packages/gnutls
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!37 【Mainline】Fix CVE-2021-20231 CVE-2021-20232

Browse Source 
From: @yixiangzhike
Reviewed-by: @zhujianwei001
Signed-off-by: @zhujianwei001
This commit is contained in:
openeuler-ci-bot 2021-03-23 16:46:30 +08:00 committed by Gitee
commit bce8a43059
3 changed files with 128 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
backport-CVE-2021-20231.patch Normal file
View File

@ -0,0 +1,62 @@
From 15beb4b193b2714d88107e7dffca781798684e7e Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Fri, 29 Jan 2021 14:06:32 +0100
Subject: [PATCH] key_share: avoid use-after-free around realloc
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/ext/key_share.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c
index ab8abf8fe6..a8c4bb5cff 100644
--- a/lib/ext/key_share.c
+++ b/lib/ext/key_share.c
@@ -664,14 +664,14 @@ key_share_send_params(gnutls_session_t session,
{
unsigned i;
int ret;
- unsigned char *lengthp;
- unsigned int cur_length;
unsigned int generated = 0;
const gnutls_group_entry_st *group;
const version_entry_st *ver;
/* this extension is only being sent on client side */
if (session->security_parameters.entity == GNUTLS_CLIENT) {
+ unsigned int length_pos;
+
ver = _gnutls_version_max(session);
if (unlikely(ver == NULL || ver->key_shares == 0))
return 0;
@@ -679,16 +679,13 @@ key_share_send_params(gnutls_session_t session,
if (!have_creds_for_tls13(session))
return 0;
- /* write the total length later */
- lengthp = &extdata->data[extdata->length];
+ length_pos = extdata->length;
ret =
_gnutls_buffer_append_prefix(extdata, 16, 0);
if (ret < 0)
return gnutls_assert_val(ret);
- cur_length = extdata->length;
-
if (session->internals.hsk_flags & HSK_HRR_RECEIVED) { /* we know the group */
group = get_group(session);
if (unlikely(group == NULL))
@@ -736,7 +733,8 @@ key_share_send_params(gnutls_session_t session,
}
/* copy actual length */
- _gnutls_write_uint16(extdata->length - cur_length, lengthp);
+ _gnutls_write_uint16(extdata->length - length_pos - 2,
+ &extdata->data[length_pos]);
} else { /* server */
ver = get_version(session);
--
GitLab

60
backport-CVE-2021-20232.patch Normal file
View File

@ -0,0 +1,60 @@
From 75a937d97f4fefc6f9b08e3791f151445f551cb3 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Fri, 29 Jan 2021 14:06:50 +0100
Subject: [PATCH] pre_shared_key: avoid use-after-free around realloc
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/ext/pre_shared_key.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c
index a042c6488e..380bf39ed5 100644
--- a/lib/ext/pre_shared_key.c
+++ b/lib/ext/pre_shared_key.c
@@ -267,7 +267,7 @@ client_send_params(gnutls_session_t session,
size_t spos;
gnutls_datum_t username = {NULL, 0};
gnutls_datum_t user_key = {NULL, 0}, rkey = {NULL, 0};
- gnutls_datum_t client_hello;
+ unsigned client_hello_len;
unsigned next_idx;
const mac_entry_st *prf_res = NULL;
const mac_entry_st *prf_psk = NULL;
@@ -428,8 +428,7 @@ client_send_params(gnutls_session_t session,
assert(extdata->length >= sizeof(mbuffer_st));
assert(ext_offset >= (ssize_t)sizeof(mbuffer_st));
ext_offset -= sizeof(mbuffer_st);
- client_hello.data = extdata->data+sizeof(mbuffer_st);
- client_hello.size = extdata->length-sizeof(mbuffer_st);
+ client_hello_len = extdata->length-sizeof(mbuffer_st);
next_idx = 0;
@@ -440,6 +439,11 @@ client_send_params(gnutls_session_t session,
}
if (prf_res && rkey.size > 0) {
+ gnutls_datum_t client_hello;
+
+ client_hello.data = extdata->data+sizeof(mbuffer_st);
+ client_hello.size = client_hello_len;
+
ret = compute_psk_binder(session, prf_res,
binders_len, binders_pos,
ext_offset, &rkey, &client_hello, 1,
@@ -474,6 +478,11 @@ client_send_params(gnutls_session_t session,
}
if (prf_psk && user_key.size > 0 && info) {
+ gnutls_datum_t client_hello;
+
+ client_hello.data = extdata->data+sizeof(mbuffer_st);
+ client_hello.size = client_hello_len;
+
ret = compute_psk_binder(session, prf_psk,
binders_len, binders_pos,
ext_offset, &user_key, &client_hello, 0,
--
GitLab

7
gnutls.spec
View File

@ -1,6 +1,6 @@
Name: gnutls Name: gnutls
Version: 3.6.15 Version: 3.6.15
Release: 2 Release: 3
Summary: The GNU Secure Communication Protocol Library Summary: The GNU Secure Communication Protocol Library
License: LGPLv2.1+ and GPLv3+ License: LGPLv2.1+ and GPLv3+
@ -11,6 +11,8 @@ Source1: https://www.gnupg.org/ftp/gcrypt/%{name}/v3.6/%{name}-%{version}.tar.xz
Patch1: fix-ipv6-handshake-failed.patch Patch1: fix-ipv6-handshake-failed.patch
Patch2: backport-tests-remove-launch_pkcs11_server.patch Patch2: backport-tests-remove-launch_pkcs11_server.patch
Patch3: backport-testpkcs11-use-datefudge-to-trick-certificate-expiry.patch Patch3: backport-testpkcs11-use-datefudge-to-trick-certificate-expiry.patch
Patch4: backport-CVE-2021-20231.patch
Patch5: backport-CVE-2021-20232.patch
%bcond_without dane %bcond_without dane
%bcond_with guile %bcond_with guile
@ -201,6 +203,9 @@ make check %{?_smp_mflags}
%endif %endif
%changelog %changelog
* Mon Mar 22 2021 yixiangzhike <zhangxingliang3@huawei.com> - 3.6.15-3
- fix CVE-2021-20231 CVE-2021-20232
* Sat Jan 30 2021 lirui <lirui130@huawei.com> - 3.6.15-2 * Sat Jan 30 2021 lirui <lirui130@huawei.com> - 3.6.15-2
- backport upsteam patches to fix testpkcs11.sh test failed - backport upsteam patches to fix testpkcs11.sh test failed