From 516129f7e77b1c7def4f3d8aa08d8673e4c4d69f Mon Sep 17 00:00:00 2001 From: Leo Date: Sun, 21 Jul 2019 17:18:53 -0300 Subject: main/libtasn1: fix CVE-2018-1000654 fixes #10521 --- main/libtasn1/APKBUILD | 10 +- main/libtasn1/CVE-2018-1000654.patch | 182 +++++++++++++++++++++++++++++++++++ 2 files changed, 189 insertions(+), 3 deletions(-) create mode 100644 main/libtasn1/CVE-2018-1000654.patch (limited to 'main') diff --git a/main/libtasn1/APKBUILD b/main/libtasn1/APKBUILD index f00bed5706..fecfe0bae2 100644 --- a/main/libtasn1/APKBUILD +++ b/main/libtasn1/APKBUILD @@ -2,20 +2,23 @@ # Maintainer: Natanael Copa pkgname=libtasn1 pkgver=4.12 -pkgrel=3 +pkgrel=4 pkgdesc="The ASN.1 library used in GNUTLS" url="https://www.gnu.org/software/gnutls/" arch="all" license="GPL3 LGPL" makedepends="texinfo" subpackages="$pkgname-dev $pkgname-doc" -source="ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz +source="http://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz CVE-2017-10790.patch CVE-2018-6003.patch + CVE-2018-1000654.patch " builddir="$srcdir/$pkgname-$pkgver" # secfixes: +# 4.12-r4: +# - CVE-2018-1000654 # 4.12-r3: # - CVE-2018-6003 # 4.12-r1: @@ -44,4 +47,5 @@ package() { } sha512sums="6c551670949881193e39122f72948e4999ff1ba377f9ee5963d0a4ad1b84256e4fe42e9f6d6a2aa9f7d4ef7acc0e5174fb5cc3df5298524cdeda92f4b8c104f7 libtasn1-4.12.tar.gz 8e9dad0a1ee7cb7a8ed3d2a60c1c1bcb3e1ef689dbd2879992d4098f36edbae3bb962b9c87a0a9a77335e83abf10fd72bd78bde99989421c35f4434a9e1d08cc CVE-2017-10790.patch -ab35a4aa314d02b1e7e93b1e5ae04138583274c6774447566e48dd03cf92db2c78760901da6a325b630b2525811c450e8ba180b4a4c188ae48cbaf94fc4c7d3d CVE-2018-6003.patch" +ab35a4aa314d02b1e7e93b1e5ae04138583274c6774447566e48dd03cf92db2c78760901da6a325b630b2525811c450e8ba180b4a4c188ae48cbaf94fc4c7d3d CVE-2018-6003.patch +c0bf6265c0318af0348d0ce24375977afd9abbce66683a1e7ddf06fea34d018aff6e0cbc670eb3097960bb9a6f9e1058eea457aabff3db74df3181e9a70c5b05 CVE-2018-1000654.patch" diff --git a/main/libtasn1/CVE-2018-1000654.patch b/main/libtasn1/CVE-2018-1000654.patch new file mode 100644 index 0000000000..9738995ffc --- /dev/null +++ b/main/libtasn1/CVE-2018-1000654.patch @@ -0,0 +1,182 @@ +diff --git a/lib/ASN1.c b/lib/ASN1.c +index 586dcca..47074f0 100644 +--- a/lib/ASN1.c ++++ b/lib/ASN1.c +@@ -2811,7 +2811,12 @@ asn1_parser2tree (const char *file, asn1_node * definitions, + /* Convert into DER coding the value assign to INTEGER constants */ + _asn1_change_integer_value (p_tree); + /* Expand the IDs of OBJECT IDENTIFIER constants */ +- _asn1_expand_object_id (p_tree); ++ result_parse = _asn1_expand_object_id (p_tree); ++ if (result_parse != ASN1_SUCCESS) ++ { ++ _asn1_delete_list_and_nodes (); ++ goto error; ++ } + + *definitions = p_tree; + } +@@ -2824,6 +2829,7 @@ asn1_parser2tree (const char *file, asn1_node * definitions, + _asn1_delete_list_and_nodes (); + } + ++ error: + _asn1_create_errorDescription (result_parse, error_desc); + + return result_parse; +diff --git a/lib/ASN1.y b/lib/ASN1.y +index 534a9f1..0b81b5b 100644 +--- a/lib/ASN1.y ++++ b/lib/ASN1.y +@@ -701,7 +701,9 @@ asn1_parser2tree (const char *file, asn1_node * definitions, + /* Convert into DER coding the value assign to INTEGER constants */ + _asn1_change_integer_value (p_tree); + /* Expand the IDs of OBJECT IDENTIFIER constants */ +- _asn1_expand_object_id (p_tree); ++ result_parse = _asn1_expand_object_id (p_tree); ++ if (result_parse != ASN1_SUCCESS) ++ goto error; + + *definitions = p_tree; + } +@@ -714,6 +716,7 @@ asn1_parser2tree (const char *file, asn1_node * definitions, + _asn1_delete_list_and_nodes (); + } + ++ error: + _asn1_create_errorDescription (result_parse, error_desc); + + return result_parse; +diff --git a/lib/errors.c