authorLeo <thinkabit.ukim@gmail.com>2019-07-21 17:18:53 -0300
committerNatanael Copa <ncopa@alpinelinux.org>2019-07-24 10:01:10 +0200
commit516129f7e77b1c7def4f3d8aa08d8673e4c4d69f (patch)
treee221f088cb9d8536b3476f8d4d0e3165ffb9dc92 /main
parent5752dce56c5b51a712767fdf310254e6782c50b7 (diff)
main/libtasn1: fix CVE-2018-1000654
fixes #10521
Diffstat (limited to 'main')
-rw-r--r--main/libtasn1/APKBUILD10
-rw-r--r--main/libtasn1/CVE-2018-1000654.patch182
2 files changed, 189 insertions, 3 deletions
diff --git a/main/libtasn1/APKBUILD b/main/libtasn1/APKBUILD
index f00bed5706..fecfe0bae2 100644
--- a/main/libtasn1/APKBUILD
+++ b/main/libtasn1/APKBUILD
@@ -2,20 +2,23 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libtasn1
pkgver=4.12
-pkgrel=3
+pkgrel=4
pkgdesc="The ASN.1 library used in GNUTLS"
url="https://www.gnu.org/software/gnutls/"
arch="all"
license="GPL3 LGPL"
makedepends="texinfo"
subpackages="$pkgname-dev $pkgname-doc"
-source="ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz
+source="http://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz
CVE-2017-10790.patch
CVE-2018-6003.patch
+ CVE-2018-1000654.patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 4.12-r4:
+# - CVE-2018-1000654
# 4.12-r3:
# - CVE-2018-6003
# 4.12-r1:
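Review bot: The `source=` line swaps ftp for plain `http://`, which is still an unauthenticated transport; `source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz` would be the better replacement. The sha512sums entry further down pins the tarball, so a tampered download fails verification at build time. That pin only helps while the checksum itself came from a trusted fetch, so a later checksum refresh over http would accept whatever the network delivered.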
@@ -44,4 +47,5 @@ package() {
}
sha512sums="6c551670949881193e39122f72948e4999ff1ba377f9ee5963d0a4ad1b84256e4fe42e9f6d6a2aa9f7d4ef7acc0e5174fb5cc3df5298524cdeda92f4b8c104f7 libtasn1-4.12.tar.gz
8e9dad0a1ee7cb7a8ed3d2a60c1c1bcb3e1ef689dbd2879992d4098f36edbae3bb962b9c87a0a9a77335e83abf10fd72bd78bde99989421c35f4434a9e1d08cc CVE-2017-10790.patch
-ab35a4aa314d02b1e7e93b1e5ae04138583274c6774447566e48dd03cf92db2c78760901da6a325b630b2525811c450e8ba180b4a4c188ae48cbaf94fc4c7d3d CVE-2018-6003.patch"
+ab35a4aa314d02b1e7e93b1e5ae04138583274c6774447566e48dd03cf92db2c78760901da6a325b630b2525811c450e8ba180b4a4c188ae48cbaf94fc4c7d3d CVE-2018-6003.patch
+c0bf6265c0318af0348d0ce24375977afd9abbce66683a1e7ddf06fea34d018aff6e0cbc670eb3097960bb9a6f9e1058eea457aabff3db74df3181e9a70c5b05 CVE-2018-1000654.patch"
diff --git a/main/libtasn1/CVE-2018-1000654.patch b/main/libtasn1/CVE-2018-1000654.patch
new file mode 100644
index 0000000000..9738995ffc
--- /dev/null
+++ b/main/libtasn1/CVE-2018-1000654.patch
@@ -0,0 +1,182 @@
+diff --git a/lib/ASN1.c b/lib/ASN1.c
+index 586dcca..47074f0 100644
+--- a/lib/ASN1.c
++++ b/lib/ASN1.c
+@@ -2811,7 +2811,12 @@ asn1_parser2tree (const char *file, asn1_node * definitions,
+ /* Convert into DER coding the value assign to INTEGER constants */
+ _asn1_change_integer_value (p_tree);
+ /* Expand the IDs of OBJECT IDENTIFIER constants */
+- _asn1_expand_object_id (p_tree);
++ result_parse = _asn1_expand_object_id (p_tree);
++ if (result_parse != ASN1_SUCCESS)
++ {
++ _asn1_delete_list_and_nodes ();
++ goto error;
++ }
+
+ *definitions = p_tree;
+ }
+@@ -2824,6 +2829,7 @@ asn1_parser2tree (const char *file, asn1_node * definitions,
+ _asn1_delete_list_and_nodes ();
+ }
+
++ error:
+ _asn1_create_errorDescription (result_parse, error_desc);
+
+ return result_parse;
+diff --git a/lib/ASN1.y b/lib/ASN1.y
+index 534a9f1..0b81b5b 100644
+--- a/lib/ASN1.y
++++ b/lib/ASN1.y
+@@ -701,7 +701,9 @@ asn1_parser2tree (const char *file, asn1_node * definitions,
+ /* Convert into DER coding the value assign to INTEGER constants */
+ _asn1_change_integer_value (p_tree);
+ /* Expand the IDs of OBJECT IDENTIFIER constants */
+- _asn1_expand_object_id (p_tree);
++ result_parse = _asn1_expand_object_id (p_tree);
++ if (result_parse != ASN1_SUCCESS)
++ goto error;
+
+ *definitions = p_tree;
+ }
+@@ -714,6 +716,7 @@ asn1_parser2tree (const char *file, asn1_node * definitions,
+ _asn1_delete_list_and_nodes ();
+ }
+
++ error:
+ _asn1_create_errorDescription (result_parse, error_desc);
+
+ return result_parse;
+diff --git a/lib/errors.c b/lib/errors.c
+index fef45ae..cee74da 100644
+--- a/lib/errors.c
++++ b/lib/errors.c
+@@ -53,6 +53,7 @@ static const libtasn1_error_entry error_algorithms[] = {
+ LIBTASN1_ERROR_ENTRY (ASN1_ARRAY_ERROR),
+ LIBTASN1_ERROR_ENTRY (ASN1_ELEMENT_NOT_EMPTY),
+ LIBTASN1_ERROR_ENTRY (ASN1_TIME_ENCODING_ERROR),
++ LIBTASN1_ERROR_ENTRY (ASN1_RECURSION),
+ {0, 0}
+ };
+
+diff --git a/lib/libtasn1.h b/lib/libtasn1.h
+index ea26b78..8c757d6 100644
+--- a/lib/libtasn1.h
++++ b/lib/libtasn1.h
+@@ -79,6 +79,7 @@ extern "C"
+ #define ASN1_ARRAY_ERROR 16
+ #define ASN1_ELEMENT_NOT_EMPTY 17
+ #define ASN1_TIME_ENCODING_ERROR 18
++#define ASN1_RECURSION 19
+
+ /*************************************/
+ /* Constants used in asn1_visit_tree */
+diff --git a/lib/parser_aux.c b/lib/parser_aux.c
+index 786ea64..0090157 100644
+--- a/lib/parser_aux.c
++++ b/lib/parser_aux.c
+@@ -516,6 +516,23 @@ _asn1_find_up (asn1_node node)
+ return p->left;
+ }
+
++/******************************************************************/
++/* Function : _asn1_delete_node_from_list */
++/* Description: deletes the list element given */
++/******************************************************************/
++static void
++_asn1_delete_node_from_list (asn1_node node)
++{
++ list_type *p = firstElement;
++
++ while (p)
++ {
++ if (p->node == node)
++ p->node = NULL;
++ p = p->next;
++ }
++}
++
+ /******************************************************************/
+ /* Function : _asn1_delete_list */
+ /* Description: deletes the list elements (not the elements */
+@@ -667,15 +684,15 @@ _asn1_change_integer_value (asn1_node node)
+ /* Parameters: */
+ /* node: root of an ASN1 element. */
+ /* Return: */
+-/* ASN1_ELEMENT_NOT_FOUND if NODE is NULL, */
+-/* otherwise ASN1_SUCCESS */
++/* ASN1_ELEMENT_NOT_FOUND if NODE is NULL, */
++/* otherwise ASN1_SUCCESS */
+ /******************************************************************/
+ int
+ _asn1_expand_object_id (asn1_node node)
+ {
+ asn1_node p, p2, p3, p4, p5;
+ char name_root[ASN1_MAX_NAME_SIZE], name2[2 * ASN1_MAX_NAME_SIZE + 1];
+- int move, tlen;
++ int move, tlen, tries;
+
+ if (node == NULL)
+ return ASN1_ELEMENT_NOT_FOUND;
+@@ -684,6 +701,7 @@ _asn1_expand_object_id (asn1_node node)
+
+ p = node;
+ move = DOWN;
++ tries = 0;
+
+ while (!((p == node) && (move == UP)))
+ {
+@@ -707,6 +725,7 @@ _asn1_expand_object_id (asn1_node node)
+ || !(p3->type & CONST_ASSIGN))
+ return ASN1_ELEMENT_NOT_FOUND;
+ _asn1_set_down (p, p2->right);
++ _asn1_delete_node_from_list(p2);
+ _asn1_remove_node (p2, 0);
+ p2 = p;
+ p4 = p3->down;
+@@ -738,6 +757,11 @@ _asn1_expand_object_id (asn1_node node)
+ p4 = p4->right;
+ }
+ move = DOWN;
++
++ tries++;
++ if (tries >= EXPAND_OBJECT_ID_MAX_RECURSION)
++ return ASN1_RECURSION;
++
+ continue;
+ }
+ }
+@@ -747,6 +771,7 @@ _asn1_expand_object_id (asn1_node node)
+ else
+ move = RIGHT;
+
++ tries = 0;
+ if (move == DOWN)
+ {
+ if (p->down)
+diff --git a/lib/parser_aux.h b/lib/parser_aux.h
+index 9f91833..bb05ae8 100644
+--- a/lib/parser_aux.h
++++ b/lib/parser_aux.h
+@@ -60,6 +60,7 @@ asn1_node _asn1_find_up (asn1_node node);
+
+ int _asn1_change_integer_value (asn1_node node);
+
++#define EXPAND_OBJECT_ID_MAX_RECURSION 16
+ int _asn1_expand_object_id (asn1_node node);
+
+ int _asn1_type_set_config (asn1_node node);
+diff --git a/lib/structure.c b/lib/structure.c
+index 01715b1..f6a93fa 100644
+--- a/lib/structure.c
++++ b/lib/structure.c
+@@ -245,7 +245,7 @@ asn1_array2tree (const asn1_static_node * array, asn1_node * definitions,
+ if (result == ASN1_SUCCESS)
+ {
+ _asn1_change_integer_value (*definitions);
+- _asn1_expand_object_id (*definitions);
++ result = _asn1_expand_object_id (*definitions);
+ }
+ }
+ else
+
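Review bot: The new failure branch in asn1_parser2tree is not the same in the two copies: lib/ASN1.c calls `_asn1_delete_list_and_nodes ();` before `goto error;`, while lib/ASN1.y jumps straight to `error`. A parser regenerated from the grammar would therefore appear to skip the cleanup and leave the partially expanded tree and the node list allocated on the error path; adding the same `_asn1_delete_list_and_nodes ();` call to the .y branch keeps them in step. The header comment of `_asn1_expand_object_id` is only re-indented and still lists ASN1_ELEMENT_NOT_FOUND and ASN1_SUCCESS as the sole results; it should gain a line such as `/* ASN1_RECURSION if expansion exceeds EXPAND_OBJECT_ID_MAX_RECURSION */`. The description of `_asn1_delete_node_from_list` says it deletes the list element, but the loop only sets `p->node = NULL`; wording like `/* Description: clears list entries that point at NODE so it is not freed twice */` would match the code. Both function bodies continue outside the hunks shown, so how the remaining paths free memory cannot be confirmed from here.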