fix CVE-2019-17362

2021-01-14 11:41:13 +08:00 · 2021-01-14 11:41:13 +08:00 · b86a145932
commit b86a145932
parent 0f2134c15a
2 changed files with 30 additions and 2 deletions
--- a/CVE-2019-17362.patch
+++ b/CVE-2019-17362.patch
@ -0,0 +1,25 @@
+From 25c26a3b7a9ad8192ccc923e15cf62bf0108ef94 Mon Sep 17 00:00:00 2001
+From: werew <werew@ret2libc.com>
+Date: Thu, 3 Oct 2019 19:57:10 +0200
+Subject: [PATCH] Fixes #507
+
+---
+ src/pk/asn1/der/utf8/der_decode_utf8_string.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pk/asn1/der/utf8/der_decode_utf8_string.c b/src/pk/asn1/der/utf8/der_decode_utf8_string.c
+index 94555b99..d3ed82be 100644
+--- a/src/pk/asn1/der/utf8/der_decode_utf8_string.c
+++ b/src/pk/asn1/der/utf8/der_decode_utf8_string.c
+@@ -65,7 +65,7 @@ int der_decode_utf8_string(const unsigned char *in,  unsigned long inlen,
+       /* count number of bytes */
+       for (z = 0; (tmp & 0x80) && (z <= 4); z++, tmp = (tmp << 1) & 0xFF);
+ 
+-      if (z > 4 || (x + (z - 1) > inlen)) {
+      if (z == 1 || z > 4 || (x + (z - 1) > inlen)) {
+          return CRYPT_INVALID_PACKET;
+       }
+ 
+-- 
+2.27.0
+
--- a/libtomcrypt.spec
+++ b/libtomcrypt.spec
@ -1,11 +1,11 @@
 Name:            libtomcrypt
 Version:         1.18.2
-Release:         3
+Release:         4
 Summary:         A comprehensive, portable cryptographic toolkit
 License:         Public Domain or WTFPL
 URL:             http://www.libtom.net/
 Source0:         https://github.com/libtom/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
-
+Patch0:          CVE-2019-17362.patch
 BuildRequires:   libtommath-devel libtool

 %description
@ -52,6 +52,9 @@ make test
 %{_libdir}/pkgconfig/*.pc

 %changelog
+* Thu Jan 14 2021 openEuler Buildteam <buildteam@openeuler.org> - 1.18.2-4
+- fix CVE-2019-17362
+
 * Fri Oct 11 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.18.2-3
 - modify build path