Re: [PATCH][dizzy] gnutls: CVE-2015-3308

[akuster808 <akuster808@gmail.com>]

in my queue.

Thanks,
Armin

On 09/03/2015 04:53 AM, Sona Sarmadi wrote:
> Fixes use-after-free flaw in CRL distribution points parsing
> 
> Reference:
> https://gitlab.com/gnutls/gnutls/commit/d6972be33264ecc49a86cd0958209cd7363af1e9
> https://gitlab.com/gnutls/gnutls/commit/053ae65403216acdb0a4e78b25ad66ee9f444f02
> 
> http://www.openwall.com/lists/oss-security/2015/04/15/6
> 
> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
> ---
>  .../better-fix-for-double-free-CVE-2015-3308.patch | 65 ++++++++++++++++++++++
>  .../eliminated-double-free-CVE-2015-3308.patch     | 33 +++++++++++
>  meta/recipes-support/gnutls/gnutls_3.3.5.bb        |  2 +
>  3 files changed, 100 insertions(+)
>  create mode 100644 meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch
> 
> diff --git a/meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch b/meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch
> new file mode 100644
> index 0000000..8824729
> --- /dev/null
> +++ b/meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch
> @@ -0,0 +1,65 @@
> +From 053ae65403216acdb0a4e78b25ad66ee9f444f02 Mon Sep 17 00:00:00 2001
> +From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
> +Date: Sat, 28 Mar 2015 22:41:03 +0100
> +Subject: [PATCH] Better fix for the double free in dist point parsing
> +
> +Fixes CVE-2015-3308
> +Upstream-Status: Backport
> +
> +Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
> +---
> + lib/x509/x509_ext.c | 10 ++++++----
> + 1 file changed, 6 insertions(+), 4 deletions(-)
> +
> +diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
> +index 2e69ed0..f974b02 100644
> +--- a/lib/x509/x509_ext.c
> ++++ b/lib/x509/x509_ext.c
> +@@ -2287,7 +2287,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
> + 	int len, ret;
> + 	uint8_t reasons[2];
> + 	unsigned i, type, rflags, j;
> +-	gnutls_datum_t san;
> ++	gnutls_datum_t san = {NULL, 0};
> + 
> + 	result = asn1_create_element
> + 	    (_gnutls_get_pkix(), "PKIX1.CRLDistributionPoints", &c2);
> +@@ -2310,9 +2310,6 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
> + 
> + 	i = 0;
> + 	do {
> +-		san.data = NULL;
> +-		san.size = 0;
> +-
> + 		snprintf(name, sizeof(name), "?%u.reasons", (unsigned)i + 1);
> + 
> + 		len = sizeof(reasons);
> +@@ -2337,6 +2334,9 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
> + 
> + 		j = 0;
> + 		do {
> ++			san.data = NULL;
> ++			san.size = 0;
> ++
> + 			ret =
> + 			    _gnutls_parse_general_name2(c2, name, j, &san,
> + 							&type, 0);
> +@@ -2351,6 +2351,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
> + 			ret = crl_dist_points_set(cdp, type, &san, rflags);
> + 			if (ret < 0)
> + 				break;
> ++			san.data = NULL; /* it is now in cdp */
> + 
> + 			j++;
> + 		} while (ret >= 0);
> +@@ -2360,6 +2361,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
> + 
> + 	if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
> + 		gnutls_assert();
> ++		gnutls_free(san.data);
> + 		goto cleanup;
> + 	}
> + 
> +-- 
> +1.9.1
> +
> diff --git a/meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch b/meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch
> new file mode 100644
> index 0000000..628103f
> --- /dev/null
> +++ b/meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch
> @@ -0,0 +1,33 @@
> +From d6972be33264ecc49a86cd0958209cd7363af1e9 Mon Sep 17 00:00:00 2001
> +From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
> +Date: Mon, 23 Mar 2015 22:55:29 +0100
> +Subject: [PATCH] eliminated double-free in the parsing of dist points
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Reported by Robert Święcki.
> +
> +Fixes CVE-2015-3308
> +Upstream-Status: Backport
> +
> +Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
> +---
> + lib/x509/x509_ext.c | 1 -
> + 1 file changed, 1 deletion(-)
> +
> +diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
> +index c8d5867..6f09438 100644
> +--- a/lib/x509/x509_ext.c
> ++++ b/lib/x509/x509_ext.c
> +@@ -2360,7 +2360,6 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
> + 
> + 	if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
> + 		gnutls_assert();
> +-		gnutls_free(san.data);
> + 		goto cleanup;
> + 	}
> + 
> +-- 
> +1.9.1
> +
> diff --git a/meta/recipes-support/gnutls/gnutls_3.3.5.bb b/meta/recipes-support/gnutls/gnutls_3.3.5.bb
> index b3daa49..9f26470 100644
> --- a/meta/recipes-support/gnutls/gnutls_3.3.5.bb
> +++ b/meta/recipes-support/gnutls/gnutls_3.3.5.bb
> @@ -1,6 +1,8 @@
>  require gnutls.inc
>  
>  SRC_URI += "file://correct_rpl_gettimeofday_signature.patch \
> +            file://eliminated-double-free-CVE-2015-3308.patch \
> +            file://better-fix-for-double-free-CVE-2015-3308.patch \
>             "
>  
>  SRC_URI[md5sum] = "1f396dcf3c14ea67de7243821006d1a2"
> 
> 
>