GNU bug report logs -
#30416
[PATCH] gnu: libtasn1: Fix CVE-2018-6003.
Previous Next
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Sat, 10 Feb 2018 21:56:02 UTC
Severity: normal
Tags: patch
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 30416 in the body.
You can then email your comments to 30416 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
guix-patches <at> gnu.org:
bug#30416; Package
guix-patches.
(Sat, 10 Feb 2018 21:56:03 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to
guix-patches <at> gnu.org.
(Sat, 10 Feb 2018 21:56:03 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/patches/libtasn1-CVE-2018-6003.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/tls.scm (libtasn1/fixed)[source]: Use it.
---
gnu/local.mk | 1 +
gnu/packages/patches/libtasn1-CVE-2018-6003.patch | 73 +++++++++++++++++++++++
gnu/packages/tls.scm | 3 +-
3 files changed, 76 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/libtasn1-CVE-2018-6003.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index eb968dede..9b32e5880 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -852,6 +852,7 @@ dist_patch_DATA = \
%D%/packages/patches/libssh2-fix-build-failure-with-gcrypt.patch \
%D%/packages/patches/libtar-CVE-2013-4420.patch \
%D%/packages/patches/libtasn1-CVE-2017-10790.patch \
+ %D%/packages/patches/libtasn1-CVE-2018-6003.patch \
%D%/packages/patches/libtheora-config-guess.patch \
%D%/packages/patches/libtiff-CVE-2016-10688.patch \
%D%/packages/patches/libtiff-CVE-2017-9936.patch \
diff --git a/gnu/packages/patches/libtasn1-CVE-2018-6003.patch b/gnu/packages/patches/libtasn1-CVE-2018-6003.patch
new file mode 100644
index 000000000..3e6140518
--- /dev/null
+++ b/gnu/packages/patches/libtasn1-CVE-2018-6003.patch
@@ -0,0 +1,73 @@
+Fix CVE-2018-6003:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6003
+https://lists.gnu.org/archive/html/help-libtasn1/2018-01/msg00000.html
+
+Patch copied from upstream source repository:
+
+https://gitlab.com/gnutls/libtasn1/commit/c593ae84cfcde8fea45787e53950e0ac71e9ca97
+
+From c593ae84cfcde8fea45787e53950e0ac71e9ca97 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav <at> redhat.com>
+Date: Thu, 4 Jan 2018 10:52:05 +0100
+Subject: [PATCH] _asn1_decode_simple_ber: restrict the levels of recursion to 3
+
+On indefinite string decoding, setting a maximum level of recursions
+protects the BER decoder from a stack exhaustion due to large amounts
+of recursion.
+
+Signed-off-by: Nikos Mavrogiannopoulos <nmav <at> redhat.com>
+---
+ lib/decoding.c | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/lib/decoding.c b/lib/decoding.c
+index 2240b09..0ee35d3 100644
+--- a/lib/decoding.c
++++ b/lib/decoding.c
+@@ -45,6 +45,13 @@
+
+ #define DECODE_FLAG_HAVE_TAG 1
+ #define DECODE_FLAG_INDEFINITE (1<<1)
++/* On indefinite string decoding, allow this maximum levels
++ * of recursion. Allowing infinite recursion, makes the BER
++ * decoder susceptible to stack exhaustion due to that recursion.
++ */
++#define DECODE_FLAG_LEVEL1 (1<<2)
++#define DECODE_FLAG_LEVEL2 (1<<3)
++#define DECODE_FLAG_LEVEL3 (1<<4)
+
+ #define DECR_LEN(l, s) do { \
+ l -= s; \
+@@ -2216,7 +2223,8 @@ _asn1_decode_simple_ber (unsigned int etype, const unsigned char *der,
+ }
+
+ /* indefinite constructed */
+- if (((dflags & DECODE_FLAG_INDEFINITE) || class == ASN1_CLASS_STRUCTURED) && ETYPE_IS_STRING(etype))
++ if ((((dflags & DECODE_FLAG_INDEFINITE) || class == ASN1_CLASS_STRUCTURED) && ETYPE_IS_STRING(etype)) &&
++ !(dflags & DECODE_FLAG_LEVEL3))
+ {
+ len_len = 1;
+
+@@ -2236,8 +2244,17 @@ _asn1_decode_simple_ber (unsigned int etype, const unsigned char *der,
+ do
+ {
+ unsigned tmp_len;
++ unsigned flags = DECODE_FLAG_HAVE_TAG;
++
++ if (dflags & DECODE_FLAG_LEVEL1)
++ flags |= DECODE_FLAG_LEVEL2;
++ else if (dflags & DECODE_FLAG_LEVEL2)
++ flags |= DECODE_FLAG_LEVEL3;
++ else
++ flags |= DECODE_FLAG_LEVEL1;
+
+- result = asn1_decode_simple_ber(etype, p, der_len, &out, &out_len, &tmp_len);
++ result = _asn1_decode_simple_ber(etype, p, der_len, &out, &out_len, &tmp_len,
++ flags);
+ if (result != ASN1_SUCCESS)
+ {
+ warn();
+--
+libgit2 0.26.0
+
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index fa58f90cb..c2123add4 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -91,7 +91,8 @@ specifications.")
