[Pkg-gnutls-commits] r1457 - in /packages/libtasn1-3/branches/branch2.7+squeeze/debian: changelog patches/CVE-2012-1569.diff patches/series

ametzler at users.alioth.debian.org
Sun Mar 25 06:57:36 UTC 2012


Author: ametzler
Date: Sun Mar 25 06:57:36 2012
New Revision: 1457

URL: http://svn.debian.org/wsvn/pkg-gnutls/?sc=1&rev=1457
Log:
Fix ASN.1 length decoding vulnerability. CVE-2012-1569.

Added:
    packages/libtasn1-3/branches/branch2.7+squeeze/debian/patches/CVE-2012-1569.diff
    packages/libtasn1-3/branches/branch2.7+squeeze/debian/patches/series
Modified:
    packages/libtasn1-3/branches/branch2.7+squeeze/debian/changelog

Modified: packages/libtasn1-3/branches/branch2.7+squeeze/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/libtasn1-3/branches/branch2.7%2Bsqueeze/debian/changelog?rev=1457&op=diff
==============================================================================
--- packages/libtasn1-3/branches/branch2.7+squeeze/debian/changelog (original)
+++ packages/libtasn1-3/branches/branch2.7+squeeze/debian/changelog Sun Mar 25 06:57:36 2012
@@ -1,3 +1,9 @@
+libtasn1-3 (2.7-1+squeeze+1) stable-security; urgency=low
+
+  * ASN.1 length decoding vulnerability. CVE-2012-1569.
+
+ -- Andreas Metzler <ametzler at debian.org>  Wed, 21 Mar 2012 16:01:21 +0100
+
 libtasn1-3 (2.7-1) unstable; urgency=low
 
   * New upstream version.
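Review bot: the new changelog line `* ASN.1 length decoding vulnerability. CVE-2012-1569.` names the issue but not what was done about it; `* Fix ASN.1 length decoding vulnerability (CVE-2012-1569).` matches the commit log, and a second sub-bullet saying that `asn1_get_length_der` now returns -4 when the decoded length plus the header length exceeds `der_len` (see the doc-comment change in the patch) would tell maintainers of reverse dependencies about the behaviour change they may need to handle.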

Added: packages/libtasn1-3/branches/branch2.7+squeeze/debian/patches/CVE-2012-1569.diff
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/libtasn1-3/branches/branch2.7%2Bsqueeze/debian/patches/CVE-2012-1569.diff?rev=1457&op=file
==============================================================================
--- packages/libtasn1-3/branches/branch2.7+squeeze/debian/patches/CVE-2012-1569.diff (added)
+++ packages/libtasn1-3/branches/branch2.7+squeeze/debian/patches/CVE-2012-1569.diff Sun Mar 25 06:57:36 2012
@@ -1,0 +1,91 @@
+From: Simon Josefsson <simon at josefsson.org>
+To: help-libtasn1 at gnu.org
+Subject: minimal fix to security issue
+OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
+Date: Mon, 19 Mar 2012 11:48:50 +0100
+Message-ID: <87d388dfxp.fsf at latte.josefsson.org>
+User-Agent: Gnus/5.130003 (Ma Gnus v0.3) Emacs/24.0.94 (gnu/linux)
+MIME-Version: 1.0
+Content-Type: text/plain
+X-BeenThere: help-libtasn1 at gnu.org
+Precedence: list
+List-Id: Discussion list for GNU Libtasn1 <help-libtasn1.gnu.org>
+List-Unsubscribe: <https://lists.gnu.org/mailman/options/help-libtasn1>,
+	<mailto:help-libtasn1-request at gnu.org?subject=unsubscribe>
+List-Archive: <http://lists.gnu.org/archive/html/help-libtasn1>
+List-Post: <mailto:help-libtasn1 at gnu.org>
+List-Help: <mailto:help-libtasn1-request at gnu.org?subject=help>
+List-Subscribe: <https://lists.gnu.org/mailman/listinfo/help-libtasn1>,
+	<mailto:help-libtasn1-request at gnu.org?subject=subscribe>
+
+If you want to patch an earlier version of libtasn1 instead of
+upgrading, below is a small patch that does the trick.  You can check
+whether a library is patched or not by running tests/Test_overflow.c
+from version 2.12 on your libtasn1 library (use LD_PRELOAD to force
+loading of a particular library).
+
+I want to mention that there were no security problem in the
+asn1_get_length_der function.  It was working properly and as documented
+before.  The security problem was the callers not checking that the
+returned values were reasonable, i.e., that the output length was less
+than or equal to the total length of the buffer.  However, fixing all
+callers of this function would be a huge amount of work.  Instead, we
+made asn1_get_length_der return an error code when the situation
+occured, to protect callers.  This fix could be the wrong thing if some
+code out there calls the function with a der_len parameter that is
+smaller than the entire DER structure length.  However, we are hoping
+that is not in any significant use, and that overall security will be
+improved by having the function sanity check its output rather than
+letting the caller do that.  This was a judgement call.
+
+Thanks again to Matthew Hall for reporting the issue and to Nikos for
+discussion.
+
+/Simon
+
+diff --git a/lib/decoding.c b/lib/decoding.c
+index 8c46ce5..968fa96 100644
+--- a/lib/decoding.c
++++ b/lib/decoding.c
+@@ -54,12 +54,13 @@ _asn1_error_description_tag_error (ASN1_TYPE node, char *ErrorDescription)
+  * Extract a length field from DER data.
+  *
+  * Returns: Return the decoded length value, or -1 on indefinite
+- *   length, or -2 when the value was too big.
++ *   length, or -2 when the value was too big to fit in a int, or -4
++ *   when the decoded length value plus @len would exceed @der_len.
+  **/
+ signed long
+ asn1_get_length_der (const unsigned char *der, int der_len, int *len)
+ {
+-  unsigned long ans;
++  int ans;
+   int k, punt;
+ 
+   *len = 0;
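Review bot: in the doc-comment change, `too big to fit in a int` should read `an int`, and the comment should also say that the accumulator `ans` is now an `int` while the function still returns `signed long`, so the largest length that can reach a caller is INT_MAX even though the return type suggests a wider range; naming `INT_MAX` explicitly as the limit behind the -2 case would make the contract clearer than "too big".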
+@@ -82,7 +83,7 @@ asn1_get_length_der (const unsigned char *der, int der_len, int *len)
+ 	  ans = 0;
+ 	  while (punt <= k && punt < der_len)
+ 	    {
+-	      unsigned long last = ans;
++	      int last = ans;
+ 
+ 	      ans = ans * 256 + der[punt++];
+ 	      if (ans < last)
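Review bot: with `ans` and `last` narrowed from `unsigned long` to `int` (`-	      unsigned long last = ans;` / `+	      int last = ans;`), the wraparound test `if (ans < last)` that follows `ans = ans * 256 + der[punt++];` now depends on signed integer overflow, which is undefined behaviour in C and can legitimately be optimised away, so the -2 path is no longer reliable. Check before multiplying instead, e.g. `if (ans > (INT_MAX - der[punt]) / 256) return -2;` (with `<limits.h>`), or keep the accumulator unsigned and reject values above INT_MAX once at the end.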
+@@ -92,10 +93,13 @@ asn1_get_length_der (const unsigned char *der, int der_len, int *len)
+ 	}
+       else
+ 	{			/* indefinite length method */
+-	  ans = -1;
++	  *len = punt;
++	  return -1;
+ 	}
+ 
+       *len = punt;
++      if (ans + *len < ans || ans + *len > der_len)
++	return -4;
+       return ans;
+     }
+ }
+
+
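Review bot: the new guard `if (ans + *len < ans || ans + *len > der_len)` has the same weakness: `ans + *len` is a signed `int` addition, so the `< ans` half is undefined behaviour rather than a dependable wrap check. Given the loop bound `punt < der_len` above, `*len` (set from `punt`) never exceeds `der_len`, so `if (ans > der_len - *len) return -4;` cannot overflow and states the documented condition directly. A comment is also warranted that the indefinite-length branch now returns -1 with `*len` already set, so it bypasses the -4 check, and that callers must not treat a -4 (or the existing -2) as a length.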
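Review bot: the added patch file is the raw upstream mail, List-* headers included, rather than a DEP-3 header block; replace the mail headers with `Origin:`, `Bug:`/`Bug-Debian:` and `Applied-Upstream:` fields and keep the explanatory paragraphs under `Description:` so the provenance, the CVE number and the upstream version the mail points to for the test (2.12) are machine-readable. The mail's own caveat that code calling the function with a `der_len` smaller than the whole DER structure will now get -4 is the behaviour change reverse dependencies need to know about and belongs in that description.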

Added: packages/libtasn1-3/branches/branch2.7+squeeze/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/libtasn1-3/branches/branch2.7%2Bsqueeze/debian/patches/series?rev=1457&op=file
==============================================================================
--- packages/libtasn1-3/branches/branch2.7+squeeze/debian/patches/series (added)
+++ packages/libtasn1-3/branches/branch2.7+squeeze/debian/patches/series Sun Mar 25 06:57:36 2012
@@ -1,0 +1,1 @@
+CVE-2012-1569.diff



