main/libtasn1: security fix for CVE-2017-6891. Fixes #7327

2 files changed, 52 insertions, 5 deletions

diff --git a/main/libtasn1/APKBUILD b/main/libtasn1/APKBUILD
index 847342cfc7..a94619b8da 100644
--- a/main/libtasn1/APKBUILD
+++ b/main/libtasn1/APKBUILD
@@ -2,16 +2,21 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libtasn1
 pkgver=4.10
-pkgrel=0
+pkgrel=1
 pkgdesc="The ASN.1 library used in GNUTLS"
 url="http://www.gnu.org/software/gnutls/"
 arch="all"
 license="GPL3 LGPL"
 makedepends="texinfo"
 subpackages="$pkgname-dev $pkgname-doc"
-source="ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz"
+source="ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz
+	CVE-2017-6891.patch"
 builddir="$srcdir/$pkgname-$pkgver"
 
+# secfixes:
+#   4.10-r1:
+#     - CVE-2017-6891
+
 build() {
 	cd "$builddir"
 	CFLAGS="-Wno-error=inline" ./configure \
@@ -30,6 +35,5 @@ package() {
 	make DESTDIR="$pkgdir" install || return 1
 }
 
-md5sums="f4faffdf63969d0e4e6df43b9679e8e5  libtasn1-4.10.tar.gz"
-sha256sums="681a4d9a0d259f2125713f2e5766c5809f151b3a1392fd91390f780b4b8f5a02  libtasn1-4.10.tar.gz"
-sha512sums="614e93128e6be8f46a2ad46e2a515e2edfb1f5a2e90c9e5da02d3afc0a882dc956632dd2b1eddd6b0e258e7b58a82d5d745d8ccd23120d94bb0af48132ed1a18  libtasn1-4.10.tar.gz"
+sha512sums="614e93128e6be8f46a2ad46e2a515e2edfb1f5a2e90c9e5da02d3afc0a882dc956632dd2b1eddd6b0e258e7b58a82d5d745d8ccd23120d94bb0af48132ed1a18  libtasn1-4.10.tar.gz
+82972045d29afe8b4a4e240ae45e6417de46f1057ba48026ba5ed5679054dbc469194a34ede9007925bf7bfbc91c93f31aafc1dcdac8ffc4d8c0798e08c7f880  CVE-2017-6891.patch"
diff --git a/main/libtasn1/CVE-2017-6891.patch b/main/libtasn1/CVE-2017-6891.patch
new file mode 100644
index 0000000000..320068b6de
--- /dev/null
+++ b/main/libtasn1/CVE-2017-6891.patch
@@ -0,0 +1,43 @@
+From 5520704d075802df25ce4ffccc010ba1641bd484 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Thu, 18 May 2017 18:03:34 +0200
+Subject: [PATCH] asn1_find_node: added safety check on asn1_find_node()
+
+This prevents a stack overflow in asn1_find_node() which
+is triggered by too long variable names in the definitions
+files. That means that applications have to deliberately
+pass a too long 'name' constant to asn1_write_value()
+and friends.  Reported by Jakub Jirasek.
+
+Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+---
+ lib/parser_aux.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/parser_aux.c b/lib/parser_aux.c
+index b4a7370..976ab38 100644
+--- a/lib/parser_aux.c
++++ b/lib/parser_aux.c
+@@ -120,6 +120,9 @@ asn1_find_node (asn1_node pointer, const char *name)
+       if (n_end)
+ 	{
+ 	  nsize = n_end - n_start;
++	  if (nsize >= sizeof(n))
++		return NULL;
++
+ 	  memcpy (n, n_start, nsize);
+ 	  n[nsize] = 0;
+ 	  n_start = n_end;
+@@ -158,6 +161,9 @@ asn1_find_node (asn1_node pointer, const char *name)
+       if (n_end)
+ 	{
+ 	  nsize = n_end - n_start;
++	  if (nsize >= sizeof(n))
++		return NULL;
++
+ 	  memcpy (n, n_start, nsize);
+ 	  n[nsize] = 0;
+ 	  n_start = n_end;
+-- 
+1.9.1
+