(inherit libtasn1)
(source (origin
(inherit (package-source libtasn1))
- (patches (search-patches "libtasn1-CVE-2017-10790.patch"))))))
+ (patches (search-patches "libtasn1-CVE-2017-10790.patch"
+ "libtasn1-CVE-2018-6003.patch"))))))
(define-public asn1c
(package
--
2.16.1
Information forwarded
to
guix-patches <at> gnu.org:
bug#30416; Package
guix-patches.
(Sun, 11 Feb 2018 01:32:01 GMT)
Full text and
rfc822 format available.
Message #8 received at submit <at> debbugs.gnu.org (full text, mbox):
On February 10, 2018 10:54:44 PM GMT+01:00, Leo Famulari <leo <at> famulari.name> wrote:
>* gnu/packages/patches/libtasn1-CVE-2018-6003.patch: New file.
>* gnu/local.mk (dist_patch_DATA): Add it.
>* gnu/packages/tls.scm (libtasn1/fixed)[source]: Use it.
LGTM. I think we already ungrafted the fixed version on core-updates, so I guess we should merge and "re-graft" this new patch.
>---
> gnu/local.mk | 1 +
>gnu/packages/patches/libtasn1-CVE-2018-6003.patch | 73
>+++++++++++++++++++++++
> gnu/packages/tls.scm | 3 +-
> 3 files changed, 76 insertions(+), 1 deletion(-)
> create mode 100644 gnu/packages/patches/libtasn1-CVE-2018-6003.patch
>
>diff --git a/gnu/local.mk b/gnu/local.mk
>index eb968dede..9b32e5880 100644
>--- a/gnu/local.mk
>+++ b/gnu/local.mk
>@@ -852,6 +852,7 @@ dist_patch_DATA = \
> %D%/packages/patches/libssh2-fix-build-failure-with-gcrypt.patch \
> %D%/packages/patches/libtar-CVE-2013-4420.patch \
> %D%/packages/patches/libtasn1-CVE-2017-10790.patch \
>+ %D%/packages/patches/libtasn1-CVE-2018-6003.patch \
> %D%/packages/patches/libtheora-config-guess.patch \
> %D%/packages/patches/libtiff-CVE-2016-10688.patch \
> %D%/packages/patches/libtiff-CVE-2017-9936.patch \
>diff --git a/gnu/packages/patches/libtasn1-CVE-2018-6003.patch
>b/gnu/packages/patches/libtasn1-CVE-2018-6003.patch
>new file mode 100644
>index 000000000..3e6140518
>--- /dev/null
>+++ b/gnu/packages/patches/libtasn1-CVE-2018-6003.patch
>@@ -0,0 +1,73 @@
>+Fix CVE-2018-6003:
>+
>+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6003
>+https://lists.gnu.org/archive/html/help-libtasn1/2018-01/msg00000.html
>+
>+Patch copied from upstream source repository:
>+
>+https://gitlab.com/gnutls/libtasn1/commit/c593ae84cfcde8fea45787e53950e0ac71e9ca97
>+
>+From c593ae84cfcde8fea45787e53950e0ac71e9ca97 Mon Sep 17 00:00:00 2001
>+From: Nikos Mavrogiannopoulos <nmav <at> redhat.com>
>+Date: Thu, 4 Jan 2018 10:52:05 +0100
>+Subject: [PATCH] _asn1_decode_simple_ber: restrict the levels of
>recursion to 3
>+
>+On indefinite string decoding, setting a maximum level of recursions
>+protects the BER decoder from a stack exhaustion due to large amounts
>+of recursion.
