Subject: [bug#30416] [PATCH] gnu: libtasn1: Fix CVE-2018-6003.
From: Marius Bakke
To: 30416@debbugs.gnu.org, leo@famulari.name
Date: Sun, 11 Feb 2018 02:31:08 +0100

On February 10, 2018 10:54:44 PM GMT+01:00, Leo Famulari wrote:
>* gnu/packages/patches/libtasn1-CVE-2018-6003.patch: New file.
>* gnu/local.mk (dist_patch_DATA): Add it.
>* gnu/packages/tls.scm (libtasn1/fixed)[source]: Use it.

LGTM. I think we already ungrafted the fixed version on core-updates, so I guess we should merge and "re-graft" this new patch.

>---
> gnu/local.mk | 1 +
> gnu/packages/patches/libtasn1-CVE-2018-6003.patch | 73 +++++++++++++++++++++++
> gnu/packages/tls.scm | 3 +-
> 3 files changed, 76 insertions(+), 1 deletion(-)
> create mode 100644 gnu/packages/patches/libtasn1-CVE-2018-6003.patch
>
>diff --git a/gnu/local.mk b/gnu/local.mk
>index eb968dede..9b32e5880 100644
>--- a/gnu/local.mk
>+++ b/gnu/local.mk
>@@ -852,6 +852,7 @@ dist_patch_DATA = \
> %D%/packages/patches/libssh2-fix-build-failure-with-gcrypt.patch \
> %D%/packages/patches/libtar-CVE-2013-4420.patch \
> %D%/packages/patches/libtasn1-CVE-2017-10790.patch \
>+ %D%/packages/patches/libtasn1-CVE-2018-6003.patch \
> %D%/packages/patches/libtheora-config-guess.patch \
> %D%/packages/patches/libtiff-CVE-2016-10688.patch \
> %D%/packages/patches/libtiff-CVE-2017-9936.patch \
>diff --git a/gnu/packages/patches/libtasn1-CVE-2018-6003.patch b/gnu/packages/patches/libtasn1-CVE-2018-6003.patch
>new file mode 100644
>index 000000000..3e6140518
>--- /dev/null
>+++ b/gnu/packages/patches/libtasn1-CVE-2018-6003.patch
>@@ -0,0 +1,73 @@
>+Fix CVE-2018-6003:
>+
>+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6003
>+https://lists.gnu.org/archive/html/help-libtasn1/2018-01/msg00000.html
>+
>+Patch copied from upstream source repository:
>+
>+https://gitlab.com/gnutls/libtasn1/commit/c593ae84cfcde8fea45787e53950e0ac71e9ca97
>+
>+From c593ae84cfcde8fea45787e53950e0ac71e9ca97 Mon Sep 17 00:00:00 2001
>+From: Nikos Mavrogiannopoulos
>+Date: Thu, 4 Jan 2018 10:52:05 +0100
>+Subject: [PATCH] _asn1_decode_simple_ber: restrict the levels of recursion to 3
>+
>+On indefinite string decoding, setting a maximum level of recursions
>+protects the BER decoder from a stack exhaustion due to large amounts
>+of recursion.
>+
>+Signed-off-by: Nikos Mavrogiannopoulos
>+---
>+ lib/decoding.c | 21 +++++++++++++++++++--
>+ 1 file changed, 19 insertions(+), 2 deletions(-)
>+
>+diff --git a/lib/decoding.c b/lib/decoding.c
>+index 2240b09..0ee35d3 100644
>+--- a/lib/decoding.c
>++++ b/lib/decoding.c
>+@@ -45,6 +45,13 @@
>+ 
>+ #define DECODE_FLAG_HAVE_TAG 1
>+ #define DECODE_FLAG_INDEFINITE (1<<1)
>++/* On indefinite string decoding, allow this maximum levels
>++ * of recursion. Allowing infinite recursion, makes the BER
>++ * decoder susceptible to stack exhaustion due to that recursion.
>++ */
>++#define DECODE_FLAG_LEVEL1 (1<<2)
>++#define DECODE_FLAG_LEVEL2 (1<<3)
>++#define DECODE_FLAG_LEVEL3 (1<<4)
>+ 
>+ #define DECR_LEN(l, s) do { \
>+ l -= s; \
>+@@ -2216,7 +2223,8 @@ _asn1_decode_simple_ber (unsigned int etype, const unsigned char *der,
>+ }
>+ 
>+ /* indefinite constructed */
>+- if (((dflags & DECODE_FLAG_INDEFINITE) || class == ASN1_CLASS_STRUCTURED) && ETYPE_IS_STRING(etype))
>++ if ((((dflags & DECODE_FLAG_INDEFINITE) || class == ASN1_CLASS_STRUCTURED) && ETYPE_IS_STRING(etype)) &&
>++ !(dflags & DECODE_FLAG_LEVEL3))
>+ {
>+ len_len = 1;
>+ 
>+@@ -2236,8 +2244,17 @@ _asn1_decode_simple_ber (unsigned int etype, const unsigned char *der,
>+ do
>+ {
>+ unsigned tmp_len;
>++ unsigned flags = DECODE_FLAG_HAVE_TAG;
>++
>++ if (dflags & DECODE_FLAG_LEVEL1)
>++ flags |= DECODE_FLAG_LEVEL2;
>++ else if (dflags & DECODE_FLAG_LEVEL2)
>++ flags |= DECODE_FLAG_LEVEL3;
>++ else
>++ flags |= DECODE_FLAG_LEVEL1;
>+ 
>+- result = asn1_decode_simple_ber(etype, p, der_len, &out, &out_len, &tmp_len);
>++ result = _asn1_decode_simple_ber(etype, p, der_len, &out, &out_len, &tmp_len,
>++ flags);
>+ if (result != ASN1_SUCCESS)
>+ {
>+ warn();
>+--
>+libgit2 0.26.0
>+
>diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
>index fa58f90cb..c2123add4 100644
>--- a/gnu/packages/tls.scm
>+++ b/gnu/packages/tls.scm
>@@ -91,7 +91,8 @@ specifications.")
> (inherit libtasn1)
> (source (origin
> (inherit (package-source libtasn1))
>- (patches (search-patches "libtasn1-CVE-2017-10790.patch"))))))
>+ (patches (search-patches "libtasn1-CVE-2017-10790.patch"
>+ "libtasn1-CVE-2018-6003.patch"))))))
> 
> (define-public asn1c
> (package

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
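Review bot: in the `@@ -45,6 +45,13 @@` hunk of lib/decoding.c, the new comment reads "allow this maximum levels of recursion", which should be "allow this many levels of recursion"; it would also help to state there that DECODE_FLAG_LEVEL1/2/3 encode the current depth as one bit per level rather than as accumulating flags, because the do loop in the later hunk builds a fresh `flags = DECODE_FLAG_HAVE_TAG` and sets exactly one of the three bits for each inner call. Without that sentence a reader may expect the bits to stack and wonder why only LEVEL3 is ever tested.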
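Review bot: in the `@@ -2216,7 +2223,8 @@` hunk, the added `!(dflags & DECODE_FLAG_LEVEL3)` condition makes the decoder skip the indefinite-constructed branch once the fourth nesting level is reached, but the hunk does not show which path then handles that element; the commit message should say whether the fall-through returns an explicit error or treats the content as a primitive string, and a regression test with indefinite-length strings nested deeper than three levels would pin the intended behaviour down.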
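Review bot: in the `@@ -2236,8 +2244,17 @@` hunk the inner call switches from the public `asn1_decode_simple_ber` to the internal `_asn1_decode_simple_ber` and passes `flags`, which carries only DECODE_FLAG_HAVE_TAG plus one DECODE_FLAG_LEVELn bit; DECODE_FLAG_INDEFINITE from `dflags` is not forwarded, so the nested element's indefinite length must be rederived from its own encoding (the `class == ASN1_CLASS_STRUCTURED` alternative in the condition above appears to be what makes that work). A one-line comment beside `unsigned flags = DECODE_FLAG_HAVE_TAG;` saying the inner call intentionally starts from a clean flag set would make this explicit.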
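Review bot: the `@@ -91,7 +91,8 @@` hunk of gnu/packages/tls.scm adds the new patch only to `libtasn1/fixed`, the grafted replacement; as the reply above notes, that variant has already been ungrafted on core-updates, so this change needs a matching commit on that branch that adds libtasn1-CVE-2018-6003.patch to `libtasn1` itself, otherwise the fix is lost at the next merge. The commit message could mention that follow-up.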