Accepting request 114560 from Base:System

OBS-URL: https://build.opensuse.org/request/show/114560
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=43

CVE-2012-1569.patch

@@ -0,0 +1,44 @@
+Index: gnutls-3.0.3/lib/minitasn1/decoding.c
+===================================================================
+--- gnutls-3.0.3.orig/lib/minitasn1/decoding.c
++++ gnutls-3.0.3/lib/minitasn1/decoding.c
+@@ -55,12 +55,13 @@ _asn1_error_description_tag_error (ASN1_
+  * Extract a length field from DER data.
+  *
+  * Returns: Return the decoded length value, or -1 on indefinite
+- *   length, or -2 when the value was too big.
++ *   length, or -2 when the value was too big to fit in a int, or -4
++ *   when the decoded length value plus @len would exceed @der_len.
+  **/
+ signed long
+ asn1_get_length_der (const unsigned char *der, int der_len, int *len)
+ {
+-  unsigned long ans;
++  int ans;
+   int k, punt;
+ 
+   *len = 0;
+@@ -83,7 +84,7 @@ asn1_get_length_der (const unsigned char
+ 	  ans = 0;
+ 	  while (punt <= k && punt < der_len)
+ 	    {
+-	      unsigned long last = ans;
++	      int last = ans;
+ 
+ 	      ans = ans * 256 + der[punt++];
+ 	      if (ans < last)
+@@ -93,10 +94,13 @@ asn1_get_length_der (const unsigned char
+ 	}
+       else
+ 	{			/* indefinite length method */
+-	  ans = -1;
++	  *len = punt;
++	  return -1;
+ 	}
+ 
+       *len = punt;
++      if (ans + *len < ans || ans + *len > der_len)
++	      return -4;
+       return ans;
+     }
+ }

CVE-2012-1573.patch

@@ -0,0 +1,31 @@
+Index: gnutls-3.0.3/lib/gnutls_cipher.c
+===================================================================
+--- gnutls-3.0.3.orig/lib/gnutls_cipher.c
++++ gnutls-3.0.3/lib/gnutls_cipher.c
+@@ -502,7 +502,7 @@ ciphertext_to_compressed (gnutls_session
+ 
+       break;
+     case CIPHER_BLOCK:
+-      if (ciphertext->size < MAX(blocksize, tag_size) || (ciphertext->size % blocksize != 0))
++      if (ciphertext->size < blocksize || (ciphertext->size % blocksize != 0))
+         return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+ 
+       /* ignore the IV in TLS 1.1+
+@@ -514,14 +514,11 @@ ciphertext_to_compressed (gnutls_session
+ 
+           ciphertext->size -= blocksize;
+           ciphertext->data += blocksize;
+-
+-          if (ciphertext->size == 0)
+-            {
+-              gnutls_assert ();
+-              return GNUTLS_E_DECRYPTION_FAILED;
+-            }
+         }
+ 
++      if (ciphertext->size < tag_size)
++	      return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
++
+       /* we don't use the auth_cipher interface here, since
+        * TLS with block ciphers is impossible to be used under such
+        * an API. (the length of plaintext is required to calculate

gnutls.changes

@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Thu Apr 12 05:17:04 UTC 2012 - gjhe@suse.com
+
+- fix bug[bnc#753301] - VUL-0: gnutls/libtasn1 
+  "asn1_get_length_der()" DER decoding issue
+  CVE-2012-1569
+  and bug[bnc#754223] - GenericBlockCipher heap corruption DoS
+  CVE-2012-1573
+
 -------------------------------------------------------------------
 Mon Feb 13 06:09:57 UTC 2012 - gjhe@suse.com
 

gnutls.spec

@@ -36,6 +36,8 @@ Patch0:         gnutls-fix-compression.patch
 Patch1:         gnutls-fix-crash-on-strcat.patch
 Patch2:         CVE-2011-4128.patch
 Patch3:         CVE-2012-0390.patch
+Patch4:         CVE-2012-1569.patch
+Patch5:         CVE-2012-1573.patch
 BuildRequires:  automake
 BuildRequires:  gcc-c++
 BuildRequires:  libnettle-devel >= 2.2
@@ -160,6 +162,8 @@ implements the proposed standards of the IETF's TLS working group.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
+%patch5 -p1
 
 %build
 %configure \