>+
>+Signed-off-by: Nikos Mavrogiannopoulos <nmav <at> redhat.com>
>+---
>+ lib/decoding.c | 21 +++++++++++++++++++--
>+ 1 file changed, 19 insertions(+), 2 deletions(-)
>+
>+diff --git a/lib/decoding.c b/lib/decoding.c
>+index 2240b09..0ee35d3 100644
>+--- a/lib/decoding.c
>++++ b/lib/decoding.c
>+@@ -45,6 +45,13 @@
>+
>+ #define DECODE_FLAG_HAVE_TAG 1
>+ #define DECODE_FLAG_INDEFINITE (1<<1)
>++/* On indefinite string decoding, allow this maximum levels
>++ * of recursion. Allowing infinite recursion, makes the BER
>++ * decoder susceptible to stack exhaustion due to that recursion.
>++ */
>++#define DECODE_FLAG_LEVEL1 (1<<2)
>++#define DECODE_FLAG_LEVEL2 (1<<3)
>++#define DECODE_FLAG_LEVEL3 (1<<4)
>+
>+ #define DECR_LEN(l, s) do { \
>+ l -= s; \
>+@@ -2216,7 +2223,8 @@ _asn1_decode_simple_ber (unsigned int etype,
>const unsigned char *der,
>+ }
>+
>+ /* indefinite constructed */
>+- if (((dflags & DECODE_FLAG_INDEFINITE) || class ==
>ASN1_CLASS_STRUCTURED) && ETYPE_IS_STRING(etype))
>++ if ((((dflags & DECODE_FLAG_INDEFINITE) || class ==
>ASN1_CLASS_STRUCTURED) && ETYPE_IS_STRING(etype)) &&
>++ !(dflags & DECODE_FLAG_LEVEL3))
>+ {
>+ len_len = 1;
>+
>+@@ -2236,8 +2244,17 @@ _asn1_decode_simple_ber (unsigned int etype,
>const unsigned char *der,
>+ do
>+ {
>+ unsigned tmp_len;
>++ unsigned flags = DECODE_FLAG_HAVE_TAG;
>++
>++ if (dflags & DECODE_FLAG_LEVEL1)
>++ flags |= DECODE_FLAG_LEVEL2;
>++ else if (dflags & DECODE_FLAG_LEVEL2)
>++ flags |= DECODE_FLAG_LEVEL3;
>++ else
>++ flags |= DECODE_FLAG_LEVEL1;
>+
>+- result = asn1_decode_simple_ber(etype, p, der_len, &out,
>&out_len, &tmp_len);
>++ result = _asn1_decode_simple_ber(etype, p, der_len, &out,
>&out_len, &tmp_len,
>++ flags);
>+ if (result != ASN1_SUCCESS)
>+ {
>+ warn();
>+--
>+libgit2 0.26.0
>+
>diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
>index fa58f90cb..c2123add4 100644
>--- a/gnu/packages/tls.scm
>+++ b/gnu/packages/tls.scm
>@@ -91,7 +91,8 @@ specifications.")
> (inherit libtasn1)
> (source (origin
> (inherit (package-source libtasn1))
>- (patches (search-patches
>"libtasn1-CVE-2017-10790.patch"))))))
>+ (patches (search-patches "libtasn1-CVE-2017-10790.patch"
>+
>"libtasn1-CVE-2018-6003.patch"))))))
>
> (define-public asn1c
> (package
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Information forwarded
to
guix-patches <at> gnu.org:
bug#30416; Package
guix-patches.
(Sun, 11 Feb 2018 01:32:02 GMT)
Full text and
rfc822 format available.
Reply sent
to
Leo Famulari <leo <at> famulari.name>:
You have taken responsibility.
(Sun, 11 Feb 2018 04:03:01 GMT)
Full text and
rfc822 format available.
Notification sent
to
Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer.
(Sun, 11 Feb 2018 04:03:02 GMT)
Full text and
rfc822 format available.
Message #16 received at 30416-done <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Sun, Feb 11, 2018 at 02:31:08AM +0100, Marius Bakke wrote:
>
>
> On February 10, 2018 10:54:44 PM GMT+01:00, Leo Famulari <leo <at> famulari.name> wrote:
> >* gnu/packages/patches/libtasn1-CVE-2018-6003.patch: New file.
> >* gnu/local.mk (dist_patch_DATA): Add it.
> >* gnu/packages/tls.scm (libtasn1/fixed)[source]: Use it.
>
> LGTM. I think we already ungrafted the fixed version on core-updates,
> so I guess we should merge and "re-graft" this new patch.
Yeah, I'll do it shortly.
Pushed as 31c7002b466c6d09400a95bc15774f232b51ce0b
[signature.asc (application/pgp-signature, inline)]
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Sun, 11 Mar 2018 11:24:04 GMT)
Full text and
rfc822 format available.
This bug report was last modified 7 years and 188 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.