OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=12

2008-06-03 14:13:23 +00:00 · 2008-06-03 14:13:23 +00:00 · 1648c80240
commit 1648c80240
parent bc8f511a66
3 changed files with 115 additions and 1 deletions
--- a/gnutls-GNUTLS_SA_2008_1.patch
+++ b/gnutls-GNUTLS_SA_2008_1.patch
@ -0,0 +1,93 @@
+diff --git a/lib/ext_server_name.c b/lib/ext_server_name.c
+index 72e42ff..a2db949 100644
+--- a/lib/ext_server_name.c
+++ b/lib/ext_server_name.c
+@@ -74,10 +74,27 @@ _gnutls_server_name_recv_params (gnutls_session_t session,
+ 	  len = _gnutls_read_uint16 (p);
+ 	  p += 2;
+
+-	  DECR_LENGTH_RET (data_size, len, 0);
+-	  server_names++;
+	  if (len > 0)
+	    {
+	      DECR_LENGTH_RET (data_size, len, 0);
+	      server_names++;
+	      p += len;
+	    }
+	  else
+	    _gnutls_handshake_log
+	      ("HSK[%x]: Received zero size server name (under attack?)\n",
+	       session);
+
+-	  p += len;
+	}
+
+      /* we cannot accept more server names.
+       */
+      if (server_names > MAX_SERVER_NAME_EXTENSIONS)
+	{
+	  _gnutls_handshake_log
+	    ("HSK[%x]: Too many server names received (under attack?)\n",
+	     session);
+	  server_names = MAX_SERVER_NAME_EXTENSIONS;
+ 	}
+
+       session->security_parameters.extensions.server_names_size =
+@@ -85,10 +102,6 @@ _gnutls_server_name_recv_params (gnutls_session_t session,
+       if (server_names == 0)
+ 	return 0;		/* no names found */
+
+-      /* we cannot accept more server names.
+-       */
+-      if (server_names > MAX_SERVER_NAME_EXTENSIONS)
+-	server_names = MAX_SERVER_NAME_EXTENSIONS;
+
+       p = data + 2;
+       for (i = 0; i < server_names; i++)
+diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
+index e930c1d..e16ad1f 100644
+--- a/lib/gnutls_cipher.c
+++ b/lib/gnutls_cipher.c
+@@ -504,17 +503,20 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
+ 
+       pad = ciphertext.data[ciphertext.size - 1] + 1;	/* pad */
+ 
+-      length = ciphertext.size - hash_size - pad;
+-
+-      if (pad > ciphertext.size - hash_size)
+      if ((int)pad > (int)ciphertext.size - hash_size)
+ 	{
+ 	  gnutls_assert ();
+	  _gnutls_record_log
+	    ("REC[%x]: Short record length %d > %d - %d (under attack?)\n",
+	     session, pad, ciphertext.size, hash_size);
+ 	  /* We do not fail here. We check below for the
+ 	   * the pad_failed. If zero means success.
+ 	   */
+ 	  pad_failed = GNUTLS_E_DECRYPTION_FAILED;
+ 	}
+ 
+      length = ciphertext.size - hash_size - pad;
+
+       /* Check the pading bytes (TLS 1.x)
+        */
+       if (ver >= GNUTLS_TLS1 && pad_failed == 0)
+diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
+index 4ab6db6..d798180 100644
+--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
+@@ -1003,6 +1003,14 @@ _gnutls_recv_handshake_header (gnutls_session_t session,
+
+       *recv_type = session->internals.handshake_header_buffer.recv_type;
+
+      if (*recv_type != type)
+	{
+	  gnutls_assert ();
+	  _gnutls_handshake_log
+	    ("HSK[%x]: Handshake type mismatch (under attack?)\n", session);
+	  return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
+	}
+
+       return session->internals.handshake_header_buffer.packet_length;
+     }
+
--- a/gnutls.changes
+++ b/gnutls.changes
@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Wed May 21 16:32:26 CEST 2008 - mkoenig@suse.de
+
+- fix three security bugs [bnc#392947]
+  CVE-2008-1948 GNUTLS-SA-2008-1-1
+  Fix crash when sending invalid server name
+  CVE-2008-1949 GNUTLS-SA-2008-1-2
+  Fix crash when sending repeated client hellos
+  CVE-2008-1950 GNUTLS-SA-2008-1-3
+  Fix crash in cipher padding decoding for invalid record lengths
+
 -------------------------------------------------------------------
 Thu May  8 14:17:41 CEST 2008 - mkoenig@suse.de

--- a/gnutls.spec
+++ b/gnutls.spec
@ -14,7 +14,7 @@
 Name:           gnutls
 BuildRequires:  gcc-c++ libgcrypt-devel libopencdk-devel
 Version:        2.2.2
-Release:        10
+Release:        16
 License:        GPL v3 or later; LGPL v2.1 or later
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Url:            http://www.gnutls.org/
@ -22,6 +22,7 @@ Source0:        %name-%version.tar.bz2
 Patch0:         gnutls-char-signedness.patch
 Patch1:         gnutls-1.6.1-srptool.patch
 Patch2:         gnutls-2.2.2-uninitialized.patch
+Patch3:         gnutls-GNUTLS_SA_2008_1.patch
 Summary:        The GNU Transport Layer Security Library
 Group:          Productivity/Networking/Security
 AutoReqProv:    on
@ -125,6 +126,7 @@ Authors:
 %patch0
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1

 %build
 autoreconf -fi
@ -211,6 +213,14 @@ rm -rf %buildroot
 %_libdir/pkgconfig/gnutls-extra.pc

 %changelog
+* Wed May 21 2008 mkoenig@suse.de
+- fix three security bugs [bnc#392947]
+  CVE-2008-1948 GNUTLS-SA-2008-1-1
+  Fix crash when sending invalid server name
+  CVE-2008-1949 GNUTLS-SA-2008-1-2
+  Fix crash when sending repeated client hellos
+  CVE-2008-1950 GNUTLS-SA-2008-1-3
+  Fix crash in cipher padding decoding for invalid record lengths
 * Thu May 08 2008 mkoenig@suse.de
 - fix build
 * Tue Apr 29 2008 cthiel@suse.de