rpms/gnutls
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- fix three security issues in gnutls handshake - GNUTLS-SA-2008-1

Browse Source 
(#447461, #447462, #447463)
This commit is contained in:
Tomáš Mráz 2008-05-20 13:45:03 +00:00
parent 0c2a289f4e
commit 7eaa87392c
2 changed files with 105 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

98
gnutls-1.4.1-sa-2008-1.patch Normal file
View File

@ -0,0 +1,98 @@
diff -up gnutls-1.4.1/lib/ext_server_name.c.sa-2008-1 gnutls-1.4.1/lib/ext_server_name.c
--- gnutls-1.4.1/lib/ext_server_name.c.sa-2008-1 2006-03-08 11:44:59.000000000 +0100
+++ gnutls-1.4.1/lib/ext_server_name.c 2008-05-20 09:52:13.000000000 +0200
@@ -74,10 +74,27 @@ _gnutls_server_name_recv_params (gnutls_
len = _gnutls_read_uint16 (p);
p += 2;
- DECR_LENGTH_RET (data_size, len, 0);
- server_names++;
+ if (len > 0)
+ {
+ DECR_LENGTH_RET (data_size, len, 0);
+ server_names++;
+ p += len;
+ }
+ else
+ _gnutls_handshake_log
+ ("HSK[%x]: Received zero size server name (under attack?)\n",
+ session);
- p += len;
+ }
+
+ /* we cannot accept more server names.
+ */
+ if (server_names > MAX_SERVER_NAME_EXTENSIONS)
+ {
+ _gnutls_handshake_log
+ ("HSK[%x]: Too many server names received (under attack?)\n",
+ session);
+ server_names = MAX_SERVER_NAME_EXTENSIONS;
}
session->security_parameters.extensions.server_names_size =
@@ -85,10 +102,6 @@ _gnutls_server_name_recv_params (gnutls_
if (server_names == 0)
return 0; /* no names found */
- /* we cannot accept more server names.
- */
- if (server_names > MAX_SERVER_NAME_EXTENSIONS)
- server_names = MAX_SERVER_NAME_EXTENSIONS;
p = data + 2;
for (i = 0; i < server_names; i++)
diff -up gnutls-1.4.1/lib/gnutls_handshake.c.sa-2008-1 gnutls-1.4.1/lib/gnutls_handshake.c
--- gnutls-1.4.1/lib/gnutls_handshake.c.sa-2008-1 2006-04-17 18:32:16.000000000 +0200
+++ gnutls-1.4.1/lib/gnutls_handshake.c 2008-05-20 09:52:13.000000000 +0200
@@ -929,6 +929,14 @@ _gnutls_recv_handshake_header (gnutls_se
*recv_type = session->internals.handshake_header_buffer.recv_type;
+ if (*recv_type != type)
+ {
+ gnutls_assert ();
+ _gnutls_handshake_log
+ ("HSK[%x]: Handshake type mismatch (under attack?)\n", session);
+ return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
+ }
+
return session->internals.handshake_header_buffer.packet_length;
}
diff -up gnutls-1.4.1/lib/gnutls_cipher.c.sa-2008-1 gnutls-1.4.1/lib/gnutls_cipher.c
--- gnutls-1.4.1/lib/gnutls_cipher.c.sa-2008-1 2006-03-08 11:44:59.000000000 +0100
+++ gnutls-1.4.1/lib/gnutls_cipher.c 2008-05-20 09:52:48.000000000 +0200
@@ -445,7 +445,6 @@ _gnutls_ciphertext2compressed (gnutls_se
return GNUTLS_E_INTERNAL_ERROR;
}
-
/* actual decryption (inplace)
*/
switch (_gnutls_cipher_is_block
@@ -496,17 +495,20 @@ _gnutls_ciphertext2compressed (gnutls_se
pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */
- length = ciphertext.size - hash_size - pad;
-
- if (pad > ciphertext.size - hash_size)
+ if ((int)pad > (int)ciphertext.size - hash_size)
{
gnutls_assert ();
+ _gnutls_record_log
+ ("REC[%x]: Short record length %d > %d - %d (under attack?)\n",
+ session, pad, ciphertext.size, hash_size);
/* We do not fail here. We check below for the
* the pad_failed. If zero means success.
*/
pad_failed = GNUTLS_E_DECRYPTION_FAILED;
}
+ length = ciphertext.size - hash_size - pad;
+
/* Check the pading bytes (TLS 1.x)
*/
if (ver >= GNUTLS_TLS1 && pad_failed == 0)

8
gnutls.spec
View File

@ -1,7 +1,7 @@
Summary: A TLS protocol implementation Summary: A TLS protocol implementation
Name: gnutls Name: gnutls
Version: 2.0.4 Version: 2.0.4
Release: 2%{?dist} Release: 3%{?dist}
# The libgnutls library is LGPLv2+, utilities and remaining libraries are GPLv2+ # The libgnutls library is LGPLv2+, utilities and remaining libraries are GPLv2+
License: GPLv2+ and LGPLv2+ License: GPLv2+ and LGPLv2+
Group: System Environment/Libraries Group: System Environment/Libraries
@ -15,6 +15,7 @@ URL: http://www.gnutls.org/
Source0: %{name}-%{version}-nosrp.tar.bz2 Source0: %{name}-%{version}-nosrp.tar.bz2
Source1: libgnutls-config Source1: libgnutls-config
Patch0: gnutls-2.0.4-nosrp.patch Patch0: gnutls-2.0.4-nosrp.patch
Patch4: gnutls-1.4.1-sa-2008-1.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: libgcrypt >= 1.2.2 Requires: libgcrypt >= 1.2.2
@ -56,6 +57,7 @@ manipulation tools.
%prep %prep
%setup -q %setup -q
%patch0 -p1 -b .nosrp %patch0 -p1 -b .nosrp
%patch4 -p1 -b .sa-2008-1
for i in auth_srp_rsa.c auth_srp_sb64.c auth_srp_passwd.c auth_srp.c gnutls_srp.c ext_srp.c; do for i in auth_srp_rsa.c auth_srp_sb64.c auth_srp_passwd.c auth_srp.c gnutls_srp.c ext_srp.c; do
touch lib/$i touch lib/$i
@ -124,6 +126,10 @@ fi
%{_mandir}/man1/* %{_mandir}/man1/*
%changelog %changelog
* Tue May 20 2008 Tomas Mraz <tmraz@redhat.com> 2.0.4-3
- fix three security issues in gnutls handshake - GNUTLS-SA-2008-1
(#447461, #447462, #447463)
* Mon Feb 4 2008 Joe Orton <jorton@redhat.com> 2.0.4-2 * Mon Feb 4 2008 Joe Orton <jorton@redhat.com> 2.0.4-2
- use system libtasn1 - use system libtasn1