b/lib/errors.c +index fef45ae..cee74da 100644 +--- a/lib/errors.c ++++ b/lib/errors.c +@@ -53,6 +53,7 @@ static const libtasn1_error_entry error_algorithms[] = { + LIBTASN1_ERROR_ENTRY (ASN1_ARRAY_ERROR), + LIBTASN1_ERROR_ENTRY (ASN1_ELEMENT_NOT_EMPTY), + LIBTASN1_ERROR_ENTRY (ASN1_TIME_ENCODING_ERROR), ++ LIBTASN1_ERROR_ENTRY (ASN1_RECURSION), + {0, 0} + }; + +diff --git a/lib/libtasn1.h b/lib/libtasn1.h +index ea26b78..8c757d6 100644 +--- a/lib/libtasn1.h ++++ b/lib/libtasn1.h +@@ -79,6 +79,7 @@ extern "C" + #define ASN1_ARRAY_ERROR 16 + #define ASN1_ELEMENT_NOT_EMPTY 17 + #define ASN1_TIME_ENCODING_ERROR 18 ++#define ASN1_RECURSION 19 + + /*************************************/ + /* Constants used in asn1_visit_tree */ +diff --git a/lib/parser_aux.c b/lib/parser_aux.c +index 786ea64..0090157 100644 +--- a/lib/parser_aux.c ++++ b/lib/parser_aux.c +@@ -516,6 +516,23 @@ _asn1_find_up (asn1_node node) + return p->left; + } + ++/******************************************************************/ ++/* Function : _asn1_delete_node_from_list */ ++/* Description: deletes the list element given */ ++/******************************************************************/ ++static void ++_asn1_delete_node_from_list (asn1_node node) ++{ ++ list_type *p = firstElement; ++ ++ while (p) ++ { ++ if (p->node == node) ++ p->node = NULL; ++ p = p->next; ++ } ++} ++ + /******************************************************************/ + /* Function : _asn1_delete_list */ + /* Description: deletes the list elements (not the elements */ +@@ -667,15 +684,15 @@ _asn1_change_integer_value (asn1_node node) + /* Parameters: */ + /* node: root of an ASN1 element. */ + /* Return: */ +-/* ASN1_ELEMENT_NOT_FOUND if NODE is NULL, */ +-/* otherwise ASN1_SUCCESS */ ++/* ASN1_ELEMENT_NOT_FOUND if NODE is NULL, */ ++/* otherwise ASN1_SUCCESS */ + /******************************************************************/ + int + _asn1_expand_object_id (asn1_node node) + { + asn1_node p, p2, p3, p4, p5; + char name_root[ASN1_MAX_NAME_SIZE], name2[2 * ASN1_MAX_NAME_SIZE + 1]; +- int move, tlen; ++ int move, tlen, tries; + + if (node == NULL) + return ASN1_ELEMENT_NOT_FOUND; +@@ -684,6 +701,7 @@ _asn1_expand_object_id (asn1_node node) + + p = node; + move = DOWN; ++ tries = 0; + + while (!((p == node) && (move == UP))) + { +@@ -707,6 +725,7 @@ _asn1_expand_object_id (asn1_node node) + || !(p3->type & CONST_ASSIGN)) + return ASN1_ELEMENT_NOT_FOUND; + _asn1_set_down (p, p2->right); ++ _asn1_delete_node_from_list(p2); + _asn1_remove_node (p2, 0); + p2 = p; + p4 = p3->down; +@@ -738,6 +757,11 @@ _asn1_expand_object_id (asn1_node node) + p4 = p4->right; + } + move = DOWN; ++ ++ tries++; ++ if (tries >= EXPAND_OBJECT_ID_MAX_RECURSION) ++ return ASN1_RECURSION; ++ + continue; + } + } +@@ -747,6 +771,7 @@ _asn1_expand_object_id (asn1_node node) + else + move = RIGHT; + ++ tries = 0; + if (move == DOWN) + { + if (p->down) +diff --git a/lib/parser_aux.h b/lib/parser_aux.h +index 9f91833..bb05ae8 100644 +--- a/lib/parser_aux.h ++++ b/lib/parser_aux.h +@@ -60,6 +60,7 @@ asn1_node _asn1_find_up (asn1_node node); + + int _asn1_change_integer_value (asn1_node node); + ++#define EXPAND_OBJECT_ID_MAX_RECURSION 16 + int _asn1_expand_object_id (asn1_node node); + + int _asn1_type_set_config (asn1_node node); +diff --git a/lib/structure.c b/lib/structure.c +index 01715b1..f6a93fa 100644 +--- a/lib/structure.c ++++ b/lib/structure.c +@@ -245,7 +245,7 @@ asn1_array2tree (const asn1_static_node * array, asn1_node * definitions, + if (result == ASN1_SUCCESS) + { + _asn1_change_integer_value (*definitions); +- _asn1_expand_object_id (*definitions); ++ result = _asn1_expand_object_id (*definitions); + } + } + else + -- cgit v1.2.3