diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2013-04-11 13:10:14 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-04-11 13:28:14 +0000 |
commit | 47656f3ce258fd3968b8f4dc2c27c2fa4e71a70d (patch) | |
tree | 1a7e73b6231545f5a2d492ec887cb4ac3dbab03d | |
parent | ce3adccd9865fd634d89940731b9c81c178a9b4c (diff) | |
download | aports-47656f3ce258fd3968b8f4dc2c27c2fa4e71a70d.tar.bz2 aports-47656f3ce258fd3968b8f4dc2c27c2fa4e71a70d.tar.xz |
main/gnutls: security fix (CVE-2013-1619)
Patch from ubuntu:
https://launchpadlibrarian.net/132499561/gnutls26_2.10.5-1ubuntu3.2_2.10.5-1ubuntu3.3.diff.gz
fixes #1657
-rw-r--r-- | main/gnutls/APKBUILD | 10 | ||||
-rw-r--r-- | main/gnutls/CVE-2011-4128.patch | 24 | ||||
-rw-r--r-- | main/gnutls/CVE-2012-1573.patch | 27 | ||||
-rw-r--r-- | main/gnutls/CVE-2013-1619.patch | 178 | ||||
-rw-r--r-- | main/gnutls/cve-2012-1573.patch | 22 |
5 files changed, 236 insertions, 25 deletions
diff --git a/main/gnutls/APKBUILD b/main/gnutls/APKBUILD index 4eb2c53630..31999f7f6a 100644 --- a/main/gnutls/APKBUILD +++ b/main/gnutls/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=gnutls pkgver=2.10.5 -pkgrel=3 +pkgrel=4 pkgdesc="A library which provides a secure connection" url="http://www.gnu.org/software/gnutls/" arch="all" @@ -13,7 +13,9 @@ makedepends="$depends_dev perl" install= subpackages="$pkgname-doc $pkgname-dev" source="http://ftp.gnu.org/pub/gnu/gnutls/$pkgname-$pkgver.tar.bz2 - cve-2012-1573.patch + CVE-2011-4128.patch + CVE-2012-1573.patch + CVE-2013-1619.patch " prepare() { @@ -42,4 +44,6 @@ package() { } md5sums="1b032e07ccd22f71a5df78aa73bd91f2 gnutls-2.10.5.tar.bz2 -b37bbb419598cf04d3cc9b9d9d5dd79e cve-2012-1573.patch" +fce93a1175f9af9bc8db02e4fe2eeabf CVE-2011-4128.patch +6c3fbdd0fe2cb7519284350363edc432 CVE-2012-1573.patch +846e66213a5b854053151f1ef8e6f097 CVE-2013-1619.patch" diff --git a/main/gnutls/CVE-2011-4128.patch b/main/gnutls/CVE-2011-4128.patch new file mode 100644 index 0000000000..2e9c5f88a9 --- /dev/null +++ b/main/gnutls/CVE-2011-4128.patch @@ -0,0 +1,24 @@ +Description: Check buffer size passed in from caller prior to overwriting it +Origin: upstream, http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=190cef6eed37d0e73a73c1e205eb31d45ab60a3c +Origin: upstream, http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=e82ef4545e9e98cbcb032f55d7c750b81e3a0450 + +Index: gnutls26-2.10.5/lib/gnutls_session.c +=================================================================== +--- gnutls26-2.10.5.orig/lib/gnutls_session.c 2010-08-01 15:37:30.000000000 -0500 ++++ gnutls26-2.10.5/lib/gnutls_session.c 2012-04-04 03:25:20.382796666 -0500 +@@ -65,13 +65,14 @@ + gnutls_assert (); + return ret; + } +- *session_data_size = psession.size; + + if (psession.size > *session_data_size) + { ++ *session_data_size = psession.size; + ret = GNUTLS_E_SHORT_MEMORY_BUFFER; + goto error; + } ++ *session_data_size = psession.size; + + if (session_data != NULL) + memcpy (session_data, psession.data, psession.size); diff --git a/main/gnutls/CVE-2012-1573.patch b/main/gnutls/CVE-2012-1573.patch new file mode 100644 index 0000000000..4cd5fe9ff8 --- /dev/null +++ b/main/gnutls/CVE-2012-1573.patch @@ -0,0 +1,27 @@ +Description: Validate record size when parsing GenericBlockCipher structure +Origin: backport, http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commit;h=422214868061370aeeb0ac9cd0f021a5c350a57d + +Index: gnutls26-2.10.5/lib/gnutls_cipher.c +=================================================================== +--- gnutls26-2.10.5.orig/lib/gnutls_cipher.c 2012-04-04 04:17:33.902871139 -0500 ++++ gnutls26-2.10.5/lib/gnutls_cipher.c 2012-04-04 04:17:56.666871679 -0500 +@@ -515,14 +515,13 @@ + { + ciphertext.size -= blocksize; + ciphertext.data += blocksize; +- +- if (ciphertext.size == 0) +- { +- gnutls_assert (); +- return GNUTLS_E_DECRYPTION_FAILED; +- } + } + ++ if (ciphertext.size < hash_size) ++ { ++ gnutls_assert (); ++ return GNUTLS_E_DECRYPTION_FAILED; ++ } + pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */ + + if ((int) pad > (int) ciphertext.size - hash_size) diff --git a/main/gnutls/CVE-2013-1619.patch b/main/gnutls/CVE-2013-1619.patch new file mode 100644 index 0000000000..7b9938c600 --- /dev/null +++ b/main/gnutls/CVE-2013-1619.patch @@ -0,0 +1,178 @@ +Description: fix "Lucky Thirteen" timing side-channel TLS attack +Origin: backport, https://gitorious.org/gnutls/gnutls/commit/7b65049a81ea02a92fef934318a680afd55e98d2 +Origin: backport, https://gitorious.org/gnutls/gnutls/commit/458c67cf98740e7b12404f6c30e0d5317d56fd30 +Origin: backport, https://gitorious.org/gnutls/gnutls/commit/93b7fcfa3297a9123630704668b2946f602b910e + +Index: gnutls26-2.10.5/lib/gnutls_cipher.c +=================================================================== +--- gnutls26-2.10.5.orig/lib/gnutls_cipher.c 2013-02-25 11:52:27.670965684 -0500 ++++ gnutls26-2.10.5/lib/gnutls_cipher.c 2013-02-25 12:04:38.642984400 -0500 +@@ -447,6 +447,49 @@ + return length; + } + ++static void dummy_wait(gnutls_session_t session, gnutls_datum_t* plaintext, ++ unsigned pad_failed, unsigned int pad, unsigned total, int ver) ++{ ++ /* this hack is only needed on CBC ciphers */ ++ if (_gnutls_cipher_is_block (session->security_parameters.read_bulk_cipher_algorithm) == CIPHER_BLOCK) ++ { ++ uint8_t MAC[MAX_HASH_SIZE]; ++ unsigned len; ++ digest_hd_st td; ++ int ret; ++ ++ ret = mac_init (&td, session->security_parameters.read_mac_algorithm, ++ session->connection_state.read_mac_secret.data, ++ session->connection_state.read_mac_secret.size, ver); ++ ++ if (ret < 0) ++ return; ++ ++ /* force an additional hash compression function evaluation to prevent timing ++ * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad. ++ */ ++ if (pad_failed == 0 && pad > 0) ++ { ++ len = _gnutls_get_hash_block_len(session->security_parameters.read_mac_algorithm); ++ if (len > 0) ++ { ++ /* This is really specific to the current hash functions. ++ * It should be removed once a protocol fix is in place. ++ */ ++ if ((pad+total) % len > len-9 && total % len <= len-9) ++ { ++ if (len < plaintext->size) ++ mac_hash (&td, plaintext->data, len, ver); ++ else ++ mac_hash (&td, plaintext->data, plaintext->size, ver); ++ } ++ } ++ } ++ ++ mac_deinit (&td, MAC, ver); ++ } ++} ++ + /* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size. + * Returns the actual compressed packet size. + */ +@@ -458,12 +501,12 @@ + { + uint8_t MAC[MAX_HASH_SIZE]; + uint16_t c_length; +- uint8_t pad; ++ unsigned int pad = 0; + int length; + uint16_t blocksize; + int ret, i, pad_failed = 0; + opaque preamble[PREAMBLE_SIZE]; +- int preamble_size; ++ int preamble_size = 0; + int ver = gnutls_protocol_get_version (session); + int hash_size = + _gnutls_hash_get_algo_len (session-> +@@ -522,31 +565,23 @@ + gnutls_assert (); + return GNUTLS_E_DECRYPTION_FAILED; + } +- pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */ ++ pad = ciphertext.data[ciphertext.size - 1]; /* pad */ + +- if ((int) pad > (int) ciphertext.size - hash_size) +- { +- gnutls_assert (); +- _gnutls_record_log +- ("REC[%p]: Short record length %d > %d - %d (under attack?)