- fix buffer overflow in gnutls-serv (#659259)

This commit is contained in:
Tomas Mraz 2010-12-02 15:36:29 +01:00
parent 9f571c62cb
commit d7caee0560
2 changed files with 157 additions and 1 deletions

150
gnutls-2.10.3-sprintf.patch Normal file
View File

@ -0,0 +1,150 @@
diff -up gnutls-2.10.3/src/serv.c.sprintf gnutls-2.10.3/src/serv.c
--- gnutls-2.10.3/src/serv.c.sprintf 2010-11-01 13:18:24.000000000 +0100
+++ gnutls-2.10.3/src/serv.c 2010-12-02 15:13:12.000000000 +0100
@@ -438,7 +438,7 @@ static const char DEFAULT_DATA[] =
/* Creates html with the current session information.
*/
-#define tmp2 &http_buffer[strlen(http_buffer)]
+#define tmp2 &http_buffer[strlen(http_buffer)], len-strlen(http_buffer)
static char *
peer_print_info (gnutls_session_t session, int *ret_length,
const char *header)
@@ -448,7 +448,7 @@ peer_print_info (gnutls_session_t sessio
size_t i, sesid_size;
char *http_buffer;
gnutls_kx_algorithm_t kx_alg;
- size_t len = 5 * 1024 + strlen (header);
+ size_t len = 20 * 1024 + strlen (header);
char *crtinfo = NULL;
size_t ncrtinfo = 0;
@@ -512,11 +512,11 @@ peer_print_info (gnutls_session_t sessio
/* print session_id */
gnutls_session_get_id (session, sesid, &sesid_size);
- sprintf (tmp2, "\n<p>Session ID: <i>");
+ snprintf (tmp2, "\n<p>Session ID: <i>");
for (i = 0; i < sesid_size; i++)
- sprintf (tmp2, "%.2X", sesid[i]);
- sprintf (tmp2, "</i></p>\n");
- sprintf (tmp2,
+ snprintf (tmp2, "%.2X", sesid[i]);
+ snprintf (tmp2, "</i></p>\n");
+ snprintf (tmp2,
"<h5>If your browser supports session resuming, then you should see the "
"same session ID, when you press the <b>reload</b> button.</h5>\n");
@@ -530,7 +530,7 @@ peer_print_info (gnutls_session_t sessio
if (gnutls_server_name_get (session, dns, &dns_size, &type, 0) == 0)
{
- sprintf (tmp2, "\n<p>Server Name: %s</p>\n", dns);
+ snprintf (tmp2, "\n<p>Server Name: %s</p>\n", dns);
}
}
@@ -541,7 +541,7 @@ peer_print_info (gnutls_session_t sessio
#ifdef ENABLE_SRP
if (kx_alg == GNUTLS_KX_SRP)
{
- sprintf (tmp2, "<p>Connected as user '%s'.</p>\n",
+ snprintf (tmp2, "<p>Connected as user '%s'.</p>\n",
gnutls_srp_server_get_username (session));
}
#endif
@@ -549,7 +549,7 @@ peer_print_info (gnutls_session_t sessio
#ifdef ENABLE_PSK
if (kx_alg == GNUTLS_KX_PSK)
{
- sprintf (tmp2, "<p>Connected as user '%s'.</p>\n",
+ snprintf (tmp2, "<p>Connected as user '%s'.</p>\n",
gnutls_psk_server_get_username (session));
}
#endif
@@ -557,7 +557,7 @@ peer_print_info (gnutls_session_t sessio
#ifdef ENABLE_ANON
if (kx_alg == GNUTLS_KX_ANON_DH)
{
- sprintf (tmp2,
+ snprintf (tmp2,
"<p> Connect using anonymous DH (prime of %d bits)</p>\n",
gnutls_dh_get_prime_bits (session));
}
@@ -565,7 +565,7 @@ peer_print_info (gnutls_session_t sessio
if (kx_alg == GNUTLS_KX_DHE_RSA || kx_alg == GNUTLS_KX_DHE_DSS)
{
- sprintf (tmp2,
+ snprintf (tmp2,
"Ephemeral DH using prime of <b>%d</b> bits.<br>\n",
gnutls_dh_get_prime_bits (session));
}
@@ -576,7 +576,7 @@ peer_print_info (gnutls_session_t sessio
tmp = gnutls_protocol_get_name (gnutls_protocol_get_version (session));
if (tmp == NULL)
tmp = str_unknown;
- sprintf (tmp2,
+ snprintf (tmp2,
"<TABLE border=1><TR><TD>Protocol version:</TD><TD>%s</TD></TR>\n",
tmp);
@@ -587,50 +587,44 @@ peer_print_info (gnutls_session_t sessio
(session));
if (tmp == NULL)
tmp = str_unknown;
- sprintf (tmp2, "<TR><TD>Certificate Type:</TD><TD>%s</TD></TR>\n", tmp);
+ snprintf (tmp2, "<TR><TD>Certificate Type:</TD><TD>%s</TD></TR>\n", tmp);
}
tmp = gnutls_kx_get_name (kx_alg);
if (tmp == NULL)
tmp = str_unknown;
- sprintf (tmp2, "<TR><TD>Key Exchange:</TD><TD>%s</TD></TR>\n", tmp);
+ snprintf (tmp2, "<TR><TD>Key Exchange:</TD><TD>%s</TD></TR>\n", tmp);
tmp = gnutls_compression_get_name (gnutls_compression_get (session));
if (tmp == NULL)
tmp = str_unknown;
- sprintf (tmp2, "<TR><TD>Compression</TD><TD>%s</TD></TR>\n", tmp);
+ snprintf (tmp2, "<TR><TD>Compression</TD><TD>%s</TD></TR>\n", tmp);
tmp = gnutls_cipher_get_name (gnutls_cipher_get (session));
if (tmp == NULL)
tmp = str_unknown;
- sprintf (tmp2, "<TR><TD>Cipher</TD><TD>%s</TD></TR>\n", tmp);
+ snprintf (tmp2, "<TR><TD>Cipher</TD><TD>%s</TD></TR>\n", tmp);
tmp = gnutls_mac_get_name (gnutls_mac_get (session));
if (tmp == NULL)
tmp = str_unknown;
- sprintf (tmp2, "<TR><TD>MAC</TD><TD>%s</TD></TR>\n", tmp);
+ snprintf (tmp2, "<TR><TD>MAC</TD><TD>%s</TD></TR>\n", tmp);
tmp = gnutls_cipher_suite_get_name (kx_alg,
gnutls_cipher_get (session),
gnutls_mac_get (session));
if (tmp == NULL)
tmp = str_unknown;
- sprintf (tmp2, "<TR><TD>Ciphersuite</TD><TD>%s</TD></TR></p></TABLE>\n",
+ snprintf (tmp2, "<TR><TD>Ciphersuite</TD><TD>%s</TD></TR></p></TABLE>\n",
tmp);
if (crtinfo)
{
- strcat (http_buffer, "<hr><PRE>");
- strcat (http_buffer, crtinfo);
- strcat (http_buffer, "\n</PRE>\n");
+ snprintf(tmp2, "<hr><PRE>%s\n</PRE>\n", crtinfo);
free (crtinfo);
}
- strcat (http_buffer, "<hr><P>Your HTTP header was:<PRE>");
- strcat (http_buffer, header);
- strcat (http_buffer, "</PRE></P>");
-
- strcat (http_buffer, "\n" HTTP_END);
+ snprintf(tmp2, "<hr><P>Your HTTP header was:<PRE>%s</PRE></P>\n" HTTP_END, header);
*ret_length = strlen (http_buffer);

