From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:35697) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ekd7v-0002l8-Gc for guix-patches@gnu.org; Sat, 10 Feb 2018 16:56:09 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ekd7s-00041f-0P for guix-patches@gnu.org; Sat, 10 Feb 2018 16:56:07 -0500 Received: from debbugs.gnu.org ([208.118.235.43]:57640) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1ekd7r-00041R-S7 for guix-patches@gnu.org; Sat, 10 Feb 2018 16:56:03 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1ekd7r-00050Q-Ig for guix-patches@gnu.org; Sat, 10 Feb 2018 16:56:03 -0500 Subject: [bug#30416] [PATCH] gnu: libtasn1: Fix CVE-2018-6003. Resent-Message-ID: Received: from eggs.gnu.org ([2001:4830:134:3::10]:34749) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ekd6j-0002G8-2R for guix-patches@gnu.org; Sat, 10 Feb 2018 16:54:54 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ekd6f-0002x9-Jw for guix-patches@gnu.org; Sat, 10 Feb 2018 16:54:53 -0500 Received: from out2-smtp.messagingengine.com ([66.111.4.26]:44615) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ekd6f-0002wg-DJ for guix-patches@gnu.org; Sat, 10 Feb 2018 16:54:49 -0500 Received: from jasmine.lan (c-76-124-202-137.hsd1.pa.comcast.net [76.124.202.137]) by mail.messagingengine.com (Postfix) with ESMTPA id 4DF1A7E0FD for ; Sat, 10 Feb 2018 16:54:48 -0500 (EST) From: Leo Famulari Date: Sat, 10 Feb 2018 16:54:44 -0500 Message-Id: List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: 30416@debbugs.gnu.org * gnu/packages/patches/libtasn1-CVE-2018-6003.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/tls.scm (libtasn1/fixed)[source]: Use it. --- gnu/local.mk | 1 + gnu/packages/patches/libtasn1-CVE-2018-6003.patch | 73 +++++++++++++++++++++++ gnu/packages/tls.scm | 3 +- 3 files changed, 76 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/libtasn1-CVE-2018-6003.patch diff --git a/gnu/local.mk b/gnu/local.mk index eb968dede..9b32e5880 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -852,6 +852,7 @@ dist_patch_DATA = \ %D%/packages/patches/libssh2-fix-build-failure-with-gcrypt.patch \ %D%/packages/patches/libtar-CVE-2013-4420.patch \ %D%/packages/patches/libtasn1-CVE-2017-10790.patch \ + %D%/packages/patches/libtasn1-CVE-2018-6003.patch \ %D%/packages/patches/libtheora-config-guess.patch \ %D%/packages/patches/libtiff-CVE-2016-10688.patch \ %D%/packages/patches/libtiff-CVE-2017-9936.patch \ diff --git a/gnu/packages/patches/libtasn1-CVE-2018-6003.patch b/gnu/packages/patches/libtasn1-CVE-2018-6003.patch new file mode 100644 index 000000000..3e6140518 --- /dev/null +++ b/gnu/packages/patches/libtasn1-CVE-2018-6003.patch @@ -0,0 +1,73 @@ +Fix CVE-2018-6003: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6003 +https://lists.gnu.org/archive/html/help-libtasn1/2018-01/msg00000.html + +Patch copied from upstream source repository: + +https://gitlab.com/gnutls/libtasn1/commit/c593ae84cfcde8fea45787e53950e0ac71e9ca97 + +From c593ae84cfcde8fea45787e53950e0ac71e9ca97 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Thu, 4 Jan 2018 10:52:05 +0100 +Subject: [PATCH] _asn1_decode_simple_ber: restrict the levels of recursion to 3 + +On indefinite string decoding, setting a maximum level of recursions +protects the BER decoder from a stack exhaustion due to large amounts +of recursion. + +Signed-off-by: Nikos Mavrogiannopoulos +--- + lib/decoding.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/lib/decoding.c b/lib/decoding.c +index 2240b09..0ee35d3 100644 +--- a/lib/decoding.c ++++ b/lib/decoding.c +@@ -45,6 +45,13 @@ + + #define DECODE_FLAG_HAVE_TAG 1 + #define DECODE_FLAG_INDEFINITE (1<<1) ++/* On indefinite string decoding, allow this maximum levels ++ * of recursion. Allowing infinite recursion, makes the BER ++ * decoder susceptible to stack exhaustion due to that recursion. ++ */ ++#define DECODE_FLAG_LEVEL1 (1<<2) ++#define DECODE_FLAG_LEVEL2 (1<<3) ++#define DECODE_FLAG_LEVEL3 (1<<4) + + #define DECR_LEN(l, s) do { \ + l -= s; \ +@@ -2216,7 +2223,8 @@ _asn1_decode_simple_ber (unsigned int etype, const unsigned char *der, + } + + /* indefinite constructed */ +- if (((dflags & DECODE_FLAG_INDEFINITE) || class == ASN1_CLASS_STRUCTURED) && ETYPE_IS_STRING(etype)) ++ if ((((dflags & DECODE_FLAG_INDEFINITE) || class == ASN1_CLASS_STRUCTURED) && ETYPE_IS_STRING(etype)) && ++ !(dflags & DECODE_FLAG_LEVEL3)) + { + len_len = 1; + +@@ -2236,8 +2244,17 @@ _asn1_decode_simple_ber (unsigned int etype, const unsigned char *der, + do + { + unsigned tmp_len; ++ unsigned flags = DECODE_FLAG_HAVE_TAG; ++ ++ if (dflags & DECODE_FLAG_LEVEL1) ++ flags |= DECODE_FLAG_LEVEL2; ++ else if (dflags & DECODE_FLAG_LEVEL2) ++ flags |= DECODE_FLAG_LEVEL3; ++ else ++ flags |= DECODE_FLAG_LEVEL1; + +- result = asn1_decode_simple_ber(etype, p, der_len, &out, &out_len, &tmp_len); ++ result = _asn1_decode_simple_ber(etype, p, der_len, &out, &out_len, &tmp_len, ++ flags); + if (result != ASN1_SUCCESS) + { + warn(); +-- +libgit2 0.26.0 + diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index fa58f90cb..c2123add4 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -91,7 +91,8 @@ specifications.") (inherit libtasn1) (source (origin (inherit (package-source libtasn1)) - (patches (search-patches "libtasn1-CVE-2017-10790.patch")))))) + (patches (search-patches "libtasn1-CVE-2017-10790.patch" + "libtasn1-CVE-2018-6003.patch")))))) (define-public asn1c (package -- 2.16.1