\n", +- session, pad, ciphertext.size, hash_size); +- /* We do not fail here. We check below for the +- * the pad_failed. If zero means success. +- */ +- pad_failed = GNUTLS_E_DECRYPTION_FAILED; +- } +- +- length = ciphertext.size - hash_size - pad; +- +- /* Check the pading bytes (TLS 1.x) ++ /* Check the pading bytes (TLS 1.x). ++ * Note that we access all 256 bytes of ciphertext for padding check ++ * because there is a timing channel in that memory access (in certain CPUs). + */ + if (_gnutls_version_has_variable_padding (ver) && pad_failed == 0) +- for (i = 2; i < pad; i++) ++ for (i = 2; i <= pad; i++) + { +- if (ciphertext.data[ciphertext.size - i] != +- ciphertext.data[ciphertext.size - 1]) ++ if (ciphertext.data[ciphertext.size - i] != pad) + pad_failed = GNUTLS_E_DECRYPTION_FAILED; + } ++ ++ if (pad_failed) ++ pad = 0; ++ length = ciphertext.size - hash_size - pad - 1; ++ + break; + default: + gnutls_assert (); +@@ -585,24 +620,19 @@ + mac_deinit (&td, MAC, ver); + } + +- /* This one was introduced to avoid a timing attack against the TLS +- * 1.0 protocol. +- */ +- if (pad_failed != 0) +- { +- gnutls_assert (); +- return pad_failed; +- } +- + /* HMAC was not the same. + */ +- if (memcmp (MAC, &ciphertext.data[length], hash_size) != 0) ++ if (memcmp (MAC, &ciphertext.data[length], hash_size) != 0 || pad_failed != 0) + { ++ gnutls_datum_t compressed = {compress_data, compress_size}; ++ /* HMAC was not the same. */ ++ dummy_wait(session, &compressed, pad_failed, pad, length+preamble_size, ver); ++ + gnutls_assert (); + return GNUTLS_E_DECRYPTION_FAILED; + } + +- /* copy the decrypted stuff to compress_data. ++ /* copy the decrypted stuff to compressed_data. + */ + if (compress_size < length) + { +Index: gnutls26-2.10.5/lib/gnutls_hash_int.h +=================================================================== +--- gnutls26-2.10.5.orig/lib/gnutls_hash_int.h 2013-02-25 11:52:27.670965684 -0500 ++++ gnutls26-2.10.5/lib/gnutls_hash_int.h 2013-02-25 11:52:27.666965683 -0500 +@@ -98,4 +98,25 @@ + + int _gnutls_hash_copy (digest_hd_st * dst_handle, digest_hd_st * src_handle); + ++/* We shouldn't need to know that, but a work-around in decoding ++ * TLS record padding requires that. ++ */ ++inline static size_t ++_gnutls_get_hash_block_len (gnutls_digest_algorithm_t algo) ++{ ++ switch (algo) ++ { ++ case GNUTLS_DIG_MD5: ++ case GNUTLS_DIG_SHA1: ++ case GNUTLS_DIG_RMD160: ++ case GNUTLS_DIG_SHA256: ++ case GNUTLS_DIG_SHA384: ++ case GNUTLS_DIG_SHA512: ++ case GNUTLS_DIG_SHA224: ++ return 64; ++ default: ++ return 0; ++ } ++} ++ + #endif /* GNUTLS_HASH_INT_H */ diff --git a/main/gnutls/cve-2012-1573.patch b/main/gnutls/cve-2012-1573.patch deleted file mode 100644 index b377c391c2..0000000000 --- a/main/gnutls/cve-2012-1573.patch +++ /dev/null @@ -1,22 +0,0 @@ ---- ./lib/gnutls_cipher.c.orig -+++ ./lib/gnutls_cipher.c -@@ -515,14 +515,13 @@ - { - ciphertext.size -= blocksize; - ciphertext.data += blocksize; -- -- if (ciphertext.size == 0) -- { -- gnutls_assert (); -- return GNUTLS_E_DECRYPTION_FAILED; -- } - } - -+ if (ciphertext.size < hash_size) -+ { -+ gnutls_assert (); -+ return GNUTLS_E_DECRYPTION_FAILED; -+ } - pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */ - - if ((int) pad > (int) ciphertext.size - hash_size) |