Subject: [bug#30416] [PATCH] gnu: libtasn1: Fix CVE-2018-6003.
From: Leo Famulari
Date: Sat, 10 Feb 2018 16:54:44 -0500

* gnu/packages/patches/libtasn1-CVE-2018-6003.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/tls.scm (libtasn1/fixed)[source]: Use it.
--- gnu/local.mk | 1 + gnu/packages/patches/libtasn1-CVE-2018-6003.patch | 73 +++++++++++++++++++++++ gnu/packages/tls.scm | 3 +- 3 files changed, 76 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/libtasn1-CVE-2018-6003.patch diff --git a/gnu/local.mk b/gnu/local.mk index eb968dede..9b32e5880 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -852,6 +852,7 @@ dist_patch_DATA = \ %D%/packages/patches/libssh2-fix-build-failure-with-gcrypt.patch \ %D%/packages/patches/libtar-CVE-2013-4420.patch \ %D%/packages/patches/libtasn1-CVE-2017-10790.patch \ + %D%/packages/patches/libtasn1-CVE-2018-6003.patch \ %D%/packages/patches/libtheora-config-guess.patch \ %D%/packages/patches/libtiff-CVE-2016-10688.patch \ %D%/packages/patches/libtiff-CVE-2017-9936.patch \ diff --git a/gnu/packages/patches/libtasn1-CVE-2018-6003.patch b/gnu/packages/patches/libtasn1-CVE-2018-6003.patch new file mode 100644 index 000000000..3e6140518 --- /dev/null +++ b/gnu/packages/patches/libtasn1-CVE-2018-6003.patch 
@@ -0,0 +1,73 @@ +Fix CVE-2018-6003: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6003 +https://lists.gnu.org/archive/html/help-libtasn1/2018-01/msg00000.html + +Patch copied from upstream source repository: + +https://gitlab.com/gnutls/libtasn1/commit/c593ae84cfcde8fea45787e53950e0ac71e9ca97 + +From c593ae84cfcde8fea45787e53950e0ac71e9ca97 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Thu, 4 Jan 2018 10:52:05 +0100 +Subject: [PATCH] _asn1_decode_simple_ber: restrict the levels of recursion to 3 + +On indefinite string decoding, setting a maximum level of recursions +protects the BER decoder from a stack exhaustion due to large amounts +of recursion. + +Signed-off-by: Nikos Mavrogiannopoulos +--- + lib/decoding.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/lib/decoding.c b/lib/decoding.c +index 2240b09..0ee35d3 100644 +--- a/lib/decoding.c ++++ b/lib/decoding.c +@@ -45,6 +45,13 @@ + + #define DECODE_FLAG_HAVE_TAG 1 + #define DECODE_FLAG_INDEFINITE (1<<1) ++/* On indefinite string decoding, allow this maximum levels ++ * of recursion. Allowing infinite recursion, makes the BER ++ * decoder susceptible to stack exhaustion due to that recursion. 
++ */ ++#define DECODE_FLAG_LEVEL1 (1<<2) ++#define DECODE_FLAG_LEVEL2 (1<<3) ++#define DECODE_FLAG_LEVEL3 (1<<4) + + #define DECR_LEN(l, s) do { \ + l -= s; \ +@@ -2216,7 +2223,8 @@ _asn1_decode_simple_ber (unsigned int etype, const unsigned char *der, + } + + /* indefinite constructed */ +- if (((dflags & DECODE_FLAG_INDEFINITE) || class == ASN1_CLASS_STRUCTURED) && ETYPE_IS_STRING(etype)) ++ if ((((dflags & DECODE_FLAG_INDEFINITE) || class == ASN1_CLASS_STRUCTURED) && ETYPE_IS_STRING(etype)) && ++ !(dflags & DECODE_FLAG_LEVEL3)) + { + len_len = 1; + +@@ -2236,8 +2244,17 @@ _asn1_decode_simple_ber (unsigned int etype, const unsigned char *der, + do + { + unsigned tmp_len; ++ unsigned flags = DECODE_FLAG_HAVE_TAG; ++ ++ if (dflags & DECODE_FLAG_LEVEL1) ++ flags |= DECODE_FLAG_LEVEL2; ++ else if (dflags & DECODE_FLAG_LEVEL2) ++ flags |= DECODE_FLAG_LEVEL3; ++ else ++ flags |= DECODE_FLAG_LEVEL1; + +- result = asn1_decode_simple_ber(etype, p, der_len, &out, &out_len, &tmp_len); ++ result = _asn1_decode_simple_ber(etype, p, der_len, &out, &out_len, &tmp_len, ++ flags); + if (result != ASN1_SUCCESS) + { + warn(); +-- +libgit2 0.26.0 + diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index fa58f90cb..c2123add4 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm 
@@ -91,7 +91,8 @@ specifications.") (inherit libtasn1) (source (origin (inherit (package-source libtasn1)) - (patches (search-patches "libtasn1-CVE-2017-10790.patch")))))) + (patches (search-patches "libtasn1-CVE-2017-10790.patch" + "libtasn1-CVE-2018-6003.patch")))))) (define-public asn1c (package -- 2.16.1
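Review bot: In the lib/decoding.c part of the new libtasn1-CVE-2018-6003.patch file, the guard `!(dflags & DECODE_FLAG_LEVEL3)` only stops the decoder from entering the constructed-string branch again; the visible lines do not show what the fall-through path returns when the input is still constructed at that depth. Please confirm that case ends in an error rather than the nested encoding being handled as a primitive string, and consider carrying a regression test with a string nested deeper than the limit. The if/else chain that promotes LEVEL1 to LEVEL2 to LEVEL3 also relies on `flags` starting from `DECODE_FLAG_HAVE_TAG` alone, so exactly one level bit is passed down per call; a one-line comment saying so would make that invariant explicit.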
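Review bot: In the gnu/packages/tls.scm hunk, the new patch is appended only to the `search-patches` list of the definition that does `(inherit libtasn1)` (the commit message calls it `libtasn1/fixed`), so the `libtasn1` source it inherits from is left as it was. A short comment beside the `patches` field saying that both CVE patches need to be carried into the main `libtasn1` source when that package is next changed would keep the fix from being lost at that point.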
Subject: [bug#30416] [PATCH] gnu: libtasn1: Fix CVE-2018-6003.
From: Marius Bakke
Date: Sun, 11 Feb 2018 02:31:08 +0100

On February 10, 2018 10:54:44 PM GMT+01:00, Leo Famulari wrote:
>* gnu/packages/patches/libtasn1-CVE-2018-6003.patch: New file.
>* gnu/local.mk (dist_patch_DATA): Add it.
>* gnu/packages/tls.scm (libtasn1/fixed)[source]: Use it.

LGTM. I think we already ungrafted the fixed version on core-updates, so I guess we should merge and "re-graft" this new patch.

>--- > gnu/local=2Emk | 1 + >gnu/packages/patches/libtasn1-CVE-2018-6003=2Epatch | 73 >+++++++++++++++++++++++ > gnu/packages/tls=2Escm | 3 +- > 3 files changed, 76 insertions(+), 1 deletion(-) > create mode 100644 gnu/packages/patches/libtasn1-CVE-2018-6003=2Epatch > >diff --git a/gnu/local=2Emk b/gnu/local=2Emk >index eb968dede=2E=2E9b32e5880 100644 >--- a/gnu/local=2Emk >+++ b/gnu/local=2Emk 
>@@ -852,6 +852,7 @@ dist_patch_DATA =3D \ > %D%/packages/patches/libssh2-fix-build-failure-with-gcrypt=2Epatch \ > %D%/packages/patches/libtar-CVE-2013-4420=2Epatch \ > %D%/packages/patches/libtasn1-CVE-2017-10790=2Epatch \ >+ %D%/packages/patches/libtasn1-CVE-2018-6003=2Epatch \ > %D%/packages/patches/libtheora-config-guess=2Epatch \ > %D%/packages/patches/libtiff-CVE-2016-10688=2Epatch \ > %D%/packages/patches/libtiff-CVE-2017-9936=2Epatch \ >diff --git a/gnu/packages/patches/libtasn1-CVE-2018-6003=2Epatch >b/gnu/packages/patches/libtasn1-CVE-2018-6003=2Epatch >new file mode 100644 >index 000000000=2E=2E3e6140518 >--- /dev/null >+++ b/gnu/packages/patches/libtasn1-CVE-2018-6003=2Epatch 
>@@ -0,0 +1,73 @@ >+Fix CVE-2018-6003: >+ >+https://cve=2Emitre=2Eorg/cgi-bin/cvename=2Ecgi?name=3DCVE-2018-6003 >+https://lists=2Egnu=2Eorg/archive/html/help-libtasn1/2018-01/msg00000=2E= html >+ >+Patch copied from upstream source repository: >+ >+https://gitlab=2Ecom/gnutls/libtasn1/commit/c593ae84cfcde8fea45787e53950= e0ac71e9ca97 >+ >+From c593ae84cfcde8fea45787e53950e0ac71e9ca97 Mon Sep 17 00:00:00 2001 >+From: Nikos Mavrogiannopoulos >+Date: Thu, 4 Jan 2018 10:52:05 +0100 >+Subject: [PATCH] _asn1_decode_simple_ber: restrict the levels of >recursion to 3 >+ >+On indefinite string decoding, setting a maximum level of recursions >+protects the BER decoder from a stack exhaustion due to large amounts >+of recursion=2E >+ >+Signed-off-by: Nikos Mavrogiannopoulos >+--- >+ lib/decoding=2Ec | 21 +++++++++++++++++++-- >+ 1 file changed, 19 insertions(+), 2 deletions(-) >+ >+diff --git a/lib/decoding=2Ec b/lib/decoding=2Ec >+index 2240b09=2E=2E0ee35d3 100644 >+--- a/lib/decoding=2Ec >++++ b/lib/decoding=2Ec >+@@ -45,6 +45,13 @@ >+=20 >+ #define DECODE_FLAG_HAVE_TAG 1 >+ #define DECODE_FLAG_INDEFINITE (1<<1) >++/* On indefinite string decoding, allow this maximum levels >++ * of recursion=2E Allowing infinite recursion, makes the BER >++ * decoder susceptible to stack exhaustion due to that recursion=2E >++ */ >++#define DECODE_FLAG_LEVEL1 (1<<2) >++#define DECODE_FLAG_LEVEL2 (1<<3) >++#define DECODE_FLAG_LEVEL3 (1<<4) >+=20 >+ #define DECR_LEN(l, s) do { \ >+ l -=3D s; \ >+@@ -2216,7 +2223,8 @@ _asn1_decode_simple_ber (unsigned int etype, >const unsigned char *der, >+ } >+=20 >+ /* indefinite constructed */ >+- if (((dflags & DECODE_FLAG_INDEFINITE) || class =3D=3D >ASN1_CLASS_STRUCTURED) && ETYPE_IS_STRING(etype)) >++ if ((((dflags & DECODE_FLAG_INDEFINITE) || class =3D=3D >ASN1_CLASS_STRUCTURED) && ETYPE_IS_STRING(etype)) && >++ !(dflags & DECODE_FLAG_LEVEL3)) >+ { >+ len_len =3D 1; >+=20 >+@@ -2236,8 +2244,17 @@ _asn1_decode_simple_ber (unsigned int etype, >const 
unsigned char *der, >+ do >+ { >+ unsigned tmp_len; >++ unsigned flags =3D DECODE_FLAG_HAVE_TAG; >++ >++ if (dflags & DECODE_FLAG_LEVEL1) >++ flags |=3D DECODE_FLAG_LEVEL2; >++ else if (dflags & DECODE_FLAG_LEVEL2) >++ flags |=3D DECODE_FLAG_LEVEL3; >++ else >++ flags |=3D DECODE_FLAG_LEVEL1; >+=20 >+- result =3D asn1_decode_simple_ber(etype, p, der_len, &out, >&out_len, &tmp_len); >++ result =3D _asn1_decode_simple_ber(etype, p, der_len, &out, >&out_len, &tmp_len, >++ flags); >+ if (result !=3D ASN1_SUCCESS) >+ { >+ warn(); >+-- >+libgit2 0=2E26=2E0 >+ >diff --git a/gnu/packages/tls=2Escm b/gnu/packages/tls=2Escm >index fa58f90cb=2E=2Ec2123add4 100644 >--- a/gnu/packages/tls=2Escm >+++ b/gnu/packages/tls=2Escm >@@ -91,7 +91,8 @@ specifications=2E") > (inherit libtasn1) > (source (origin > (inherit (package-source libtasn1)) >- (patches (search-patches >"libtasn1-CVE-2017-10790=2Epatch")))))) >+ (patches (search-patches "libtasn1-CVE-2017-10790=2Epatch" >+ =20 >"libtasn1-CVE-2018-6003=2Epatch")))))) >=20 > (define-public asn1c > (package

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Leo Famulari
Subject: bug#30416: closed (Re: [bug#30416] [PATCH] gnu: libtasn1: Fix CVE-2018-6003.)
Date: Sun, 11 Feb 2018 04:03:02 +0000

Your bug report

#30416: [PATCH] gnu: libtasn1: Fix CVE-2018-6003.

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 30416@debbugs.gnu.org.

--
30416: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=30416
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

Date: Sat, 10 Feb 2018 23:02:37 -0500
From: Leo Famulari
To: Marius Bakke
Subject: Re: [bug#30416] [PATCH] gnu: libtasn1: Fix CVE-2018-6003.

On Sun, Feb 11, 2018 at 02:31:08AM +0100, Marius Bakke wrote:
>
>
> On February 10, 2018 10:54:44 PM GMT+01:00, Leo Famulari wrote:
> >* gnu/packages/patches/libtasn1-CVE-2018-6003.patch: New file.
> >* gnu/local.mk (dist_patch_DATA): Add it.
> >* gnu/packages/tls.scm (libtasn1/fixed)[source]: Use it.
>
> LGTM. I think we already ungrafted the fixed version on core-updates,
> so I guess we should merge and "re-graft" this new patch.

Yeah, I'll do it shortly.

Pushed as 31c7002b466c6d09400a95bc15774f232b51ce0b
++ */ ++#define DECODE_FLAG_LEVEL1 (1<<2) ++#define DECODE_FLAG_LEVEL2 (1<<3) ++#define DECODE_FLAG_LEVEL3 (1<<4) + + #define DECR_LEN(l, s) do { \ + l -= s; \ +@@ -2216,7 +2223,8 @@ _asn1_decode_simple_ber (unsigned int etype, const unsigned char *der, + } + + /* indefinite constructed */ +- if (((dflags & DECODE_FLAG_INDEFINITE) || class == ASN1_CLASS_STRUCTURED) && ETYPE_IS_STRING(etype)) ++ if ((((dflags & DECODE_FLAG_INDEFINITE) || class == ASN1_CLASS_STRUCTURED) && ETYPE_IS_STRING(etype)) && ++ !(dflags & DECODE_FLAG_LEVEL3)) + { + len_len = 1; + +@@ -2236,8 +2244,17 @@ _asn1_decode_simple_ber (unsigned int etype, const unsigned char *der, + do + { + unsigned tmp_len; ++ unsigned flags = DECODE_FLAG_HAVE_TAG; ++ ++ if (dflags & DECODE_FLAG_LEVEL1) ++ flags |= DECODE_FLAG_LEVEL2; ++ else if (dflags & DECODE_FLAG_LEVEL2) ++ flags |= DECODE_FLAG_LEVEL3; ++ else ++ flags |= DECODE_FLAG_LEVEL1; + +- result = asn1_decode_simple_ber(etype, p, der_len, &out, &out_len, &tmp_len); ++ result = _asn1_decode_simple_ber(etype, p, der_len, &out, &out_len, &tmp_len, ++ flags); + if (result != ASN1_SUCCESS) + { + warn(); +-- +libgit2 0.26.0 + diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index fa58f90cb..c2123add4 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -91,7 +91,8 @@ specifications.") (inherit libtasn1) (source (origin (inherit (package-source libtasn1)) - (patches (search-patches "libtasn1-CVE-2017-10790.patch")))))) + (patches (search-patches "libtasn1-CVE-2017-10790.patch" + "libtasn1-CVE-2018-6003.patch")))))) (define-public asn1c (package -- 2.16.1 ------------=_1518321782-27072-1--