From d7caee05603679c2c7a3afc1e7b8d1dee90ea074 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Thu, 2 Dec 2010 15:36:29 +0100
Subject: [PATCH] - fix buffer overflow in gnutls-serv (#659259)
---
gnutls-2.10.3-sprintf.patch | 150 ++++++++++++++++++++++++++++++++++++
gnutls.spec | 8 +-
2 files changed, 157 insertions(+), 1 deletion(-)
create mode 100644 gnutls-2.10.3-sprintf.patch
diff --git a/gnutls-2.10.3-sprintf.patch b/gnutls-2.10.3-sprintf.patch
new file mode 100644
index 0000000..646f102
--- /dev/null
+++ b/gnutls-2.10.3-sprintf.patch
@@ -0,0 +1,150 @@
+diff -up gnutls-2.10.3/src/serv.c.sprintf gnutls-2.10.3/src/serv.c
+--- gnutls-2.10.3/src/serv.c.sprintf 2010-11-01 13:18:24.000000000 +0100
++++ gnutls-2.10.3/src/serv.c 2010-12-02 15:13:12.000000000 +0100
+@@ -438,7 +438,7 @@ static const char DEFAULT_DATA[] =
+
+ /* Creates html with the current session information.
+ */
+-#define tmp2 &http_buffer[strlen(http_buffer)]
++#define tmp2 &http_buffer[strlen(http_buffer)], len-strlen(http_buffer)
+ static char *
+ peer_print_info (gnutls_session_t session, int *ret_length,
+ const char *header)
+@@ -448,7 +448,7 @@ peer_print_info (gnutls_session_t sessio
+ size_t i, sesid_size;
+ char *http_buffer;
+ gnutls_kx_algorithm_t kx_alg;
+- size_t len = 5 * 1024 + strlen (header);
++ size_t len = 20 * 1024 + strlen (header);
+ char *crtinfo = NULL;
+ size_t ncrtinfo = 0;
+
+@@ -512,11 +512,11 @@ peer_print_info (gnutls_session_t sessio
+
+ /* print session_id */
+ gnutls_session_get_id (session, sesid, &sesid_size);
+- sprintf (tmp2, "\nSession ID: ");
++ snprintf (tmp2, "\n
Session ID: ");
+ for (i = 0; i < sesid_size; i++)
+- sprintf (tmp2, "%.2X", sesid[i]);
+- sprintf (tmp2, "
\n");
+- sprintf (tmp2,
++ snprintf (tmp2, "%.2X", sesid[i]);
++ snprintf (tmp2, "
\n");
++ snprintf (tmp2,
+ "If your browser supports session resuming, then you should see the "
+ "same session ID, when you press the reload button.
\n");
+
+@@ -530,7 +530,7 @@ peer_print_info (gnutls_session_t sessio
+
+ if (gnutls_server_name_get (session, dns, &dns_size, &type, 0) == 0)
+ {
+- sprintf (tmp2, "\nServer Name: %s
\n", dns);
++ snprintf (tmp2, "\nServer Name: %s
\n", dns);
+ }
+
+ }
+@@ -541,7 +541,7 @@ peer_print_info (gnutls_session_t sessio
+ #ifdef ENABLE_SRP
+ if (kx_alg == GNUTLS_KX_SRP)
+ {
+- sprintf (tmp2, "Connected as user '%s'.
\n",
++ snprintf (tmp2, "Connected as user '%s'.
\n",
+ gnutls_srp_server_get_username (session));
+ }
+ #endif
+@@ -549,7 +549,7 @@ peer_print_info (gnutls_session_t sessio
+ #ifdef ENABLE_PSK
+ if (kx_alg == GNUTLS_KX_PSK)
+ {
+- sprintf (tmp2, "Connected as user '%s'.
\n",
++ snprintf (tmp2, "Connected as user '%s'.
\n",
+ gnutls_psk_server_get_username (session));
+ }
+ #endif
+@@ -557,7 +557,7 @@ peer_print_info (gnutls_session_t sessio
+ #ifdef ENABLE_ANON
+ if (kx_alg == GNUTLS_KX_ANON_DH)
+ {
+- sprintf (tmp2,
++ snprintf (tmp2,
+ " Connect using anonymous DH (prime of %d bits)
\n",
+ gnutls_dh_get_prime_bits (session));
+ }
+@@ -565,7 +565,7 @@ peer_print_info (gnutls_session_t sessio
+
+ if (kx_alg == GNUTLS_KX_DHE_RSA || kx_alg == GNUTLS_KX_DHE_DSS)
+ {
+- sprintf (tmp2,
++ snprintf (tmp2,
+ "Ephemeral DH using prime of %d bits.
\n",
+ gnutls_dh_get_prime_bits (session));
+ }
+@@ -576,7 +576,7 @@ peer_print_info (gnutls_session_t sessio
+ tmp = gnutls_protocol_get_name (gnutls_protocol_get_version (session));
+ if (tmp == NULL)
+ tmp = str_unknown;
+- sprintf (tmp2,
++ snprintf (tmp2,
+ "Protocol version: | %s |
\n",
+ tmp);
+
+@@ -587,50 +587,44 @@ peer_print_info (gnutls_session_t sessio
+ (session));
+ if (tmp == NULL)
+ tmp = str_unknown;
+- sprintf (tmp2, "Certificate Type: | %s |
\n", tmp);
++ snprintf (tmp2, "Certificate Type: | %s |
\n", tmp);
+ }
+
+ tmp = gnutls_kx_get_name (kx_alg);
+ if (tmp == NULL)
+ tmp = str_unknown;
+- sprintf (tmp2, "Key Exchange: | %s |
\n", tmp);
++ snprintf (tmp2, "Key Exchange: | %s |
\n", tmp);
+
+ tmp = gnutls_compression_get_name (gnutls_compression_get (session));
+ if (tmp == NULL)
+ tmp = str_unknown;
+- sprintf (tmp2, "Compression | %s |
\n", tmp);
++ snprintf (tmp2, "Compression | %s |
\n", tmp);
+
+ tmp = gnutls_cipher_get_name (gnutls_cipher_get (session));
+ if (tmp == NULL)
+ tmp = str_unknown;
+- sprintf (tmp2, "Cipher | %s |
\n", tmp);
++ snprintf (tmp2, "Cipher | %s |
\n", tmp);
+
+ tmp = gnutls_mac_get_name (gnutls_mac_get (session));
+ if (tmp == NULL)
+ tmp = str_unknown;
+- sprintf (tmp2, "MAC | %s |
\n", tmp);
++ snprintf (tmp2, "MAC | %s |
\n", tmp);
+
+ tmp = gnutls_cipher_suite_get_name (kx_alg,
+ gnutls_cipher_get (session),
+ gnutls_mac_get (session));
+ if (tmp == NULL)
+ tmp = str_unknown;
+- sprintf (tmp2, "Ciphersuite | %s |
\n",
++ snprintf (tmp2, "Ciphersuite | %s |
\n",
+ tmp);
+
+ if (crtinfo)
+ {
+- strcat (http_buffer, "
");
+- strcat (http_buffer, crtinfo);
+- strcat (http_buffer, "\n
\n");
++ snprintf(tmp2, "
%s\n
\n", crtinfo);
+ free (crtinfo);
+ }
+
+- strcat (http_buffer, "
Your HTTP header was:
");
+- strcat (http_buffer, header);
+- strcat (http_buffer, "
");
+-
+- strcat (http_buffer, "\n" HTTP_END);
++ snprintf(tmp2, "
Your HTTP header was:
%s
\n" HTTP_END, header);
+
+ *ret_length = strlen (http_buffer);
+
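Review bot: The snprintf return values in peer_print_info are never checked, so with `len` now a fixed 20 KiB plus strlen(header) the bounded writes can still silently drop the tail of the page — most plausibly the crtinfo block written near the end of the last hunk, whose length appears to be tracked in `ncrtinfo` — and `*ret_length` would then describe a truncated body whose final snprintf (the one carrying HTTP_END) was cut short. A cheap guard before `*ret_length = strlen (http_buffer);` is `if (strlen (http_buffer) + 1 >= len) fprintf (stderr, "peer_print_info: output truncated\n");`, or size `len` from `ncrtinfo` once it is known instead of the 20 KiB heuristic. The two-argument expansion hidden in `#define tmp2` also evaluates strlen(http_buffer) twice per call and makes every `snprintf (tmp2, ...)` read as if the size argument were missing; a `static` append helper taking `(buf, len, fmt, ...)` would be clearer and keep the bound visible at each call site. The writes into http_buffer between the allocation and the first hunk at line 512 are not in the diff, so whether they are bounded too cannot be confirmed from here, and the SNI name and SRP/PSK usernames are still interpolated into the HTML unescaped, a pre-existing issue this commit does not address. peer_print_info ends outside the hunk.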
diff --git a/gnutls.spec b/gnutls.spec
index 4a249eb..0462880 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -1,7 +1,7 @@
Summary: A TLS protocol implementation
Name: gnutls
Version: 2.10.3
-Release: 1%{?dist}
+Release: 2%{?dist}
# The libgnutls library is LGPLv2+, utilities and remaining libraries are GPLv3+
License: GPLv3+ and LGPLv2+
Group: System Environment/Libraries
@@ -21,6 +21,8 @@ Patch2: gnutls-2.8.6-link-libgcrypt.patch
Patch3: gnutls-2.10.1-nosrp.patch
# Backport from upstream git
Patch4: gnutls-2.10.1-handshake-errors.patch
+# Sent to upstream
+Patch5: gnutls-2.10.3-sprintf.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: libgcrypt >= 1.2.2
@@ -77,6 +79,7 @@ This package contains Guile bindings for the library.
%patch2 -p1 -b .link
%patch3 -p1 -b .nosrp
%patch4 -p1 -b .errors
+%patch5 -p1 -b .sprintf
for i in auth_srp_rsa.c auth_srp_sb64.c auth_srp_passwd.c auth_srp.c gnutls_srp.c ext_srp.c; do
touch lib/$i
@@ -160,6 +163,9 @@ fi
%{_datadir}/guile/site/gnutls.scm
%changelog
+* Tue Dec 2 2010 Tomas Mraz 2.10.3-2
+- fix buffer overflow in gnutls-serv (#659259)
+
* Fri Nov 19 2010 Tomas Mraz 2.10.3-1
- new upstream version