From 90425002c408b60bf68ded2924a337eb15487e47 Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Wed, 13 May 2015 08:47:28 +0000
Subject: main/libtasn1: security fix for CVE-2015-2806 fixes #4159
---
 main/libtasn1/APKBUILD | 26 +++++++++++++-----
 main/libtasn1/CVE-2015-2806.patch | 55 +++++++++++++++++++++++++++++++++++++++
 main/libtasn1/CVE-2015-3622.patch | 44 +++++++++++++++++++++++++++++++
 3 files changed, 119 insertions(+), 6 deletions(-)
 create mode 100644 main/libtasn1/CVE-2015-2806.patch
 create mode 100644 main/libtasn1/CVE-2015-3622.patch
diff --git a/main/libtasn1/APKBUILD b/main/libtasn1/APKBUILD
index 57a969fa7b..79e4d0afb9 100644
--- a/main/libtasn1/APKBUILD
+++ b/main/libtasn1/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa
 pkgname=libtasn1
 pkgver=3.6
-pkgrel=0
+pkgrel=1
 pkgdesc="The ASN.1 library used in GNUTLS"
 url="http://www.gnu.org/software/gnutls/"
 arch="all"
@@ -10,10 +10,21 @@ subpackages="$pkgname-dev $pkgname-doc"
 depends=
 makedepends="texinfo"
 install=
-source="ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz"
+source="ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz
+ CVE-2015-2806.patch
+ "
 _builddir="$srcdir"/$pkgname-$pkgver
-build() {
+prepare() {
+ cd "$_builddir"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+}
+
+build() {
 cd "$_builddir"
 ./configure --prefix=/usr || return 1
 make || return 1
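Review bot: `source=` in this hunk lists only `CVE-2015-2806.patch`, and the checksum hunk that follows (`md5sums`/`sha256sums`/`sha512sums`) covers only that file, so the `*.patch` loop in `prepare()` never applies `CVE-2015-3622.patch` even though this commit adds it to the tree. If that fix is meant to ship, add `CVE-2015-3622.patch` to `source=` and regenerate the three checksum lists. If it is deliberately left out (for instance because it does not apply to 3.6, which cannot be confirmed from this page), say so in the commit message or drop the file, so that its presence is not read as CVE-2015-3622 being fixed in `pkgrel=1`. The body of `build()` continues outside the hunk.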
@@ -24,6 +35,9 @@ package() {
 make DESTDIR="$pkgdir" install || return 1
 rm "$pkgdir"/usr/lib/*.la || return 1
 }
-md5sums="6ed38e161e11013054f2a2bb4c4da449 libtasn1-3.6.tar.gz"
-sha256sums="19e34766a38abc74cec1863cc30c8a4e13f763310ecaf7a5e861ba1d143ea430 libtasn1-3.6.tar.gz"
-sha512sums="c682cd7502c687e3a304216366fdbb9de62052cb5f3394bbe1172ccb5eae8fd00bbf7282ad642c58a6be5f1ad224353a4a3f7d9a6bad14ab7016d530883a5d9e libtasn1-3.6.tar.gz"
+md5sums="6ed38e161e11013054f2a2bb4c4da449 libtasn1-3.6.tar.gz
+4a0e850f458a1ae1a94f419e47e2390b CVE-2015-2806.patch"
+sha256sums="19e34766a38abc74cec1863cc30c8a4e13f763310ecaf7a5e861ba1d143ea430 libtasn1-3.6.tar.gz
+203076736bcac3e31bc0f6e2c6b16db28d0e66e9e734656d27d2ee938443f4c2 CVE-2015-2806.patch"
+sha512sums="c682cd7502c687e3a304216366fdbb9de62052cb5f3394bbe1172ccb5eae8fd00bbf7282ad642c58a6be5f1ad224353a4a3f7d9a6bad14ab7016d530883a5d9e libtasn1-3.6.tar.gz
+7107e5a25208118994f508731f0d219734dc1f61d3ae991d6bacdcacf5759dbecf21b10e2ff49b7dc9f22af405fcd7480feeb93cc5d2854ff9311497431ca9f8 CVE-2015-2806.patch"
diff --git a/main/libtasn1/CVE-2015-2806.patch b/main/libtasn1/CVE-2015-2806.patch
new file mode 100644
index 0000000000..43ba6e4b89
--- /dev/null
+++ b/main/libtasn1/CVE-2015-2806.patch
@@ -0,0 +1,55 @@
+From 4d4f992826a4962790ecd0cce6fbba4a415ce149 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Thu, 26 Mar 2015 18:34:57 +0100
+Subject: [PATCH] increased size of LTOSTR_MAX_SIZE to account for sign and null byte
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+This address an overflow found by Hanno Böck in DER decoding.
+---
+ lib/parser_aux.c | 4 ++--
+ lib/parser_aux.h | 5 +++--
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/lib/parser_aux.c b/lib/parser_aux.c
+index d3e9009..da9a388 100644
+--- a/lib/parser_aux.c
++++ b/lib/parser_aux.c
+@@ -543,7 +543,7 @@ _asn1_delete_list_and_nodes (void)
+
+
+ char *
+-_asn1_ltostr (long v, char *str)
++_asn1_ltostr (long v, char str[LTOSTR_MAX_SIZE])
+ {
+ long d, r;
+ char temp[LTOSTR_MAX_SIZE];
+@@ -567,7 +567,7 @@ _asn1_ltostr (long v, char *str)
+ count++;
+ v = d;
+ }
+- while (v);
++ while (v && ((start+count) < LTOSTR_MAX_SIZE-1));
+
+ for (k = 0; k < count; k++)
+ str[k + start] = temp[start + count - k - 1];
+diff --git a/lib/parser_aux.h b/lib/parser_aux.h
+index 55d9061..437f1c8 100644
+--- a/lib/parser_aux.h
++++ b/lib/parser_aux.h
+@@ -52,8 +52,9 @@ void _asn1_delete_list (void);
+
+ void _asn1_delete_list_and_nodes (void);
+
+-#define LTOSTR_MAX_SIZE 20
+-char *_asn1_ltostr (long v, char *str);
++/* Max 64-bit integer length is 20 chars + 1 for sign + 1 for null termination */
++#define LTOSTR_MAX_SIZE 22
++char *_asn1_ltostr (long v, char str[LTOSTR_MAX_SIZE]);
+
+ asn1_node _asn1_find_up (asn1_node node);
+
+--
+1.7.2.5
+
diff --git a/main/libtasn1/CVE-2015-3622.patch b/main/libtasn1/CVE-2015-3622.patch
new file mode 100644
index 0000000000..b14b042983
--- /dev/null
+++ b/main/libtasn1/CVE-2015-3622.patch
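Review bot: The new parameter form `char str[LTOSTR_MAX_SIZE]` on `_asn1_ltostr` (definition in lib/parser_aux.c, prototype in lib/parser_aux.h) documents the required buffer size but does not enforce it, because an array parameter decays to `char *` and a caller passing a smaller buffer still compiles cleanly. The call sites are not part of this patch, so each one should be checked to size its buffer with `LTOSTR_MAX_SIZE` rather than a literal; where the project's C dialect allows it, `char str[static LTOSTR_MAX_SIZE]` lets some compilers diagnose an undersized array. The added bound `(start+count) < LTOSTR_MAX_SIZE-1` ends the loop silently and would appear to drop the most significant digits if it ever triggered, so a comment such as `/* defensive: truncates instead of overflowing temp[] */` at that line would make the intent explicit. The function body between the two parser_aux.c hunks is not shown.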
@@ -0,0 +1,44 @@
+From f979435823a02f842c41d49cd41cc81f25b5d677 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Mon, 20 Apr 2015 14:56:27 +0200
+Subject: [PATCH] _asn1_extract_der_octet: prevent past of boundary access
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Reported by Hanno Böck.
+---
+ lib/decoding.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/lib/decoding.c b/lib/decoding.c
+index 7fbd931..42ddc6b 100644
+--- a/lib/decoding.c
++++ b/lib/decoding.c
+@@ -732,6 +732,7 @@ _asn1_extract_der_octet (asn1_node node, const unsigned char *der,
+ return ASN1_DER_ERROR;
+
+ counter = len3 + 1;
++ DECR_LEN(der_len, len3);
+
+ if (len2 == -1)
+ counter_end = der_len - 2;
+@@ -740,6 +741,7 @@ _asn1_extract_der_octet (asn1_node node, const unsigned char *der,
+
+ while (counter < counter_end)
+ {
++ DECR_LEN(der_len, 1);
+ len2 = asn1_get_length_der (der + counter, der_len, &len3);
+
+ if (IS_ERR(len2, flags))
+@@ -764,7 +766,6 @@ _asn1_extract_der_octet (asn1_node node, const unsigned char *der,
+ len2 = 0;
+ }
+
+- DECR_LEN(der_len, 1);
+ counter += len2 + len3 + 1;
+ }
+
+--
+1.7.2.5
+
-- cgit v1.2.3
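Review bot: After the added `DECR_LEN(der_len, len3);` in the first lib/decoding.c hunk, the unchanged line `counter_end = der_len - 2;` is computed from the already reduced length while `counter` is still an offset from the start of `der`, so in the `len2 == -1` branch the loop bound now sits `len3` bytes earlier than before the change. If that is intended, a comment at that line stating that `der_len` holds the remaining length from this point on would prevent a later reader from "fixing" it; if not, the bound should be derived from the original length. The lines between the second and third hunk are not shown, so whether `der_len` is also reduced by `len2 + len3` per iteration to stay in step with `counter += len2 + len3 + 1;` cannot be confirmed from this page.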