meta/recipes-support/gnutls/gnutls_3.3.5.bb2
3 files changed, 100 insertions, 0 deletions
diff --git a/meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch b/meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch
new file mode 100644
index 0000000..8824729
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch
@@ -0,0 +1,65 @@
+From 053ae65403216acdb0a4e78b25ad66ee9f444f02 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Sat, 28 Mar 2015 22:41:03 +0100
+Subject: [PATCH] Better fix for the double free in dist point parsing
+
+Fixes CVE-2015-3308
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ lib/x509/x509_ext.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
+index 2e69ed0..f974b02 100644
+--- a/lib/x509/x509_ext.c
++++ b/lib/x509/x509_ext.c
+@@ -2287,7 +2287,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+ int len, ret;
+ uint8_t reasons[2];
+ unsigned i, type, rflags, j;
+- gnutls_datum_t san;
++ gnutls_datum_t san = {NULL, 0};
+
+ result = asn1_create_element
+ (_gnutls_get_pkix(), "PKIX1.CRLDistributionPoints", &c2);
+@@ -2310,9 +2310,6 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+
+ i = 0;
+ do {
+- san.data = NULL;
+- san.size = 0;
+-
+ snprintf(name, sizeof(name), "?%u.reasons", (unsigned)i + 1);
+
+ len = sizeof(reasons);
+@@ -2337,6 +2334,9 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+
+ j = 0;
+ do {
++ san.data = NULL;
++ san.size = 0;
++
+ ret =
+ _gnutls_parse_general_name2(c2, name, j, &san,
+ &type, 0);
+@@ -2351,6 +2351,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+ ret = crl_dist_points_set(cdp, type, &san, rflags);
+ if (ret < 0)
+ break;
++ san.data = NULL; /* it is now in cdp */
+
+ j++;
+ } while (ret >= 0);
+@@ -2360,6 +2361,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+
+ if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+ gnutls_assert();
++ gnutls_free(san.data);
+ goto cleanup;
+ }
+
+--
+1.9.1
+
diff --git a/meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch b/meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch
new file mode 100644
index 0000000..d759b61
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch
@@ -0,0 +1,33 @@
+From d6972be33264ecc49a86cd0958209cd7363af1e9 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Mon, 23 Mar 2015 22:55:29 +0100
+Subject: [PATCH] eliminated double-free in the parsing of dist points
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reported by Robert ?wi?cki.
+
+Fixes CVE-2015-3308
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ lib/x509/x509_ext.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
+index c8d5867..6f09438 100644
+--- a/lib/x509/x509_ext.c
++++ b/lib/x509/x509_ext.c
+@@ -2360,7 +2360,6 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+
+ if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+ gnutls_assert();
+- gnutls_free(san.data);
+ goto cleanup;
+ }
+
+--
+1.9.1
+
diff --git a/meta/recipes-support/gnutls/gnutls_3.3.5.bb b/meta/recipes-support/gnutls/gnutls_3.3.5.bb
index b3daa49..9f26470 100644
--- a/meta/recipes-support/gnutls/gnutls_3.3.5.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.3.5.bb
@@ -1,6 +1,8 @@
require gnutls.inc
SRC_URI += "file://correct_rpl_gettimeofday_signature.patch \
+ file://eliminated-double-free-CVE-2015-3308.patch \
+ file://better-fix-for-double-free-CVE-2015-3308.patch \
"
SRC_URI[md5sum] = "1f396dcf3c14ea67de7243821006d1a2"