View File

@ -1,7 +1,7 @@
Summary: A TLS protocol implementation Summary: A TLS protocol implementation
Name: gnutls Name: gnutls
Version: 2.10.3 Version: 2.10.3
Release: 1%{?dist} Release: 2%{?dist}
# The libgnutls library is LGPLv2+, utilities and remaining libraries are GPLv3+ # The libgnutls library is LGPLv2+, utilities and remaining libraries are GPLv3+
License: GPLv3+ and LGPLv2+ License: GPLv3+ and LGPLv2+
Group: System Environment/Libraries Group: System Environment/Libraries
@ -21,6 +21,8 @@ Patch2: gnutls-2.8.6-link-libgcrypt.patch
Patch3: gnutls-2.10.1-nosrp.patch Patch3: gnutls-2.10.1-nosrp.patch
# Backport from upstream git # Backport from upstream git
Patch4: gnutls-2.10.1-handshake-errors.patch Patch4: gnutls-2.10.1-handshake-errors.patch
# Sent to upstream
Patch5: gnutls-2.10.3-sprintf.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: libgcrypt >= 1.2.2 Requires: libgcrypt >= 1.2.2
@ -77,6 +79,7 @@ This package contains Guile bindings for the library.
%patch2 -p1 -b .link %patch2 -p1 -b .link
%patch3 -p1 -b .nosrp %patch3 -p1 -b .nosrp
%patch4 -p1 -b .errors %patch4 -p1 -b .errors
%patch5 -p1 -b .sprintf
for i in auth_srp_rsa.c auth_srp_sb64.c auth_srp_passwd.c auth_srp.c gnutls_srp.c ext_srp.c; do for i in auth_srp_rsa.c auth_srp_sb64.c auth_srp_passwd.c auth_srp.c gnutls_srp.c ext_srp.c; do
touch lib/$i touch lib/$i
@ -160,6 +163,9 @@ fi
%{_datadir}/guile/site/gnutls.scm %{_datadir}/guile/site/gnutls.scm
%changelog %changelog
* Tue Dec 2 2010 Tomas Mraz <tmraz@redhat.com> 2.10.3-2
- fix buffer overflow in gnutls-serv (#659259)
* Fri Nov 19 2010 Tomas Mraz <tmraz@redhat.com> 2.10.3-1 * Fri Nov 19 2010 Tomas Mraz <tmraz@redhat.com> 2.10.3-1
- new upstream version - new upstream version