[Pkg-gnutls-commits] r541 - in /packages/gnutls13/trunk/debian: changelog patches/18_gnutls-sa-2008-01.diff
ametzler at users.alioth.debian.org
Thu May 22 07:46:40 UTC 2008
Author: ametzler
Date: Thu May 22 07:46:40 2008
New Revision: 541
URL: http://svn.debian.org/wsvn/pkg-gnutls/?sc=1&rev=541
Log:
2.0.4-4 fixing DSA-1581-1
Added:
packages/gnutls13/trunk/debian/patches/18_gnutls-sa-2008-01.diff
Modified:
packages/gnutls13/trunk/debian/changelog
Modified: packages/gnutls13/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls13/trunk/debian/changelog?rev=541&op=diff
==============================================================================
--- packages/gnutls13/trunk/debian/changelog (original)
+++ packages/gnutls13/trunk/debian/changelog Thu May 22 07:46:40 2008
@@ -1,8 +1,12 @@
-gnutls13 (2.0.4-4) UNRELEASED; urgency=low
-
- * NOT RELEASED YET
-
- -- Andreas Metzler <ametzler at debian.org> Wed, 13 Feb 2008 20:19:21 +0100
+gnutls13 (2.0.4-4) unstable; urgency=high
+
+ * Add debian/patches/18_gnutls-sa-2008-01.diff.
+ Fixes three security vulnerabilities.
+ [GNUTLS-SA-2008-1-1] [GNUTLS-SA-2008-1-2] [GNUTLS-SA-2008-1-3]. See
+ <http://www.gnu.org/software/gnutls/security.html>.
+ CVE-2008-1948, CVE-2008-1949, CVE-2008-1950. DSA-1581-1
+
+ -- Andreas Metzler <ametzler at debian.org> Thu, 22 May 2008 09:16:41 +0200
gnutls13 (2.0.4-3) unstable; urgency=low
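Review bot: The new changelog entry lists three advisory IDs and three CVE numbers without saying which belongs to which, or which source file each fix touches. One line per issue (advisory ID, CVE, affected file) would make the entry usable for later triage, for example when only one of the three fixes has to be backported.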
Added: packages/gnutls13/trunk/debian/patches/18_gnutls-sa-2008-01.diff
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls13/trunk/debian/patches/18_gnutls-sa-2008-01.diff?rev=541&op=file
==============================================================================
--- packages/gnutls13/trunk/debian/patches/18_gnutls-sa-2008-01.diff (added)
+++ packages/gnutls13/trunk/debian/patches/18_gnutls-sa-2008-01.diff Thu May 22 07:46:40 2008
@@ -1,0 +1,166 @@
+Three security vulnerabilities in GnuTLS [GNUTLS-SA-2008-1]
+-----------------------------------------------------------
+
+Released 2008-05-19 12:00:00 UTC. Updated 2008-05-19 20:00.
+
+Vulnerabilities were discovered by Ossi Herrala and Jukka Taimisto
+from the CROSS project at Codenomicon Ltd., and reported directly to
+the vendor through CERT-FI. Problems reproduced and patches developed
+by Simon Josefsson and Nikos Mavrogiannopoulos. Flaw in the initial
+advisory reported by Andreas Metzler.
+
+All updates with more details about these vulnerabilities will be
+added to <http://www.gnu.org/software/gnutls/security.html>.
+
+libgnutls: Fix crash when sending invalid server name
+-----------------------------------------------------
+[GNUTLS-SA-2008-1-1]
+
+The crash can be triggered remotely before authentication, which can
+lead to a Denial of Service attack to disable the server. The bug
+cause gnutls to store more session resumption data than what was
+allocated for, thus overwriting unallocated memory. The fix is to
+patch ext_server_name.c as below.
+
+libgnutls: Fix crash when sending repeated client hellos
+--------------------------------------------------------
+[GNUTLS-SA-2008-1-2]
+
+The crash can be triggered remotely before authentication, which can
+lead to a Denial of Service attack to disable the server. The bug
+triggers a null-pointer dereference. The fix is to patch
+gnutls_handshake.c as below.
+
+libgnutls: Fix crash in cipher padding decoding for invalid record lengths
+--------------------------------------------------------------------------
+[GNUTLS-SA-2008-1-3]
+
+The crash can be triggered remotely before authentication, which can
+lead to a Denial of Service attack to disable the server. The bug
+cause gnutls to read memory beyond the end of the received record.
+The fix is to patch gnutls_cipher.c as below.
+
+How to Apply the Patch
+----------------------
+
+This file has been verified to apply to the latest stable release of
+the recent stable branches: version 1.4.5, 1.6.3, 2.0.4, and 2.2.3.
+The patch will also work with version 1.2.11 but you will need to
+apply it manually. The patch also apply to the latest development
+version 2.3.9 but keep in mind that this version is not intended for
+production systems. (The patch will not work for the broken releases
+version 2.2.4 and 2.3.10 since they contained an incorrect patch.)
+
+The patch was created with 'git-diff', so you will need to use '-p 1'
+when invoking patch. The following illustrate how you apply the patch
+against version 1.6.3.
+
+jas at mocca:~/src$ gpg gnutls-sa-2008-01.txt.asc
+gpg: Signature made Mon 19 May 2008 12:03:18 PM CEST using RSA key ID B565716F
+gpg: Good signature from "Simon Josefsson <simon at josefsson.org>"
+gpg: aka "Simon Josefsson <jas at extundo.com>"
+jas at mocca:~/src$ tar xfj gnutls-1.6.3.tar.bz2
+jas at mocca:~/src$ cd gnutls-1.6.3/
+jas at mocca:~/src/gnutls-1.6.3$ patch -p 1 < ../gnutls-sa-2008-01.txt
+patching file lib/ext_server_name.c
+patching file lib/gnutls_cipher.c
+Hunk #1 succeeded at 495 (offset -8 lines).
+patching file lib/gnutls_handshake.c
+Hunk #1 succeeded at 929 (offset -74 lines).
+jas at mocca:~/src/gnutls-1.6.3$
+
+Then build the package as normal.
+
+diff --git a/lib/ext_server_name.c b/lib/ext_server_name.c
+index 72e42ff..a2db949 100644
+--- a/lib/ext_server_name.c
++++ b/lib/ext_server_name.c
+@@ -74,10 +74,27 @@ _gnutls_server_name_recv_params (gnutls_session_t session,
+ len = _gnutls_read_uint16 (p);
+ p += 2;
+
+- DECR_LENGTH_RET (data_size, len, 0);
+- server_names++;
++ if (len > 0)
++ {
++ DECR_LENGTH_RET (data_size, len, 0);
++ server_names++;
++ p += len;
++ }
++ else
++ _gnutls_handshake_log
++ ("HSK[%x]: Received zero size server name (under attack?)\n",
++ session);
+
+- p += len;
++ }
++
++ /* we cannot accept more server names.
++ */
++ if (server_names > MAX_SERVER_NAME_EXTENSIONS)
++ {
++ _gnutls_handshake_log
++ ("HSK[%x]: Too many server names received (under attack?)\n",
++ session);
++ server_names = MAX_SERVER_NAME_EXTENSIONS;
+ }
+
+ session->security_parameters.extensions.server_names_size =
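Review bot: Both new _gnutls_handshake_log calls in this hunk pass `session` to a `%x` conversion, but `session` is used as a pointer (`session->security_parameters...`), so the argument does not match the format and is undefined where pointers are wider than unsigned int; use `%p` with a `(void *)` cast. The MAX_SERVER_NAME_EXTENSIONS clamp now runs before the `server_names_size =` assignment where it previously ran after it; a short comment stating that the order matters would keep a later cleanup from moving it back.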
+@@ -85,10 +102,6 @@ _gnutls_server_name_recv_params (gnutls_session_t session,
+ if (server_names == 0)
+ return 0; /* no names found */
+
+- /* we cannot accept more server names.
+- */
+- if (server_names > MAX_SERVER_NAME_EXTENSIONS)
+- server_names = MAX_SERVER_NAME_EXTENSIONS;
+
+ p = data + 2;
+ for (i = 0; i < server_names; i++)
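Review bot: The second pass, `for (i = 0; i < server_names; i++)` restarting from `p = data + 2`, now iterates a count that excludes zero-length entries, because the first pass no longer increments `server_names` for them. The loop body is not shown in this hunk; please confirm it skips zero-length entries the same way, otherwise the two passes disagree on which entries the count refers to. The removal also leaves two consecutive blank lines before `p = data + 2;`.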
+diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
+index e930c1d..e16ad1f 100644
+--- a/lib/gnutls_cipher.c
++++ b/lib/gnutls_cipher.c
+@@ -504,17 +503,20 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
+
+ pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */
+
+- length = ciphertext.size - hash_size - pad;
+-
+- if (pad > ciphertext.size - hash_size)
++ if ((int)pad > (int)ciphertext.size - hash_size)
+ {
+ gnutls_assert ();
++ _gnutls_record_log
++ ("REC[%x]: Short record length %d > %d - %d (under attack?)\n",
++ session, pad, ciphertext.size, hash_size);
+ /* We do not fail here. We check below for the
+ * the pad_failed. If zero means success.
+ */
+ pad_failed = GNUTLS_E_DECRYPTION_FAILED;
+ }
+
++ length = ciphertext.size - hash_size - pad;
++
+ /* Check the pading bytes (TLS 1.x)
+ */
+ if (ver >= GNUTLS_TLS1 && pad_failed == 0)
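Review bot: After the bounds check fails, `length = ciphertext.size - hash_size - pad;` is still evaluated with the out-of-range `pad`, so `length` can go negative or wrap depending on its type. The padding check that follows is guarded by `pad_failed == 0`, but every later use of `length` needs the same guard; please confirm that, or assign `length` a safe value in the failure branch. The condition also casts `pad` and `ciphertext.size` to int while the new _gnutls_record_log call passes them uncast to `%d`; apply the same casts there.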
+diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
+index 4ab6db6..d798180 100644
+--- a/lib/gnutls_handshake.c
++++ b/lib/gnutls_handshake.c
+@@ -1003,6 +1003,14 @@ _gnutls_recv_handshake_header (gnutls_session_t session,
+
+ *recv_type = session->internals.handshake_header_buffer.recv_type;
+
++ if (*recv_type != type)
++ {
++ gnutls_assert ();
++ _gnutls_handshake_log
++ ("HSK[%x]: Handshake type mismatch (under attack?)\n", session);
++ return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
++ }
++
+ return session->internals.handshake_header_buffer.packet_length;
+ }
+
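Review bot: The `*recv_type != type` check runs after `*recv_type` has already been overwritten from `handshake_header_buffer.recv_type`, so on the error return the caller's out-parameter holds the unexpected type. Compare the buffered value against `type` first and store it only on success, or document that callers must ignore `*recv_type` when GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET is returned. The hunk covers only the return that uses the buffered header; if the function has another path that parses a fresh header, it should get the same check. The `%x` conversion given `session` has the same pointer/format mismatch noted for ext_server_name.c.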